Data and System Ownership in the CISSP
This article covers a small portion of one of the CISSP CBK’s domains, namely, the domain entitled Asset Security (Protecting Security of Assets), which consists of the following topics:
- Information and asset classification
- Ownership (e.g. data owners, system owners) √
- Protect privacy
- Appropriate retention
- Data security controls
- Handling requirements (e.g. markings, labels, storage)
Based partially on the 7th edition of CISSP Official Study Guide, this writing strives to help you answer one main question:
What types of data roles and responsibilities do I need to know for the CISSP?
Security roles are volatile by nature: they are not always distinct and static, and so they are not clearly defined in every job description. Despite this, a close familiarity with the security roles within a company improves workplace communication, strengthens the organizational culture, and makes the company’s security policy enforceable. Furthermore, security requires responsibility, and responsibility rests on a well-defined division of roles (even if security is supposed to be everyone’s responsibility). What follows is a short description of the most important data roles one should know for the CISSP exam.
Data Owner
The term ‘data owner’ refers to the individuals within an organization who collect the data and define its metrics, that is, the person who is responsible and accountable for a particular set of data. The description is structured similarly to the one given for the term “information owner/steward” in the “Governance Structures” section of Domain Four, which deals with information governance structures, according to the Official (ISC)2 Guide to the HCISPP CBK.
Every set of data must have an owner. Data without an owner is not protected, which is why the recommended step is information lifecycle management (ILM): a process that assigns a data owner and a set of controls to information.
A data owner is typically the president, the CEO, or a department head (DH). People in this role are liable for negligence if they fail to show due diligence in enforcing the security policies that protect sensitive data.
Due Care and Due Diligence
A CISSP candidate should expect to be tested on these concepts. According to the 7th edition of CISSP Official Study Guide, “[d]ue care is using reasonable care to protect the interest of an organization. Due diligence is practicing the activities that maintain the due care effort. For example, due care is developing a formalized security structure containing a security policy, standards, baselines, guidelines, and procedures. Due diligence is the continued application of the security structure onto the IT infrastructure of an organization.”
Both notions matter because, if senior management can prove that they exist, this fact in itself may reduce the culpability and liability of the individuals held responsible for, say, a data breach.
It is important to remember that the data owner is ultimately responsible for the data: he sets the security parameters and divides the corpus of data into classes, labeled according to sensitivity. His most significant duties, therefore, are the classification and protection of all data sets. Although these duties are important, they can be delegated.
NIST SP 800-18 sets out several responsibilities for the information owner, as follows:
- Establish rules for data usage and protection
- Cooperate with information system owners on the security requirements and security controls for the systems on which the data exist
- Decide, at his discretion, who receives access rights and which types of privileges; if the data owner uses discretionary access control (DAC), he can permit or deny access to users or groups of users based on an access control list (ACL)
- Participate in identification, implementation, and assessment of security controls
Business/Mission Owner
This person, along with the mission owner (i.e., senior management), designs the entire information security program. They also cover vital day-to-day corporate aspects of the actual implementation of the information security program, such as funding, staffing (for example, finding security experts or other qualified personnel) and organizational priority. Last but not least, these owners need to ensure that every organizational asset is protected.
NIST SP 800-18 sees an overlap in the responsibilities of the business/mission owner and those of the system owners.
System Owner
This individual is in charge of one or more systems, each of which may contain and operate on data owned by various data owners. A system owner is well placed to participate in drafting security policies, supporting procedures, standards and baselines, and to disseminate them among the members of a division.
The system owner may also be a manager who supervises and attends to the actual computers that hold the data (the whole package: hardware and software, including patching and updates). Hence, in addition to physically securing the organization’s hardware infrastructure, the system owner should patch and update operating systems and harden the systems as much as possible. Hands-on technical tasks, however, are usually delegated to data custodians.
NIST SP 800-18 envisages the following responsibilities for the system owner:
- Create an information plan together with data owners, the system administrator, and end users
- Maintain the system security plan in line with the pre-agreed security requirements
- Organize training sessions for the system users and personnel on security and rules of behavior (also known as AUP)
- Bring the system security plan up-to-date as often as possible
- Participate in identification, implementation, and assessment of security controls
A system owner is also responsible for building security logic, considerations, and caution into development projects and into purchasing decisions on applications and system accessories, in keeping with the security-by-design principle. For instance, people in this position provide interpretations of government regulations, as well as insight into industry trends and analysis of vendor solutions that may advance the cyber-security of the company as a whole.
Lastly, the system owner should work closely with the data owner to ensure that the data is secure in its different states – at rest, in transit, or in use.
Data Custodian
A data custodian delivers technical protection of information assets, such as data. Backing up data in line with the company’s backup policy, restoring data, patching systems, and configuring antivirus software are some of the most common tasks within a data custodian’s duties.
It should be noted that most of the time custodians do not make critical decisions on data protection, since that is one of the major responsibilities of the data owner. Instead, the custodian should diligently follow the owner’s instructions. Consequently, a data custodian is responsible for implementing and maintaining the security controls so that they meet all security requirements, including those determined by the data owner.
All in all, the data custodian provides all the necessary protection in harmony with the CIA Triad (confidentiality, integrity, and availability). Data custodians are also entrusted with access control functions.
Administrators
This role is often fulfilled by the IT and/or security department. In essence, a data administrator grants authorized users appropriate access, based on the principle of least privilege and need-to-know, to the extent they need it to perform their job activities. As the 7th edition of CISSP Official Study Guide states, “[a]dministrators typically assign permissions using a role-based access control model. In other words, they add user accounts to groups and then grant permission to the groups. When users no longer need access to the data, administrators remove their account from the group.”
Other significant duties of data custodians include checking the integrity of the data, restoring data from backup sources when necessary, retaining data and records of activity, and executing all tasks and obligations specified in the organization’s security policy and/or guidelines on cyber-security and data protection.
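To make the two access-control models named above concrete (the data owner’s discretionary ACL from the NIST responsibilities list, and the group-based RBAC model the study guide describes for administrators), here is an added example in Python. It is not code from the article, from NIST SP 800-18, or from the study guide; the data set, owner, group and user names are constructed sample values, and the rule that a deny entry overrides an allow entry is an assumption of the example rather than a statement from the page.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set


@dataclass(frozen=True)
class AclEntry:
    """One ACL line: a principal (a user name or "group:<name>"), whether the
    entry allows or denies, and the permissions it covers."""
    principal: str
    allow: bool
    perms: FrozenSet[str]


class DacDataSet:
    """Discretionary access control: the data owner keeps an ACL for the data
    set and alone decides who is permitted or denied. Deny entries override
    allow entries (a common ACL convention, assumed for this example)."""

    def __init__(self, name: str, owner: str) -> None:
        self.name = name
        self.owner = owner
        self.acl: List[AclEntry] = []

    def _edit(self, actor: str, entry: AclEntry) -> None:
        # The owner's discretion is the whole point of DAC: nobody else edits the ACL.
        if actor != self.owner:
            raise PermissionError(f"{actor} is not the owner of {self.name}")
        self.acl.append(entry)

    def grant(self, actor: str, principal: str, perms: Set[str]) -> None:
        self._edit(actor, AclEntry(principal, True, frozenset(perms)))

    def deny(self, actor: str, principal: str, perms: Set[str]) -> None:
        self._edit(actor, AclEntry(principal, False, frozenset(perms)))

    def permitted(self, user: str, groups: Set[str], perm: str) -> bool:
        principals = {user} | {f"group:{g}" for g in groups}
        hits = [e for e in self.acl if e.principal in principals and perm in e.perms]
        return any(e.allow for e in hits) and not any(not e.allow for e in hits)


class Rbac:
    """Role-based access control as the quoted study guide describes it:
    accounts are added to groups, permissions are granted to groups, and an
    account that no longer needs access is simply removed from the group."""

    def __init__(self) -> None:
        self.group_perms: Dict[str, Set[str]] = {}   # group -> {"dataset:perm"}
        self.user_groups: Dict[str, Set[str]] = {}   # user  -> {group}

    def grant_group(self, group: str, dataset: str, perm: str) -> None:
        self.group_perms.setdefault(group, set()).add(f"{dataset}:{perm}")

    def add_user(self, user: str, group: str) -> None:
        if group not in self.group_perms:
            raise KeyError(f"unknown group: {group}")
        self.user_groups.setdefault(user, set()).add(group)

    def remove_user(self, user: str, group: str) -> None:
        # Removing the membership revokes every permission the group conferred.
        self.user_groups.get(user, set()).discard(group)

    def effective_permissions(self, user: str) -> Set[str]:
        perms: Set[str] = set()
        for group in self.user_groups.get(user, set()):
            perms |= self.group_perms[group]
        return perms

    def permitted(self, user: str, dataset: str, perm: str) -> bool:
        return f"{dataset}:{perm}" in self.effective_permissions(user)


def demo() -> Dict[str, bool]:
    """Constructed scenario: a payroll data set owned by the finance department head."""
    payroll = DacDataSet("payroll", owner="finance_dh")
    payroll.grant("finance_dh", "group:payroll_clerks", {"read", "write"})
    payroll.grant("finance_dh", "auditor1", {"read"})
    # A contractor sits in the clerks group, but the owner denies write explicitly.
    payroll.deny("finance_dh", "contractor7", {"write"})
    try:
        payroll.grant("contractor7", "contractor7", {"write"})   # not the owner
        non_owner_blocked = False
    except PermissionError:
        non_owner_blocked = True

    rbac = Rbac()
    rbac.grant_group("payroll_clerks", "payroll", "read")
    rbac.grant_group("payroll_clerks", "payroll", "write")
    rbac.grant_group("auditors", "payroll", "read")
    rbac.add_user("alice", "payroll_clerks")
    rbac.add_user("auditor1", "auditors")
    alice_write_before = rbac.permitted("alice", "payroll", "write")
    rbac.remove_user("alice", "payroll_clerks")          # alice changes job

    return {
        "dac_clerk_writes": payroll.permitted("alice", {"payroll_clerks"}, "write"),
        "dac_contractor_reads": payroll.permitted("contractor7", {"payroll_clerks"}, "read"),
        "dac_contractor_writes": payroll.permitted("contractor7", {"payroll_clerks"}, "write"),
        "dac_auditor_writes": payroll.permitted("auditor1", set(), "write"),
        "dac_non_owner_blocked": non_owner_blocked,
        "rbac_alice_write_before": alice_write_before,
        "rbac_alice_write_after": rbac.permitted("alice", "payroll", "write"),
        "rbac_auditor_read": rbac.permitted("auditor1", "payroll", "read"),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check:26} {result}")
```

The contrast the example is meant to show: under DAC every exception (the contractor who may read but not write) is a separate owner decision recorded in the ACL of that one data set, whereas under RBAC the administrator never touches individual permissions at all, and offboarding is a single group removal that revokes everything the role conferred.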
Security Administrator: The security administrator is entrusted with implementing and maintaining certain network appliances and software in the company’s IT system. These controls include, but are not limited to, firewalls, IPS, IDS, security proxies, anti-malware, and other data loss prevention measures.
This person manages the user access process by carefully provisioning privileges to those people whose access has been authorized by the business/mission/data owners. The security administrator can create and delete accounts, grant access permissions, terminate access privileges, maintain records of access request approvals, and file reports of access activities to the auditor during an access control audit that checks for compliance with the policies.
Network/Systems Administrator: The availability and accessibility of data is a vital precondition for the proper functioning of every organization with significant information resources. The role of a system administrator is to ensure this by configuring the network, server hardware, and operating systems. Besides patch management and update installation, the network/system administrator provides vulnerability management, using both commercial off-the-shelf (COTS) and non-COTS solutions to test the corporate digital environment and mitigate potential vulnerabilities.
Users
Users are any other persons, outside those enumerated so far, who are legally allowed to access the system. Users usually have just enough access to perform the tasks their job position requires (again, under the principle of least privilege).
Being merely a user does not exonerate someone from the obligation to become acquainted with the organization’s security policy and to uphold it by following all security procedures. Generally speaking, each user must abide by the mandatory rules, policies, standards, procedures, etc. For instance, they must not share the personal accounts given to them or divulge their passwords. In this regard, users should be made aware of the risks associated with breaching the above-mentioned policies and procedures, and they should also be notified of the consequences of non-compliance with these mandatory rules and procedures.
Data Controller and Data Processor
Under Article 2(d) of the EU Data Protection Directive (Directive 95/46/EC), a data controller is “the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data […].” Clearly, the data controller holds a position of great responsibility in EU data protection legislation.
It is a common mistake to confuse data processors with data controllers. A good illustration of the major difference between these two roles is the one provided by the Data Protection Commissioner of Ireland: “[…] if you hold or process personal data, but do not exercise responsibility for or control over the personal data, then you are a ‘data processor’.” A document by the Article 29 Data Protection Working Party, an EU institution that periodically issues interpretations of data protection norms, clarifies the concepts of data processor and data controller: “…two basic conditions for qualifying as processor are on the one hand being a separate legal entity with respect to the controller and on the other hand processing personal data on his behalf.”
Real-life examples of data processors are market research firms, accounting agencies, and payroll companies. An entity may well combine both roles: “a payroll company would be the data controller in respect of the data about its own staff, but would be the data processor in respect of the staff payroll data it is processing for its client companies,” states the Data Protection Commissioner of Ireland.
Organizations from the United States often process personal information of EU citizens, and they then become “data controllers” or “data processors” within the meaning of the EU Data Protection Directive. By the EU “adequacy rule,” even organizations from outside the EU must comply with the Directive when processing the personal data of EU citizens. As for EU-U.S. data transfers, on 12 July 2016 the European Commission adopted a decision entitled “EU-U.S. Privacy Shield,” which in effect replaces the Safe Harbor mechanism struck down by the European Court of Justice in October 2015 in the wake of the Snowden revelations.
This new framework for transatlantic exchanges of the personal data of EU citizens promises, among other things, “regular reviews,” “effective supervision mechanisms,” “tightened conditions for onward transfers,” and “limitation of data retention.” The main principles of the current framework for data transfers between the EU and the U.S. are:
- Notice
- Choice
- Accountability for onward transfers
- Security
- Data integrity and purpose limitation
- Access
- Recourse, enforcement, and liability
U.S. companies need to apply for registration on the Privacy Shield list and self-certify that they meet the high data protection standards laid down by the arrangement. The registration is renewed annually.
It should also be noted that the EU Data Protection Directive is to be replaced by the General Data Protection Regulation (GDPR), which is expected to enter into application on 25 May 2018.
References
Are you a “data controller”? Available at https://www.dataprotection.ie/docs/Are-you-a-Data-Controller/y/43.htm (accessed 30/10/2016)
Gregg, M. CISSP Exam Cram. Available at https://books.google.bg/books?id=2UzODAAAQBAJ&pg=PT74&lpg=PT74&dq=scoping+and+tailoring+privacy&source=bl&ots=Se48Y2tn1w&sig=RCtlfF8gBupaZgr08uj1OkSV-M0&hl=bg&sa=X&ved=0ahUKEwjrtcHDlu_PAhWGXRQKHTEBCFkQ6AEIPzAD#v=onepage&q=scoping%20and%20tailoring%20privacy&f=false (accessed 27/10/2016)
Conrad, E., Misenar, S., Feldman, J. (2013). Eleventh Hour CISSP®: Study Guide.
Conrad, E., Misenar, S., Feldman, J. (2016). CISSP Study Guide. Available at https://books.google.bg/books?id=M8EtBQAAQBAJ&pg=PA96&lpg=PA96&dq=scoping+and+tailoring+privacy&source=bl&ots=uqXMIoJuJG&sig=Y7zNS7XTV1or5mf3f2QRv_Qskjw&hl=bg&sa=X&ved=0ahUKEwjrtcHDlu_PAhWGXRQKHTEBCFkQ6AEIRDAE#v=onepage&q=scoping%20and%20tailoring%20privacy&f=false (accessed 27/10/2016)
Gregg, M. (2005). CISSP Security-Management Practices. Available at www.pearsonitcertification.com/articles/article.aspx?p=418007&seqNum=6 (accessed 30/10/2016)
Khurana, K. (2010). EU Article 29 Working Party Clarifies Definitions of “Data Controller” and “Data Processor”. Available at http://privacylaw.proskauer.com/2010/03/articles/european-union/eu-article-29-working-party-clarifies-definitions-of-data-controller-and-data-processor/ (accessed 30/10/2016)
Kumar, A. (2016). CISSP – Session 2. Available at https://www.linkedin.com/pulse/cissp-session-2-ashok-kumar?articleId=8658934758953839526 (accessed 30/10/2016)
Stewart, J., Chapple, M., Gibson, D. (2015). Certified Information Systems Security Professional Study Guide (7th Edition).
Tipton, H. (2007). Official (ISC)2 Guide to the CISSP CBK. Available at https://books.google.bg/books?id=Ka4oT0PWHUEC&pg=PA106&lpg=PA106&dq=security+baseline+privacy+cissp&source=bl&ots=VyR2snCd41&sig=vU9wQ1-RdD3GGt7HahWCx4dnUJ8&hl=bg&sa=X&ved=0ahUKEwiw5qXrme_PAhXEWRQKHeRBDEEQ6AEIcDAJ#v=onepage&q&f=false (accessed 27/10/2016)
The Article 29 Working Party (2010). Opinion 1/2010 on the concepts of “controller” and “processor” (WP 169). Available at http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2010/wp169_en.pdf (accessed 27/10/2016)
The European Parliament (1995). Directive 95/46/EC of the European Parliament and of the Council. Available at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML (accessed 27/10/2016)