Page 55 - CISSO_Prep_ Guide
The information owner must ensure that information that
requires protection is adequately protected. That means only
authorized personnel can access that information, the data is
being correctly backed up, and the data is destroyed when no
longer needed. It also means that the data can only be changed
through a controlled process.
Returning to the integration of the organization's many departments: information gathered by one department may soon be transmitted to, or made available to, another department. This demonstrates why the role of the information owner is enterprise-wide rather than department-wide. The system owner usually belongs to one department and is responsible only for the systems in that department. The information owner, by contrast, is responsible for protecting data that may end up on several networks in more than one department. The burden of the information owner is to ensure that sensitive data is protected no matter where in the organization it goes. The information owner is the person who must accept legal responsibility for protecting that information, and who may face some form of criminal or civil charges if the information is breached. This means the information owner must be a senior manager with the authority to mandate how a piece of data is gathered, stored, accessed, and transmitted, and when it is deleted, regardless of which systems or departments hold the information. This authority extends to information that is shared with business partners or handled by a third party. In practice, the information owner declares what information is protected and how it is to be processed. For example, a credit card number may be collected on a sales system but subsequently stored on a financial system or in a customer database. The information owner must mandate