Sistema de blogs Diarium
Universidad de Salamanca
Pablo Gallardo's Blog
My professional web log about IT, Cybersecurity & Project Management
 

Data Roles

This post summarizes the roles involved in managing data in IT systems, as defined in the US NIST SP 800-18 Rev. 1 "Guide for Developing Security Plans for Federal Information Systems" and in the European Union's General Data Protection Regulation (GDPR).

These data roles are tested in the CISSP exam, within CISSP Domain 2 (Asset Security).

 

Data Roles

The roles that are reviewed in this post are:

  • Data owner
  • Asset/system owner
  • Business/mission owner
  • Data processor
  • Data controller
  • Custodian
  • Administrator
  • User
  • Data Subject

Data owner

A data owner (also known as organizational owner or senior manager; NIST SP 800-18 calls this role the information owner) is the person who has ultimate organizational responsibility for the data. They are accountable for classifying it and for deciding who may access it and how it must be protected.

Responsibilities, according to NIST SP 800-18 Rev. 1 “Guide for Developing Security Plans for Federal Information Systems”:

  • Establishes the rules for appropriate use and protection of the subject data/information (rules of behaviour)
  • Provides input to information system owners regarding the security requirements and security controls for the information system(s) where the information resides
  • Decides who has access to the information system and with what types of privileges or access rights
  • Assists in the identification and assessment of the common security controls for the systems in which the information resides

Asset/system owner

An asset owner or system owner is the person accountable for the asset or system that stores or processes sensitive data. This role is distinct from the data owner: the data owner decides how the data must be protected, while the system owner is responsible for the system actually implementing those requirements.

Responsibilities, according to NIST SP 800-18 Rev. 1 “Guide for Developing Security Plans for Federal Information Systems”:

  • Develops the system security plan in coordination with information owners, the system administrator and functional end users
  • Maintains the system security plan and ensures that the system is deployed and operated according to the agreed-upon security requirements
  • Ensures that system users and support personnel receive appropriate security training, such as instruction on the rules of behaviour (or an acceptable use policy, AUP)
  • Updates the system security plan whenever a significant change occurs
  • Assists in the identification, implementation, and assessment of the common security controls

Business/mission owner

The person who owns the business processes that the systems support and who is responsible for ensuring those systems deliver value to the organization. In practice this role often overlaps with the data owner or the system owner.

Data processor

A data processor, according to GDPR (Article 4(8)), is a natural or legal person, public authority, agency or other body that processes personal data on behalf of a data controller. It may be a third party (for example, a cloud or payroll provider) and must process the data only on the controller's documented instructions.

Data controller

A data controller, according to GDPR (Article 4(7)), is the person or entity that determines the purposes and means of the processing of personal data. A controller exists whether or not it delegates any processing to a data processor; when it does, the controller remains responsible for the processing it has delegated.

Custodian

A custodian is a person who performs day-to-day protection tasks on a system, such as running backups, reviewing logs or applying patches. Nevertheless, they do not decide who may access the data; that decision remains with the data owner.

They are typically someone in the IT department.

Administrator

An administrator is a person who assigns permissions to data, always following the requests of the data owner. Administrators implement access decisions; they do not make them.

User

A user is any person who accesses data in a system in order to perform their job. Users are expected to follow the rules of behaviour (AUP) and should hold only the access rights their tasks require.

Data Subject

A data subject, according to GDPR (Article 4(1)), is an identified or identifiable natural person, i.e. the person to whom the personal data relates. A person is identifiable when they can be identified, directly or indirectly, through an identifier such as a name, an identification number, location data or an online identifier.

 

External references

  • NIST; "SP 800-18 Rev. 1, Guide for Developing Security Plans for Federal Information Systems"; 2006
  • European Parliament and Council; "Regulation (EU) 2016/679 (General Data Protection Regulation)"; 2016
  • M. Chapple, J. M. Stewart, D. Gibson; "CISSP Official Study Guide, Third Edition"; pp. 204-208; Wiley, 2021
  • M. Chapple, D. Seidl; "CISSP Official Practice Tests, Third Edition"; Chapter 2, Questions 72, 79, 85, 87, 93 and 94; Wiley, 2021

About pmgallardo

I studied Computer Science at the University of Salamanca. Since then, I have been working first as a developer and then as a SAP consultant. This blog is about problems I dealt with when using computers and, more importantly, the solutions I found. Whenever I am on an issue and suddenly I have a flash that leads me to a solution, I document my discoveries in a post.
