Effective CISSP Questions

Which of the following is least likely done by the data owner?
A. Identify, locate, and take an inventory of data
B. Evaluate the business value of data
C. Determine the protection mechanisms of data
D. Be accountable for the data breach

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is A. Identify, locate, and take an inventory of data.

It’s impossible to assign the data owner if the data is not identified. A data owner is assigned only after data is identified, located, and the inventory is taken. Moreover, conducting a data inventory across the organization requires coordination, oversight, and leadership; a single individual or the management alone cannot do it.

Data and System Owners
Data and System Owners


Accountability refers to the engagement that persons commit to something for somebody and legitimately be held liable for the consequences if a situation occurs. It the best arrangement that accountability is assigned to one and only one individual; a committee or a group is not a good choice for accountability.

Accountability is individually owned and is what takes place after a situation has already occurred. A recent article published by Springg HR explains that accountability is literally the ability and/or duty to report (or give account of) on events, tasks, and experiences. It has to do with answerability, blameworthiness, liability, and the expectation of reporting back on particular outcomes. Essentially, it is the way in which an individual chooses to respond and takes ownership of the results of a task that has been assigned to them.


Data Owner

Ownership brings accountability. A data owner is accountable for data security results and responsible for 1) classifying data based on their business value and 2) collaborating with the system owner and other stakeholders to determine security requirements and correspondent protection mechanisms.

A data owner is typically a member of the management team, has the authority and power to have the final say, and understand the business and operation very well to evaluate the business value of data and classify them.

Data Inventory

* A data inventory is a list of datasets with metadata that describes their contents, source, licensing and other useful information.

* A dataset is a collection of data that relates to a common topic or was curated for a common purpose. A dataset has a consistent standard in terms of its format and structure. A dataset can contain ‘raw data’, analysed results or derived information.

* An annotated list of datasets can help you to effectively locate, manage, use and share data. The context it provides can help users understand why data has been collected, what it contains, how it is managed and the ways it will be made available for others to use.

Source: Tim Beale

Data Inventory Process

The following is an example of data inventory process from GovEx Labs:

  • Step 1: Establish an Oversight Authority
  • Step 2: Determine the Data Inventory Scope and Plan
  • Step 3: Catalog Data Assets in Accordance with Inventory Plan
  • Step 4: Data Inventory Quality Checks
  • Step 5: Initiate Data Prioritization Efforts



My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

數據所有者(data owner)最不可能進行以下那項工作?
A. 識別,查找和盤點數據
B. 評估數據的業務價值
C. 確定數據保護機制
D. 對數據的外洩負責

Leave a Reply