Data Roles

Video Activity
Time
12 hours 57 minutes
Difficulty
Intermediate
CEU/CPE
13
Video Transcription
00:00
>> We've classified our data,
00:00
but now we need to talk about data roles.
00:00
Just because you know what
00:00
the most important data in your Cloud environment is,
00:00
doesn't mean you know who is truly responsible for it.
00:00
In this lesson,
00:00
>> we're going to talk about the data roles,
00:00
>> the data responsibilities associated with each role,
00:00
and talk about the interdependence
00:00
between data roles and responsibilities.
00:00
Within an organization,
00:00
there really are two very important roles
00:00
>> when it comes to data: governance and protection.
00:00
>> First, the data owner,
00:00
also often referred to as the data custodian,
00:00
is a person who is responsible
00:00
for a particular set of data,
00:00
either within an application or within an organization.
00:00
That data owner,
00:00
>> they own all aspects of protecting
00:00
>> that data from a governance
00:00
and decision-making perspective.
00:00
They are the one who truly gets to determine,
00:00
well, based on this data's value,
00:00
I think it needs to be classified
00:00
>> in X or Y particular way.
00:00
>> They get to determine any changes to the protection
00:00
>> or classification of data in their scope of ownership.
00:00
>> Now, they are really helped
00:00
and complemented by the data custodian role.
00:00
The data custodian is the person who is really
00:00
applying and maintaining any of the technical controls,
00:00
and labeling that is dictated by the data owner.
00:00
Many of you watching this right now,
00:00
maybe you find yourself in a data custodian role
00:00
>> where you're the network administrator,
00:00
>> or someone on the security team,
00:00
or perhaps in privacy or data governance
00:00
>> helping to figure out,
00:00
>> well, this data has been classified by
00:00
>> the organization as highly confidential.
00:00
That means we need to apply encryption to this standard
00:00
and make sure that logical access is reviewed
00:00
>> at this interval.
00:00
>> Or this data needs to be stored
00:00
>> in this particular manner
00:00
>> and destroyed on this cadence.
00:00
>> Making sure that those controls are enforced
00:00
>> and properly set up is really the responsibility
00:00
>> of the data custodian.
00:00
Now, in a broader legal sense,
00:00
there are two roles that often come up
00:00
in regulations when it comes to data.
00:00
The data processor and the data subject.
00:00
The data processor is really an organization
00:00
or an individual application that manipulates,
00:00
stores, or moves data on behalf of the data owner.
00:00
The data processor,
00:00
>> from the legal perspective, is often the Cloud provider.
00:00
>> Any Cloud provider, because the data is hosted there,
00:00
they are a data processor.
00:00
Even if it's another entity's data,
00:00
if it's on your system,
00:00
you are considered a data processor
00:00
in the eyes of many regulations.
00:00
The data subject, this is different than
00:00
the data owner in that the data owner
00:00
>> is more an organizational level role
00:00
>> where the data subject is really the individual
00:00
>> to whom the data relates or respond,
00:00
>> it's your data.
00:00
>> If you submit information to a website
00:00
or put your information in a SaaS software,
00:00
you are the data subject of that information.
00:00
There are particular rules
00:00
and regulations that we'll go into more detail
00:00
later in the course about how
00:00
data subjects need to be protected,
00:00
how their data needs to be secured,
00:00
and how their privacy needs to be maintained
00:00
in order to properly secure their data.
00:00
Now, we talked about
00:00
>> how the data custodian executes
00:00
>> the will of the data owner
00:00
>> when it comes to enforcing security requirements
00:00
>> as well as changes to data classification.
00:00
>> Then in an external aspect,
00:00
the data processor is the organization that is
00:00
manipulating or storing the data of individual data subjects.
00:00
Data subjects are granted certain rights
00:00
>> and protections depending on the jurisdiction,
00:00
>> where the data is stored
00:00
>> or where those subjects find themselves.
00:00
>> Quiz question: a system administrator
00:00
wants to change the classification of a data table
00:00
>> because new business priorities
00:00
>> have made that information less relevant.
00:00
Who should the administrator contact
00:00
>> before relabeling and moving the data?
00:00
>> The administrator has the latitude to move data
00:00
>> and label data as business needs change.
00:00
>> The data owner ultimately decides
00:00
the appropriate data label and storage location.
00:00
The data owner should decide the label,
00:00
but the data custodian should implement
00:00
>> the appropriate protections and storage.
00:00
>> If you said the data owner should decide
00:00
>> the label and the data custodian should implement
00:00
>> the appropriate protection
00:00
>> and the storage, you are correct.
00:00
>> This one really gets to the heart of this,
00:00
that the data owner is
00:00
making these high-level decisions about
00:00
the sensitivity of the data
00:00
and the appropriate protections.
00:00
But the data custodian is the one really
00:00
implementing those recommendations and directives.
00:00
In summary, we talked about the common data roles.
00:00
We talked about the responsibilities
00:00
that come with each of those roles.
00:00
Then we also talked about the importance
00:00
of how these roles work in concert
00:00
>> to enforce data governance and data protection.
00:00
>> I will see you in the next lesson.