All information assets must have an owner clearly defined.
Once the organization has identified every asset, one or more owners must be defined for each of them. Assigning ownership ensures that security controls are implemented and enforced, and it improves the identification process and the mitigation of security risks. Critical information assets include, but are not limited to: financial information, patents, intellectual property and employee information.
Defining the owner of an asset is part of the asset management process. The asset owner is responsible for ensuring the security of the information asset.
Each of the owners must have certain responsibilities over the asset which should at least include:
Classify and value the information assets.
Establish the security requirements and best practices that must be followed in order to prevent security risks that could threaten the integrity of the asset.
Define, manage and approve the access rights and privileges allowed for the users of the asset.
Guarantee that the security requirements are met for each of the information assets.
Identify and manage possible risks that could compromise the integrity of the information assets.
ISO 27005 - Risk management for an ISMS with ISO 27005.
Consulting - Define the Information Asset Inventory.
ISO 27003 - ISO 27003 Guide.
Consulting - Establishing the Owner of an Information Asset.
Consulting - Answering the Information Asset Inventory Questionnaire.
An anonymous person or employee performs actions that threaten the security of one of the organization's information assets; because the affected assets have no owner assigned, the incident is not managed.
Layer: Resource Layer.
Asset: Information Assets.
Type of Control: Procedure.
BSIMM9 SM1.1: Publish process (roles, responsibilities, plan), evolve as necessary.
HIPAA Security Rules 164.308(a)(2): Assigned Security Responsibility: Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the entity.
HIPAA Security Rules 164.310(d)(2)(iii): Accountability (A): Maintain a record of the movements of hardware and electronic media and any person responsible therefor.