Page 53 - CISSO_Prep_ Guide
payable or manages the general ledger of the organization is not "owned" by IT - it is owned by the Chief Financial Officer (CFO) or a person in a similar role. The system is supported by IT, and IT (whether outsourced or provided internally) is expected to manage, operate, and secure the financial system on behalf of the owner. The business owns the system: it pays for it, and it relies on it. The organization indicates where changes are needed, and it has the final say over when and what changes may be made to the system. As part of responsible management, the IT department will indicate when patches or upgrades may be needed, and it may apply to the business for a time window in which to shut down the system for hardware or network maintenance. Still, IT should never make a change to a system without the consent of the owner of that system. It is just like taking a car you have purchased to a repair shop - the mechanic may point out work that should be done, but the mechanic is not authorized to perform that work without the permission of the vehicle's owner. In short, a system owner is a senior person from the business department that relies on the system and pays for it.
The role of the system owner is critically important. The system owner must decide who gets access to the system, must determine what changes should be made and when they can be applied, and must monitor the reports on system controls. The system owner must ensure the network is being operated in accordance with the law, policy, and the requirements of the information owner and possibly an authorizing official. The role of the system owner is an integral part of the security framework. Each system must have an owner, and the security administrator must ensure that access to the system is granted only in accordance with the mandates of the owner.