PrepAway - Latest Free Exam Questions & Answers

He does not determine, maintain, or evaluate controls, so what is Jared’s role?

Jared plays a role in his company’s data classification system. In this role, he must practice due care when accessing data and ensure that the data is used only in accordance with allowed policy while abiding by the rules set for the classification of the data. He does not determine, maintain, or evaluate controls, so what is Jared’s role?

A. Data owner

B. Data custodian

C. Data user

D. Information systems auditor

Explanation:
C: Any individual who routinely uses data for work-related tasks is a data user. Users must have the necessary level of access to the data to perform the duties within their position and are responsible for following operational security procedures to ensure the data’s confidentiality, integrity, and availability to others. This means that users must practice due care and act in accordance with both security policy and data classification rules.
A is incorrect because the data owner has a greater level of responsibility in the protection of the data. Data owners are responsible for classifying the data, regularly reviewing classification levels, and delegating the responsibility of the data protection duties to the data custodian. The data owner is typically a manager or executive in the organization and is held responsible when it comes to protecting the company’s information assets.
B is incorrect because the data custodian is responsible for the implementation and maintenance of security controls as dictated by the data owner. In other words, the data custodian is the technical caretaker of the controls that protect the data. Her duties include making backups, restoring data, implementing and maintaining countermeasures, and administering controls.
D is incorrect because an information systems auditor is responsible for evaluating controls. After evaluating the controls, the auditor provides reports to management, illustrating the mapping between the set acceptable risk level of the organization and her findings. This does not have to do with using the data or practicing due care with the use of data.

