
Information Ownership Policy

February 6, 2012

New Centrality Of Information: Information is no longer simply something that supports the provision of a product or service.  Information itself has become the product or service that many businesses like “Corporate” provide.  The new centrality of information necessitates the establishment of new roles and responsibilities to properly manage and protect it.  To this end, this policy defines the information security roles and responsibilities of Owners, Custodians, and Users.  Information security can no longer be a concern of technical specialists alone; it must instead be addressed by a large team of individuals, each of whom makes a unique contribution.

Policy Scope and Applicability: This policy applies to the handling of all “Corporate” production information, regardless of the origin of this information (cardholder transactions, third party market research, etc.).  “Production information” is information routinely used to perform important business activities or routinely used to support management decision making.  This policy applies no matter what information handling technology is used, no matter where the information resides, no matter how the information is employed to meet business needs, and no matter which Users have access to the information.  This policy applies to all “Corporate” units, all geographical regions, and all subsidiaries.

Roles and Responsibilities Of Owners: Information Owners are senior business unit managers (“Corporate” employees) with the authority for acquiring, creating, and maintaining information and information systems within their assigned area of control.  Owners are responsible for categorizing the information for which they have been designated an Owner using the classifications defined in the Data Classification Policy [link to that document via the intranet].  To assist with contingency planning efforts, Owners are also responsible for categorizing information (or specific application systems) according to a criticality scale defined by the Information Security Department.  Owners are additionally responsible for authorizing User access to information based on the need-to-know.  Owners must also make decisions about the permissible uses of information, including relevant business rules.  Owners are furthermore responsible for choosing relevant controls for information consistent with policies and standards issued by the Information Security Department.  For example, Owners must define the validation rules used to verify the correctness and acceptability of input data.  These validation rules and other controls for protecting information must be formally approved in writing by the relevant Owner before major modifications can be made to production application systems.  Separately, Owners must understand the uses and risks associated with the information for which they are accountable.  This means that they are responsible for the consequences associated with improper disclosure, insufficient maintenance, inaccurate classification labeling, and other security-related control deficiencies pertaining to the information for which they are the designated Owner.

Roles and Responsibilities Of Custodians: Information Custodians are individuals (often staff within the Information Systems Department or departmental systems administrators) in physical or logical possession of information from Owners.  Custodians are charged with provision of information systems services consistent with the instructions of Owners, including information security measures such as encryption.  Using physical and logical access control systems, Custodians must protect the information in their possession from unauthorized access, alteration, destruction, or usage.  Custodians are also responsible for providing and administering general controls such as back-up and recovery systems consistent with the policies and standards issued by the Information Security Department.

Custodians are likewise responsible for establishing, monitoring, and operating information systems in a manner consistent with policies and standards issued by the Information Security Department.  Furthermore, Custodians must provide Owners with regular reports about the resources consumed on their behalf (often via a charge-back system), as well as reports indicating User activities.  Custodians are forbidden from changing the production information in their possession unless they have received explicit and temporary permission from either the Owner or an authorized User.

Roles and Responsibilities Of Users: Information Users are individuals who have been granted explicit authorization to access, modify, delete, and/or utilize information by the relevant Owner.  Users must use the information only for the purposes specifically approved by the Owner.  Users must also comply with all security measures defined by the Owner, implemented by the Custodian, and/or defined by the Information Security Department.  Users must additionally refrain from disclosing information in their possession (unless it has been designated as Public) without first obtaining permission from the Owner.  Users must also promptly report to the Information Security Department all situations where they believe an information security vulnerability or violation may exist.  Local management must provide Users with sufficient time to receive periodic information security training.  Users of personal computers have special responsibilities (for example relating to back-up and virus screening), which are defined in the Personal Computer Security Policy [link to that document via the intranet].

Note:  Web links need to be established.

Multiple Roles And Responsibilities: It is likely that individuals will act in multiple capacities with respect to certain types of information.  For example, an employee may be the creator of a new type of production information that is stored on a desktop personal computer.  This employee must, at least temporarily, act in the capacity of Owner, Custodian, and User.  To achieve a more secure operating environment, in general the roles of Owner, Custodian, and User should be performed by separate individuals wherever production information has more than one User.  Creators of new types of production information must promptly inform the Information Architecture Department so that appropriate roles and responsibilities may be established.

