An offboarding sales representative downloaded customer profiles owned by the head of the sales department from the file server onto a USB dongle on the day he left and sold them online. This data breach occurred because of miscommunication between the HR and IT departments: HR didn’t notify IT in time to disable the user accounts and revoke the privileges of the unhappy employee. As a CEO, which of the following roles do you think is accountable for the data breach of customer profiles? (Source: Wentz QOTD)
A. The system owner of the file server, due to inappropriate security controls
B. The vice president of HR, owing to lack of due care
C. The CIO, because of ineffective IT support for user provisioning/deprovisioning
D. The vice president of Sales, for the responsibility and authority of classification and protection
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is D. The vice president of Sales, for the responsibility and authority of classification and protection.
When it comes to information security governance, the board of directors and senior management are accountable and ultimately responsible for the result of information security. The vice presidents of HR and Sales and the CIO are members of senior management. Senior management, typically the CIO or IT head, plays the role of the system owner.
As a victim customer of the data breach, you will undoubtedly blame the board and senior management of the company, no matter which departments had committed the negligence. So does a CEO. As a CEO, you can just look up the data governance program, refer to the roles and responsibilities, and identify the data owner. In this question, the vice president of Sales owns the customer profiles and is accountable for data classification, protection, and the result.
Excuses and Justifications
Consider the following excuses and justifications: who is to blame? It’s a difficult decision.
- HR department
The sales representative stole the data in the morning, but he was fired in the afternoon after a quarrel with his supervisor. We have followed the exit procedure and exercised our due care.
- IT department
The sales representative had logged into the system when he arrived at the office. Even though our user provisioning system disabled his user account, his session remained active and held the previous privileges. It’s a common limitation of authentication systems.
- System owner
Our system processes many types of data. We are responsible for implementing common security controls and negotiating with data owners to implement security controls that meet their protection needs. Security controls for each type of data are based on the data owner’s classification and the security control framework specified in our company’s security standards.
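The IT excuse above describes a real deprovisioning gap: a session issued before the account was disabled keeps working because its privileges were captured at login. The following is an added example, not code from the original post, showing one way a defender closes that gap: the session token carries no privileges, disabling an account bumps a per-user revocation generation that invalidates every live session, and every request re-reads the account’s current status and privileges. All user names, privilege names and data are constructed for illustration.

```python
import secrets

# Constructed directory: account status and current privileges, keyed by user.
ACCOUNTS = {
    "jdoe": {"enabled": True, "privileges": {"read:customer_profiles"}},
    "asmith": {"enabled": True, "privileges": {"read:customer_profiles"}},
}

# Live sessions: token -> {"user": ..., "gen": revocation generation at login}
SESSIONS = {}
# Per-user revocation generation; bumped whenever all sessions must end.
REVOCATION_GEN = {}


def login(user: str) -> str:
    """Issue a session token. The token records only who logged in, never
    which privileges they held, so privileges are always looked up fresh."""
    if not ACCOUNTS.get(user, {}).get("enabled"):
        raise PermissionError("account disabled or unknown")
    token = secrets.token_urlsafe(16)
    SESSIONS[token] = {"user": user, "gen": REVOCATION_GEN.get(user, 0)}
    return token


def disable_user(user: str) -> None:
    """Deprovision: disable the account, drop its privileges and invalidate
    every session issued before this call (the immediate logoff case)."""
    ACCOUNTS[user]["enabled"] = False
    ACCOUNTS[user]["privileges"] = set()
    REVOCATION_GEN[user] = REVOCATION_GEN.get(user, 0) + 1


def authorize(token: str, privilege: str) -> bool:
    """Per-request check. A session is honoured only if it post-dates the
    latest revocation and the account is enabled and holds the privilege now."""
    session = SESSIONS.get(token)
    if session is None:
        return False
    user = session["user"]
    if session["gen"] < REVOCATION_GEN.get(user, 0):
        SESSIONS.pop(token, None)  # stale session: remove it eagerly
        return False
    account = ACCOUNTS.get(user)
    if account is None or not account["enabled"]:
        return False
    return privilege in account["privileges"]
```

Because `authorize` consults `ACCOUNTS` on every call, a privilege removed by the data owner takes effect on the very next request, not at the next login.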
Ownership and Accountability
To avoid playing the blame game, ownership and accountability are the solution. A data owner is accountable for data classification, protection (collaborating with the system owner), and the result. He or she may delegate responsibilities to the data steward or data custodian, but the accountability cannot be delegated or transferred.
Accountability and Responsibility
Accountability is the sole authority of decision making and the ultimate responsibility for the result, while responsibility is the duty to implement the decision. Accountability is unique to an individual or party and cannot be shared, while responsibility can be shared to implement the decision collaboratively.
An owner owns the “accountability” instead of the right of “possession.” The data owner of customer profiles is accountable for the data breach. There are thousands of stories, excuses, and justifications behind the data breach. As a CEO, the data owner is the sole and best window for you to trace accountability.
Responsibilities and Authorities
When using the RACI matrix to assign roles and responsibilities in a data governance program, it’s crucial to hold one and only one role accountable for each task. If senior management delegates responsibilities to subordinates, the corresponding authority should be delegated as well.
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and informative reference for security professionals.
- It is available on Amazon.
- Readers from countries or regions not supported by Amazon can get their copy from the author’s web site.