Your organization is developing a Transportation Management System (TMS) that processes two types of data: air and ground transportation data. It is time to categorize the system to determine baseline security controls. Which of the following roles participates least in the system categorization process?
A. Executive management
B. Data custodian
C. Information owner
D. System owner
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is B. Data custodian.
According to NIST SP 800-37 R2, “the security categorization process is carried out by the system owner and the information owner or steward in cooperation and collaboration with senior leaders and executives with mission, business function, or risk management responsibilities.”
- A custodian has day-to-day responsibilities for protecting and storing data.
- The data custodian role is assigned to the user who is responsible for the tasks of implementing the prescribed protection defined by the security policy and senior management.
- The data custodian performs all activities necessary to provide adequate protection for the CIA Triad (confidentiality, integrity, and availability) of data and to fulfill the requirements and responsibilities delegated from upper management. These activities can include performing and testing backups, validating data integrity, deploying security solutions, and managing data storage based on classification.
Stewart, James M.; Chapple, Mike; Gibson, Darril. CISSP (ISC)² Certified Information Systems Security Professional Official Study Guide (Kindle Locations 2073-2077). Wiley. Kindle Edition.