PrepAway - Latest Free Exam Questions & Answers


Which of the following is responsible for ensuring that proper controls are in place to address the integrity, confidentiality, and availability of IT systems and data?


A. Business and functional managers

B. IT Security practitioners

C. System and information owners

D. Chief information officer

Explanation:
Both the system owner and the information owner (data owner) are responsible for ensuring that proper controls are in place to address the integrity, confidentiality, and availability of IT systems and data.

The system owner is responsible for one or more systems, each of which may hold and process data owned by different data owners. A system owner is responsible for integrating security considerations into application and system purchasing decisions and development projects. The system owner is responsible for ensuring that adequate security is being provided by the necessary controls, password management, remote access controls, operating system configurations, and so on. This role must ensure the systems are properly assessed for vulnerabilities and must report any vulnerabilities found to the incident response team and the data owner.

The data owner (information owner) is usually a member of management who is in charge of a specific business unit, and who is ultimately responsible for the protection and use of a specific subset of information. The data owner has due care responsibilities and thus will be held responsible for any negligent act that results in the corruption or disclosure of the data. The data owner decides upon the classification of the data she is responsible for and alters that classification if the business need arises. This person is also responsible for ensuring that the necessary security controls are in place, defining security requirements per classification and backup requirements, approving any disclosure activities, ensuring that proper access rights are being used, and defining user access criteria. The data owner approves access requests or may choose to delegate this function to business unit managers.
Incorrect Answers:
A: Business and functional managers are not responsible for ensuring that proper controls are in place to address the integrity, confidentiality, and availability of IT systems and data.

B: IT Security practitioners implement the security controls. However, they are not ultimately responsible for ensuring that proper controls are in place to address the integrity, confidentiality, and availability of IT systems and data.

D: The Chief Information Officer (CIO) is responsible for the strategic use and management of information systems and technology within the organization. The CIO is not responsible for ensuring that proper controls are in place to address the integrity, confidentiality, and availability of IT systems and data.

Reference: Harris, Shon. All-in-One CISSP Exam Guide, 6th Edition. McGraw-Hill, New York, 2013, p. 121.

