Nitesh
Newcomer II

Information Owner vs Information System Owner

Dear Team

Can anyone explain the practical difference between Information Owner and Information System Owner?

Are both these terms directed to one person, and do they share the same roles and responsibilities?

Is Information Owner a Data Owner?

Is Information Owner a System Owner?

OR

Is Information Owner a Business Process Owner?

Thanks

Nitesh

9 Replies
CraginS
Defender I


@Nitesh wrote:

Dear Team

Can anyone explain the practical difference between Information Owner and Information System Owner?

Are both these terms directed to one person, and do they share the same roles and responsibilities?

Is Information Owner a Data Owner?

Is Information Owner a System Owner?

OR

Is Information Owner a Business Process Owner?

Thanks

Nitesh


Nitesh,

Rather than me writing a quick essay on the several terms you have asked about, I'd like to propose a different way for you to get your answer.

1. Describe the context in which you came across these terms in your studies.

2. Put the context of your question into a major business organization that includes the following functional departments:

a. Information Technology (IT), responsible for selection, maintenance, and operation of all company-owned computers, data storage, and telephones, as well as oversight of contracted external IT functions such as cloud services and cybersecurity-related activities.

b. Human Resources (HR), responsible for all personnel screening, hiring, and benefits decisions and records.

c. Office of the General Counsel (OGC), responsible for all company contracts, ethics management, legal compliance, and protection of corporate intellectual property (IP).

d. Accounting & Finance (A&F), responsible for all financial records, billing, accounts receivable, invoice receipt and payment, and internal audits.

e. Corporate officers, to include Comptroller, General Counsel (GC), HR Director, Chief Privacy Officer, Chief Information Officer (CIO), Chief Information Security Officer (CISO), Chief Operating Officer (COO), etc.

Remember, the CISSP is about thinking like a senior security manager.

Please post your thoughts here using the above approach, and many of us will be happy to give our reactions to your analysis.

Looking forward to your post.

Craig

D. Cragin Shelton, DSc
Dr.Cragin@iCloud.com
My Blog
My LinkedIn Profile
My Community Posts
Nitesh
Newcomer II

Dear Craig

Thanks for your reply.

My question arises from the practice question below.

Which of the following is a responsibility of the information owner?

  • A. Ensure that users and personnel complete the required security training to access the Information System (IS)
  • B. Defining proper access to the Information System (IS), including privileges or access rights
  • C. Managing identification, implementation, and assessment of common security controls
  • D. Ensuring the Information System (IS) is operated according to agreed upon security requirements

Normally in our business practice we have a data owner representing the business who owns the data and approves access requests to the data for their respective module, e.g. Finance, Commercial, etc.

The Information System Owner is more a technical person who owns the system and overall owns the maintenance and operations.

I am quite confused with the role of Information Owner and not able to relate this term to business practice.

Hence I posted my question.

Appreciate your guidance.

Thanks

Nitesh

Steve-Wilme
Advocate II

In practice an information owner will own the data within an IT system. So, say it's a Finance system; then the information owner is very likely to be someone senior within the Finance department. Information System Owners are likely to be responsible for the IT system itself, so where the Finance IT system is provided centrally by an IT department, the information system owner would be someone in IT, responsible for the technologies that make up the Finance system.

 

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS
CISOScott
Community Champion

Also think like this:

HR owns HR data. But they do not maintain any IT systems, so they do not own the servers or infrastructure the information resides on (the information system). So before the IT dept makes changes to the system the HR data resides on, they should inform the HR dept. If HR dept changes HR data, they do not need to inform IT.

Now both HR and IT could be Business process owners, they would just be responsible for the process that affects them. For example, if HR has a business process for inputting new employees, it is not related to the IT department. The IT department may have a business process for installing new servers. It does not require the HR department for installation, but they might be notified when it was done, IF it affected the HR server or HR system infrastructure.

 

Another way to think of it is like renting an apartment. You would be responsible for the furniture and personal belongings in your apartment. The landlord would be responsible for the fixtures and infrastructure of the apartment and make sure that the sinks and heat/air etc. are still working but not really care about your furniture. In this case you would be the information owner and the landlord would be the information system owner. You could have your own business process for moving in and out of your apartment and the landlord can have their own process for when someone moves into or out of an apartment.

rslade
Influencer II

> Nitesh (Newcomer I) posted a new topic in Exam Preparation on 11-29-2020 05:34 PM in the (ISC)² Community :

>   Can anyone explain the practical difference between Information Owner &
> Information System Owner. Are both these terms directed to one person and do
> they share the same roles & responsibilities?   Is Information Owner a Data
> Owner? Is Information Owner a System Owner?

