Domain 5 · 5.1 Security Governance

5.1.5 Roles & Responsibilities

Owners, controllers, processors, custodians.

13 min

Organizations must define specific roles and responsibilities to ensure data is protected, legally compliant, and technically sound throughout its lifecycle.

Data Ownership and Governance - Data Owner: The entity (usually the organization, not an individual) that holds legal rights, copyrights, or trademarks to the information. The owner defines the sensitivity level, determines classification, and has the ultimate authority to sell, destroy, or delegate data. - Data Controller: A role emphasized by the GDPR; this entity determines the *purpose* and *means* of processing personal data. They are responsible for ensuring overall compliance with privacy laws and reporting data handling systems. - Data Processor: A third-party entity that handles data on behalf of the controller. They do not own the data and must follow the specific instructions and guidelines provided by the controller. - Data Custodian: The individual responsible for the technical environment and database management. They handle the "hands-on" work, including backups, encryption, integrity checks, and maintaining storage systems.

Access Control Roles - Role-Based Access Control (RBAC): A non-discretionary model where permissions are tied to predefined roles (e.g., Manager, Auditor, Specialist) rather than individual users. - Assignment: Unlike Discretionary Access Control (DAC), the resource owner cannot always grant access; typically, an administrative-level user must assign a user to the appropriate role. - Hierarchy: Roles are established based on job functions, such as supervisory or data-entry roles, ensuring users only inherit the privileges necessary for their specific business duties.

Third-Party Considerations - Contractual Ownership: Many disputes arise concerning data created during a service contract. Organizations must establish clear agreements with third parties to ensure they retain ownership of data processed on external systems. - Privacy Compliance: Multi-national corporations often adopt GDPR-style roles globally to standardize how they protect Personally Identifiable Information (PII) and avoid legal disputes regarding unauthorized disclosure.

Exam tips - Data Owner = Ultimate legal responsibility and classification authority. - Data Controller = Decides *why* and *how* data is used (GDPR focus). - Data Processor = Performs the actual data tasks for the controller. - Data Custodian = Manages the technical implementation (backups/security). - RBAC = Uses job functions (roles) to manage access, not individual user accounts.