1 00:00:00,500 --> 00:00:02,070 Data Ownership. 2 00:00:02,070 --> 00:00:05,250 In this lesson, we are going to talk about data ownership 3 00:00:05,250 --> 00:00:07,870 and some of the things that are important inside of it. 4 00:00:07,870 --> 00:00:09,670 Now, when we talk about data ownership, 5 00:00:09,670 --> 00:00:12,740 this is the process of identifying the person responsible 6 00:00:12,740 --> 00:00:15,460 for the confidentiality, integrity, availability, 7 00:00:15,460 --> 00:00:18,120 and privacy of the information assets. 8 00:00:18,120 --> 00:00:19,740 Now, you might think that the data owner 9 00:00:19,740 --> 00:00:21,460 is the person who created that file, 10 00:00:21,460 --> 00:00:23,410 but that's not what we're talking about. 11 00:00:23,410 --> 00:00:25,790 In an enterprise environment, there are different roles 12 00:00:25,790 --> 00:00:28,490 that fall under this idea of data ownership. 13 00:00:28,490 --> 00:00:31,000 These include things like the data owner themselves, 14 00:00:31,000 --> 00:00:33,330 the data steward, the data custodian, 15 00:00:33,330 --> 00:00:35,040 and the privacy officer. 16 00:00:35,040 --> 00:00:36,750 Let's take a look at each of these. 17 00:00:36,750 --> 00:00:38,770 First, we have our data owner. 18 00:00:38,770 --> 00:00:41,270 This is going to be a senior executive role, 19 00:00:41,270 --> 00:00:43,030 and they have the ultimate responsibility 20 00:00:43,030 --> 00:00:45,330 for maintaining the confidentiality, integrity, 21 00:00:45,330 --> 00:00:48,180 and availability of the information asset. 22 00:00:48,180 --> 00:00:51,620 So what is their real role here as the data owner? 23 00:00:51,620 --> 00:00:53,320 It's not the person who created the file. 24 00:00:53,320 --> 00:00:54,770 It's the senior executive, 25 00:00:54,770 --> 00:00:56,790 and this data owner is going to be responsible 26 00:00:56,790 --> 00:00:59,360 for labeling the asset and ensuring that it's protected 27 00:00:59,360 --> 00:01:01,120 with the appropriate controls. 28 00:01:01,120 --> 00:01:04,920 So the data owner is going to say this type of information, 29 00:01:04,920 --> 00:01:06,330 when we're dealing with, let's say, 30 00:01:06,330 --> 00:01:08,300 the balance sheets for the corporation, 31 00:01:08,300 --> 00:01:11,100 they should be protected as financial information. 32 00:01:11,100 --> 00:01:13,560 So anybody who creates it will now follow my rules 33 00:01:13,560 --> 00:01:15,630 and label it as financial information. 34 00:01:15,630 --> 00:01:17,590 And we're going to protect financial information 35 00:01:17,590 --> 00:01:21,150 by doing X, Y, and Z, whatever those controls are. 36 00:01:21,150 --> 00:01:23,340 Now, the data steward is a role that's focused 37 00:01:23,340 --> 00:01:26,450 on the quality of the data and the associated metadata. 38 00:01:26,450 --> 00:01:28,130 This data steward is going to be somebody 39 00:01:28,130 --> 00:01:30,560 who is working for the data owner. 40 00:01:30,560 --> 00:01:33,000 They're going to be involved with making sure 41 00:01:33,000 --> 00:01:36,010 that the data is appropriately labeled and classified. 42 00:01:36,010 --> 00:01:38,480 So we said that all financial data 43 00:01:38,480 --> 00:01:40,200 should be labeled financial data, 44 00:01:40,200 --> 00:01:41,890 and it should be taken care of this way. 45 00:01:41,890 --> 00:01:43,440 That's going to be the role of the data steward, 46 00:01:43,440 --> 00:01:45,560 to make sure that's actually done. 47 00:01:45,560 --> 00:01:47,250 Now, as we go down even further, 48 00:01:47,250 --> 00:01:49,250 we get to our data custodian. 49 00:01:49,250 --> 00:01:50,640 This is a role that's responsible 50 00:01:50,640 --> 00:01:52,410 for handling the management of the system 51 00:01:52,410 --> 00:01:54,430 on which the data assets are stored. 52 00:01:54,430 --> 00:01:56,800 So who might be a data custodian? 53 00:01:56,800 --> 00:01:58,680 Well, a system administrator. 54 00:01:58,680 --> 00:01:59,910 These are the people responsible 55 00:01:59,910 --> 00:02:02,270 for enforcing the access control, the encryption, 56 00:02:02,270 --> 00:02:05,670 and the backup and recovery measures that protect this data 57 00:02:05,670 --> 00:02:08,830 based on the requirements set forth by that data owner. 