System Owner (Dictionary Entry)

Contexts

Computer Science, Information Security

Term

System Owner

Alternative Forms

Application Owner

Definitions

The system (or application) owner is responsible for the management, operation, maintenance and level of protection of the system they own.

The perspective of the system (or application) owner is that of the system holding and processing information, in contrast with the information custodian, whose perspective is that of the information itself.

Quotes

The system owner is responsible for one or more systems, each of which may hold and process data owned by different data owners. A system owner is responsible for integrating security considerations into application and system purchasing decisions and development projects. The system owner is responsible for ensuring that adequate security is being provided by the necessary controls, password management, remote access controls, operating system configurations, and so on. This role must ensure the systems are properly assessed for vulnerabilities and must report any to the incident response team and data owner.

The System Owner is a manager responsible for the actual computers that house data. This includes the hardware and software configuration, including updates, patching, etc. They ensure the hardware is physically secure, operating systems are patched and up to date, the system is hardened, etc. Technical hands-on responsibilities are delegated to Custodians, discussed next.

Application owner — Manager of the business unit who is fully accountable for the performance of the business function served by the application. Responsibilities include the following:
— Establish user access criteria and availability requirements for their applications
— Ensure the security controls associated with the application are commensurate with support for the highest level of information classification used by the application
— Perform or delegate the following:
  - Day-to-day security administration
  - Approval of exception access requests
  - Appropriate actions on security violations when notified by security administration
  - The review and approval of all changes to the application prior to being placed into the production environment
  - Verification of the currency of user access rights to the application



This wiki is owned by Open Measure, a non-profit association. The original content we publish is licensed under a Creative Commons Attribution 4.0 International License.