Data owner vs Data custodian - What's the difference?
I just started studying up for the CISSP and am having trouble understanding a few concepts:
Data owner
Data custodian
System owner
Somewhere I read:
The data owner (information owner) is usually a member of management who is in charge of a specific business unit, and who is ultimately responsible for the protection and use of a specific subset of information. The data custodian (information custodian) is responsible for maintaining and protecting the data.

But in the practical world, what exactly is the boundary for these roles? Both seem to be protecting data.
Real example of Data owner vs Data custodian:

Data Owner - the administrator/CEO/board/president of a company

Data custodian - the ones taking care of the actual data - like IT staff (generally) or HR staff (for HR-related data)

System owner is the individual that is in charge of one or more systems, which may contain and operate data owned by various data owners.

Example, from a pure CISSP perspective: the IT servers staff. They are responsible for creating information plans together with data owners, the system administrator and end users. They must maintain the system security plan by the pre-agreed security requirements, and they are involved in many security aspects of all systems that hold the data.

Limited Example: an HR employee that has a PC with company data on it is in theory a system owner, but not a data owner. He will operate on the data, but the data does not belong to him. So the system owner may be considered an operator in such a limited case. Although in most cases such employees should be just users, in many cases they are not only that; therefore they can be put under this category.