Data and system ownership in the CISSP exam
Within the CISSP body of knowledge, the second domain of Asset Security thoroughly assesses a candidate’s understanding of managing and protecting valuable assets.
This section includes the following sub-topics:
- Information and asset classification
- Ownership (e.g., data owners, system owners)
- Protect privacy
- Appropriate retention
- Data security controls
- Handling requirements (e.g., markings, labels, storage)
For more CISSP exam tips, get our free CISSP exam tips and tricks ebook, or watch our free one-hour CISSP exam tips course with an instructor whose students have a 95% pass rate.
Earn your CISSP, guaranteed!
What types of data roles and responsibilities do I need to know for the CISSP?
Data roles and ownership aren’t always clearly defined, thanks to ever-changing job requirements and the different goals and needs of individual organizations. Smaller organizations might bundle several roles into a single job title, such as security analyst, while larger organizations might have robust teams of more narrowly specialized experts.
However, CISSP candidates should understand how these distinct roles and job titles work together to form a unified cybersecurity team with different hierarchy levels, skill sets and responsibilities. Standard, industry-wide definitions improve security posture and create a well-defined division of responsibilities within an organization. Any of the following data roles might appear on the CISSP certification exam.
If you’re curious about any of these roles for your own professional career, explore the free cybersecurity certification breakdown from mid-career professionals.
1. Data owner
Definition: A data owner is typically the person who collects the data and defines how it is measured and used. Every data set must have an owner, and assigning this ownership is a crucial part of information lifecycle management (ILM).
Responsibilities: Data owners are ultimately responsible for the data: they establish its security parameters and classify it according to its sensitivity. NIST SP 800-18 sets out several key responsibilities for data owners:
- Establishes rules for data usage and protection
- Cooperates with information system owners on security requirements and security controls
- Defines and guides the access rights and types of privilege
- Participates in the identification, implementation and assessment of security controls
Job Title: This person is often the president, CEO or a department head in an area such as Marketing, Business Operations or Finance. This role is also legally liable for negligence if it fails to enforce security policies.
2. Business owner
Definition: This role is a senior-level person who is responsible for the entire information security program. A business owner focuses on overall company strategy and financial health and might not have detailed knowledge of specific data. They also typically delegate department-specific data ownership to other teams.
Responsibilities: The business owner designs the entire information security program. They’re responsible for vital day-to-day tasks such as:
- Funding the information security program
- Appropriately staffing teams
- Ensuring every organizational asset is protected
Job Title: This role is often senior management, with significant overlaps between the responsibilities of the business and system owner. A business owner could also be the CEO or president.
3. System owner
Definition: System owners are in charge of one or more systems which may contain data owned by different data owners.
Responsibilities: This person is responsible for delegating to other teams, attending to the actual software and hardware, and complying with governmental regulations. System owners work closely with data owners to ensure that data is secure in all of its states — at rest, in transit and in use. Their duties include:
- Builds information security plans with data owners, system administrators and end users
- Organizes training sessions for system users
- Updates and patches both physical hardware and software as promptly as possible
- Formalizes security plans and policies and disseminates them among team members
- Participates in the identification, implementation and assessment of security controls
Job Title: Potential job titles could include system administrator, system controller or IT analyst.
4. Data custodian
Definition: Data custodians typically have more hands-on roles and do not make critical decisions on data protection. Data custodians are more likely to “follow orders” and carry out the plan determined by the data owner. They’re typically responsible for safekeeping and maintenance instead of overall company compliance strategy.
Responsibilities: Depending on organization size and team structure, data custodians typically perform the hands-on technical tasks rather than the system owner. This includes duties like:
- Software and hardware patching
- Implementing and maintaining security controls
- Executing the backup and recovery process and restoration of data
- Configuring antivirus software
Job Title: Data custodians typically have IT roles like database administrator, data engineer, data manager or IT manager. Regardless of title, the data custodian plays a pivotal role in the integrity, security and accessibility of data across the organization.
5. Administrator
Definition: Another job title that might appear on the CISSP exam is administrator. This might be a security administrator, who implements and maintains security appliances and software, or a network administrator, who is responsible for the availability and accessibility of data.
Security Administrator Responsibilities: A security administrator is in charge of firewalls, IPS, IDS, security proxies, antimalware and other data loss prevention practices.
Administrators typically perform the following tasks:
- Grant and revoke access based on the principle of least privilege
- Perform regular checks on data integrity
- Maintain records of access request approvals
- Participate in compliance audits by providing access control information
Network/Systems Administrator Responsibilities: A network or systems administrator is more concerned with configuring the network, server hardware and operating systems. They are more involved in patch management and penetration testing, and in vulnerability management for both commercial off-the-shelf (COTS) and non-COTS solutions.
Job Title: Job titles could include security administrator, network administrator or systems administrator.
6. User
Definition: A user is an individual legally allowed to access the system. These might be typical employees with enough access to perform their job duties.
Responsibilities: The user is required to familiarize themselves with the security policy and uphold it by following all standard procedures. For example, they should not share passwords with other employees or attempt to gain access to unauthorized systems.
Other responsibilities include:
- Personal device (laptop, desktop or mobile device) protection
- Compliance with company policies and procedures
- Completion of security awareness training
Job Title: A user is anyone who uses the network, infrastructure and applications as their job requires, so this could be a marketing coordinator, customer support manager, product manager, software engineer and more.
7. Data controller and data processor
Definition: According to EU law, the data controller is “the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data […].” On the other hand, a data processor does not exercise responsibility for or control over the personal data.
Responsibilities: These two terms are among the most commonly confused, but EU law also states that “…two basic conditions for qualifying as processor are on the one hand being a separate legal entity with respect to the controller and on the other hand processing personal data on his behalf.”
Job Title: A data processor could be an external market research firm, accounting agency or payroll provider. For example, a payroll company would be the data controller for its own staff, but it would also be the data processor for the staff payroll data it processes for client companies.
Understanding data and system ownership
With different job titles and roles across different organizations, it’s best to prepare for the CISSP exam through thorough self-study, practice exams and online or in-person training. Explore the CISSP Boot Camp for the entire CISSP body of knowledge in whatever learning style suits you best.