Page 54 - CISSO_Prep_ Guide
The challenge comes when the system owner is not aware of the
security requirements they are accountable for. An owner may
wish to implement as little security as possible since it may
affect productivity. However, the system owner must realize that
it is their responsibility to accept the risk of any resulting
security breaches. For this reason, we see some movement in
governments and organizations to declare a separate role of
authorizing officials. The authorizing official has an enterprise-
wide responsibility and operates at arm's length from the system
owner. The authorizing official must approve all system changes
or new implementations before they are put into effect. This
ensures that no owner can put a system into production, operate an
order, or make changes to a system that may pose a risk to other
systems, the organization, or its operations. This is addressed
through a process known as systems authorization, formerly known
as certification and accreditation.
Information Owner
The information owner is the person designated to be
responsible for the protection of the information held by the
organization. Organizations are responsible for adequately
protecting any sensitive information they process, store, or
transmit. The requirement to safeguard information applies to
personally identifiable information (PII), intellectual property,
and trade secrets.
One of the first responsibilities of the information owner is to
identify and classify all information being held by the
organization. The process of information classification will be
examined in more detail later in this book.