Which of the following is least likely done by the data owner?
A. Identify, locate, and take an inventory of data
B. Evaluate the business value of data
C. Determine the protection mechanisms of data
D. Be accountable for the data breach
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is A. Identify, locate, and take an inventory of data.
It’s impossible to assign the data owner if the data is not identified. A data owner is assigned only after data is identified, located, and the inventory is taken. Moreover, conducting a data inventory across the organization requires coordination, oversight, and leadership; a single individual or the management alone cannot do it.
Accountability refers to the commitment that persons make to something for somebody, for which they can legitimately be held liable for the consequences if a situation occurs. The best arrangement is to assign accountability to one and only one individual; a committee or a group is not a good choice for accountability.
Accountability is individually owned and is what takes place after a situation has already occurred. A recent article published by Springg HR explains that accountability is literally the ability and/or duty to report (or give account of) on events, tasks, and experiences. It has to do with answerability, blameworthiness, liability, and the expectation of reporting back on particular outcomes. Essentially, it is the way in which an individual chooses to respond and takes ownership of the results of a task that has been assigned to them.
Source: KATE DAGHER
Ownership brings accountability. A data owner is accountable for data security results and responsible for 1) classifying data based on their business value and 2) collaborating with the system owner and other stakeholders to determine security requirements and corresponding protection mechanisms.
A data owner is typically a member of the management team, has the authority and power to have the final say, and understands the business and operations well enough to evaluate the business value of data and classify them.
* A data inventory is a list of datasets with metadata that describes their contents, source, licensing and other useful information.
* A dataset is a collection of data that relates to a common topic or was curated for a common purpose. A dataset has a consistent standard in terms of its format and structure. A dataset can contain ‘raw data’, analysed results or derived information.
* An annotated list of datasets can help you to effectively locate, manage, use and share data. The context it provides can help users understand why data has been collected, what it contains, how it is managed and the ways it will be made available for others to use.
Source: Tim Beale
Data Inventory Process
The following is an example of a data inventory process from GovEx Labs:
- Step 1: Establish an Oversight Authority
- Step 2: Determine the Data Inventory Scope and Plan
- Step 3: Catalog Data Assets in Accordance with Inventory Plan
- Step 4: Data Inventory Quality Checks
- Step 5: Initiate Data Prioritization Efforts
References
- ‘People’ vs. ‘Persons’
- Difference Between Power and Authority
- How to Conduct a Data Inventory
- How to create a data inventory
- Data Inventory Guide
- Data Inventory: What Do You Have?
- Appointment of Dr. Matthew Graviss as Chief Data Officer
- What is a chief data officer? A leader who creates business value from data