Effective CISSP Questions

Information is the asset of the organization. Which of the following refers to the careful and responsible management of information belonging to the organization as a whole, regardless of the entity or source that may have originated, created, or compiled the information?
A. Information custodianship
B. Information assurance
C. Information stewardship
D. Information ownership

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is C. Information stewardship.

Information Owner and Steward

NIST SP 800-39

This question is designed as a marker to highlight the inconsistency and vagueness of data governance role terminology: information owner, steward, and custodian; ownership, stewardship, and custodianship. It is a rewording of the following passage from NIST SP 800-39:

Federal information is an asset of the Nation, not of a particular federal agency or its subordinate organizations. In that spirit, many federal agencies are developing policies, procedures, processes, and training needed to end the practice of information ownership and implement the practice of information stewardship.

Information stewardship is the careful and responsible management of federal information belonging to the Nation as a whole, regardless of the entity or source that may have originated, created, or compiled the information.

Information stewards provide maximum access to federal information to elements of the federal government and its customers, balanced by the obligation to protect the information in accordance with the provisions of FISMA and any associated security-related federal policies, directives, regulations, standards, and guidance.


  • In NIST guidelines, “information owner/steward,” written with a slash, is the most common form of expression.
  • The NIST glossary does not include the term “custodian,” and the term does not appear in NIST guidelines.


  • It introduces the data owner and the data custodian, and it uses “information owner” and “data owner” interchangeably.
  • It mentions “stewardship” but does not define or address it.
  • The data custodian is responsible for 1) data security and 2) data content, quality, and management criteria. However, the view of responsibility #2 differs from that of some data governance books, which assign data content and quality to the data steward rather than the custodian.

4 thoughts on “CISSP PRACTICE QUESTIONS – 20200208”

  1. A. Information custodianship.
    The organisation is responsible for overseeing and implementing the necessary safeguards to protect the information assets.

    • A. is the right answer. What about comments on the other answers that have been posted? It would be nice to update me on whether I answered them right or not.

