The relationship between the information owner and information custodians must be clearly defined, and enforced by process, if sensitive data is to be properly protected.  That’s one of the reasons I paid special attention to a Charles Cresson Wood sample policy I received this week with my CSI Alert. 

The policy deals with information owner roles in deciding when and how information is released or made available to third party information processing organizations.  I agree, in principle, this is a needed policy.  However, I disagree with an assertion in Cresson Wood’s accompanying comments.

Before addressing where I disagree, let’s step back and review where this policy fits in an overall security program.  Cresson Wood’s policy is restricted to information owner involvement in outsourcing relationships.  This policy should be part of a larger, more comprehensive data classification and access control policy.  (Download an example.) 

A data classification and access control policy should accomplish the following:

  1. Establish a data classification scheme.  All data should be classified so information owners and custodians can make the right decisions about access controls, storage requirements, etc.  Information owners are responsible for assigning a specific classification to data, while custodians (typically IS) design, implement, and manage appropriate controls.
  2. Clearly define the role of information/data owner.  No confusion should exist about the responsibilities of information owners.  A data owner assignment document is a great way to formally ask a department head, for example, to assume responsibility for a data set.

The program-level policy must cover all instances of data access, including outsourcing situations.  Up to this point, Cresson Wood and I conceptually agree.  In fact, the download available above is loosely based on some of his work, available from various sources, including Information Security Policies Made Easy, Version 10.  But I disagree with his approach to information sharing, made in his sample policy explanation.

Cresson Wood writes that, once IS security defines specific criteria, the information owners should be left to decide when and to whom data is exposed.  I strongly disagree.  Even in the presence of well-defined criteria, information owners don’t always make the right choice.  I know of several cases in which well-intentioned information owner decisions were blocked by IS security.  In other words, information owner’s can’t sanction regulatory non-compliance or make decisions that clearly constitute corporate negligence. 

Finally, Cresson Wood believes reliance on checklists helps avoid bad security decisions.  I conditionally disagree.  It depends on who is using them. 

Checklists assume all decisions about information access conform to predefined scenarios.  Though most scenarios are usually considered, many are difficult to foresee.  Dependence on checklists might result in decisions that are too restrictive, in addition to those that may unreasonably expose data.  Use of lists to manage risk should fall only to those who understand when to make exceptions, exceptions that streamline business operations while continuing to protect sensitive information.  In most cases, meeting this objective requires oversight, and a final review, by security.