Which of the following is the responsibility of information asset owners?

The information asset custodian is responsible for safeguarding the information, including implementing access control systems to prevent inappropriate disclosure, and making back-ups so that critical information will not be lost. Information asset custodians are individuals in physical or logical possession of information. Custodians are also required to implement, operate, and maintain the security measures defined by information asset owners.

The information user is responsible for specific information assets, ensuring the security of the information and adhering to all information security policies, standards and procedures.

Internal audit must check for compliance with related information security policies, standards and procedures.

The Information Asset Owner is accountable to the SIRO for ensuring risks associated with handling confidential information are properly managed.

The Owner is equivalent to the Data Owner as defined in the UCL Data Protection Policy. Within a study, this is typically the PI and must be a UCL employee, not an Honorary. The Owner must be in a position to mandate responsibilities within the team, such as training, and to secure funds and resources to ensure information will be properly handled within the study. If the PI is not employed by UCL, then a similarly senior UCL staff member closely involved with the project should be appointed as Owner. In research this will most often be the UCL grant holder.

Responsibilities of the Information Asset Owner

The Information Asset Owner must ensure:

  • Their own Information Governance training is maintained
  • A record is maintained of training for all team members, including the Owner
  • Risks associated with data transfers have been assessed and additional security controls implemented where required
  • The physical security of the team's work environment, or any changes to this, is assessed and, if necessary, improved
  • Suitable standard operating procedures are documented and implemented
  • Technical measures are in place to protect all personal data from unauthorised access
  • Appropriate data processing contracts are in place where external parties are processing personal data on UCL's behalf
  • All members of the research team handling personal data have suitable UCL contracts
  • Contractual requirements, relating to data in use by the study, are met
  • Suitable joiners, movers and leavers processes are in place
  • Records are kept of all information assets that they are responsible for
  • Incidents are reported promptly
  • Data is securely destroyed when no longer needed
  • There is a legal basis for holding personal data
  • All onward sharing of data is legal

In addition, the Owner must ensure that all members of the study team understand their responsibilities. In particular, team members must receive Information Governance training before being given access to personal data.

Many Owners will want someone they employ to be responsible for the day-to-day operations of a project, such as assigning access rights to data. This is possible by assigning an information asset administrator ('Administrator'). Administrator responsibilities are outlined here.

It is the responsibility of owners to define the criticality levels of information assets. Implementation of information security within an application is the responsibility of the data custodians. Implementation of access rules is a responsibility of data custodians. Provision of physical and logical security for data is the responsibility of the security administrator.

Who is the information asset owner in the NHS?

Information Asset Owner (IAO): This includes records related to the asset and management of information risks pertaining to the asset. The IAO also ensures that the Information Asset Assistant, where appointed, carries out their duties to ensure that records are managed in line with guidance and policy.

Who should own an information asset register?

Typically, this will be the person using the asset (if only one person uses it), or, in the case of shared assets, the person who has the responsibility across the whole organisation (e.g. the department head, or Chief Information Officer).

What is an information asset user?

An information asset is a body of knowledge that is organized and managed as a single entity. Like any other corporate asset, an organization's information assets have financial value. The value of the asset increases in direct relationship to the number of people who are able to make use of the information.

What is the importance of information assets?

An information asset is a body of information, defined and managed as a single unit so it can be understood, shared, protected and exploited efficiently. Information assets have recognisable and manageable value, risk, content and lifecycles.