CISA Certified Information Systems Auditor – Question0952

Who is mainly responsible for protecting the information assets they have been entrusted with on a daily basis, by defining who can access the data, its sensitivity level and the type of access granted, and by adhering to corporate information security policies?

A. Data Owner
B. Security Officer
C. Senior Management
D. End User

Correct Answer: A

Explanation:
The Data Owner is the person who has been entrusted with a data set that belongs to the company. As such, they are responsible for classifying the data according to its value and sensitivity. The Data Owner decides who will get access to the data and what type of access will be granted, and tells the Data Custodian or System Administrator what access to configure within the systems. The owner sets the rules; the custodian implements them.
A business executive or manager is typically responsible for an information asset. These are the individuals who assign the appropriate classification to information assets and ensure that business information is protected with appropriate controls.
Periodically, information asset owners need to review the classification and access rights associated with their information assets. The owners, or their delegates, may be required to approve access to the information. Owners also need to determine the criticality, sensitivity, retention, backups, and safeguards for the information. Owners or their delegates are responsible for understanding the risks that exist with regard to the information they control.
The following answers are incorrect:
Executive Management/Senior Management – Executive management retains the overall responsibility for the protection of the organization's information assets, but does not classify individual data sets or grant access on a daily basis. Business operations depend on information being available, accurate, and protected from individuals without a need to know.
Security Officer – The security officer directs, coordinates, plans, and organizes information security activities throughout the organization. The security officer works with many different individuals, such as executive management, management of the business units, technical staff, business partners, auditors, and third parties such as vendors. The security officer and his or her team are responsible for the design, implementation, management, and review of the organization’s security policies, standards, procedures, baselines, and guidelines.
End User – The end user does not decide on the classification of the data or who may access it; users are expected to handle the data in accordance with the access rights granted by the owner and the corporate security policies.
Reference:
CISA Review Manual 2014, page 108
Official (ISC)2 Guide to the CISSP CBK, 3rd Edition, page 342