The information owner (and, you're right, aka data owner) is, generally speaking
these days, anybody who creates a file. You made it, you own it, you get to grant
permissions to it (under DAC, which is almost universal these days).

The information system owner is the guy who bought the computer, and generally
has no formal meaning in terms of infosec. (Except that he's probably the guy
who has to do the BCP to ensure it keeps running.)

====================== (quote inserted randomly by Pegasus Mailer)
rslade@gmail.com rmslade@outlook.com rslade@computercrime.org
It's not me who can't keep a secret. It's the people I tell that
can't. - Abraham Lincoln
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413


This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
Nitesh
Newcomer II

Hi

Seeing the comments, if I relate Information Owner to Data Owner then, for the question below, I would choose Option C as the best answer.

Which of the following is a responsibility of the information owner?

  • A. Ensure that users and personnel complete the required security training to access the Information System (IS)
  • B. Defining proper access to the Information System (IS), including privileges or access rights
  • C. Managing identification, implementation, and assessment of common security controls
  • D. Ensuring the Information System (IS) is operated according to agreed upon security requirements

Any other thoughts?

Thanks

Nitesh

CraginS
Defender I


@Nitesh wrote:

Hi

Seeing the comments, if I relate Information Owner to Data Owner then, for the question below, I would choose Option C as the best answer.

Which of the following is a responsibility of the information owner?

  • A. Ensure that users and personnel complete the required security training to access the Information System (IS)
  • B. Defining proper access to the Information System (IS), including privileges or access rights
  • C. Managing identification, implementation, and assessment of common security controls
  • D. Ensuring the Information System (IS) is operated according to agreed upon security requirements

Any other thoughts?

Thanks

Nitesh


Nitesh,

I am going to suggest you look again at a couple of the responses, and re-think your answer.

Note @CISOScott pointed out that HR knows HR data and is responsible for that data (information), but does not run the IT system that stores and processes that data.

Consider again what Grandpa Rob @rslade said:

"The information owner (and, you're right, aka data owner) is, generally speaking these days, anybody who creates a file. You made it, you own it, you get to grant permissions to it (under DAC, which is almost universal these days).

"The information system owner is the guy who bought the computer, and generally has no formal meaning in terms of infosec. (Except that he's probably the guy who has to do the BCP to ensure it keeps running.)"

And review how many separate job-specific data sets exist, based on my initial reply.

Now, look again at your choices. You want to select C, management of common security controls. IF the HR director knows about and owns HR data, should that director really be managing controls for financial and contracting and health data? Remember the IT system houses all of those and other sets.

Each data owner (HR, GC, A&F, etc.) knows the sensitivity of their data, and also knows who, by role or assignment, should be able to see the data, who should be able to add data, who should be able to change the data, and even who (if anyone) should be able to delete the data.

With this added information, do you still like C?

Craig

D. Cragin Shelton, DSc
Dr.Cragin@iCloud.com
My Blog
My LinkedIn Profile
My Community Posts
Nitesh
Newcomer II

Hi Craig

Thanks for your advice.

Please see my rationale below.

Option A: Ensure that users and personnel complete the required security training to access the Information System (IS); this is more a responsibility of the IT system owner, to make sure security awareness and training is done.

Option B: Defining proper access to the Information System (IS), including privileges or access rights; classification of data is under the Data Owner's jurisdiction, as is approving access to the information in the system. The Data Owner decides who has access to the information system and with what types of privileges or access rights.

Option C: Managing identification, implementation, and assessment of common security controls; the Information Owner/Data Owner should be responsible and accountable for the identification of the criticality and security of his/her data. They don't directly manage the implementation/assessment of controls but are ultimately responsible for the same, as they will sign off the control design assessment and control effectiveness results.

Option D: Ensuring the Information System (IS) is operated according to agreed upon security requirements; this falls under the IT system owner, to make sure all identified security controls and requirements are implemented.

I would like to change my answer to Option B, as Option C is more about managing day-to-day work, which does not fall under the information owner's bucket.

Your thoughts?

Thanks

Nitesh

CISOScott
Community Champion


@Nitesh wrote:

Hi

Seeing the comments, if I relate Information Owner to Data Owner then, for the question below, I would choose Option C as the best answer.

Which of the following is a responsibility of the information owner?

