Who is responsible for what in regards to our data?

It is critical to understand who does what with our data and what they are responsible for.
I cover all that in this video at the level you need for the CISSP exam.

Remember, the CISSP exam is a management-level exam; you need the right point of view to pass the exam.

You can get all my courses, free study materials, my free CISSP course and much more on https://thorteaches.com/

Transcript:

In this lecture, we are going to talk about the different types of roles we have in our organization and their responsibilities to ensure that our data is secure.
And as you can see with the little elephant over here, this is an important, important topic.
First off, we have the mission or the business owner.
This is senior leadership that makes the policies that govern our data security.
Remember, they are ultimately liable.
Just because they are ultimately liable does not mean anyone else is not liable as well.
We need to do our due care and our due diligence.
Then we have the actual data or information owner.
These are very critical.
They own the actual data.
It is theirs.
And because it is theirs, they decide how critical this data is and which sensitivity label it should be assigned.
They are normally someone management level for that specific group.
That could be a director of H.R. or payroll or any other department.
It could also be you for the data that is unique and owned by your group.
They are responsible for assigning the sensitivity.
They are also responsible for making sure that the proper security controls are in place, that we have proper backup.
But remember, they are responsible for it. They don’t do it.
And they approve access requests to their data.
They can sometimes delegate that to a subordinate.
But again here, they approve it.
They don’t grant it.
And I think these little differences and nuances are important.
That’s why I go in detail here.
I think you need to understand for the exam who grants an access, who approves it and who is responsible for all the little steps that we have to ensure our data is secure.
Which then brings us to the data custodian.
They are the practical hands-on techies who do all the things that maintain and protect our data.
That is backups and patches and restores and system configurations.
And they do all this at the direction of the data owner.
They are normally someone in the I.T. or the IT Security department.
Most places where I have been, they have been part of a backup team, a server team or a data center team.
Then we have the system owner.
That is the person that owns this system that the data is housed on.
That can be a data center manager or a server manager.
They own the physical hardware.
And they are responsible for the security profile on their systems to ensure that our system either does not share resources with other less secure systems, or if they do, that there are enough security controls in place, so it is less of a security risk.
In most cases, though, since virtual machines are so heavily used, it is smarter to isolate certain infrastructure to handle specific sensitivity levels.
They are also responsible for the security profile of those systems and that the systems are patched.
Again, they don’t do it themselves, but it is their responsibility.
Which then brings us to data controllers and data processors.
The data controllers create and manage our data within our organization.
That could be HR or payroll.
Since this is sensitive data, we need to make sure that what they do, they do securely.
And then the data processors, well, they process certain data for us.
That could be if we have outsourced our payroll.
How do we ensure that our data is secure enough with them?
Are their policies, their procedures, their practices enough for our security standard?
In this case, we would most likely have a right to audit.
So once a year we could come in and audit their processes and how they handle our data.
And since it is outsourced, we need to be clear on what the laws and regulations are, where they reside.
If it is out of state or out of country, they might have entirely different laws that they need to adhere to that may not be as stringent as ours.
As the next role, we have security administrators.
They are responsible for all the practical technical security things: firewalls, intrusion detection and intrusion prevention systems, security patches.
But they are also responsible for account creation and granting of access levels.
And they do that on the discretion of the data owner.
And you could see a question on the exam, “something something” a user needs access rights and then the keyword can be grant or it can be assigned.
Well, who grants the access then?
The access is granted by the data owner.
The access is assigned by the security administrator.
And this is why I keep saying, look for the key word on the questions.
They are super, super critical to answer what they’re actually asking.
And this is also why people say this is an English exam.
So read the question very carefully.
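The approve-versus-assign split described above, as an added example that is not part of the lecture: a small access-request workflow in which only the data owner (or a delegate the owner named) can approve, only a security administrator can assign, and the same person can never do both. The directory of owners, delegates and roles, and all names, are constructed assumptions.

```python
"""Added example (not from the lecture): a minimal access-request workflow
enforcing the split of duties the lecture describes. The data owner (or a
delegate the owner named) APPROVES; a security administrator ASSIGNS the
technical access; nobody may do both for the same request. All names,
roles and the data set here are constructed assumptions."""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed directory: who owns which data set and who holds which role.
DATA_OWNERS = {"payroll-db": "dana"}          # data owner per data set
OWNER_DELEGATES = {"dana": {"erin"}}          # subordinates an owner delegated approval to
ROLES = {"dana": "data_owner", "erin": "hr_manager",
         "sam": "security_admin", "bob": "user"}

@dataclass
class AccessRequest:
    requester: str
    dataset: str
    approved_by: Optional[str] = None
    assigned_by: Optional[str] = None
    history: List[str] = field(default_factory=list)

def approve(req: AccessRequest, approver: str) -> AccessRequest:
    """Only the data owner, or a delegate the owner named, may approve."""
    owner = DATA_OWNERS[req.dataset]
    if approver != owner and approver not in OWNER_DELEGATES.get(owner, set()):
        raise PermissionError(f"{approver} is not owner/delegate for {req.dataset}")
    if approver == req.requester:
        raise PermissionError("requester cannot approve their own request")
    req.approved_by = approver
    req.history.append(f"approved by {approver}")
    return req

def assign(req: AccessRequest, admin: str) -> AccessRequest:
    """Only a security administrator assigns, and only after owner approval."""
    if ROLES.get(admin) != "security_admin":
        raise PermissionError(f"{admin} is not a security administrator")
    if req.approved_by is None:
        raise PermissionError("no data-owner approval on record")
    if admin == req.approved_by:
        raise PermissionError("approver and assigner must be different people")
    req.assigned_by = admin
    req.history.append(f"assigned by {admin}")
    return req

if __name__ == "__main__":
    done = assign(approve(AccessRequest("bob", "payroll-db"), "dana"), "sam")
    print(done.history)   # approval by the owner, then assignment by the admin
```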
Supervisors are responsible for the users, well, they supervise.
Any actions those people take are their responsibility.
As well as any assets created by those people.
They are directly responsible for the awareness and the training that those users need.
Here again, that does not mean they do the training.
They are responsible for it happening.
The training would probably be done by the security team or an external team.
And then they are responsible for any updates to the team.
If someone moves to another department or gets another job title, it is the responsibility of the supervisor to notify the security department in an appropriate amount of time for them to make the needed changes.
If Bob moves from H.R. to payroll, well then, we need to remove his H.R. access rights and add payroll access rights.
Then we have the dreaded users.
They need to access that data to do their day-to-day job.
It’s data in use, we can’t encrypt it, so here, it is administrative controls.
It is awareness and training.
It is the supervisor’s responsibility that they clearly understand what is acceptable and what is not acceptable.
And if they have been trained and they do something that is outside of what is acceptable, well then what are the consequences?
What happens when you don’t follow our procedures, our policies and our standards?
My experience is that if we use a carrot rather than a stick, then we get further.
It is much more efficient and effective to reward correct behavior than it is to punish bad behavior.
Obviously, there needs to be consequences when they don’t do what they are supposed to.
But also remember, it is our responsibility to train them.
If they choose to ignore it, well then, that is on them.
And let’s round out this lecture by talking about auditors.
They can be both internal and external.
Most of what they do are detective controls.
They happen after the fact.
They go in and review and confirm that our security policies are implemented correctly, that we adhere to them, and that they provide the protection that they should.
And when I said most of the time before, they don’t always come in after the fact.
Sometimes they do persistent monitoring.
Let’s say we’re a bank and for a loan you need two supervisors to sign off on it.
Now, if only one supervisor signs off and the loan is submitted and someone pushes it through, that might raise an audit flag.
There might be a good reason for it.
There might not be two supervisors.
Maybe some of them are sick.
But again, the audit flag is raised.
They look at that specific case to see if something was happening here that shouldn’t have been.
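The persistent-monitoring check in the bank example, as an added example that is not part of the lecture: a detective control run over loan records that raises an audit flag for any submitted loan lacking two distinct supervisor sign-offs, so the auditor can then look at that specific case. The record format, the supervisor roster and the sample loans are constructed assumptions.

```python
"""Added example (not from the lecture): a detective control an auditor could
run continuously over loan records, flagging any loan that was submitted
without two DISTINCT supervisor sign-offs. A flag means "review this case",
not "wrongdoing occurred". The record format, the roster of supervisors and
the sample records are constructed assumptions."""
from typing import Dict, List

# Constructed roster of who holds supervisor authority.
SUPERVISORS = {"alice", "carol", "dave"}
REQUIRED_SIGNOFFS = 2

# Constructed sample records: loan id, status, list of sign-off names.
SAMPLE_LOANS: List[Dict] = [
    {"id": "L-1001", "status": "submitted", "signoffs": ["alice", "carol"]},  # fine
    {"id": "L-1002", "status": "submitted", "signoffs": ["alice"]},           # one supervisor
    {"id": "L-1003", "status": "submitted", "signoffs": ["carol", "carol"]},  # same person twice
    {"id": "L-1004", "status": "submitted", "signoffs": ["dave", "bob"]},     # bob is not a supervisor
    {"id": "L-1005", "status": "draft", "signoffs": []},                      # not submitted, no flag
]

def audit_flag(loan: Dict) -> str:
    """Return a reason string if the loan should be flagged, else ''."""
    if loan["status"] != "submitted":
        return ""   # sign-offs are only required once a loan is submitted
    # Count distinct signers who actually hold supervisor authority.
    valid = {name for name in loan["signoffs"] if name in SUPERVISORS}
    if len(valid) < REQUIRED_SIGNOFFS:
        return (f"{loan['id']}: {len(valid)} distinct supervisor sign-off(s), "
                f"{REQUIRED_SIGNOFFS} required (signers: {loan['signoffs']})")
    return ""

def run_audit(loans: List[Dict]) -> List[str]:
    """Persistent-monitoring pass: collect every flag raised over the records."""
    return [flag for loan in loans if (flag := audit_flag(loan))]

if __name__ == "__main__":
    for line in run_audit(SAMPLE_LOANS):
        print("AUDIT FLAG", line)
```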