PrepAway - Latest Free Exam Questions & Answers


Whose role is it to assign classification level to information?


A. Security Administrator

B. User

C. Owner

D. Auditor

Explanation:
The data owner (information owner) is usually a member of management who is in charge of a specific
business unit, and who is ultimately responsible for the protection and use of a specific subset of information.
The data owner has due care responsibilities and thus will be held responsible for any negligent act that results
in the corruption or disclosure of the data. The data owner decides upon the classification of the data she is
responsible for and alters that classification if the business need arises. This person is also responsible for
ensuring that the necessary security controls are in place, defining security requirements per classification and
backup requirements, approving any disclosure activities, ensuring that proper access rights are being used,
and defining user access criteria. The data owner approves access requests or may choose to delegate this
function to business unit managers.
Incorrect Answers:
A: The security administrator is responsible for implementing and maintaining specific security network devices
and software in the enterprise. It is not the role of the security administrator to assign classification level to
information.
B: The user is any individual who routinely uses the data for work-related tasks. It is not the role of the user to
assign classification level to information.
D: The auditor ensures that the correct controls are in place and are being maintained securely. It is not the role
of the auditor to assign classification level to information.

Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, pp. 121-125

