Which choice below BEST describes the difference between the System Owner and the Information
Owner?

A.
The System Owner is responsible for establishing the rules for appropriate use of the information.

B.
The Information Owner is responsible for defining the system’s operating parameters.

C.
One system could have multiple information owners.

D.
There is a one-to-one relationship between system owners and information owners.

Explanation:
The System Owner is responsible for ensuring that the security plan is prepared and for
implementing the plan and monitoring its effectiveness. The System Owner is responsible for
defining the system’s operating parameters, authorized functions, and security requirements. The
information owner for information stored within, processed by, or transmitted by a system may or
may not be the same as the System Owner. Also, a single system may utilize information from
multiple Information Owners. The Information Owner is responsible for establishing the rules for
appropriate use and protection of the subject data/information (rules of behavior). The Information
Owner retains that responsibility even when the data/information are shared with other
organizations. Source: NIST Special Publication 800-18, Guide for Developing Security Plans for
Information Technology Systems.