🏠 Back to Exam Syllabus πŸ“Ί RooCloud on YouTube 🌐 RooCloud Practice Exams

CISSP 5.4 - Understanding Data Roles

This episode of the ISC2 Certified Information Systems Security Professional (CISSP) exam prep series sorts out the Domain 2 question of who does what with data β€” the chain of roles that turns data protection from a guessing game into clear accountability, so that when something goes wrong there is never any doubt about whose job it was to guard the information involved.

What this episode covers

Watch the full episode above for the worked examples and detailed explanations of each concept.

Frequently Asked Questions

Who is the data owner?

The person who holds ultimate responsibility for a set of data, usually a senior leader like a department head or an executive. The owner decides the classification, ensures the data is labeled correctly, and confirms the right controls are in place. This is a duty with teeth β€” an owner who neglects it can be held liable for negligence.

What do data controllers and processors do?

A controller decides the why and the how of using personal data, setting the purpose and the means even if they never touch the data themselves. A processor is the outside party that actually handles the data on the controller’s behalf. A company that runs payroll for its staff is the controller, and the outside payroll firm it hires is the processor, which may only use the data for the job it was given and nothing more.

Who watches over privacy compliance?

A dedicated privacy leader, often called a data protection officer. This role exists to make sure the organization actually follows the privacy laws that apply to it, since cross-border rules can be dense and full of legal fine print, and someone needs to own that complexity full time. Under some regulations, appointing this officer is not optional but required.

What does a data custodian handle?

The hands-on, day-to-day protection of the data. Owners set the direction, then delegate the routine work to custodians β€” in practice the administrators who run backups, apply permissions, and keep the audit logs. If the owner is the architect of the plan, the custodian is the builder who carries it out every day.

Who counts as a user or a subject?

A user is anyone who accesses data to get their job done, and they should only ever reach the data their tasks require. A subject is different β€” it is the actual person the data describes, so if a file holds details about a specific customer, that customer is the data subject. One touches the data, the other is described by it.

πŸ“š Master the ISC2 CISSP Exam!

Ready to test your knowledge? Access chapter-specific Multiple Choice Questions (MCQs) and full-length practice exams for the ISC2 CISSP certification at RooCloud.com. Solve the chapter-wise questions to reinforce this lesson before moving to the next episode.


Reference: This article is based on concepts discussed in CISSP 5.4 - Understanding Data Roles.