  • A. Ensure that users and personnel complete the required security training to access the Information System (IS)
  • B. Defining proper access to the Information System (IS), including privileges or access rights
  • C. Managing identification, implementation, and assessment of common security controls
  • D. Ensuring the Information System (IS) is operated according to agreed upon security requirements

Any other thoughts?

Thanks

Nitesh


@Nitesh One of the things you will have to do when answering questions is this: analyze each answer and then choose the BEST one available.

Which of the following is a responsibility of the information owner? (So we are looking for ONE of the responsibilities of an Information Owner (IO). Not all of them, not necessarily the primary one, so just one responsibility of the IO.)

  • A. Ensure that users and personnel complete the required security training to access the Information System (IS) (They are talking about access to the IS, not necessarily access to the data the IO controls. It could be argued that since the data of the IO resides on the IS they could ask for this requirement in an agreement, but, since it was not stated in the answer, we should not assume it; it would be a weak argument at best. So I do not like this as my final answer, as I still have 3 other answers to choose from.)
  • B. Defining proper access to the Information System (IS), including privileges or access rights (I like this answer better than A, but again they are talking about access to the IS, not just the IO's data. Yes, the IO would define proper access to their data, including privileges and access rights, but not for access to the IS. So I do not like this answer either, but if the other 2 answers are not better than this then I would probably go with this one.)
  • C. Managing identification, implementation, and assessment of common security controls (So this answer is worse than either A or B because it specifies common security controls. Common security controls (CC) are controls that are shared across a system or systems. In this case it does not make sense, as the IO would be inheriting CC from the IS. This is the worst answer to choose from so far, so I would not select it. Remember that CC are shared, so while the IO may benefit from CC, they are usually not involved in identification, implementation and assessment of them, as they would be inheriting them from the IS. Now if it had said something about defining controls that were NOT common controls, then this answer might have been a more correct choice.)
  • D. Ensuring the Information System (IS) is operated according to agreed upon security requirements (Now this answer, while it does specify the IS, is the only answer so far that makes the most sense when compared to what the question was asking. The IO is responsible for creating security agreements around the security of its data. The IO would be responsible for ensuring that the IS owner is meeting the requirements set out in the agreements. If the IS owner was not in compliance with the agreed upon security requirements, the IO could ask that the IS owner bring the IS into compliance or risk removing the IO's data, or face the consequences set out in the data security agreements. Also consider that one of the agreed upon requirements MIGHT be that all users have completed security training before gaining access to the IO's data [answer A]. So if the IO had answer A in the agreements AND the IO was ensuring that the IS is operated according to the agreed upon security agreements, then answer D includes answer A, so that would make D a better choice than A.)

So we have 2 answers that could be viable, B & D. So which is the best out of the two? In my opinion, D is the better answer, because in order to choose D you would have to understand that one of the responsibilities of an information owner is to set forth the requirements around data security in an agreement. And what was the original question?

Which of the following is a responsibility of the information owner?

So if your answer key does not specify D then you have a bad question (LOL!). Seriously, there are some bad questions out there, but hopefully your answer key has explanations of what makes each question wrong and right, IN THE MIND OF THAT QUESTION WRITER. Studying why you got an answer wrong, so you can understand why you made that choice and fix your thinking, will help your studies more than just shooting for a certain passing percentage. Remember the goal is knowledge, not a piece of paper.

This goes for any test/exam you take. Look at how I attacked the question first, not just jumping right to the answers. First I looked really hard to see what the question was asking for. There are key words to pay attention to. They were looking for one thing in this case. Another question might be asking for the best, most important, key item, etc. Make sure you first understand what the question is looking for. Then once you know that, you can begin the ordering of the responses to choose from. Sometimes you might be able to eliminate answers. I say rank them instead of just eliminating them. I like to say I like this choice more or less than the one before it. This can help you narrow down and choose from the best of the choices available. Notice I did not say the right answer. Sometimes the BEST or "right" answer will not even be among the choices, but one of the choices available is the BEST of the choices to choose from. Some questions might have multiple correct answers, but the situation in the question will make one of them better, for that question.

So after reading the responses to this question make sure you understand:

The responsibilities of an information or data owner

The responsibilities of an information system owner

What common controls are and how they can affect an IO and an IS owner

What security agreements are and why they exist (Memorandums of Understanding (MOUs), Service Level Agreements (SLAs), etc.)

So what is this question really testing? Do you understand the responsibilities of an information owner AND an information systems owner? Even though it only asks about one of them, you will really have to know not only both of their responsibilities, but how they interact with each other.