Who can best decide what are the adequate technical security controls in a computer-based application system
in regards to the protection of the data being used, the criticality of the data, and its sensitivity level?

A.
System Auditor

B.
Data or Information Owner

C.
System Manager

D.
Data or Information user

Explanation:
The data or information owner is ultimately responsible for the protection of the information and can decide
what security controls would be required to protect the Databased on the sensitivity and criticality of the data.
Incorrect Answers:
A: The auditor is responsible for ensuring that the correct controls are in place and are being maintained
securely, and that the organization complies with its own policies and the applicable laws and regulations.
C: The system manager is responsible for managing and maintaining a system, and ensuring that the system
operates as expected. The system manager is not responsible for determining which security measures should
be implemented.
D: The user is an individual who uses the data for work-related tasks. The user must have the necessary level
of access to the data to perform the duties within their position. The user is not responsible for determining
which security measures should be implemented.

Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, pp. 114, 121-122, 125