Page 56 - CISSO_Prep_ Guide
whether the information must be protected while being stored or
transmitted (encrypted), accessed, deleted, and displayed
(masked). Each system owner that processes, stores, or transmits
that credit card data must agree to follow the mandate of the
information owner. The system owner must be willing to
enforce necessary protections on that data according to the order
of the information owner. The information owner must have the
authority to refuse to allow that information to be available to
the sales system or department. Through this, we see the
enterprise-wide mandate of the information owner. This is one
of the most challenging aspects of information protection,
especially given the many different laws and regulations about
the handling of information. Sometimes the rules for handling
data differ from one country to another or from one industry
sector to another, and the information owner or owners must be
able to adjust to those various laws as much as possible.
Custodian
The role of the custodian is to have care for, or custody of, an
asset. The custodian of a sports trophy (e.g., the Stanley Cup for
ice hockey) is not the owner of the Cup but is tasked with the
responsibility for the protection of the Cup: the secure handling,
storage, transportation, display, and engraving of the trophy on
behalf of the owner. This is the same as the role of IT. IT
manages, cares for, operates, and repairs the systems of the
organization on behalf of the system owners and information
owners. IT has a level of access to information that no one else
has, but with that access comes the responsibility to behave in a
legal, ethical manner and not misuse, disclose or modify that
data or system in an unauthorized way. There are far too many
examples of IT staff reading emails, accessing customer data, or