Effective CISSP Questions

After taking inventory, each asset shall be assigned an owner responsible for asset classification and held accountable for protecting the asset. Which of the following is the best candidate to assume the ownership in terms of accountability?
A. Senior management as a whole
B. A committee at the board level
C. An individual member of the management
D. A group of senior business people

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is C. An individual member of the management.

Senior management is ultimately answerable for the consequences and for the bottom line. However, activities and tasks are allocated and assigned to various roles and individuals across the organization based on criteria such as a RACI matrix, an acronym for responsible, accountable, consulted, and informed.

Accountability should be uniquely assigned and traceable, while responsibility can be shared. Harold pinpoints the key idea of accountability in his comment as follows:

Scrum Product Owner

For example, the Product Owner’s accountability specified in the Scrum Guide 2020:

  • The Product Owner is accountable for maximizing the value of the product resulting from the work of the Scrum Team.
  • The Product Owner is also accountable for effective Product Backlog management.
  • The Product Owner is one person, not a committee.

Ownership and Accountability

To avoid playing the blame game, ownership and accountability are the solution. A data owner is accountable for data classification, protection (collaborating with the system owner), and the result. He or she may delegate responsibilities to the data steward or data custodian, but the accountability cannot be delegated or transferred.

Data and System Owners

Accountability and Responsibility

Accountability is the sole authority of decision making and the ultimate responsibility for the result, while responsibility is the duty to implement the decision. Accountability is unique to an individual or party and cannot be shared, while responsibility can be shared to implement the decision collaboratively.

An owner owns the “accountability,” not the right of “possession.” The data owner of customer profiles is accountable for a breach of that data. There are thousands of stories, excuses, and justifications behind a data breach; for a CEO, the data owner is the single and best window through which to trace accountability.

Responsibilities and Authorities

When using the RACI matrix to assign roles and responsibilities in a data governance program, it is crucial to hold one and only one role accountable for each task. If senior management delegates responsibilities to subordinates, the corresponding authority must be delegated as well.
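The rules stated above (one and only one accountable party per asset, the owner is an individual rather than a committee, and responsibility may be delegated while accountability stays put) can be enforced mechanically in an asset register. The following is an added example written for this post, not code from the original article; the parties, asset names and classifications are constructed sample data, and the `Role`, `Party`, `Asset` and `validate_register` names are my own.

```python
from dataclasses import dataclass, field
from enum import Enum


class Role(Enum):
    """RACI roles: Responsible, Accountable, Consulted, Informed."""
    RESPONSIBLE = "R"
    ACCOUNTABLE = "A"
    CONSULTED = "C"
    INFORMED = "I"


@dataclass(frozen=True)
class Party:
    """A role holder. Committees, boards and groups are not individuals."""
    name: str
    is_individual: bool


@dataclass
class Asset:
    name: str
    classification: str = "unclassified"
    # RACI assignments for this asset: party -> set of roles held
    raci: dict = field(default_factory=dict)

    def assign(self, party: Party, *roles: Role) -> None:
        self.raci.setdefault(party, set()).update(roles)

    def accountable_parties(self) -> list:
        return [p for p, roles in self.raci.items() if Role.ACCOUNTABLE in roles]

    def owner(self) -> Party:
        """The asset owner is the one and only accountable party."""
        parties = self.accountable_parties()
        if len(parties) != 1:
            raise ValueError(
                f"{self.name}: expected exactly one accountable party, found {len(parties)}"
            )
        return parties[0]

    def delegate(self, delegate: Party, *roles: Role) -> None:
        """The owner delegates duties (R/C/I) to a steward or custodian.
        Accountability is never part of a delegation."""
        if Role.ACCOUNTABLE in roles:
            raise ValueError("accountability cannot be delegated or transferred")
        self.owner()  # a valid owner must exist before anything is delegated
        self.assign(delegate, *roles)


def validate_register(assets: list) -> list:
    """Return findings for every RACI rule the register violates; an empty
    list means the register is compliant."""
    findings = []
    for asset in assets:
        accountable = asset.accountable_parties()
        if not accountable:
            findings.append(f"{asset.name}: no accountable owner assigned")
        elif len(accountable) > 1:
            names = ", ".join(p.name for p in accountable)
            findings.append(
                f"{asset.name}: accountability shared by {names}; exactly one party must be accountable"
            )
        for party in accountable:
            if not party.is_individual:
                findings.append(
                    f"{asset.name}: accountable party '{party.name}' is a committee or group, not an individual"
                )
        if asset.classification == "unclassified":
            findings.append(f"{asset.name}: the owner has not classified the asset")
    return findings


def build_sample_register() -> list:
    """Constructed sample data: one compliant asset and one that breaks the rules."""
    cio = Party("Alice Chen (CIO)", is_individual=True)
    board = Party("Board risk committee", is_individual=False)
    dba = Party("Bob Lee (DBA, data custodian)", is_individual=True)

    profiles = Asset("customer-profiles", classification="confidential")
    profiles.assign(cio, Role.ACCOUNTABLE)
    profiles.delegate(dba, Role.RESPONSIBLE)  # responsibility shared; accountability stays with the CIO

    payroll = Asset("payroll-db")
    payroll.assign(board, Role.ACCOUNTABLE)  # a committee cannot be the owner
    payroll.assign(cio, Role.ACCOUNTABLE)    # a second accountable party is not allowed
    return [profiles, payroll]


if __name__ == "__main__":
    for finding in validate_register(build_sample_register()):
        print(finding)
```

Running the module prints three findings for `payroll-db` and none for `customer-profiles`; the `delegate` method is the code-level expression of the point that a data owner may hand responsibilities to a custodian but never the accountability itself.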

My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

After taking inventory, each asset shall be assigned an asset owner who is responsible for classifying the asset and accountable for protecting it. In terms of accountability, which of the following is the best candidate to assume ownership?
A. Senior management as a whole
B. A committee at the board level
C. An individual member of management
D. A group of senior people who know the business well
