Information Owner (Dictionary Entry)

Contexts

IAM, Information Security

Term

Information Owner

Alternative Forms

Data Owner (synonym)

Definitions

The person or function with statutory or operational authority over the information.

The information owner has a (possibly legally binding) duty of care over the information.

The information owner is held accountable for the definition and oversight of the policies, requirements and controls that govern information generation, collection, processing, access, modification, dissemination, and disposal.

Related Terms

Quotes

The Data Owner (also called information owner) is a management employee responsible for ensuring that specific data is protected. Data owners determine data sensitivity labels and the frequency of data backup. They focus on the data itself, whether in electronic or paper form. A company with multiple lines of business may have multiple data owners. The data owner performs management duties; custodians perform the hands-on protection of data.

It is sometimes overlooked that the obligations upon an organisation need to be taken into account when dealing with other businesses. There may be times when contracts for goods, services or both are outsourced. The contracts to cover this will need to include legally binding clauses that cover the information assurance aspects of the data and services concerned. The information owner has a legally binding duty of care to ensure that the external body is competent to process the data securely and will observe the same high standards as the organisation on behalf of which it is performing the work.

Access to IT services must be controlled through a formal user registration and de-registration process. Ensure that:

- On appointment, personnel are allocated access rights that are acceptable to the Information owner.

(Wright, 2008, p. 365)

Information owner — Business executive or business manager who is responsible for a company business information asset. Responsibilities include, but are not limited to:
- Assign initial information classification and periodically review the classification to ensure it still meets the business needs
- Ensure security controls are in place commensurate with the classification
- Review and ensure currency of the access rights associated with information assets they own
- Determine security requirements, access criteria, and backup requirements for the information assets they own
- Perform or delegate, if desired, the following:
  - Approval authority for access requests from other business units or assign a delegate in the same business unit as the executive or manager owner
  - Backup and recovery duties or assign to the custodian
  - Approval of the disclosure of information
  - Act on notifications received concerning security violations against their information assets

An information asset is an atomic piece of information that has meaning to the organization or the individual. Information assets have an owner. The information assets of a business organization are owned by a business owner, and those of an individual are owned by the actual individual. Organizations delegate the responsibility of protecting information assets to the IT department, the Information Security department, or the Information Risk Management department; individuals typically protect their own resources, but they may interact with other individuals and organizations, and may seek advice or transfer protection responsibilities to other individuals and organizations.
Whoever is managing protection is considered a custodian of the information asset; however, the owner is still responsible for valuating information, posing requirements for information protection, ensuring that information is protected by following defined procedures for information protection and auditing the protection mechanisms in place. The custodian is responsible for defining security protection mechanisms that meet the requirements of the information owner.

Information Owner

The information owner is the agency official with statutory or operational authority for specified information and is responsible for establishing the controls for information generation, collection, processing, dissemination, and disposal. The information owner has the following responsibilities related to system security plans:

- Establishing the rules for the appropriate use and protection of the subject data/information (rules of behavior);

- Providing input to information system owners on the security requirements and security controls for the information systems where the information resides;

- Deciding who has access to the information system and determining what types of privileges or access rights; and

- Assisting in identifying and assessing the common security controls where the information resides.

DATA OWNER: The person within an organisation who has ultimate responsibility for the accuracy and integrity of a data file.

Bibliography

See Also


This wiki is owned by Open Measure, a non-profit association. The original content we publish is licensed under a Creative Commons Attribution 4.0 International License.