Quotes
The Data Owner (also called information owner) is a management employee responsible for ensuring that specific data is protected. Data owners determine data sensitivity labels and the frequency of data backup. They focus on the data itself, whether in electronic or paper form. A company with multiple lines of business may have multiple data owners. The data owner performs management duties; Custodians perform the hands-on protection of data.
(Conrad et al., 2016, p. 85)
It is sometimes overlooked that the obligations upon an organisation need to be taken into account when dealing with other businesses. There may be times when contracts for goods, services or both are outsourced. The contracts to cover this will need to include legally binding clauses that cover the information assurance aspects of the data and services concerned. The information owner has a legally binding duty of care to ensure that the external body is competent to process the data securely and will observe the same high standards as the organisation on behalf of which it is performing the work.
(Alexander et al., 2013, p. 108)
Access to IT services must be controlled through a formal user registration and de-registration process. Ensure that:
- On appointment, personnel are allocated access rights that are acceptable to the Information owner.
(Wright, 2008, p. 365)
An information asset is an atomic piece of information that has meaning to the organization or the individual. Information assets have an owner. The information assets of a business organization are owned by a business owner, and those of an individual are owned by the actual individual. Organizations delegate the responsibility of protecting information assets to the IT department, the Information Security department, or the Information Risk Management department; individuals typically protect their own resources, but they may interact with other individuals and organizations, and may seek advice or transfer protection responsibilities to other individuals and organizations.
Whoever is managing protection is considered a custodian of the information asset; however, the owner is still responsible for valuating information, posing requirements for information protection, ensuring that information is protected by following defined procedures for information protection and auditing the protection mechanisms in place. The custodian is responsible for defining security protection mechanisms that meet the requirements of the information owner.
(Todorov, 2007, p. 2)
Information Owner
The information owner is the agency official with statutory or operational authority for specified information and is responsible for establishing the controls for information generation, collection, processing, dissemination, and disposal. The information owner has the following responsibilities related to system security plans:
- Establishing the rules for the appropriate use and protection of the subject data/information (rules of behavior);
- Providing input to information system owners on the security requirements and security controls for the information systems where the information resides;
- Deciding who has access to the information system and determining what types of privileges or access rights; and
- Assisting in identifying and assessing the common security controls where the information resides.
(NIST SP 800-100, 2006, p. 69)
Bibliography
See Also
- Data Owner (Dictionary Entry) (Dictionary)
- Information Owner (Dictionary Entry) (Dictionary)