Exam CISSP topic 1 question 132 discussion

Information/ data owner does the classification and can delegate job for transfer to custodian

B. OSG 9th Edition PG. 207. Data owners often delegate day-day tasks to the custodian.

Data owner = authority

key word is authoritative, that is the data/information owner

Scope: Information Owner: Focuses on the strategic management, policies, and decision-making related to specific data assets. Data Custodian: Primarily concerned with the technical implementation, storage, and security of data assets. Decision-Making Authority: Information Owner: Holds decision-making authority regarding data policies, access controls, and overall data strategy. Data Custodian: Implements decisions made by the information owner and focuses on technical execution. Accountability: Information Owner: Ultimately accountable for the governance, quality, and strategic use of the data assets they own. Data Custodian: Accountable for the secure storage, processing, and technical aspects of data management. Involvement in Governance: Information Owner: Actively involved in data governance, policy creation, and ensuring alignment with organizational goals. Data Custodian: Implements and enforces governance policies but may not be directly involved in setting high-level data strategy.

Answer B) Information Owner https://blog.idatainc.com/data-governance-roles

B. OSG 9th Edition. Keyword "authoritative".

I go with B. Data custodian doesn’t have any authoritative over data, they are just responsible for the day to day activities including data backup etc, after being advised by the Information Owner.

Answer:C Data Owner has ultimate responsibility of the data and hence the classification of the data. Once classification is decided, it is delegated to Data Custodian to carry out the task.

I think its B due to "authoritative" being used. plus 9th edition Page 204 has insight on data owners being the main personnel to make those decisions.

data owner, or data custodian, may seem the correct answer/s

CISSP 9th Edition, Page 204....

I go with B The National Institute of Standards and Technology (NIST) Special Publication 800-171, which provides guidance for protecting CUI in nonfederal systems and organizations, states that the "information owner is responsible for identifying and marking CUI and specifying the safeguarding or dissemination controls to be applied to the information."

i voted C, owner only classified data

The authoritative guidance for the transfer of Controlled Unclassified Information (CUI) between systems of differing security classifications is provided by the Information Owner. The Information Owner is responsible for ensuring that the information is appropriately protected and managed throughout its lifecycle, including during transfer between systems. In this case, the Information Owner should consult with the organization's information security manager and follow any applicable policies, procedures, and guidelines for handling CUI.

data/info owner

D. Mission/Business Owner is the role that provides the authoritative guidance for the transfer of project-related Controlled Unclassified Information (CUI) between systems of differing security classifications. The mission/business owner is responsible for the overall mission or business objectives of the organization and has the authority to make decisions about the handling of project-related CUI, including the transfer of CUI between systems with differing security classifications. A. The Project Manager (PM) is responsible for the planning, execution, and closing of the project, but not for the Security/protective measures of the information/data. B. Information owner is responsible for determining the level of protection and access controls required for the CUI. C. Data Custodian is responsible for the physical and technical protection of the information and systems containing the CUI. Source: openai