58 00:02:08,830 --> 00:02:12,150 And so you can see how this all goes upward as you go. 59 00:02:12,150 --> 00:02:13,900 Then we have our privacy officer. 60 00:02:13,900 --> 00:02:15,570 Now, this is a role that's responsible 61 00:02:15,570 --> 00:02:18,760 for the oversight of any kind of privacy-related data, 62 00:02:18,760 --> 00:02:22,040 things like PII, SPI, or PHI, 63 00:02:22,040 --> 00:02:23,870 any of those things that are managed by the company 64 00:02:23,870 --> 00:02:26,240 fall under the realm of the privacy officer. 65 00:02:26,240 --> 00:02:28,030 This is the person who's going to really be on the hook 66 00:02:28,030 --> 00:02:29,060 if you have a data breach, 67 00:02:29,060 --> 00:02:30,960 because normally when you have a data breach, 68 00:02:30,960 --> 00:02:33,430 what people are concerned about is the private user data 69 00:02:33,430 --> 00:02:34,560 that has been expelled. 70 00:02:34,560 --> 00:02:36,700 And so that is going to be what they're focused on. 71 00:02:36,700 --> 00:02:38,150 They have to make sure that we are complying 72 00:02:38,150 --> 00:02:40,100 with the legal and regulatory frameworks 73 00:02:40,100 --> 00:02:41,660 and make sure that we have the right purpose, 74 00:02:41,660 --> 00:02:43,100 limitations and consent, 75 00:02:43,100 --> 00:02:45,350 we're doing data minimization, data sovereignty, 76 00:02:45,350 --> 00:02:47,590 data retention, all the stuff we've been talking about 77 00:02:47,590 --> 00:02:50,900 in this section falls under that privacy officer. 78 00:02:50,900 --> 00:02:53,990 Now, the real question is, who should own the data? 79 00:02:53,990 --> 00:02:55,460 Now, in a lot of organizations, 80 00:02:55,460 --> 00:02:59,270 they try to make the CIO or the IT department be in charge 81 00:02:59,270 --> 00:03:01,720 of all the information and be the data owners, 82 00:03:01,720 --> 00:03:05,400 but that is the wrong answer because as the IT personnel, 83 00:03:05,400 --> 00:03:06,840 we don't know about the data. 84 00:03:06,840 --> 00:03:08,570 We know about the systems. 85 00:03:08,570 --> 00:03:10,860 We should be the data custodians. 86 00:03:10,860 --> 00:03:13,250 Instead, the data owner should be somebody 87 00:03:13,250 --> 00:03:14,650 from the business side, 88 00:03:14,650 --> 00:03:16,970 the people who are creating this information, 89 00:03:16,970 --> 00:03:19,500 and each data owner can actually be specified 90 00:03:19,500 --> 00:03:21,290 inside their own department. 91 00:03:21,290 --> 00:03:23,860 So for instance, you might have the accounting department 92 00:03:23,860 --> 00:03:26,080 have their leader be the data owner, 93 00:03:26,080 --> 00:03:28,630 and they would have a data owner over their information 94 00:03:28,630 --> 00:03:30,970 because if I, as the IT person, 95 00:03:30,970 --> 00:03:33,100 am looking at some accounting data, 96 00:03:33,100 --> 00:03:35,400 I don't know it well enough to be able to classify it 97 00:03:35,400 --> 00:03:36,540 at the right level. 98 00:03:36,540 --> 00:03:37,750 And so this is one of those things 99 00:03:37,750 --> 00:03:39,030 that I think is really important, 100 00:03:39,030 --> 00:03:42,000 that the IT people should not be the data owners 101 00:03:42,000 --> 00:03:43,990 and the data owners should really be the people 102 00:03:43,990 --> 00:03:45,620 who know more about the data 103 00:03:45,620 --> 00:03:47,490 based on the content of the company. 104 00:03:47,490 --> 00:03:49,670 If your company is a software development company, 105 00:03:49,670 --> 00:03:51,170 then the software design department 106 00:03:51,170 --> 00:03:52,570 should probably be the data owner. 107 00:03:52,570 --> 00:03:53,820 If you're an accounting firm, 108 00:03:53,820 --> 00:03:56,430 it should be the financial department or the CFO. 109 00:03:56,430 --> 00:03:58,200 Somebody who knows about the data 110 00:03:58,200 --> 00:03:59,300 who can make the right decisions 111 00:03:59,300 --> 00:04:01,180 as far as labeling and classification, 112 00:04:01,180 --> 00:04:03,080 that is who should be your data owner.