Status: Live
The organization will ensure that appropriate procedures and tools are provided to address the responsibilities of data and system ownership. [UCF ID 00772]
Supporting and supported controls
This control directly supports:
- Maintain the IT staff structure in line with strategic goals [UCF Control ID 00764]
There are no supporting controls.
Authority documents complied with:
AICPA Suitable Trust Services Principles and Criteria, ¶ .17 § 1.3, ¶ .20 § 1.3, ¶ .24 § 1.3, ¶ .29 § 1.3; Army Regulation 380-19: Information Systems Security, February 27, 1998, § 2-3.a(7); Appendix III to OMB Circular No. A-130: Security of Federal Automated Information Resources, § 8(b)(3)(c); Federal Information System Controls Audit Manual (FISCAM), February 2009, AC-2.1; IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information, Exhibit 6; Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996, § 3.2.2; CobiT 4.1, PO4.9; The Standard of Good Practice for Information Security, SM1.1.2(c), SM1.2.3(b), SM3.1.3(b), SM3.2.1 thru SM3.2.4, CB2.1.1, CB5.1.1, CB5.2.4(a), CI1.1.1, CI5.1.1, CI5.3.4(a), NW1.1.1, NW4.3.4(a), SD2.1.1, UE1.1.1, UE1.4.1, UE1.4.2; ISO 17799:2005 Code of Practice for Information Security Management, § 6.1.3, § 7.1.2; ISO 27001:2005, Information Security Management Systems - Requirements, § 4.2.1(d), Annex A.7.1.2; ISO/IEC 27002-2005 Code of practice for information security management, § 6.1.3, § 7.1.2; OGC ITIL: Security Management, § 4.2.1; Guidelines for Media Sanitization, NIST Special Publication 800-88, September, 2006, § 3.4; Archer Control Table, ATCS-020, ATCS-023, ATCS-024, ATCS-026, ATCS-028, ATCS-032, ATCS-034, ATCS-035, ATCS-041, ATCS-044, ATCS-046, ATCS-048, ATCS-049, ATCS-052, ATCS-121, ATCS-183, ATCS-184, ATCS-185, ATCS-189, ATCS-191, ATCS-219, ATCS-226, ATCS-280, ATCS-281, ATCS-285, ATCS-295, ATCS-330, ATCS-347, ATCS-394, ATCS-426, ATCS-429, ATCS-432, ATCS-438, ATCS-714, ATCS-715, ATCS-764, ATCS-768, ATCS-769, ATCS-785, ATCS-786, ATCS-801, ATCS-851
Sarbanes Oxley Guidance
The ownership and responsibility for resources and systems should be assigned. [¶ .17 § 1.3, ¶ .20 § 1.3, ¶ .24 § 1.3, ¶ .29 § 1.3, AICPA Suitable Trust Services Principles and Criteria]
US Federal Security Guidance
Each file and/or data group on the system should have an appointed owner. [§ 2-3.a(7), Army Regulation 380-19: Information Systems Security, February 27, 1998]
Each file and/or data group on the system should have an appointed owner. [§ 8(b)(3)(c), Appendix III to OMB Circular No. A-130: Security of Federal Automated Information Resources]
[AC-2.1, Federal Information System Controls Audit Manual (FISCAM), February 2009]
US Internal Revenue Guidance
Federal Tax Information must have an assigned owner who will review all authorized and unauthorized accesses. [Exhibit 6, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information]
NIST Guidance
[§ 3.2.2, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996]
Information owners should ensure that maintenance personnel who repair media on site are continuously supervised, and that all users know the sensitivity of the information they are using and the sanitization requirements that apply to it. [§ 3.4, Guidelines for Media Sanitization, NIST Special Publication 800-88, September, 2006]
ISO Guidance
Responsibilities for the protection of individual assets or systems should be clearly defined. These responsibilities may be delegated to others, but the delegator remains accountable. Each asset should be owned by a designated part of the organization; ownership can be assigned to an individual or a business unit, and the owned asset can be an application, a defined set of data, or a defined set of activities. The owner is responsible for ensuring the information and assets are properly classified and for periodically reviewing the access restrictions and classifications. [§ 6.1.3, § 7.1.2, ISO 17799:2005 Code of Practice for Information Security Management]
All assets of the Information Security Management System should be identified, along with the owner of the assets. [§ 4.2.1(d), Annex A.7.1.2, ISO 27001:2005, Information Security Management Systems - Requirements]
Responsibilities for the protection of individual assets or systems should be clearly defined. These responsibilities may be delegated to others, but the delegator remains accountable. Each asset should be owned by a designated part of the organization; ownership can be assigned to an individual or a business unit, and the owned asset can be an application, a defined set of data, or a defined set of activities. The owner is responsible for ensuring the information and assets are properly classified and for periodically reviewing the access restrictions and classifications. [§ 6.1.3, § 7.1.2, ISO/IEC 27002-2005 Code of practice for information security management]
ITIL Guidance
[§ 4.2.1, OGC ITIL: Security Management]
General Guidance
The organization should provide the business with procedures and tools enabling it to address its responsibilities for ownership of data and information systems. Owners make decisions about classifying information and systems and protecting them in line with this classification. [PO4.9, CobiT 4.1]
Top management should assign ownership responsibilities for identifying, safeguarding, and classifying information and systems to appropriate individuals. Each application, system, installation, network, and end user environment should have an assigned owner, and these individuals should be identified in the information security policy. Each information owner should approve the assigned classification for his/her information. The owners' responsibilities should include developing Service Level Agreements, ensuring the information and systems are protected, authorizing changes to the system or new systems, assisting with security audits and reviews, determining authorized users for the system and information, and informing users of their information security responsibilities. All owners should be provided with the tools and staff necessary to perform their jobs. Procedures should be in place to reassign the position when the owner leaves and to have a secondary owner assigned in case the owner is unavailable. A business manager should be assigned as the owner who is responsible for the overall security. A local security coordinator should be appointed to act as the point of contact for information security issues. [SM1.1.2(c), SM1.2.3(b), SM3.1.3(b), SM3.2.1 thru SM3.2.4, CB2.1.1, CB5.1.1, CB5.2.4(a), CI1.1.1, CI5.1.1, CI5.3.4(a), NW1.1.1, NW4.3.4(a), SD2.1.1, UE1.1.1, UE1.4.1, UE1.4.2, The Standard of Good Practice for Information Security]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
