PrepAway - Latest Free Exam Questions & Answers

which of the following entities is authorized to grant …

In discretionary access environments, which of the following entities is authorized to grant information access to
other people?

A. Manager
B. Group Leader
C. Security Manager
D. Data Owner

Explanation:
The data owner (information owner) is usually a member of management who is in charge of a specific
business unit, and who is ultimately responsible for the protection and use of a specific subset of information.
The data owner has due care responsibilities and thus will be held responsible for any negligent act that results
in the corruption or disclosure of the data. The data owner decides upon the classification of the data she is
responsible for and alters that classification if the business need arises. This person is also responsible for
ensuring that the necessary security controls are in place, defining security requirements per classification and
backup requirements, approving any disclosure activities, ensuring that proper access rights are being used,
and defining user access criteria. The data owner approves access requests or may choose to delegate this
function to business unit managers.
Incorrect Answers:
A: While the data owner is usually a member of management, this is not always the case. Therefore, the
person authorized to grant information access to other people is not always the manager, so this answer is
incorrect.
B: A Group Leader is not the person authorized to grant information access to other people (unless the group
leader is also the data owner).
C: The role of Security Manager does not give you the authority to grant information access to other people.

Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 121

