CISSP · Question #335
What MUST each information owner do when a system contains data from multiple information owners?
The correct answer is A. Provide input to the Information System (IS) owner regarding the security requirements of the. When multiple information owners share a system, each owner must contribute their security requirements to the IS owner who is responsible for the overall system. This ensures all data classification and protection needs are incorporated into the system's security posture.
Question
What MUST each information owner do when a system contains data from multiple information owners?
Options
- AProvide input to the Information System (IS) owner regarding the security requirements of the
- BReview the Security Assessment report (SAR) for the Information System (IS) and authorize the
- CDevelop and maintain the System Security Plan (SSP) for the Information System (IS) containing
- DMove the data to an Information System (IS) that does not contain data owned by other
How the community answered
(45 responses)- A89% (40)
- B2% (1)
- C2% (1)
- D7% (3)
Why each option
When multiple information owners share a system, each owner must contribute their security requirements to the IS owner who is responsible for the overall system. This ensures all data classification and protection needs are incorporated into the system's security posture.
Each information owner is responsible for understanding the sensitivity and security requirements of their own data. When data from multiple owners resides on a shared system, each owner must provide input to the IS owner so those requirements can be incorporated into the System Security Plan and overall security controls. The IS owner cannot independently determine the protection needs of data they do not own, making this collaborative input mandatory under NIST and DoD information security frameworks.
Reviewing the Security Assessment Report (SAR) and authorizing the system is the responsibility of the Authorizing Official (AO), not the information owner, making this an incorrect role assignment.
Developing and maintaining the System Security Plan (SSP) is the responsibility of the Information System (IS) owner, not the individual information owners who share the system.
Moving data to a separate system is not a required or practical obligation; shared systems are a common and acceptable architecture as long as appropriate security controls are in place for all data owners.
Concept tested: Information owner responsibilities in shared IS environments
Source: https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/final
Topics
Community Discussion
No community discussion yet for this question.