I just started studying up for the CISSP and am having trouble understanding a few concepts:

  • Data owner
  • Data custodian
  • System owner

Somewhere I read:

The data owner (information owner) is usually a member of management who is in charge of a specific business unit, and who is ultimately responsible for the protection and use of a specific subset of information.

The data custodian (information custodian) is responsible for maintaining and protecting the data.

But in the practical world, what exactly is the boundary between these roles? Both seem to be protecting data.

Any real-world example helps.

  • I'm a little confused by your confusion. "member of management who is in charge of a specific business unit" vs "responsible for maintaining and protecting the data" seems pretty clear. Head of Finance owns the financial data. The server admin who maintains the server on which the finance system lives.
    – schroeder
    Commented Sep 15, 2019 at 17:00
  • So you mean the Head of Finance is the data owner and the server admin is the data custodian. Great, thanks. Then who is the system owner? Is it operations?
    – kudlatiger
    Commented Sep 16, 2019 at 2:11

1 Answer

Real example:

Data Owner - the administrator/CEO/board/president of a company

Data custodian - the ones taking care of the actual data - like IT staff (generally) or HR staff (for HR-related data)

System owner is the individual that is in charge of one or more systems, which may contain and operate data owned by various data owners.

Example, from a pure CISSP perspective: the IT server staff. They are responsible for creating information plans together with the data owners, the system administrator and the end users. They must maintain the system security plan according to the pre-agreed security requirements, and they are involved in many security aspects of all systems that hold the data.

Limited example: an HR employee who has a PC with company data on it is in theory a system owner, but not a data owner. He will operate on the data, but the data does not belong to him. So the system owner may be considered an operator in such a limited case. Although in most cases such employees should be just users, in many cases they are not only that, and therefore they can be put under this category.

  • Now, where can I plug in "information owner"? Can I consider that one system owner can have multiple information owners?
    – kudlatiger
    Commented Sep 17, 2019 at 10:52
  • Yes, that is possible because, for example, multiple owners can host their information on the same system/hardware.
    – Overmind
    Commented Sep 18, 2019 at 5:06
  • Is a security admin a data custodian?
    – kudlatiger
    Commented Oct 17, 2019 at 3:19
  • Yes, if that admin hosts your data.
    – Overmind
    Commented Oct 17, 2019 at 5:13