PrepAway - Latest Free Exam Questions & Answers


Which of the following is NOT a responsibility of an information (data) owner?


A. Determine what level of classification the information requires.

B. Periodically review the classification assignments against business needs.

C. Delegate the responsibility of data protection to data custodians.

D. Running regular backups and periodically testing the validity of the backup data.

Explanation:

The data owner defines the backup requirements. However, the data owner does not run the backups. This is performed by the data custodian.

The data owner is usually a member of management who is in charge of a specific business unit, and who is ultimately responsible for the protection and use of a specific subset of information. The data owner has due care responsibilities and thus will be held responsible for any negligent act that results in the corruption or disclosure of the data. The data owner decides upon the classification of the data she is responsible for and alters that classification if the business need arises. This person is also responsible for ensuring that the necessary security controls are in place, defining security requirements per classification and backup requirements, approving any disclosure activities, ensuring that proper access rights are being used, and defining user access criteria.

The data custodian (information custodian) is responsible for maintaining and protecting the data. This role is usually filled by the IT or security department, and the duties include implementing and maintaining security controls; performing regular backups of the data; periodically validating the integrity of the data; restoring data from backup media; retaining records of activity; and fulfilling the requirements specified in the company’s security policy, standards, and guidelines that pertain to information security and data protection.

Incorrect Answers:

A: Determining what level of classification the information requires is the responsibility of the data owner.

B: Periodically reviewing the classification assignments against business needs is the responsibility of the data owner.

C: Delegating the responsibility of data protection to data custodians is the responsibility of the data owner.

Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 121

