Effective CISSP Questions

Which of the following is the best role to classify enterprise proprietary data?
A. Data controller
B. Data processor
C. Data steward
D. System owner

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is C. Data steward.

Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.

Proprietary data and personal data (or PII) are vital topics of data governance. As personal data are often privacy-sensitive, information/data security and privacy are treated separately in the cybersecurity context. For example, NIST SP 800-53 R5 provides security controls and privacy controls; ISO 27001 (ISMS) deals with information security, while ISO 27701 takes care of privacy information.

Proprietary Data Roles

  • Data Owner: classification, authorization, and accountability
  • Data Steward: data quality
  • Data Custodian: implementation and daily routines

A data owner is accountable for the data he “owns,” so members of the management team typically assume this role. However, he can delegate the responsibilities to anyone (e.g., data steward or data custodian) but remains accountable for the outcome.

In NIST guidelines, the Data Steward is often equivalent to the Data Owner (or is delegated by the Data Owner) because a data owner doesn’t really have ownership of “personal data.” They seem to sidestep the argument over personal data ownership by not using controversial terms.

In the private sector, the data roles can be implemented in a more clear-cut way. Organizations can add more roles to their data governance program to meet their requirements; data roles are not limited to the three mentioned above. Moreover, organizations can use any role names they like.

Personal Data Roles

  • Data Subject/Principal
  • Data Controller
  • Data Processor

In my opinion, the ownership of personal data should belong to the data subject. Organizations don’t “own” them but control and process them only. A data controller determines the purpose and means of processing; a data processor processes personal data on behalf of the data controller and according to the purpose and means determined by the data controller.


CISSP PRACTICE QUESTIONS – 20210706