For professionals looking to advance their careers, the Certified Information Systems Security Professional (CISSP) certification is designed to give you a complete picture of what it takes to keep data safe in today’s digital world. It also offers a deep dive into understanding who does what when it comes to data in the world of cybersecurity.
In this article, we’ll break down the key data roles one should know for the CISSP certification exam—owners, custodians, controllers, processors, and users—and provide real-world examples of how these roles function across different industries.
What is CISSP Certification?
Awarded by the International Information Systems Security Certification Consortium (ISC2), CISSP certification is one of the more advanced tiers of cybersecurity training, requiring candidates to have at least five years of experience in two or more of the eight CISSP domains.
To meet the CISSP certification requirement, you’ll need to pass a rigorous exam that tests your knowledge in all aspects of information security—from risk management to software development. Employers highly value CISSP training and certification when filling mid- and senior-level positions. In fact, the ISC2 2024 Cybersecurity Workforce Study found that over 60% of hiring managers prioritize candidates with cybersecurity certifications for these roles. Moreover, organizations with significant skills gaps are nearly twice as likely to experience a material breach compared to those without.
CISSP and ITIL – Intersection of Cybersecurity and IT Service Management
What Types of Data Roles and Responsibilities Do I Need To Know for the CISSP?
When preparing for the CISSP certification exam, you’ll explore several key data roles to understand how they work together to create a secure and compliant environment. Here are the main CISSP roles you need to know:
- Data Owner: Sets the direction for data management and makes critical decisions.
- Data Custodian: Safeguards and manages the data, ensuring systems run smoothly.
- Data Controller/Processor: Handles day-to-day operations and enforces policies.
- User: Accesses and utilizes data while following security guidelines.
Data Owner
The data owner is responsible and accountable for the classification and protection of one or more data sets within an organization. They decide how to keep data secure while ensuring that those who need access can use it effectively to drive business growth.
Roles and Responsibilities
Data owners are typically management-level executives—such as department heads from HR, payroll, or customer services. According to NIST SP 800-18, a data owner’s main responsibilities include:
- Data Classification: Determining the sensitivity of different data types and the level of protection each requires.
- Access Control: Establishing who can access which data and under what conditions.
- Security Requirements: Setting data usage rules, backup frequency, and technical controls based on importance and legal obligations.
Real-World Examples of Data Owner Roles
Healthcare:
In a hospital, the CIO or head of IT typically manages patient data—deciding what information to collect, how to organize it, and setting security rules to ensure doctors have access while maintaining patient privacy and compliance with regulations like HIPAA.
Banking and Finance:
Senior leaders such as the CFO or head of risk management act as data owners for financial records, determining storage methods, access permissions, and security measures to protect sensitive customer information.
Data Custodian
A data custodian is responsible for the technical protection of your data. They implement and maintain the security controls set by the data owner, ensuring systems run smoothly.
Roles and Responsibilities
Typically IT professionals, data custodians translate high-level security policies into actionable technical solutions. Their key responsibilities include:
- Implementing Security Policies: Configuring firewalls, encrypting data, and setting up access controls as directed by data owners.
- Controlling User Access: Managing user accounts, enforcing security checks, and monitoring access logs.
- Protecting Data: Planning for incidents such as ransomware attacks or hardware failures by patching vulnerabilities and managing antivirus solutions.
- Setting Up Backup Systems: Ensuring data is securely stored and can be quickly restored following any data loss.
Data Owner vs. Data Custodian
Although the data custodian handles day-to-day technical tasks, they do not make the policy decisions—that responsibility lies with the data owner.
Real-World Examples of Data Custodian Roles
Government IT Department: A city council’s IT team manages public records and resident data by ensuring regular backups, timely security updates, and robust network defenses that align with official policies.
Manufacturing IT Team: In a manufacturing facility, the IT department protects production and operational data from connected machinery by employing network segmentation and securing industrial control systems.
Data Controller and Data Processor
Under the General Data Protection Regulation (GDPR), a data controller is an entity that determines how and why personal data is processed. When multiple organizations share this decision-making, they become joint controllers and must share responsibilities. Conversely, a data processor manages personal data on behalf of a controller, executing data processing strictly as directed.
Roles and Responsibilities
Data controllers must ensure personal data is processed lawfully, fairly, and transparently. Their key responsibilities include:
- Accountability: Supporting data protection principles and conducting impact assessments while appointing a Data Protection Officer (DPO) if necessary.
