Dear Tim,

That's such a great question that I'll have to break my duck and post to the list for the first time; please be gentle, everyone.

My take on this would focus on the information governance structure. The Head of Function has responsibility for the implementation of the institutional records policy, but oversight at unit level may be devolved to a member of staff acting as a records management focal point. All members of the unit, including the Head of Function, will create information assets subject to regulation through the institution's RM policy, and as such all should be treated as information creators. The Information Asset Owner in this regard is the institution.

Regards,

Garret McMahon

On 27 June 2017 at 05:16, Tim Lucas <[log in to unmask]> wrote:
Dear Records Management Community,

Apologies if this is not the correct mailing list, and please do direct me if there is a more appropriate one.

I have a question regarding information asset owners, end user classification and the associated security and handling rules.

From a dataset perspective, for example a database, an information asset owner (e.g. the Head of a business function, such as a Department or Faculty) would define which datasets correspond to which information security classifications (e.g. Public, Restricted or Confidential), based on sensitivity and value, and the classification would in turn determine the associated security controls and handling rules.

Now, in the case of an email or an office document which the end user is required to mark with an appropriate information classification, are they considered a creator of information and/or the information asset owner? I believe they are the creator of the information, and are classifying it based on the rules set out by the information owner. For example, an HR staff member composes a staff email to discuss recruitment with an internal manager of a department. The information owner, i.e. the head of HR in this example, would have previously defined a rule along the lines of: communication internally within the organisation for limited distribution, but without personally identifiable information (PII), is classified as Restricted; if it also contains PII, mark it as Confidential. Based on this, the HR staff end user creating the email would apply these rules and select the appropriate information classification for the email to be sent.

I'm currently working on a set of policies and documenting what constitutes an Information Asset Owner, with examples. I have seen differing opinions with regard to the end user, and whether they are solely a creator of information, acting on the direction of the information owner and the defined rules, or whether they are also the information owner themselves.

I would welcome your comments and thoughts on this matter.

Best wishes,
Tim

Tim Lucas, MSc, CISSP

IT Security Manager

Information Technology

Birmingham City University

To view the list archives go to: https://www.jiscmail.ac.uk/cgi-bin/webadmin?A0=RECORDS-MANAGEMENT-UK
To unsubscribe from this list, send an email to [log in to unmask] with the words UNSUBSCRIBE RECORDS-MANAGEMENT-UK
For any technical queries re JISC please email [log in to unmask]
For any content based queries, please email RECORDS-MANAGEMENT-UK-request@jiscmail.ac.uk



--
10 Ard Righ Place
Arbour Hill
Dublin
Ireland
D07 W7K