Your company sells toys online worldwide. A web-based E-Commerce system developed in-house supports the business. The EC system, owned by the IT manager, processes a variety of data owned by department heads. As a CISO, which of the following is the best arrangement to determine security controls for the EC system?
B. Data owners
C. The System owner
D. The IT manager and data owners
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is D. The IT manager and data owners.
Owners are accountable for something. Data owners are accountable for their data, while system owners are accountable for information systems.
An information system may process one or more types of data, so the system owner (IT manager) has to collaborate with data owners to determine security controls. If a system owner determines all the security controls, data owners can play the blame game because their protection needs are not considered and addressed.
There are various security controls: some are applied at the data level, some at the system level, and others are common controls (e.g., the physical access control to data centers). Data are protected by the sum of those controls, which are determined by different authorities.
A single information system may contain information from multiple information owners/stewards. Information owners/stewards provide input to information system owners regarding the security requirements and security controls for the systems where the information is processed, stored, or transmitted.
Source: NIST SP 800-39
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and informative reference for security professionals.
- It is available on Amazon.
- Readers from countries or regions not supported by Amazon can get your copy from the author’s web site.