# Security Roles and Responsibilities

Backlink: [[Domain 1 - Index]]

**Definition:** Defined duties for owners, custodians, users, and leadership ensure accountability and effective control operation.

## Key Facts

- Senior management: ultimate accountability; approves policy.
- Data owner: classifies data; sets handling requirements; approves access.
- Custodian: operates controls on the owner's behalf (backups, access enforcement).
- User: follows policy; protects credentials; reports incidents.
- System owner vs. CISO roles; separation of duties (SoD) and least privilege mitigate risk.
- **Verify:** check the official (ISC)² CBK and the current exam outline.

>[!tip] **Exam Relevance**
> - "Who is responsible for...?" role mapping
> - Conflicts of interest and duty segregation

>[!note] **Mnemonic**
> - "Own → Care → Use."

### Example

Q: Who approves user access to a dataset?
A: The data owner (often via a delegated workflow).

## Revision Checklist

- [ ] Match 5 roles to duties
- [ ] Identify SoD examples
- [ ] State owner vs. custodian differences
- [ ] Note leadership accountability

## Related

[[Data Classification and Handling]] · [[Security Governance]] · [[Service Level Agreements and Contracts]] · [[Security Policy Types]] · [[Risk Management Process]]

#cissp #domain-1 #concept
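The SoD bullet and the example question can be made concrete with a small access-approval check. This is an added illustration, not part of the original note or of any (ISC)² material: the duty names, the conflict pairs, the dataset owners and the people in `ASSIGNMENTS` are all constructed for the example, and the rule that only the data owner may approve (never for themselves, and never while holding a conflicting duty) is the note's own guidance expressed as code.

```python
"""Toy segregation-of-duties (SoD) check for data-access approvals.

Added example for the study note above; all names and data below are constructed.
"""
from __future__ import annotations

from itertools import combinations

# Unordered pairs of duties that one person must never hold at the same time.
# (Constructed; a real conflict matrix comes from the organisation's policy.)
CONFLICTING_DUTIES = {
    frozenset({"data_owner", "custodian"}),            # approves access vs. enforces it
    frozenset({"access_requester", "access_approver"}),  # asks for access vs. grants it
    frozenset({"developer", "production_deployer"}),    # writes code vs. ships it
}

# Constructed sample of who holds which duties.
ASSIGNMENTS: dict[str, set[str]] = {
    "alice": {"data_owner"},                    # owns the HR dataset
    "bob":   {"custodian"},                     # runs backups, applies ACLs
    "carol": {"user", "access_requester"},      # ordinary user asking for access
    "dave":  {"data_owner", "custodian"},       # toxic combination
    "erin":  {"access_requester", "access_approver"},  # could approve her own requests
}

# Constructed mapping of dataset -> owning principal.
DATASET_OWNERS = {"hr_records": "alice", "finance_ledger": "dave"}


def sod_violations(assignments: dict[str, set[str]]) -> dict[str, list[tuple[str, str]]]:
    """Return, per principal, every conflicting duty pair they hold (sorted pairs)."""
    violations: dict[str, list[tuple[str, str]]] = {}
    for principal, duties in assignments.items():
        found = [
            (a, b)
            for a, b in combinations(sorted(duties), 2)
            if frozenset({a, b}) in CONFLICTING_DUTIES
        ]
        if found:
            violations[principal] = found
    return violations


def can_approve_access(
    approver: str,
    requester: str,
    dataset: str,
    owners: dict[str, str] = DATASET_OWNERS,
    assignments: dict[str, set[str]] = ASSIGNMENTS,
) -> tuple[bool, str]:
    """Decide whether `approver` may grant `requester` access to `dataset`.

    Rules (from the note): the data owner approves; nobody approves for
    themselves; an approver holding conflicting duties is rejected so the
    SoD problem is surfaced instead of silently exercised.
    """
    if owners.get(dataset) != approver:
        return False, f"{approver} is not the data owner of {dataset}"
    if approver == requester:
        return False, "self-approval is an SoD violation"
    if approver in sod_violations(assignments):
        return False, f"{approver} holds conflicting duties; resolve SoD first"
    return True, f"approved by data owner {approver}; custodian may now provision"


if __name__ == "__main__":
    for who, pairs in sod_violations(ASSIGNMENTS).items():
        print(f"SoD violation: {who} holds {pairs}")
    for approver, requester, dataset in [
        ("alice", "carol", "hr_records"),
        ("bob", "carol", "hr_records"),
        ("alice", "alice", "hr_records"),
        ("dave", "carol", "finance_ledger"),
    ]:
        print(approver, "->", requester, dataset, can_approve_access(approver, requester, dataset))
```

The custodian (`bob`) never gets to decide; he only provisions what the owner approved, which is the owner-versus-custodian distinction the checklist asks for. `dave` shows why the conflict matrix is checked at approval time: an owner who also enforces the control can approve and grant without anyone else seeing it.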