Whos responsibility is it to delegate day to day maintenance to the data custodian?

The data owner, who obviously has enough on his plate, delegates responsibility of the day-to-day maintenance of the data protection mechanisms to the data custodian.Data CustodianThe data custodian (information custodian) is responsible for maintaining and protecting thedata.This role is usually filled by the IT department, and the duties include performing regularbackups of the data, periodically validating the integrity of the data, restoring data from backupmedia, retaining records of activity, and fulfilling the requirements specified in the company'ssecurity policy, standards, and guidelines that pertain to information security and dataprotection.System OwnerThe system owner is responsible for one or more systems, each of which may hold and processdata owned by different data owners.A system owner is responsible for integrating security considerations into application and systempurchasing decisions and development projects.The system owner is responsible for ensuring that adequate security is being provided by thenecessary controls, password management, remote access controls, operating systemconfigurations, and so on.This role needs to ensure that the systems are properly assessed for vulnerabilities and mustreport any to the incident response team and data owner.Security AdministratorA security administrator's tasks are many, and include creating new system user accounts,implementing new security software, testing security patches and components, and issuing newpasswords.The security administrator role needs to make sure that access rights that are given to userssupport the policies and data owner directives.Security AnalystThis role works at a higher, more strategic level than the previously described roles and helps todevelop policies, standards, and guidelines and set various baselines.

Roles

A Data Owner has administrative control and has been officially designated as accountable for a specific information asset dataset.  This is usually the senior most officer in a division.  Some examples of Data Owners include the Registrar and student data; the Treasurer and financial data; the VP of Human Resources and employee data.  In most cases, the Data Custodian is not the Data Owner.

A system administrator or Data Custodian is a person who has technical control over an information asset dataset.  Usually, this person has the administrator/admin, sysadmin/sysadm, sa, or root account or equivalent level of access.  This is a critical role and it must be executed in accordance with the access guidelines developed by the Data Owner.

Data Users also have a critical role to protect and maintain TCNJ information systems and data.  For the purpose of information security, a Data User is any employee, contractor or third-party provider who is authorized by the Data Owner to access  information assets.

General Responsibilities of the Data Owner

1.  Ensure compliance with TCNJ policies and all regulatory requirements as they relate to the information asset.

2.  Assign an appropriate classification to information assets.

TCNJ recognizes three classifications of information assets:

Category I
College data protected specifically by federal or state law such as FERPA, HIPPA, PCI, Sarbanes-Oxley, Gramm-Leach-Bliley, contractual agreements requiring confidentiality, integrity, or availability considerations, or specific student or employee data.

Category II
College data not otherwise classified as Category I but is available for open public records act (OPRA) requests.

Category III
College data not otherwise classified as Category I or Category II.  This information is considered publicly available and has no requirement for confidentiality, integrity, or availability.

3.  Determine appropriate criteria for obtaining access to information assets.

A Data Owner is accountable for who has access to information assets within their functional areas.   A Data Owner may decide to review and authorize each access request individually or may define a set of rules that determine who is eligible for access based on business function, support role, etc.  Access must be granted based on the principles of least privilege as well as separation of duties. For example, a simple rule may be that all students are permitted access to their own transcripts or all staff members are permitted access to their own health benefits information.  These rules must be documented in a concise manner.

The Data Owner is also responsible for reviewing who has been given access twice per year to ensure accuracy.

General Responsibilities of the Data Custodian

1.  Assign and remove access to others based upon the direction of the Data Owner.

Assigning access to the information asset dataset so others can perform their respective job functions is an important and necessary part of the Data Custodian’s job.

2.  Produce reports or derivative information for others.

In many cases the Data Custodian is also responsible for producing, interpreting, and distributing information based on the datasets to which he or she has access.

3.  Log all information provided and access granted to others.

A log of all information that is disseminated must be kept including the dataset used, the receiving party, and the date.  Likewise, access granted to others must be logged including the access level granted and the dataset in question.

4.  Implement appropriate physical and technical safeguards to protect the confidentiality, integrity, and availability of the information asset dataset.

Data Custodians are expected to work with Data Owners to gain a better understanding of these requirements.  Security controls must be documented and shared with the Data Owner.

General Responsibilities of the Data User

1.  Adhere to policies, guidelines and procedures pertaining to the protection of information assets.

Users are required to follow all specific policies, guidelines, and procedures established by departments, schools, or business units with which they are associated and that have provided them with access privileges.  This includes information confidentiality and any reports from the dataset should not be shared or made accessible to others without express permission of the Data Owner.  The Data User is also charged with ensuring the security of any sensitive organizational data and should not leave copies of this data in unencrypted form on laptops or removable media.

2.  Report actual or suspected security and/or policy violations/breaches to an appropriate authority.

During the course of day-to-day operations, Data Users may come across a situation where they feel the security of information assets might be at risk. For example, a Data User comes across sensitive information on a website that he or she feels shouldn’t be accessible. If this happens, it is the Data Users responsibly to report the situation.

Requirements of the Data Custodian and Data User

In all cases, second hand data access requires written administrative permission of the respective Data Owner for the Data Custodian to assign access, re-distribute, or use the data.  Access requests must be specific and include justification.

In no event shall any type of access be granted without permission of the Data Owner.

Which one of the following is a key responsibility for the data custodian?

What is the role of a data custodian?

What are the three types of data ownership and their responsibilities?

What is the chief security responsibility of a data owner?