Designating Owners: If there are several potential information Owners, higher-level management must assign Ownership responsibility to the senior manager of the business unit that makes the greatest use of the information.  When acting in his or her capacity as Owner, this individual must take into consideration the needs and interests of other stakeholders who rely upon or have an interest in the information.  With the exception of operational computer and network information, managers in the Information Systems Department must not be an Owner for any information.  An Owner’s roles and responsibilities may be delegated to any manager in the Owner’s business unit.  An Owner’s roles and responsibilities may not be assigned or delegated to contractors, consultants, or individuals at outsourcing firms or external service bureaus.

Designating Custodians: Management must specifically assign responsibility for the control measures protecting every major production type of information.  Owners are responsible for identifying all those individuals who are in possession of the information for which they are the designated Owner.  These individuals by default become Custodians.  Although special care must be taken to clearly specify security-related roles and responsibilities when outsiders are involved, it is permissible for Custodians to be contractors, consultants, or individuals at outsourcing firms or external service bureaus.

Designating Users: Users may be employees, temporaries, contractors, consultants, or third parties with whom special arrangements (such as non-disclosure agreements) have been made.  All Users must be known to and authorized by Owners.  The security-relevant activities of all Users must be tracked and logged by Custodians.  To allow proper privilege assignment and activity logging, Users must always be specific individuals; Users must not be defined as departments, project teams, or other groups.

Changes In Status: Due to promotions, transfers, retirements, etc., the individuals who play the roles of information Owners, Custodians, and Users will change on a regular basis.  It is the responsibility of each individual’s local manager to promptly report status changes to the Corporate Human Resources Department.  As soon as they are known, status changes must be immediately reflected in the Corporate Human Resources database.  Custodians must maintain access control systems so that previously-provided User privileges are revoked whenever there has been a User status change.  When a Custodian has a change in status, it is the responsibility of the Owner to promptly assign a new Custodian.  When an Owner has a change in status, it is the Chief Information Officer’s responsibility to promptly designate a new Owner.

Handling Of Information Following Status Changes: Users who change their status must leave all production information with their immediate manager.  Soon after a User has a change of status, both computer-resident files and paper files must be reviewed by the User’s immediate manager to determine who should be given possession of the files and/or the appropriate methods to be used for file disposal or destruction.  The manager must then promptly reassign the User’s duties as well as specifically delegate responsibility for information formerly in the User’s possession.

Externally-Supplied Information: In the course of normal business activities, “Corporate” often takes possession of third party sensitive information.  Whenever a non-disclosure agreement (NDA) has been signed, an Owner must be assigned for the information in question.  The manager of the business unit utilizing the information is ordinarily designated as the Owner.  The Owner must promptly report the existence of this third party information to the Information Architecture Department for inclusion in the corporate data dictionary.  This third party information must also be labeled with the appropriate data classification category and treated as though it were “Corporate” internal information with the same classification.  The roles and responsibilities for Custodians and Users also apply to externally-supplied information.

Corporate Data Dictionary: To assist with the management of information, the Information Systems Department must compile and annually update a corporation-wide data dictionary and other high-level descriptions of the major “Corporate” information assets found in production systems.  It is the responsibility of the Chief Information Officer to ensure that this data dictionary includes an up-to-date indication of the Owners for all major “Corporate” production information assets.

Supporting Role Of Information Architecture Department: Although not directly involved with Owners, Custodians, and Users in day-to-day information handling activities, the Information Architecture Department is responsible for developing and maintaining an enterprise information architecture.  The Information Architecture Department is also responsible for the creation and maintenance of the corporate data dictionary, including appropriate definitions for the various types of production information.

The Information Architecture Department is furthermore responsible for building a database which tracks the people playing the roles of Owner and Custodian.  Working in conjunction with the Information Security Department, the Information Architecture Department is additionally responsible for fostering the efficient and appropriately secured sharing of “Corporate” production information.

System-Of-Record: Each Owner must designate a “system-of-record” which will serve as the most authoritative copy of the information under his or her care.  Updates to this information must be made to the system-of-record before or at the same time that updates are made to other systems containing this information.  It is the Owner’s responsibility to ensure that all production copies of the information for which he or she is the designated Owner are maintained with appropriate controls to ensure a reasonable degree of information accuracy, timeliness, and integrity.

Risk Acceptance Process: In rare circumstances, exceptions to information security policies and standards will be permitted if the information Owner, the Director of the Information Security Department, and the Chief Information Officer have all signed a properly completed risk acceptance form.  In the absence of such management approval reflected on a risk acceptance form, all Owners, Custodians, and Users must consistently observe relevant “Corporate” information security policies and standards.

www.bestitdocuments.com