Data Roles and Responsibilities PDF
Uploaded by barrejamesteacher
Summary
This document describes the roles and responsibilities involved in data security, focusing on data owners, controllers, and processors. It emphasizes the importance of following data security guidelines to safeguard organizational data. It's relevant to a cybersecurity course.
Full Transcript
Certified Cybersecurity Technician Exam 212-82, Data Security: Data Roles and Responsibilities

Slide summary:
- Data Owners: individuals or steering committees having complete control over the data in an organization; they are solely responsible for the data assets of the organization.
- Data Controller: the person or organization that collects personal data and controls how it is processed, including processing it hands to a data processor.
- Data Processor: processes the data given by the data controller for a specific purpose.
- Data Steward / Custodian: the data steward is accountable for business data sets, and the data custodian is accountable for the technical data assets used to store and transport data.
- Privacy Officer: a senior executive who is responsible for the privacy of the organization's data; maintains privacy policies and investigates and tracks incidents and security loopholes.
- Data Protection Officer (DPO): ensures that sensitive information on personnel, customers, or any other individual is handled in line with the organization's compliance requirements.

Data Roles and Responsibilities

Data roles and responsibilities play an important part in the growth and development of an organization. They improve the visibility of the duties and tasks assigned to employees according to their roles. Assigning data roles makes sharing work and resources easier, supports collaboration, and thereby improves the quality of work. Organizations that process the personal data of individuals in the EU must follow the General Data Protection Regulation (GDPR), which defines several of these roles (controller, processor, and DPO); following the security guidelines specified for each role safeguards the organization's data. Discussed below are the data roles and responsibilities generally found in an organization.
Data Owners

Data owners are individuals or steering committees having complete control over the data in an organization; they are solely responsible for the organization's data assets. Only data owners have the right and authority to decide who can access or modify data. Only data owners can approve the organization's data glossaries or initiate data quality events, data requirements, and data solutions. Data owners are also accountable for data access, define policies for information assets, create trusted data, and eliminate redundancies.

Data Controller

The data controller is the natural or legal person (in practice usually the organization itself) that collects personal data and controls its processing, including any processing it hands to a data processor. The data controller determines "how" and "why" personal data are processed in the organization. Its responsibilities include collecting consent, storing data, and granting access rights. The data controller must be able to ensure, and demonstrate, compliance with the principles that apply to the processing of personal data.

Data Processor

The data processor is the person or organization that processes data on behalf of the data controller for a specific purpose or duty involving personal data. The processor does not own the personal data. Processors assist controllers in situations such as personal data breach notification and data protection impact assessments. The main duties of the data processor include maintaining records of data processing activities, following the controller's documented instructions, regularly reviewing those instructions, and ensuring that its own compliance obligations are met.

Module 15 Page 1755. Certified Cybersecurity Technician. Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
Data Steward/Custodian

Data steward and data custodian are the two roles given to the subject matter experts responsible for managing data on a daily basis. The data steward is accountable for business data sets, and the data custodian is accountable for the technical data assets used to store and transport data. The data custodian role typically sits with the IT department: it maintains the company's infrastructure, data security, configuration, asset management, business rule implementation, and so on. The responsibilities of the data custodian include authorizing data access, appointing a data steward for every data set, maintaining data integrity, keeping new data consistent with the existing data model, and auditing data content.

Privacy Officer

The privacy officer is a senior executive who is responsible for the privacy of the organization's data. Their main responsibilities include implementing and maintaining privacy policies that reflect current privacy concerns, investigating and tracking incidents and security loopholes in the organization, monitoring and managing data protection measures, and conducting privacy awareness programs in the organization.

Data Protection Officer (DPO)

The DPO supervises data protection compliance in the organization and safeguards the organization's data. The DPO ensures that sensitive information about personnel, customers, or any other individual is handled in line with the organization's compliance requirements, and advises the controllers on their data protection rights and responsibilities. The DPO's responsibilities include educating employees about regulatory compliance, performing security audits, monitoring performance, providing advice on data protection, and maintaining a record of all data processing activities.
Data Classification

Slide summary:
- Data classification is the process of assigning sensitivity levels to data while the data are being generated, modified, saved, or passed over an information system.
- Data classification gives organizations a sense of data criticality and of the level of security that needs to be implemented for different types of business data.
- Data can be classified into five levels: top secret, highly confidential information, proprietary information, information for internal use, and public documents.

Data classification is the process of assigning sensitivity levels to data while the data are being generated, modified, saved, or passed over an information system. Data are a critical business asset; protecting the confidentiality, integrity, and availability of data is important for business operations and market competitiveness. Data classification gives organizations a sense of data criticality and of the level of security that needs to be implemented for different types of business data. While some business data need to be stored and processed only within the organization, other information may need to be distributed to related third parties. Confidential and sensitive data must therefore be protected from exposure. The sensitivity and importance of information determine how confidential it is and how it should be separated from the rest of the data. Data can be classified into five different levels as follows.

1. Top secret: This level includes highly sensitive information such as business plans and financial records. Exposing or leaking such information may cause severe damage to the organization's assets and reputation and may lead to legal consequences.
2. Highly confidential information: This level includes confidential corporate or customer data such as bank account details, credit card details, and social security numbers. Exposing this information can create financial or legal risks for the organization. Only authorized personnel can access this information.
3. Proprietary information: This level includes confidential internal information such as customer and employee reviews, third-party details, and the technology upgrades of a new product. It may also include intellectual property (IP). Exposing such information may adversely affect the organization's business operations.
4. Information for internal use: This level includes internal information such as the organization's charts and sales contest rules. Exposing this information may cause reputational damage to the organization. Such data should be accessible only to internal employees who have authorized access.
5. Public documents: This level includes information such as the organization's contact details, product lists, and price lists, which are freely available to the public. Such data are typically published on the organization's official website; the concern at this level is integrity rather than confidentiality, so the data should be protected from unauthorized modification.
Data Security Technologies

Slide summary:
- Data Access Control: authenticates and authorizes users to access data.
- Data Encryption: protecting information by transforming it in such a way that it cannot be read by an unauthorized party.
- Data Masking: protecting information by obscuring specific areas of data with random characters or codes.
- Data Resilience and Backup: making a duplicate copy of critical data that can be used for restore and recovery when a primary copy is lost or corrupted, either accidentally or on purpose.
- Data Destruction: destroying data so that it cannot be recovered and used for wrong motives.
- Data Retention: storing data securely for compliance or business requirements.

Data Access Control

Data access controls authenticate users and authorize their access to data. They are an important component of security compliance programs, protecting confidential information against unauthorized access.

Data Encryption

Encryption protects information by transforming it with a key so that it is unreadable to anyone who does not hold the corresponding decryption key. It safeguards corporate secrets, classified information, and personal information; encrypted data cannot be read by unauthorized persons or entities. The protection is only as strong as the secrecy of the key, so key management is part of the control.

Data Masking

Masking protects information by obscuring specific parts of a data value with random characters or codes. It protects sensitive data such as personally identifiable information, protected health information, payment card information, and intellectual property, and it also limits what an insider can see. Unlike encryption, masking is usually not meant to be reversed, which makes it suited to test environments, reports, and user interfaces where the full value is not needed. Implementing data masking bolsters an organization's security strategy.

Data Resilience and Backup

Backup means making a duplicate copy of critical data that can be used for restoring and recovery when the primary copy is lost or corrupted, either accidentally or on purpose. Data resilience keeps data available to applications when the system hosting the data fails. Retaining multiple copies of a backup makes restoring data easier and mitigates the risk of data corruption or malicious attacks; a backup that has never been test-restored should not be counted on.

Data Destruction

Data destruction destroys data so that it cannot be recovered and used for a wrong motive. Old hard drives and other electronic devices must be destroyed securely and safely. Destruction can be physical (destroying the media) or logical (securely overwriting it); either way, the old information of customers and employees must be made unrecoverable, and that result should be verified rather than assumed.

Data Retention

Data retention means storing data securely for compliance or business requirements. An organization should have policies and processes for the retention and removal of data. Data retention programs have a large impact on data security and help meet the expectations of customers and governments regarding the safeguarding of privacy.
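The Data Masking section above describes masking as obscuring parts of a value, and the Data Classification section lists credit card details and social security numbers under "Highly confidential information". The following Python example is added here to show both in working code; it is not code from the course or from EC-Council. The sample record, the regular expressions, the rule that a digit run passing the Luhn check is treated as a payment card number, and the mapping of findings onto the module's "Highly confidential" level are all assumptions made for this example.

```python
"""Detect and mask payment card numbers, US SSNs and e-mail addresses in
free text, then assign a sensitivity label. Added example; not course
material. Regexes, the Luhn rule and the label mapping are assumptions."""
import re
from typing import Dict, List, Tuple

# Candidate card numbers: 13 to 19 digits, optionally separated by single
# spaces or dashes. Confirmed with the Luhn check below so that order
# numbers or long IDs are not masked by accident (a random 13+ digit
# string still passes Luhn about one time in ten, so treat hits as
# candidates for review, not proof).
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US Social Security Number in the common dashed form (assumed format).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# Simplified e-mail pattern; good enough for masking, not for validation.
EMAIL_RE = re.compile(r"\b([A-Za-z0-9._%+-]+)@([A-Za-z0-9.-]+\.[A-Za-z]{2,})\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum over an ASCII digit string (as used by payment cards)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_digits_keep_last(value: str, keep: int = 4) -> str:
    """Replace all digits except the last `keep` with '*', keeping separators
    so the masked value still looks like the original field."""
    to_mask = sum(c.isdigit() for c in value) - keep
    out = []
    for c in value:
        if c.isdigit() and to_mask > 0:
            out.append("*")
            to_mask -= 1
        else:
            out.append(c)
    return "".join(out)


def mask_text(text: str) -> Tuple[str, List[str]]:
    """Mask sensitive values in `text`; return (masked text, finding types)."""
    findings: List[str] = []

    def card_sub(m: "re.Match[str]") -> str:
        raw = m.group(0)
        if not luhn_valid(re.sub(r"\D", "", raw)):
            return raw                      # fails Luhn: not a card, leave it
        findings.append("PAN")
        return mask_digits_keep_last(raw, 4)

    def ssn_sub(m: "re.Match[str]") -> str:
        findings.append("SSN")
        return mask_digits_keep_last(m.group(0), 4)

    def email_sub(m: "re.Match[str]") -> str:
        findings.append("EMAIL")
        local, domain = m.group(1), m.group(2)
        return local[0] + "*" * (len(local) - 1) + "@" + domain

    text = CARD_RE.sub(card_sub, text)
    text = SSN_RE.sub(ssn_sub, text)
    text = EMAIL_RE.sub(email_sub, text)
    return text, findings


def sensitivity_label(findings: List[str]) -> str:
    """Map findings onto the module's classification levels. Only the mapping
    the module supports is automated (card and SSN data are listed under
    'Highly confidential'); anything else is left for a human to classify."""
    if "PAN" in findings or "SSN" in findings:
        return "Highly confidential"
    return "Unclassified (review manually)"


def mask_record(record: Dict[str, str]) -> Tuple[Dict[str, str], str]:
    """Mask every string field of a record and label the whole record."""
    masked: Dict[str, str] = {}
    all_findings: List[str] = []
    for key, value in record.items():
        masked[key], found = mask_text(value)
        all_findings.extend(found)
    return masked, sensitivity_label(all_findings)


# Constructed sample record; 4111 1111 1111 1111 is a well-known test card
# number, and the SSN and e-mail are invented for this example.
SAMPLE_RECORD = {
    "customer": "Jane Doe",
    "notes": ("Card 4111 1111 1111 1111 on file; SSN 123-45-6789; "
              "contact jane.doe@example.com; order 1234567890123 (not a card)."),
}

if __name__ == "__main__":
    masked, label = mask_record(SAMPLE_RECORD)
    print(label)
    print(masked["notes"])
```

Masking keeps the last four digits and the separators, which is what support staff and receipts usually need, while the 13-digit order number is left alone because it fails the Luhn check. The label is deliberately conservative: the code only claims "Highly confidential" where the module's own list supports it and otherwise hands the record back for manual classification.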