# Security Roles and Responsibilities

One-sentence definition: Defined accountabilities for protecting information across owners, custodians, users, and oversight bodies.

## Key Facts

- Data/Business Owner: classifies data, defines acceptable risk, approves access.
- System Owner: budgets and maintains the system meeting owner requirements.
- Custodian/Administrator: implements and operates controls, backups.
- Users: follow AUP, protect credentials, report incidents.
- Security Manager/Officer: designs program, policies, risk processes.
- Privacy Officer/DPO: oversees personal data compliance and rights handling.
- Auditor: independent assurance of control design/effectiveness.
- **Label:** **Accountability** rests with owners; responsibility is shared.
- **Verify:** check official (ISC)² CBK and current exam outline.

## Exam Relevance

- Map actions to the correct role in scenario questions.

**Mnemonic:** “Owner decides; Custodian does; User uses.”

## Mini Scenario

Q: Who approves classification labels and access rules for a dataset?

A: The data/business owner.

## Revision Checklist

- Match each role to one responsibility.
- Identify who accepts risk.
- Distinguish owner vs system owner vs custodian.

## Related

[[Security Governance]] · [[Data Classification (Governance Overview)]] · [[Acceptable Use Policy (AUP)]] · [[Security Policy Hierarchy]] · [[Compliance and Regulatory Concepts]] · [[Domain 1 - Index]]