If you don’t know who owns a piece of data, how can you go through a formal access approval process? You can’t, at least not as effectively. Similarly, you can’t properly account for assets if you don’t know which department owns them, or assign the right type of laptop for high-risk travel if you don’t have the assets classified.
Data owners are responsible for classifying the data they own. In larger companies, an asset management department handles asset classification. A custodian is a hands-on role that implements and operates solutions for data (e.g., backups and restores). A system owner is responsible for the computer environment (hardware, software) that houses data; this is typically a management role with operational tasks handed off to the custodian.
All workers need to be aware of the company’s privacy policies and procedures and know how to contact data owners in the event of an issue. Key terms to understand include the following:
- Data owners. Data owners are usually members of the management or senior management team. They approve access to data (usually by approving the data access policies that are used day to day).
- Data processors. Data processors are the users who read and edit the data regularly. Users must clearly understand their responsibilities with data based on its classification. Can they share it? What happens if they accidentally lose it or destroy it?
- Data remanence. Data remanence occurs when data is deleted but remains recoverable. Whenever you delete a file, the operating system marks the space the file took up as available. But the data is still there, and with freely downloadable tools, you can easily extract that data. Organizations need to account for data remanence to ensure they are protecting their data. There are a few options:
  - Secure deletion or overwriting of data. You can use a tool to overwrite the space that a file was using with random 1s and 0s, either in one pass or in multiple passes. The more passes you use, the less likely it is that the data can be recovered.
  - Destroying the media. You can shred disk drives, smash them into tiny pieces, or use other means to physically destroy them. This is effective but renders the media unusable thereafter.
  - Degaussing. Degaussing relies on the removal or reduction of magnetic fields on the disk drives. It is very effective and complies with many government requirements for data remanence.
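
The overwrite option above, as an added Python example (not from the original text): it rewrites a file in place with random bytes for a chosen number of passes, flushes each pass to disk, and only then deletes the file. It assumes storage where an in-place write lands on the same physical blocks; SSD wear leveling and copy-on-write or journaling filesystems can leave older copies elsewhere. The names `overwrite_file` and `secure_delete` are illustrative.

```python
import os
import tempfile

CHUNK = 64 * 1024  # overwrite in 64 KiB blocks so large files do not fill memory


def overwrite_file(path, passes=3):
    """Overwrite a file's contents in place with random bytes, `passes` times.

    Returns the total number of bytes written across all passes.
    """
    if passes < 1:
        raise ValueError("passes must be at least 1")
    size = os.path.getsize(path)
    written = 0
    # "r+b" opens for update without truncating, so the same file is rewritten
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                f.write(os.urandom(n))
                remaining -= n
                written += n
            f.flush()
            os.fsync(f.fileno())  # push this pass to the device before the next
    return written


def secure_delete(path, passes=3):
    """Overwrite the file, then remove its directory entry."""
    written = overwrite_file(path, passes)
    os.remove(path)
    return written


if __name__ == "__main__":
    # Constructed sample file standing in for sensitive data
    fd, sample = tempfile.mkstemp()
    os.write(fd, b"ACCOUNT=0000-CONSTRUCTED-SAMPLE\n" * 1000)
    os.close(fd)
    print("bytes overwritten:", secure_delete(sample, passes=3))
    print("file still present:", os.path.exists(sample))
```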