Your company finished conducting an asset inventory. As the head of the sales department, Sandy is assigned as the data owner of the customer master data. The sales processes are supported by the ERP system which is tasked to process data from different departments and owned by the CIO, Cynthia – the system owner. In a meeting of information security steering committee, Sandy proposes that multi-factor authentication should be implemented on the ERP system to ensure sufficient security level to protect the customer master data. As a chairperson, how should the proposal be addressed?
A. Implement the multi-factor authentication as Sandy is the data owner of the customer master data
B. Ask Sandy to provide suggested multi-factor authentication solutions
C. Have Cynthia in charge of the proposal
D. Call for votes on the spot to determine if the proposal is accepted
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is C. Have Cynthia in charge of the proposal.
Data owners are usually business people; they are not necessarily technology savvy. It’s unwise to waste business people’s time surveying, evaluating, and suggesting multi-factor authentication solutions.
System-Specific Security Control
Multi-factor authentication on the ERP system is a system-specific security control which affects not only the customer master data but other data from different departments, so the final decision should be made by the system owner.
Risk Assessment and Change Management
Being “in charge of” the proposal doesn’t mean saying yes. Cynthia still has to evaluate the proposal and communicate with the other data owners to assess the risk. If it’s feasible, the change management process should be followed; if not, the proposal should be rejected.
NIST SP 800-18
System Owners
The system owner is the person who owns the system that processes sensitive data. NIST SP 800-18 outlines the following responsibilities for the system owner:
- Develops a system security plan in coordination with information owners, the system administrator, and functional end users
- Maintains the system security plan and ensures that the system is deployed and operated according to the agreed-upon security requirements
- Ensures that system users and support personnel receive appropriate security training, such as instruction on rules of behavior (or an AUP)
- Updates the system security plan whenever a significant change occurs
- Assists in the identification, implementation, and assessment of the common security controls
The system owner is responsible for ensuring that data processed on the system remains secure. This includes identifying the highest level of data that the system processes. The system owner then ensures that the system is labeled accurately and that appropriate security controls are in place to protect the data. System owners interact with data owners to ensure the data is protected while at rest on the system, in transit between systems, and in use by applications operating on the system.
Stewart, James M.; Chapple, Mike; Gibson, Darril. CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide. Wiley. Kindle Edition.
System-Specific Security Control
A System-Specific Security Control is “a security control for an information system that has not been designated as a common security control or the portion of a hybrid control that is to be implemented within an information system.”
Common Security Control
A Common Security Control is a security control that may apply across information systems and/or other assets.
Hybrid Security Control
A Hybrid Security Control is a security control that is implemented in an information system in part as a common control and in part as a system-specific control.