
Assign an information owner to organizational assets, as necessary.


CONTROL ID: 12729
CONTROL TYPE: Human Resources Management
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an Asset Management program., CC ID: 06630

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • For each application system, AIs should preferably assign an individual as the information owner. The information owner normally needs to work with the TRM and IT functions to ensure confidentiality and integrity of information, and to protect the information in accordance with the level of risk pre… (3.1.1, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • Each application should have an owner which will typically be the concerned business function that uses the application (Critical components of information security 11) c.1., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Classification and assignment of ownership of information assets (Information Security Governance ¶ 4 Bullet 4, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • ownership of information assets, and the roles and responsibilities of the staff managing the information assets; and (§ 3.3.1(c), Technology Risk Management Guidelines, January 2021)
  • Each system has a designated system owner. (Security Control: 1071; Revision: 1, Australian Government Information Security Manual, March 2021)
  • Each system has a designated system owner. (Control: ISM-1071; Revision: 1, Australian Government Information Security Manual, June 2023)
  • Each system has a designated system owner. (Control: ISM-1071; Revision: 1, Australian Government Information Security Manual, September 2023)
  • Under CPS 234, an APRA-regulated entity must have information security controls to protect its information assets commensurate with, amongst other things, the stage at which the information assets are within their life-cycle. This includes ensuring that information security controls remain effective… (34., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • Provide the business with procedures and tools, enabling it to address its responsibilities for ownership of data and information systems. Owners should make decisions about classifying information and systems and protecting them in line with this classification. (PO4.9 Data and System Ownership, CobiT, Version 4.1)
  • have a designated custodian of these health information assets (see 8.1.2); (§ 8.1.1 Health-specific control ¶ 1(b), ISO 27799:2016 Health informatics — Information security management in health using ISO/IEC 27002, Second Edition)
  • The source (authorship) of publicly available health information should be stated and its integrity should be protected. (§ 14.1.3.1 Health-specific controls ¶ 3, ISO 27799:2016 Health informatics — Information security management in health using ISO/IEC 27002, Second Edition)
  • The name and address of the beneficial owner of such account; (§ 240.17a-3 (a)(9)(i), 17 CFR Part 240.17a-3 - Records to be made by certain exchange members, brokers and dealers)
  • Bind the identity of the information producer with the information to [Assignment: organization-defined strength of binding]; and (AU-10(1)(a), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Binds the identity of the information producer with the information to [Assignment: organization-defined strength of binding]; and (AU-10(1)(a), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Bind the identity of the information producer with the information to [Assignment: organization-defined strength of binding]; and (AU-10(1)(a), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Bind the identity of the information producer with the information to [Assignment: organization-defined strength of binding]; and (AU-10(1)(a), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Binds the identity of the information producer with the information to [Assignment: organization-defined strength of binding]; and (AU-10(1) ¶ 1a., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)