Determine and Maintain Ownership for Asset Security
For asset security purposes, within an organization, owners and custodians of systems, data, and the business or mission (more specifically, a line of business or mission aspect) are implicitly or explicitly assigned.
Organizations should explicitly define owners and custodians of sensitive assets to avoid any confusion or ambiguity regarding roles, responsibilities, and accountability.
An owner is normally assigned at an executive or senior-management level within an organization, such as director or vice president. An owner doesn’t legally own the asset assigned to him or her; the owner is ultimately responsible for safeguarding assigned assets and may have fiduciary responsibility or be held personally liable for negligence in protecting these assets under the concept of due care.
Typical responsibilities of an owner may include
- Determining classification levels for assigned assets
- Determining policy for access to the asset
- Maintaining inventories and accounting for assigned assets
- Periodically reviewing classification levels of assigned assets for possible downgrading, destruction, or disposal
- Delegating day-to-day responsibility (but not accountability) and functions to a custodian
A custodian is the individual who has day-to-day responsibility for protecting assigned assets. IT systems administrators or network administrators often fill this role. Typical responsibilities may include
- Performing regular backups and restoring systems and/or data, when necessary
- Ensuring that appropriate permissions are properly implemented on systems, directories, and files, and provide sufficient protection for the asset
- Assigning new users to appropriate permission groups and revoking user privileges, when required
- Maintaining classified documents or other materials in a vault or secure file room
The distinction between owners and custodians, particularly regarding their different responsibilities, is an important concept in information security management. The data owner has ultimate responsibility for the security of the data, whereas the data custodian is responsible for the day-to-day security administration.