System Owner
Copyright(c), 1995 - Management Analytics - All Rights Reserved
Responsibility for the protection of IT resources generally falls
into two broad categories: custodial and owner. The fulfillment of the
protection responsibilities of each is mandatory.
- 1. All information resources (hardware, software,
facilities, data and telecommunications) will be
assigned to an owner, designated in writing to the
Senior IRM Official of the operating unit. For
example, the "owner" of the resources contained within
a general support system may be the manager of that
facility. Resources located within user areas (e.g.,
offices or laboratories) may be "owned" by the manager
of those areas. To assist with the determination of
ownership, individual system boundaries must be
established. A system is identified by logical
boundaries being drawn around the various processing,
communications, storage and related resources. They
must be under the same direct management control with
essentially the same function, reside in the same
environment and have the same characteristics and
security needs. Each system will be designated either
a general support system or an application system.
Chapter 10.2 of this document and Section 2 of the "DOC
IT Security Manual" contain definitions for general
support and application systems.
- 2. Ownership of information and/or information processing
resources may be assigned to an organization, a
subordinate functional element, a position, or a
specific individual. When ownership is assigned to an
organizational or functional element, the head of the
unit so designated shall be considered the resource
owner. Some, but not necessarily all, of the factors to be
considered in the determination of ownership are:
- (a) The originator or creator of data.
- (b) The organization or individual with the greatest
functional interest.
- (c) Physical possession of the resource.
- 3. Some general support system owners are suppliers of
data processing services for applications owned by
other organizations. Typically these systems are
custodians of software, data, input and output produced
by the data processing facility to support one or more
application owners. Custodial responsibility includes
the obligation to comply with applicable security
policies and directives, and to administer application
owner specified controls and safeguards for the data
and programs of those owners. Many of the Department's
local area networks will fit into this category.
- 4. Each system owner shall be responsible to:
- (a) Determine the sensitivity of the resources for
which they are responsible.
- (b) Determine the appropriate level of security
required, consistent with federal and DOC
laws, regulations and directives and with the
protection requirements of the system for
confidentiality, integrity and availability, and ensure
that an adequate level of protection is
maintained.
- (c) Be the certifying official and complete all
required certification actions, issue a
certification statement and prepare an
accreditation package which will be forwarded to
the DAA for formal accreditation of the system,
every three years or when major changes occur to
the system, whichever comes first. If the certifying
official is at a higher level in the organization,
the system owner will complete all required
certification actions and forward the
accreditation package to the certifying official,
who will issue the certification statement.
Chapter 10.3 of this document and Section 3 of the
"DOC IT Security Manual" contain certification
requirements.
- (d) Monitor compliance, and periodically re-evaluate
previously specified levels of sensitivity and
protection.
- (e) Ensure that all systems are audited for illegal
software at least annually and that inventories of all
software on each individual system are maintained
to verify that only legal copies of software are
being used. Requirements for software copyright
protection, auditing and reporting are contained
in Section 10.12.1 of this document and Section
12.1 of the "DOC IT Security Manual."
- (f) Ensure that each automated data processing
position (including contract positions) is
properly designated in accordance with position
sensitivity criteria and receives appropriate
investigative processing. Refer to Section 9 of
the "DOC IT Security Manual" and the "DOC
Personnel Security Manual" for further guidance.
- (g) Appoint an individual to serve as the ITSSO with
responsibility to develop, implement and manage
the security of the system.