# Information and Asset Ownership

One-sentence definition: Business/data owners define classification and access; system owners and custodians implement and maintain protections.

## Key Facts

- Data Owner: sets classification, handling, access, and accepts risk.
- System Owner: ensures systems meet owner requirements.
- Custodian: implements controls, backups, and day-to-day ops.
- Users: follow AUP and report issues; no ownership of enterprise data.
- Third-party roles defined in contracts and DPAs.
- Ownership documented in CMDB/asset register for accountability.
- **Verify:** check official (ISC)² CBK and current exam outline.

## Exam Relevance

- Map tasks (e.g., labeling, approval) to the correct role.

**Mnemonic:** “Owner decides; Custodian does.”

## Mini Scenario

Q: Who approves granting a new role read access to HR data?

A: The data owner.

## Revision Checklist

- Define owner vs system owner vs custodian.
- Name two owner responsibilities.
- Identify how ownership is recorded.

## Related

[[Data Inventory and Asset Register]] · [[Data Classification Levels and Handling Rules]] · [[Access Control to Data Assets]] · [[Data Handling in Third-Party Contexts]] · [[Record Management and Data Retention]] · [[Domain 2 - Index]]