5.1 Security governance
📘 CompTIA Security+ (SY0-701)
In IT security governance, every piece of data, system, or application has people responsible for it. Knowing these roles ensures accountability, compliance, and proper protection of data. The main roles are:
1. Data Owners
Who they are:
- The person or group who has the legal authority or responsibility for a piece of data or an IT asset.
Key responsibilities:
- Decide who can access the data.
- Determine the classification of data (like public, internal, confidential, or restricted).
- Approve security policies for their data.
IT example:
- A database administrator (DBA) may own the customer database. They decide that only sales and support staff can access customer records.
- Another example: The HR manager owns employee records and decides who can see payroll information.
2. Data Controllers
Who they are:
- The person or organization that determines why and how data is processed.
Key responsibilities:
- Set rules on how data is collected, stored, and used.
- Ensure compliance with regulations like GDPR or HIPAA.
IT example:
- A cloud service provider may store user data but the client company is the controller—they decide the purpose of storing it (e.g., marketing analysis).
- In an HR system, HR decides which employee data will be processed and for what purpose (payroll, performance review, etc.).
3. Data Processors
Who they are:
- The person or organization that processes data on behalf of the controller. They do not own or control the data, just manage it according to instructions.
Key responsibilities:
- Follow the controller’s instructions.
- Ensure data is protected during processing.
- Maintain records of data processing activities.
IT example:
- A cloud hosting company running an application for a client processes data but doesn’t decide its use.
- An IT outsourcing company managing payroll software for HR is a processor—they process the data but HR is the controller.
4. Custodians / Stewards
Who they are:
- Individuals or teams responsible for the day-to-day maintenance and protection of data.
Key responsibilities:
- Implement and manage security controls.
- Perform backups, patching, and access control.
- Ensure data integrity and availability.
IT example:
- IT staff who manage servers and apply security patches to databases.
- System administrators who monitor network access logs to ensure only authorized personnel access systems.
Summary Table for Easy Exam Recall
| Role | Responsibility | IT Example |
|---|---|---|
| Owner | Owns the data, decides access and classification | HR manager deciding who can view payroll records |
| Controller | Determines how and why data is used | HR sets rules for processing employee data |
| Processor | Processes data as instructed | IT outsourcing firm managing payroll software |
| Custodian/Steward | Maintains and protects data | System admin performing backups and patching |
Important Exam Tips
- Owner ≠ Controller ≠ Processor – Know the difference:
- Owner = has legal authority over the data and decides who can access it and how it is classified
- Controller = decides why and how data is used
- Processor = follows instructions to handle data
- Custodian = keeps data safe and maintained
- Think about the flow of responsibility in IT systems: Ownership → Control → Processing → Custody.
- Regulatory frameworks like GDPR often test your knowledge of controllers vs processors, so focus on that distinction.
