After taking inventory, each asset shall be assigned an owner who is responsible for asset classification and held accountable for protecting the asset. Which of the following is the best candidate to assume ownership in terms of accountability?
A. Senior management as a whole
B. A committee at the board level
C. An individual member of the management
D. A group of senior business people
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is C. An individual member of the management.
Senior management is ultimately responsible for the ramifications and the bottom line. However, activities and tasks are allocated and assigned to various roles and individuals across the organization based on criteria such as a RACI matrix (responsible, accountable, consulted, and informed).
Accountability should be uniquely assigned and traceable, while responsibility can be shared. Harold pinpoints the key idea of accountability in his comment as follows:
Scrum Product Owner
For example, the Product Owner’s accountability specified in the Scrum Guide 2020:
- The Product Owner is accountable for maximizing the value of the product resulting from the work of the Scrum Team.
- The Product Owner is also accountable for effective Product Backlog management.
- The Product Owner is one person, not a committee.
Ownership and Accountability
To avoid playing the blame game, ownership and accountability are the solution. A data owner is accountable for data classification, for protection (in collaboration with the system owner), and for the result. He or she may delegate responsibilities to the data steward or data custodian, but the accountability cannot be delegated or transferred.
Accountability and Responsibility
Accountability is the sole authority of decision making and the ultimate responsibility for the result, while responsibility is the duty to implement the decision. Accountability is unique to an individual or party and cannot be shared, while responsibility can be shared to implement the decision collaboratively.
An owner owns the “accountability” rather than the right of “possession.” The data owner of customer profiles is accountable for a breach of that data. There are thousands of stories, excuses, and justifications behind any data breach; if you are the CEO, the data owner is the single and best point through which you can trace accountability.
Responsibilities and Authorities
When using the RACI matrix to assign roles and responsibilities in a data governance program, it’s crucial to hold one and only one role accountable for each task. If senior management delegates responsibilities to subordinates, the corresponding authority should be delegated as well.
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.
- It is available on Amazon.
- Readers from countries or regions not supported by Amazon can get your copy from the author’s web site.