Data owners are responsible for determining who accesses sensitive information as well as the level of access (e.g., read, write, etc.), but at what point should data owner approval be checked by the security team? In other words, when is it appropriate for the security administrator to deny an owner-approved request for access?
Before answering this question, let's take a look at the role a data owner plays. Data maintained by an organization is actually the property of the business owners and customers. In the case of publicly traded companies, the business owners are the shareholders. Customer-owned data includes personally identifiable information (PII) and electronic protected health information (ePHI). Employees responsible for determining trust levels and access controls are simply the stewards of sensitive information, but we typically refer to them as data owners for the purpose of making security control decisions.
Except in cases where data is generated and stored strictly for the purpose of network or system management, IT personnel are not data owners. Rather, they are data custodians responsible for implementing and managing security controls in accordance with data owner wishes. This is also true of security team members.
Security is responsible to help data owners understand risk to information resources and ways to mitigate that risk. However, data owners usually have the final say as to the level of controls — and the appropriate costs — associated with sensitive data.
I say usually because there are instances in which data owners make decisions that might put business owners or customers into a high-risk situation. For example, data owner directives that violate regulatory standards, such as HIPAA, should not be implemented without review by executive management.
During my years as a security professional, I've found data owners to be very responsible when making data protection decisions. These members of the business management team are usually department managers who take their stewardship role very seriously. Still, there are rare instances in which decisions are made that throw off the control/productivity balance by elevating risk to a high level in order to implement what is seen as a business-critical process. I believe that in such cases it is the responsibility of the security department to take appropriate steps to block implementation until an executive review is performed.
Delaying implementation of high-risk solutions is relatively easy at my place of employment. Security has to sign off on all changes to the production environment. If the security analyst is uncomfortable with the level of trust provided to data within an upgraded or new solution, he or she declines to sign off.
In some cases, executive management has decided to push forward anyway. When this happens, the executive manager making the decision is asked to sign off on the change instead of the security department. Having an executive take written responsibility for a high-risk situation usually gives that executive a whole new perspective, and he or she often asks the data owner to take another approach.
Security can't always prevail when a high-risk situation presents itself. The final decision rests with executive management. However, we should ensure that questionable data owner decisions are reviewed before access is granted or controls implemented.