Data Roles

This post summarizes the roles involved in managing data in IT systems.

These roles are drawn from the USA's NIST SP 800-18 Rev. 1 "Guide for Developing Security Plans for Federal Information Systems" and from the European Union's General Data Protection Regulation (GDPR).

These data roles are covered in the CISSP exam, under CISSP Domain 2.

Data Roles

The roles that are reviewed in this post are:

  • Data owner
  • Asset/system owner
  • Business/mission owner
  • Data processor
  • Data controller
  • Data steward
  • Custodian
  • Administrator
  • User
  • Data Subject

Data Owner

A data owner (also known as organizational owner or senior manager) is the person who has ultimate organizational responsibility for the data.

Responsibilities, according to NIST SP 800-18 Rev. 1 “Guide for Developing Security Plans for Federal Information Systems”:

  • Establishes the rules for appropriate use and protection of the subject data/information (rules of behaviour)
  • Provides input to information system owners regarding the security requirements and security controls for the information system(s) where the information resides
  • Decides who has access to the information system and with what types of privileges or access rights
  • Assists in the identification and assessment of the common security controls where the information resides

Asset/system Owner

An asset owner or system owner is the person who owns the asset or system that processes sensitive data.

Responsibilities, according to NIST SP 800-18 Rev. 1 “Guide for Developing Security Plans for Federal Information Systems”:

  • Develops the system security plan
  • Maintains the system security plan and ensures that the system is deployed and operated according to the agreed-upon security requirements
  • Ensures that system users and support personnel receive appropriate security training, such as instruction on rules of behaviour (or an AUP)
  • Updates the system security plan whenever a significant change occurs
  • Assists in the identification, implementation, and assessment of the common security controls

Business/mission Owner

A business owner or mission owner is the person who owns the business processes that rely on the systems.

Data Processor

A data processor, according to GDPR, is a person or entity that processes data on behalf of a data controller.

It may be a third party.

Data Controller

A data controller, according to GDPR, is a person or entity that controls the processing of data, which may be delegated to a data processor.

Data Steward

A data steward is responsible for ensuring the quality and fitness for purpose of the organization’s data assets, including the metadata for those data assets.

The data steward acts as a liaison between the IT department and the business side of an organization.

Custodian

A custodian is a person who performs day-to-day tasks on a system, such as backups, log management, etc. Nevertheless, custodians do not assign permissions to data.

The custodian is typically someone within the IT department.

Administrator

An administrator is a person who assigns permissions to data, always at the request of the data owners.

User

A user is a person who accesses data in a system.

Data Subject

A data subject, according to GDPR, is a person who can be identified through an identifier.

External references

  • NIST; "SP 800-18 Rev. 1"
  • European Parliament; "General Data Protection Regulation"
  • M. Chapple, J. M. Stewart, D. Gibson; “CISSP Official Study Guide Third Edition”; pp. 204-208; Wiley, 2021
  • M. Chapple, D. Seidl; “CISSP Official Practice Test Third Edition”; Chapter 2, Question 72, 79, 85, 87, 93 and 94; Wiley, 2021