Data owners aren't always the final word in data protection

Data owners are responsible for determining who accesses sensitive information as well as the level of access (e.g., read, write, etc.), but at what point should data owner approval be checked by the security team? In other words, when is it appropriate for the security administrator to deny an owner-approved request for access?

Before answering this question, let's take a look at the role a data owner plays. Data maintained by an organization is actually the property of the business owners and customers. In the case of publicly traded companies, the business owners are the shareholders. Customer-owned data includes personally identifiable information (PII) and electronic protected health information (ePHI). Employees responsible for determining trust levels and access controls are simply the stewards of sensitive information, but we typically refer to them as data owners for the purpose of making security control decisions. 

Except in cases where data is generated and stored strictly for the purpose of network or system management, IT personnel are not data owners. Rather, they are data custodians responsible for implementing and managing security controls in accordance with data owner wishes. This is also true of security team members.

Security is responsible to help data owners understand risk to information resources and ways to mitigate that risk. However, data owners usually have the final say as to the level of controls -- and the appropriate costs -- associated with sensitive data.

I say usually because there are instances in which data owners make decisions that might put business owners or customers into a high-risk situation. For example, data owner directives that violate regulatory standards, such as HIPAA, should not be implemented without review by executive management. 

During my years as a security professional, I've found data owners to be very responsible when making data protection decisions. These members of the business management team are usually department managers who take their stewardship role very seriously. Still, there are rare instances in which decisions are made that throw off the control/productivity balance by elevating risk to a high level in order to implement what is seen as a business-critical process. I believe that in such cases it is the responsibility of the security department to take appropriate steps to block implementation until an executive review is performed. 

Delaying implementation of high-risk solutions is relatively easy at my place of employment. Security has to sign off on all changes to the production environment. If the security analyst is uncomfortable with the level of trust provided to data within an upgraded or new solution, he or she declines to sign off. 

In some cases, executive management has decided to push forward anyway. When this happens, the executive manager making the decision is asked to sign off on the change instead of the security department. Having an executive take written responsibility for a high-risk situation usually gives that executive a whole new perspective, and he or she often asks the data owner to take another approach.

Security can't always prevail when a high-risk situation presents itself. The final decision rests with executive management. However, we should ensure that questionable data owner decisions are reviewed before access is granted or controls implemented.


Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be publish...


Tom has some very good information as well as Mark's response. Thank you all.


Tom, Not all companies have the controls and policies in place that you're referring to. To most, even larger firms, this is more or less a pipe dream. I met with a F50 firm just this week and their issue is that they are spinning their wheels trying to establish a data security framework with policy based data controls. They are just starting the process. Wouldn't it be desirable to have a tool or system that would allow the data owners to perform their functions as they normally would, while providing security the ability to define and ENFORCE the data access, access expiration, data retention, and data destruction policies set forth? Of course you'd want the policies to be defined per user or group, but also applied to the data itself, which data, by whom, between which times, etc. The system would have to be completely transparent to the data owners and others that require access to the sensitive data. This would completely eliminate the possibility of a data owner making a potentially risky mistake - even if it was done without malice. Until companies progress to the point in which they have the controls you describe, there are tools available to help security implement and enforce policies. These policies can be enforced transparently to the users and applications, and stay persistently with the sensitive data -regardless of where that data resides. I completely agree that security must be the 'watchdogs' of sensitive company data, but they should also be the 'enforcers' of the policies they put in place. Mark Buczynski EVP Product Management & Marketing BitArmor Systems, Inc.

Editor's Picks