- Transparency: Informing data subjects about processing details including legal basis, retention periods, and data sharing practices.
- Compliance: Identifying the legal grounds for processing and ensuring any data transfers outside the EEA meet GDPR standards.
- Record-Keeping & Security: Maintaining detailed processing records and implementing robust security measures.
- Contracting: Managing relationships with data processors through binding contracts.
- Breach Notification: Reporting data breaches to the relevant authorities and affected individuals.
- Cooperation: Working with data protection authorities as needed.
Data Processors’ Responsibilities
- Following Controller Instructions: Carrying out all processing activities exactly as directed.
- Maintaining Records: Keeping detailed logs of processing operations.
- Ensuring Security: Implementing technical and organizational measures to protect data during processing.
- Upholding Contractual Obligations: Adhering strictly to the terms of the controller-processor agreement.
- Managing Sub-processors: Obtaining authorization before engaging sub-processors and ensuring contractual parity.
- Reporting Breaches: Promptly notifying the controller of any data breaches.
- Appointing a DPO: If required, and cooperating with authorities.
Data Controller vs. Data Processor
The key difference lies in decision-making authority: if you set the processing rules, you are the controller; if you follow someone else’s instructions, you are the processor. For example, a payroll company might be a controller for its internal data while serving as a processor for another business.
Real-World Examples of Data Controller and Data Processor Roles
Hotel Chain Example: A hotel collects guest information and sets policies for its use, acting as the data controller, while a third-party reservation service processes bookings and guest data on its behalf.
Market Research Firms: Such firms typically process survey data strictly according to guidelines provided by their clients, who remain the data controllers.
Joint Controllers: An online retailer partnering with a logistics provider to manage customer orders may share control over the data, classifying them as joint controllers under GDPR.
User
Users are the individuals who interact with data and systems daily, typically with only the minimum access necessary as dictated by the principle of least privilege. Whether they are employees, contractors, or customers, their actions directly impact organizational security.
Roles and Responsibilities
- Adhere to Security and Privacy Guidelines: Follow organizational policies and understand applicable privacy regulations (such as GDPR or HIPAA).
- Protect Access: Keep login credentials confidential, create strong passwords, and remain vigilant against phishing attempts.
- Report Problems: Notify IT or security teams of any suspicious activities or security issues immediately.
- Handle Data Carefully: Store, transmit, and dispose of data in accordance with best practices and company protocols.
Real-World Examples of Data User Roles
Retail Associates: Sales representatives use POS systems to process transactions, safeguarding sensitive customer data by logging off or locking devices when not in use.
Healthcare Providers: Nurses and doctors work with electronic health record (EHR) systems, strictly adhering to security protocols to protect patient confidentiality.
Remote IT Support Contractors: When assisting an employee, a contracted IT specialist uses secure VPN connections and multi-factor authentication, ensuring all actions are logged and compliant.
Final Thoughts
Let’s recap: Data owners define policies and classify data, data custodians implement those policies through technical controls, data controllers set the rules for processing personal data, data processors execute those operations, and users are on the front line interacting with data. With over 165,000 CISSP professionals worldwide, earning your CISSP certification isn’t just a testament to your technical skills—it’s a comprehensive understanding of how these roles interlock to create a secure framework.
In the end, even the most robust technical controls rely on people. Whether you’re establishing access controls or managing daily security tasks, designing solutions that align with user behavior—and ensuring everyone understands the “why” behind security—makes it easier for your organization to stay protected.
Preparing for CISSP Certification
If you’re ready to get started, our Official ISC2 Certified in Cybersecurity Certification Boot Camp is designed for you. The course combines an entry-level review of cybersecurity fundamentals with industry best practices and Training Camp’s award-winning exam preparation for ISC2 exams. Here’s what it offers:
- Official ISC2 Courseware: Engage with interactive exercises that bring theory into practice.
- Focused Exam Preparation: Benefit from detailed instruction and realistic mock tests covering exam content and format.
- Comprehensive Study Materials and Resources: Access the latest CISSP insights, exam tips, student success stories, and industry analysis.
- Expert Support: Receive guidance from ISC2-certified professionals ready to help you succeed.
No prior experience is necessary—just a desire to learn and the drive to succeed in a field full of opportunities. Ready to take your first step towards CISSP training?
Get ISC2 CISSP Certified, Fast.
Accelerate your cybersecurity career and command higher salaries with the industry-recognized CISSP certification that demonstrates your expertise in designing, implementing, and managing best-in-class security programs.
