nerdexam
(ISC)2

CISSP · Question #335

What MUST each information owner do when a system contains data from multiple information owners?

The correct answer is A. Provide input to the Information System (IS) owner regarding the security requirements of the. When multiple information owners share a system, each owner must contribute their security requirements to the IS owner who is responsible for the overall system. This ensures all data classification and protection needs are incorporated into the system's security posture.

Submitted by katya_ua· Mar 5, 2026Asset Security

Question

What MUST each information owner do when a system contains data from multiple information owners?

Options

  • AProvide input to the Information System (IS) owner regarding the security requirements of the
  • BReview the Security Assessment report (SAR) for the Information System (IS) and authorize the
  • CDevelop and maintain the System Security Plan (SSP) for the Information System (IS) containing
  • DMove the data to an Information System (IS) that does not contain data owned by other

How the community answered

(45 responses)
  • A
    89% (40)
  • B
    2% (1)
  • C
    2% (1)
  • D
    7% (3)

Why each option

When multiple information owners share a system, each owner must contribute their security requirements to the IS owner who is responsible for the overall system. This ensures all data classification and protection needs are incorporated into the system's security posture.

AProvide input to the Information System (IS) owner regarding the security requirements of theCorrect

Each information owner is responsible for understanding the sensitivity and security requirements of their own data. When data from multiple owners resides on a shared system, each owner must provide input to the IS owner so those requirements can be incorporated into the System Security Plan and overall security controls. The IS owner cannot independently determine the protection needs of data they do not own, making this collaborative input mandatory under NIST and DoD information security frameworks.

BReview the Security Assessment report (SAR) for the Information System (IS) and authorize the

Reviewing the Security Assessment Report (SAR) and authorizing the system is the responsibility of the Authorizing Official (AO), not the information owner, making this an incorrect role assignment.

CDevelop and maintain the System Security Plan (SSP) for the Information System (IS) containing

Developing and maintaining the System Security Plan (SSP) is the responsibility of the Information System (IS) owner, not the individual information owners who share the system.

DMove the data to an Information System (IS) that does not contain data owned by other

Moving data to a separate system is not a required or practical obligation; shared systems are a common and acceptable architecture as long as appropriate security controls are in place for all data owners.

Concept tested: Information owner responsibilities in shared IS environments

Source: https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/final

Topics

#information owner#data ownership#security requirements

Community Discussion

No community discussion yet for this question.

Full CISSP Practice