Role: Data Owner
-
Self Assessment
—
by
Review your systems and procedures regularly to ensure the tasks for this risk level are applied.
-
Data minimization
—
by
Limit the storage and collection of data at this risk level to that which is necessary to accomplish the legitimate purpose for which it is collected.
-
Data inventory
—
by
Create and maintain an information inventory that includes classification level, information owner, and users with access.
-
Application inventory
—
by
Create and maintain an application inventory that includes assigned risk classification level, data volume, and users with access.
-
Review user access
—
by
Review which user accounts have access to information at this level regularly – at least annually.
-
Revoke permissions
—
by
Revoke permissions when a user no longer needs access to information (e.g., upon project completion or job change).
-
Security responsibilities training
—
by
Train all users with access to ensure understanding of their responsibilities with regard to handling information.
-
Security awareness training
—
by
Train all users with access to ensure awareness of the risks to information and data