Dear Team
Can anyone explain the practical difference between Information Owner & Information System Owner?
Are both these terms directed to one person and do they share the same roles & responsibilities?
Is Information Owner a Data Owner?
Is Information Owner a System Owner?
OR
Is Information Owner a Business Process Owner?
Thanks
Nitesh
Nitesh,
Rather than me writing a quick essay on the several terms you have asked about, I'd like to propose a different way for you to get your answer.
1. Describe the context in which you came across these terms in your studies.
2. Put the context of your question into a major business organization that includes the following functional departments:
a. Information Technology (IT) responsible for selection, maintenance, and operation of all company-owned computers, data storage, and telephones, as well as oversight of contracted external IT functions such as cloud services and cybersecurity-related activities.
b. Human resources (HR) responsible for all personnel screening, hiring, and benefits decisions and records.
c. Office of the General Counsel (OGC) responsible for all company contracts, ethics management, legal compliance, and protection of corporate intellectual property (IP).
d. Accounting & Finance (A&F) responsible for all financial records, billing, accounts receivable, invoice receipt and payment, and internal audits.
e. Corporate officers to include Comptroller, General Counsel (GC), HR Director, Chief Privacy Officer, Chief Information Officer (CIO), Chief Information Security Officer (CISO), Chief Operating Officer (COO), etc.
Remember, the CISSP is about thinking like a senior security manager.
Please post your thoughts here using the above approach, and many of us will be happy to give our reactions to your analysis.
Looking forward to your post.
Craig
Dear Craig
Thanks for your reply.
My question arises from the practice question below.
Which of the following is a responsibility of the information owner?
Normally in our business practice we have a data owner representing the business who owns the data and approves access requests to data for their respective module, e.g. Finance, Commercial, etc.
Information System Owner is more a technical person who owns the system and overall owns the maintenance & operations.
I am quite confused with the role of Information Owner and not able to relate this term to business practice.
Hence I posted my question.
Appreciate your guidance.
Thanks
Nitesh
In practice an information owner will own the data within an IT system. So say it's a Finance System, then the information owner is very likely to be someone senior within the Finance department. Information System Owners are likely to be responsible for the IT system itself, so where the Finance IT system is provided centrally by an IT department, the information system owner would be someone in IT, responsible for the technologies that make up the Finance system.
Also think like this:
HR owns HR data. But they do not maintain any IT systems, so they do not own the servers or infrastructure the information resides on (the information system). So before the IT dept makes changes to the system the HR data resides on, they should inform the HR dept. If HR dept changes HR data, they do not need to inform IT.
Now both HR and IT could be Business process owners, they would just be responsible for the process that affects them. For example, if HR has a business process for inputting new employees, it is not related to the IT department. The IT department may have a business process for installing new servers. It does not require the HR department for installation, but they might be notified when it was done, IF it affected the HR server or HR system infrastructure.
Another way to think of it is like renting an apartment. You would be responsible for the furniture and personal belongings in your apartment. The landlord would be responsible for the fixtures and infrastructure of the apartment and make sure that the sinks and heat/air etc. are still working but not really care about your furniture. In this case you would be the information owner and the landlord would be the information system owner. You could have your own business process for moving in and out of your apartment and the landlord can have their own process for when someone moves into or out of an apartment.
Hi
Seeing the comments, if I relate Information Owner to Data Owner then for the question below I would choose Option C as the best answer.
Which of the following is a responsibility of the information owner?
Any other thoughts?
Thanks
Nitesh
@Nitesh wrote:Hi
Seeing the comments, if I relate Information Owner to Data Owner then for the question below I would choose Option C as the best answer.
Which of the following is a responsibility of the information owner?
- A. Ensure that users and personnel complete the required security training to access the Information System (IS)
- B. Defining proper access to the Information System (IS), including privileges or access rights
- C. Managing identification, implementation, and assessment of common security controls
- D. Ensuring the Information System (IS) is operated according to agreed upon security requirements
Any other thoughts?
Thanks
Nitesh
Nitesh,
I am going to suggest you look again at a couple of the responses, and re-think your answer.
Note @CISOScott pointed out that HR knows HR data and is responsible for that data (information), but does not run the IT system that stores and processes that data.
