Is there a difference between the data owner and the data controller for CISSP?
-
In Adam's notes in the CISSP 2021 course he lists 7 roles relating to data lifecycle management. Two of those roles are: data owner and data controller. These roles as described seem to be the same, and when I search for clarity on the Internet, the two terms appear synonymous with each other. The one caveat to that is I have seen statements like "the data controller is the same as data owner when a true data owner does not exist." Of course nowhere do they ever explain what a "true data owner" is.
Are they the same thing in reality or is there some slight distinction that you could explain between the two preferably with examples?
Thanks!
Doug
-
Hey there @Doug-Campbell
The way most approach those two roles is to use one or the other. However, from a role-based perspective, the Data Owner is ACCOUNTABLE and the Data Controller is RESPONSIBLE for the data. This is in a typical RACI chart. Responsible parties work with and "control the actions used upon the data," whereas the parties that are Accountable are "liable for the actions used on the data and the final conditions of the data." In an environment where there are no official data owners to assign, the Data Controller would take on the accountability aspects.
Overall, I wouldn't worry too much about the delineation between the two. Hope that helps Doug!
-
Thanks @Chris-Ward-1! That does really help clarify things for me. Much appreciated!
-
@Chris-Ward-1: Can you clear something up for me on the Accountable vs. Responsible piece? If you're the Data Owner, and I'm the Data Controller, and I completely mess up the data in some way, does that mean you're liable for the data even though I messed it up? This may be way above my pay grade (fancy way of saying "over my head"). Thanks!
-
Hey @David-Thompson
Pretty much. What you'll find is that many people will double up on roles in small to medium-sized companies. Plus, in an ISO 27001 environment, the organization's Board of Directors is ultimately accountable for much of what happens in the company. What typically happens is that the person responsible will be working closely with the accountable person, with a reporting structure to the accountable and support in resources to the responsible. It's supposed to be a two-way street. In reality, this can become an issue if there isn't appropriate communication and well-defined tasks. And in the case of your example, if it was a bad enough incident, you'd be fired. :-)
Great question David!!