Your company has finished conducting an asset inventory. As the head of the sales department, you are assigned as the data owner of the customer master data. You are learning about the role and responsibilities of the data owner. Which of the following is least related to the data owner?

Kindly be reminded that the suggested answer is for your reference only. It doesn't matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is D. Define the classification scheme.

Accountability and Ultimate Responsibility

Owners make decisions and are accountable for those decisions. To be accountable, management (or even senior management) typically assumes the role of the data owner, so that a named person is accountable or ultimately responsible. Data owners, typically at the management level, are accountable for breaches of their data. They may (or may not) be members of senior management, who take the ultimate responsibility if the data is breached. Since the question asks which option is "least related to the data owner," option C, "Take the ultimate responsibility if the data is breached," is also a common and acceptable answer.

Classification Scheme

The classification scheme applies across the whole organization. It is predefined so that data owners can apply it to their own data rather than define it themselves. The CISO is an appropriate role for defining the classification scheme.

Roles in Data Governance

As information is the organization's primary asset, and data quality can be a legal or regulatory requirement in some sectors, data governance has become a trend, but one without an agreed definition. As a result, the author defines data governance as follows:

There are three typical roles in a data governance program: data owner, data steward, and data custodian.

Data Owner

NIST SP 800-18
Many organizations fail to implement an effective information security program because they do not properly classify and label their data and assets. It is the responsibility of an organization's leadership to implement data and asset classification in order to limit data breaches and the accidental loss of sensitive information, and to avoid the additional cost of securing data that does not require it.

So what is a data classification policy? It is a standalone document, or a section of the information security policy, that governs the process of labeling information assets. Data classification is not limited to information: it also covers the hardware that processes the information and the storage media that hold it. Data classification helps an organization assign a value to an asset based on its sensitivity and its criticality to the organization's mission and purpose.

Identify sensitive data for classification

Assigning a higher classification label to non-sensitive information results in a monetary loss to the organization (it pays for controls the data does not need), while assigning a lower classification to sensitive data may result in a data breach. Identifying the sensitivity and category of data is therefore a crucial step in implementing a robust data classification policy. Sensitive data can be identified by assessing the impact on operations if the data were breached. Industry standards and regulations also define the sensitivity of particular kinds of data. Common types of sensitive data:
The next challenge is to define the classifications and their labels. Typically an organization classifies data after a proper valuation, which involves both qualitative and quantitative analysis.
Implementing Data Classification

Stakeholders such as process owners within an organization should be instructed to identify their information assets and evaluate the risk associated with each asset in case of a breach. The process for identifying the critical assets that each process owner has access to should be documented so that the assets can be categorized. Classification labels should then be applied to information assets according to their sensitivity. Organizations often go beyond classifying data and also classify the systems that store, process and transmit sensitive and critically classified data; a system should carry at least the classification of the most sensitive data it handles. The last step is to secure the classified information assets by implementing policy, process and technical controls. Policy and process controls may involve adopting an IT governance or security management framework such as COBIT or ISO/IEC 27001 and maintaining compliance with regulators. Technical controls include segregation of access via VLANs, perimeter firewalls, DMZs and similar measures, applied in proportion to the asset's classification.

Security Spoc™ experts have helped organizations across different industries establish an effective information security program to stay secure and remain compliant.