I just started studying up for the CISSP and am having trouble understanding a few concepts:

  • Data owner
  • Data custodian
  • System owner

Somewhere I read:

The data owner (information owner) is usually a member of management who is in charge of a specific business unit, and who is ultimately responsible for the protection and use of a specific subset of information.

The data custodian (information custodian) is responsible for maintaining and protecting the data.

But in the practical world, what exactly is the boundary between these roles? Both seem to be protecting data.

Any real-world example helps.

kudlatiger
  • I'm a little confused by your confusion. "member of management who is in charge of a specific business unit" vs "responsible for maintaining and protecting the data" seems pretty clear. Head of Finance owns the financial data. The server admin who maintains the server on which the finance system lives. – schroeder Sep 15 '19 at 17:00
  • So you mean the Head of Finance is the data owner and the server admin is the data custodian. Great, thanks. Then who is the system owner? Is it operations? – kudlatiger Sep 16 '19 at 02:11

1 Answer

Real example:

Data Owner - the administrator/CEO/board/president of a company

Data custodian - the ones taking care of the actual data - like IT staff (generally) or HR staff (for HR-related data)

System owner is the individual that is in charge of one or more systems, which may contain and operate data owned by various data owners.

Example, from a pure CISSP perspective: the IT server staff. They are responsible for creating information plans together with data owners, the system administrator and end users. They must maintain the system security plan according to the pre-agreed security requirements, and they are involved in many security aspects of all systems that hold the data.

Limited example: an HR employee who has a PC with company data on it is in theory a system owner, but not a data owner. He will operate on the data, but the data does not belong to him. So the system owner may be considered an operator in such a limited case. Although in most cases such employees should be just users, in many cases they are not only that, and therefore they can be put under this category.

Overmind