3.1.2. Asset Ownership Roles
💡 First Principle: Accountability for information security requires clearly defined ownership — someone who is answerable for what happens to data and who has the authority to make decisions about it. When ownership is unclear, nobody is accountable; when it's clear, security decisions have a named decision-maker.
The five key data roles — precision required:
| Role | Who | Accountable For | Does NOT Do |
|---|---|---|---|
| Data Owner | Business manager / executive | Classification, acceptable use policy, access authorization decisions | Day-to-day data management or technical storage |
| Data Custodian | IT / Security staff | Implementing controls the owner requires, backups, storage, access provisioning | Deciding classification or acceptable use |
| Data User | Employees accessing data for job functions | Handling data per policy and classification requirements | Modifying access controls or classification |
| Data Controller | Organization (GDPR concept) | Determining the purpose and means of processing personal data | Necessarily act as the data owner (the roles may overlap, but they are distinct) |
| Data Processor | Third party processing on controller's behalf | Following controller's instructions; implementing required safeguards | Making decisions about processing purposes |
GDPR role nuance: The controller-processor distinction is legally significant. A payroll provider processing employee data on behalf of a company is a processor — the company is the controller. The processor must have a Data Processing Agreement (DPA) with the controller. Liability flows to the controller by default; the processor is jointly liable if it causes or contributes to a breach.
Asset ownership in practice:
- A marketing database containing customer email addresses: Data Owner = VP Marketing; Custodian = Database Administrator; Users = Marketing analysts
- Customer health records in an EHR: Data Owner = Chief Medical Officer; Custodian = Health IT team; Users = Clinicians with need-to-know
- Financial transaction logs: Data Owner = CFO; Custodian = Finance IT; Users = Auditors and finance staff with authorization
💡 Key Point: Ownership does not follow technical custody. The IT department that manages the server storing HR data does not own that data — the HR director does. This distinction creates the proper accountability structure: the data owner makes security decisions for their data; the custodian implements them.
⚠️ Exam Trap: A very common wrong answer on CISSP questions about data roles assigns ownership to the IT team or the CISO. Security professionals are never data owners for business data — they are advisors, implementers, and auditors. Data owners are always business stakeholders with accountability for the business use of that data.
Reflection Question: A legal hold notice requires preserving all email communications related to a lawsuit for the next three years. Identify the data owner, custodian, and user for the email system, and explain what action each role must take in response to the legal hold.