I'm working through the CISSP Self-Guided Certification and I have a question:
Why are we looking to allow the Data Owner to create the Classification?
Maybe I'm not looking at this incorrectly, but if a user at a company is creating the data, let's say a design engineer at an engineering firm creates a drawing of a device, who would be the "Data Owner" in that scenario? Would it be the user that created it and maintains it, or the business that the user works for?
Let me see if I can help and hopefully not make it more confusing.
The Data Classification system is typically developed by Information Security in conjunction with the Business. This helps define the number of classes of data and allows for the proper control and security measures to be put into place.
As to your example:
a user at a company is creating the data, let's say a design engineer at an engineering firm creates a drawing of a device. Who would be the "Data Owner" in that scenario? Would it be the user that created it and maintains it, or the business that the user works for?
First, a design engineer typically would have a client (that client could be an external contract or the engineering firm itself). If the engineer is being paid by the engineering firm to develop devices, then the company they work for would be the data owner. In this case, the engineer would most likely work within a business unit/department, and the manager would be the data owner.
If, however, it is a client, then a different scenario drops into play. It's called a contract, and the contract should define who owns the drawing.
A simpler example would be:
In accounting, there is a need to create a new spreadsheet for reporting purposes. The IT development department may develop the spreadsheet and may in some cases do database joins, etc., to compile or fill in the information. In this case, the data belongs to the accounting department, and that would make them the data owner. IT typically does not own any data.
Hope that helps; if not, let me know.
I think that whoever the organization designated as the Data Owner for the engineering firm is the data owner for that information/drawing. Since several different people create data throughout the organization, the data owner should have developed security classification guidance for users/personnel to reference to help ensure that data is properly classified throughout the organization.
Thank you, that clears it up a little bit.
In my example, something I have worked with for several years, the data owner would be the business and most of what the engineers are doing is modifying current designs for a customer under a contract. So inevitably the contract could stipulate how the data can be used/retained, but the business would be the owner.
Watching the videos, the instructor keeps saying "data owner" & "asset owner." I keep thinking it's the creator of the data that owns it, which most times it would be the person, like an author of a book, but it could easily be the business, since the user could work for a business, like a game designer.