2.4 Manage data lifecycle

  • Data roles (owners, controllers, custodians, processors, users/subjects)
  • Data collection
  • Data location
  • Data maintenance
  • Data retention
  • Data remanence
  • Data destruction

Who owns the data? 

Data Owner.  The data owner is the person who created the data, or who oversees the people who created the data.  In general, the data owner always has full access to the data (to read the data).  An organization may choose to prohibit a data owner from modifying or deleting the data after it has been created.  The rules for using the data and protecting it are set by the data owner.

The data owner decides who can access the data and what they can do with it.  The data owner works with the system administrators to ensure that a good security program is implemented.

Asset Owner.  The asset owner owns the asset that holds the data.  The system owner must coordinate with information owners to establish the necessary security controls.  He also provides user with access and trains them to use the system in accordance with the security policies.

The system owner might also be the data owner but does not have to be.  In a large organization, the IT department manages the systems that hold the data but do not necessarily own the data.

System Administrator.  The system administrator manages the system that holds the data.  The system administrator has full access to the data (to read, modify, and delete the data).  There must be safeguards in place to prevent a malicious system administrator from deleting data and causing harm to the organization.  There must also be safeguards in place to monitor what a system administrator can access and ensure that the system administrator has appropriate security clearance. 

Consider the case of Edward Snowden, and more recently Joshua Schulte, both of whom stole classified government data.  A system administrator should not be able to remove data from a system, certainly not without authorization from another person.  This goes back to having separation of duties and other safeguards to protect against unauthorized copying.

Business Owner.  The Business Owner owns the processes that use the data.  The business owner makes sure that the systems deliver value to the business.  If we waste too much money on the IT or make the security controls inefficient, then the business won’t benefit from the data.  The business might fight with the IT department if the IT department is a drain on the profits.  We can use Control Objectives for Information and Related Technology to balance the needs of the business with the IT.

Custodian.  The custodian protects the data security and integrity by maintaining the audit logs and certifying that the data is stored in accordance with the policies.  The administrator might also be the custodian.

User.  A user is a person with access to some data.  The user may be able to read or modify the data.  The user is granted access based on his role in the organization, which can be controlled by group policy.  The user must not be provided with more access than required.

Privileged User.  A privileged user has additional rights above normal users.  The privileged user may be able to grant other users with access.

Executive User.  An executive user is a person like a CEO, COO, CFO, or CIO.  This person may require access to all organizational data so that he can properly perform his job.  In theory, this person has access to everything, but in reality, he will not need access to everything.  The executive is a high-value target, and his account should be tightly controlled so that it is not compromised.

Data Controller.  The data controller is a person who determines how the data is processed.

Data Processor.  The data processor is a person who processes the data.  The Data Processor might be a third party to the organization that owns the data.

Subject.  The subject is the person who the data pertains to.  Not all data has a subject.  In general, health information and personal information has a subject.  The subject may have a right to view the data.

Like assets, data follows a life cycle

  • Collect – we gather or generate the data.  We might gather the data from consumers, automatically generate data from business processes or sensors, or create the data.

  • Store – we store the data.

  • Use – we use the data

  • Share – we share the data with third parties

  • Retain – we keep the data in storage

  • Destroy – we destroy the data when we don’t need it anymore

Record Retention is how we retain data.  We should not store data for any longer than required. The law might require us to store data for a minimum period or a maximum period.

For each type of data, we should create policies for how the data is protected.  The policies limit

  • Where the data can be stored
  • Who has access to the data
  • How the data can be transmitted
  • Whether the data should be encrypted and what method we use to encrypt it
  • How to destroy the data when it is no longer required and how to destroy the media

Data Remanence is data that stays on media after the data has been erased.  The best way to make sure that all of the data is gone to destroy the media, but this is not always cost-effective.

Data Destruction – we must destroy the data when it is no longer required, or when we are no longer permitted to store it.  We must establish policies for how the data is destroyed.  There are many different methods depending on the medium that the data is stored on.