All information assets must have a clearly defined owner. Once the organization has identified each and every asset, one or more owners for that asset must be defined. Assigning ownership guarantees the implementation and execution of security controls, as well as improvements in the identification process and in security risk mitigation.
Critical information assets include, but are not limited to, financial information, patents, intellectual property and employee information.
Defining the owner of an asset is part of the Asset Management process. The asset owner is responsible for ensuring the security of the information asset.
Each owner must have certain responsibilities over the asset, which should at least include:
- Classifying and valuing the information assets.
- Establishing the security requirements and best practices that should be followed in order to prevent all possible security risks that could threaten the integrity of the asset.
- Defining, managing and approving the allowed access rights and privileges for the asset's users.
- Guaranteeing that the security requirements are met for each of the information assets.
- Identifying and managing possible risks that could compromise the integrity of the information assets.
ISO 27005 - Risk management for an ISMS with ISO 27005.
Consulting - Define the Information Asset Inventory.
ISO 27003 - ISO 27003 Guide.
Consulting - Establishing the Owner of an Information Asset.
Consulting - Answering the Information Asset Inventory Questionnaire.
An anonymous person or employee performs actions that compromise the security of one of the organization's information assets; because the affected assets have no assigned owner, the incident is not managed.
Layer: Resource Layer.
Asset: Information Assets.
Type of Control: Procedure.
Publish process (roles, responsibilities, plan), evolve as necessary.
HIPAA Security Rules 164.308(a)(2): Assigned Security Responsibility: Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the entity.