topic Re: CISSP - Data Owners to Determine the Classification Required for the Data in Exam Preparation

CISSP - Data Owners to Determine the Classification Required for the Data

TDwyer2 — Mon, 31 Aug 2020 11:55:17 GMT

I'm working through the CISSP Self-Guided Certification and I have a question:

Why are we looking to allow the Data Owner to create the Classification?

Maybe I'm not looking at this incorrectly, but if a user at a company is creating the data, lets say a design engineer at an engineering firm creates a drawing of a device. Who would be the "Data Owner" in that scenario? Would it be the user that created it and maintains it or business that the user works for?

Thanks

Re: CISSP - Data Owners to Determine the Classification Required for the Data

dcontesti — Mon, 31 Aug 2020 12:46:35 GMT

Let me see if I can help and hopefully not make it more confusing.

The Data Classification system is typically developed by Information Security in conjunction with the Business. This helps define the number of classes of data and allows for the proper control and security measures to be put into place.

As to your example:

a user at a company is creating the data, lets say a design engineer at an engineering firm creates a drawing of a device. Who would be the "Data Owner" in that scenario? Would it be the user that created it and maintains it or business that the user works for?

First a design engineer typically would have a client (that client could be an external contract or the engineering firm itself). If the engineer is being paid by the engineering firm to develop devices, then the company they work for would be the data owner. In this case, the engineer would most likely work within a business unit/department and the manager would be the data owner.

If however it is a client than a different scenario drops into play. Its called a contract and the contract should define who owns the drawing.

A simplier example would be:

In accounting, there is a need to create a new spreadsheet for reporting purposes. The IT development department may develop the spreadsheet and may in some cases do database joins, etc to compile or fill in the information. In this case, the data belongs to the accounting department and it would make them the data owner. IT typically does not own any data.

Hope that helps, if not, let me know.

Re: CISSP - Data Owners to Determine the Classification Required for the Data

sergeling — Mon, 31 Aug 2020 13:22:40 GMT

data owner is respective to the entity; so the engineering firm has a data owner; the business that use the drawing also has a data owner.

Re: CISSP - Data Owners to Determine the Classification Required for the Data

Joelharris788 — Mon, 31 Aug 2020 18:22:57 GMT

I think that whoever the organization designated as the Data Owner for the engineering firm is the data owner for that information/drawing. Since several different people create data throughout the organization, the data owner should have developed security classification guidance for users/personnel to reference to help ensure that data is properly classified throughout the organization.

Re: CISSP - Data Owners to Determine the Classification Required for the Data

rslade — Mon, 31 Aug 2020 19:23:12 GMT

> Joelharris788 (Viewer) posted a new reply in Exam Preparation on 08-31-2020

> I think that whoever the organization designated as the Data Owner for
> the engineering firm is the data owner for that information/drawing. Since
> several different people create data throughout the organization, the data owner
> should have developed security classification guidance for users/personnel to
> reference to help ensure that data is properly classified throughout the
> organization.

I suspect that you guys are overthinking this. I *strongly* suspect that the
original question turns on the DAC/MAC distinction.

In discretionary access control, the owner tends to be simply the person who
creates the file. Under a mondatory access control system, the data owner assigns
sensitivity, but access is granted by the system, checking senistivity against
clearance.

Under a formal non-discretionary access control system, an access control office
may play the role of the data owner (or steward) in granting access. However, I
doubt that any of you would have work with such a system: they are pretty
ancient.

====================== (quote inserted randomly by Pegasus Mailer)
rslade@gmail.com rmslade@outlook.com rslade@computercrime.org
Wrinkles should merely indicate where smiles have been. - Mark Twain
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

Re: CISSP - Data Owners to Determine the Classification Required for the Data

TDwyer2 — Tue, 01 Sep 2020 12:40:06 GMT

Thank you, that clears it up a little bit.

In my example, something I have worked with for several years, the data owner would be the business and most of what the engineers are doing is modifying current designs for a customer under a contract. So inevitably the contract could stipulate how the data can be used/retained, but the business would be the owner.

Watching the videos, the instructor keeps saying "data owner" & "asset owner." I keep thinking its the creator of the data that owns it, which most times it would the person, like an author of a book, but it could easily be the business since the user could work for a business, like a game designer.