The IT Law Wiki

Definitions

Computer security

An information owner is an

[o]fficial with statutory or operational authority for specified information and responsibility for establishing the controls for its generation, collection, processing, dissemination, and disposal.[1]
organizational official with statutory, management, or operational authority for specified information and is responsible for establishing the policies and procedures governing the generation, collection, processing, dissemination, and disposal of specified information. In information-sharing environments, the information owner is responsible for establishing the rules for appropriate use and protection of the subject information (e.g., rules of behavior) and retains that responsibility when the information is shared with or provided to other organizations. The owner of the information processed, stored, or transmitted by information technology (IT) and industrial control system (ICS) may or may not be the same as the IT and ICS owner. Information owners provide input to IT and ICS owners about the cybersecurity requirements and controls for the systems where the information is processed, stored, or transmitted.[2]

FISMA

Under the Federal Information Security Management Act of 2002, an information owner is

an agency official with statutory or operational authority for specified information and responsibility for establishing the criteria for its creation, collection, processing, dissemination, or disposal, which responsibilities may extend to interconnected systems or groups of interconnected systems.[3]

General

An information owner is an

[o]fficial with statutory or operational authority for specified information and responsibility for establishing the controls for its generation, collection, processing, dissemination, and disposal.[4]
entity whose information is stored and/or processed on a device; can be an application-specific provider, a digital provider, or an enterprise that allows access to resources from mobile devices.[5]

References

  1. CNSSI 4009.
  2. Electricity Subsector Cybersecurity Risk Management Process, App. F, at 73.
  3. 38 U.S.C. §5727(9).
  4. CNSSI 4009.
  5. National Security Agency, "Mobility Capability Package," at D-5 (Nov. 4, 2013).