Data Authority or Data Owner
It is the responsibility of the data authority or data owner to work with the Information Security Officer to identify an acceptable level of risk related to the access, use, storage, and protection of a particular type or collection of data. The data authority or data owner is an individual, not a group, department, or committee. This individual may delegate tasks to other employees. For assistance in identifying data owners in ambiguous situations, please see the CSU Information Security Asset Management Standard.
The Data Authority or Data Owner's responsibilities must be performed throughout the life cycle of the data until it is properly disposed of.
Those responsibilities include:
- Inventory and classify data according to the CSU Information Asset Management Policy and the CSU Information Security Data Classification Standard;
- Comply with the CSU Access Control Standard in authorizing, tracking, and documenting end users of data, uses of data, and stewards of data (individuals who store and protect data);
- Specify and document data controls and communicate them to the data users, data stewards, and the Information Security Officer. These controls must comply with the CSU Information Security Asset Management Standard, the CSUB Physical Security Standard, and the CSUB Access Security Standard. They include, but are not limited to, passwords, access control, encryption, physical locks, and backups;
- Work with the Information Security Officer to approve, justify, and document exceptions to security controls;
- Appoint and authorize a Data Steward to both store and protect the data;
- Annually confirm with the Data Steward that controls are in place, and review access lists.
Data Steward
It is the responsibility of the Data Steward to store and protect the data they are responsible for, as appointed by the Data Authority or Data Owner. The Data Steward must perform regular backups of data (what should be the timeframe?), restore data from backup media (what should be the timeframe?), implement and follow all controls specified by the Data Owner and the Information Security Officer, and notify the Data Authority or Data Owner and the Information Security Officer of any vulnerabilities affecting the security of the data and of any actual or attempted violations of security policies, standards, practices, and procedures. Data Stewards may include systems administrators, database administrators, and managers of physical storage locations or facilities.
Principle of Least Privilege (POLP)
The principle that any user, program, or process should have only the bare minimum privileges necessary to perform its function. For example, a user account created for pulling records from a database doesn't need admin rights, while a programmer whose main function is updating lines of legacy code doesn't need access to financial records.
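As an added illustration of the database example above (this code is not part of the CSUB standard), the following Python script uses SQLite's read-only open mode to give a record-pulling task exactly the privilege it needs: it can SELECT but cannot modify or delete data, and the script checks that a write attempt is in fact refused. The database file, table name and sample rows are constructed for the demonstration.

```python
import os
import sqlite3
import tempfile
from pathlib import Path


def setup_database(path):
    """Owner-level task: create the constructed sample 'records' table.

    This is the only place a read-write connection is used.
    """
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE records (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO records (name) VALUES (?)", [("alice",), ("bob",)])
    conn.commit()
    conn.close()


def open_read_only(path):
    """Least-privilege connection: SQLite's URI 'mode=ro' permits SELECT only."""
    return sqlite3.connect(Path(path).as_uri() + "?mode=ro", uri=True)


def pull_records(path):
    """The record-pulling job: needs nothing beyond a read-only connection."""
    conn = open_read_only(path)
    try:
        return [row[1] for row in conn.execute("SELECT id, name FROM records ORDER BY id")]
    finally:
        conn.close()


def write_refused_for_reader(path):
    """Control check: return True if the read-only account cannot delete data."""
    conn = open_read_only(path)
    try:
        conn.execute("DELETE FROM records")
        conn.commit()
        return False  # privilege was broader than the function required
    except sqlite3.OperationalError:
        return True   # 'attempt to write a readonly database': control holds
    finally:
        conn.close()


def demo():
    """Run the whole scenario on a temporary database and report the outcome."""
    path = os.path.join(tempfile.mkdtemp(), "records.db")  # constructed location
    setup_database(path)
    before = pull_records(path)
    refused = write_refused_for_reader(path)
    after = pull_records(path)
    return {"records": before, "write_refused": refused, "records_after": after}


if __name__ == "__main__":
    print(demo())
```

The same pattern applies to server databases with real role systems: grant the reporting account SELECT on the tables it reads and nothing else, then verify, as above, that a write through that account fails before relying on the control.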
Related Documents/Links
- CSU Access Control Standard
- CSU Information Asset Management Policy
- CSU Information Security Asset Management Standard
- CSU Information Security Data Classification Standard
- CSU Information Security Roles and Responsibilities Standard
- ICSUAM 8015 Organizing Information Security
- ICSUAM 8015.S000 Information Security Roles and Responsibilities Standard
Office of Information Security
InformationSecurity@csub.edu
(661) 654-3425
Doug Cornell
Information Security Officer
dcornell@csub.edu
(661) 654-3474
Office: LIB ITV2C