CISSP PRACTICE QUESTIONS – 20190923

Effective CISSP Questions

Your company finished conducting an asset inventory. As the head of the sales department, you are assigned as the data owner of the customer master data. You are learning about the role and responsibility of the data owner. Which of the following is least related to the data owner?
A. Classify the data based on business value
B. Delegate the system administrator to authorize users
C. Take the ultimate responsibility if the data is breached
D. Define the classification scheme

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is D. Define the classification scheme.

(Figure: Classification Scheme)

Accountability and Ultimate Responsibility

Owners make decisions and are accountable for those decisions. To be held accountable, management (or even senior management) typically assumes the role of the data owner, so that someone with authority is accountable or ultimately responsible for the data.

Data owners, typically at the management level, are accountable for data breaches. They may (or may not) be members of senior management, who take the ultimate responsibility if the data is breached.

The question asks which option is “least related to the data owner,” and option C, take the ultimate responsibility if the data is breached, is a commonly accepted duty of the data owner, so it is not the least related.

Classification Scheme

The classification scheme applies across the whole organization. It is predefined so that the data owner can apply it rather than define it. The CISO is an appropriate role for defining the classification scheme.

Roles in Data Governance

As information is the organization’s primary asset and data quality can be a legal or regulatory requirement in some sectors, data governance has become a trending topic, but it still lacks an agreed definition. As a result, the author defines data governance as follows:

Data governance is the responsibility of the board and executive management to ensure that data is fit for its purpose and compliant with applicable legal and regulatory requirements, through the practice of overall enterprise data management (EDM).

There are three typical roles in a data governance program: data owner, data steward, and data custodian.

Data Owner

The data owner role is assigned to the person who is responsible for classifying information for placement and protection within the security solution. The data owner is typically a high-level manager who is ultimately responsible for data protection. However, the data owner usually delegates the responsibility of the actual data management tasks to a data custodian.

Stewart, James M.; Chapple, Mike; Gibson, Darril. CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide. Wiley. Kindle Edition.

NIST SP 800-18

NIST SP 800-18 outlines the following responsibilities for the information owner, a role that can be read as equivalent to the data owner.

  • Establishes the rules for appropriate use and protection of the subject data/information (rules of behavior)
  • Provides input to information system owners regarding the security requirements and security controls for the information system(s) where the information resides
  • Decides who has access to the information system and with what types of privileges or access rights
  • Assists in the identification and assessment of the common security controls where the information resides.

Stewart, James M.; Chapple, Mike; Gibson, Darril. CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide. Wiley. Kindle Edition.