Consider again what Grandpa Rob @rslade said,
"The information owner (and, you're right, aka data owner) is, generally speaking
these days, anybody who creates a file. You made it, you own it, you get to grant
permissions to it (under DAC, which is almost universal these days).
"The information system owner is the guy who bought the computer, and generally
has no formal meaning in terms of infosec. (Except that he's probably the guy
who has to do the BCP to ensure it keeps running.)"
And review how many separate job-specific data sets exist, based on my initial reply.
Now, look again at your choices. You want to select C, management of common security controls. IF the HR director knows about and owns HR data, should that director really be managing controls for financial and contracting and health data? Remember the IT system houses all of those and other sets.
Each data owner (HR, GC, A&F, etc.) knows the sensitivity of their data, and also knows who, by role or assignment, should be able to see the data, who should be able to add data, who should be able to change the data, and even who (if anyone) should be able to delete the data.
With this added information, do you still like C?
Craig
Hi Craig
Thanks for your advice.
Please see my rationale below.
Option A: Ensure that users and personnel complete the required security training to access the Information System (IS); this is more the responsibility of the IT system owner, to make sure security awareness & training is done.
Option B: Defining proper access to the Information System (IS), including privileges or access rights; classification of data is under the Data Owner's jurisdiction, as is approving access to the information in the system. The Data Owner decides who has access to the information system and with what types of privileges or access rights.
Option C: Managing identification, implementation, and assessment of common security controls; the Information Owner/Data Owner should be responsible and accountable for identifying the criticality & security of his/her data. They don't directly manage the implementation/assessment of controls but are ultimately responsible for the same, as they will sign off the control design assessment & control effectiveness results.
Option D: Ensuring the Information System (IS) is operated according to agreed upon security requirements; this falls under the IT system owner, to make sure all identified security controls and requirements are implemented.
I would like to change my answer to Option B, as Option C is more about managing day-to-day work, which does not fall under the information owner's bucket.
Your thoughts?
Thanks
Nitesh
@Nitesh One of the things you will have to do when answering questions is this: analyze each answer and then choose the BEST one available.
Which of the following is a responsibility of the information owner? (So we are looking for ONE of the responsibilities of an Information Owner (IO). Not all of them, not necessarily the primary one, so just one responsibility of the IO.)
So we have 2 answers that could be viable, B & D. So which is the best out of the two? In my opinion, D is the better answer, because in order to choose D you would have to understand that one of the responsibilities of an information owner is to set forth the requirements around data security in an agreement. And what was the original question?
Which of the following is a responsibility of the information owner?
So if your answer key does not specify D then you have a bad question (LOL!). Seriously, there are some bad questions out there, but hopefully your answer key has explanations of what makes each answer wrong and right, IN THE MIND OF THAT QUESTION WRITER. Studying why you got an answer wrong, so you can understand why you made that choice and fix your thinking, will help your studies more than just shooting for a certain passing percentage. Remember the goal is knowledge, not a piece of paper.
This goes for any test/exam you take. Look at how I attacked the question first, not just jumping right to the answers. First I looked really hard to see what the question was asking for. There are key words to pay attention to. They were looking for one thing in this case. Another question might be asking for the best, most important, key item, etc. Make sure you first understand what the question is looking for. Then, once you know that, you can begin ordering the responses to choose from. Sometimes you might be able to eliminate answers. I say rank them instead of just eliminating them. I like to say I like this choice more or less than the one before it. This can help you narrow down and choose from the best of the choices available. Notice I did not say the right answer. Sometimes the BEST or "right" answer will not even be among the choices, but one of the choices available is the BEST of the choices to choose from. Some questions might have multiple correct answers, but the situation in the question will make one of them better, for that question.
So after reading the responses to this question make sure you understand:
- The responsibilities of an information or data owner
- The responsibilities of an information system owner
- What common controls are and how they can affect an IO and an IS owner
- What security agreements are and why they exist (Memorandums of Understanding (MOUs), Service Level Agreements (SLAs), etc.)
So what is this question really testing? Do you understand the responsibilities of an information owner AND an information system owner? Even though it only asks about one of them, you will really have to know not only both of their responsibilities, but how they interact with each other.