3. Data Classification 85%
All policies within the organization should include a section that includes all of the following, except: Policy adjudication Policy enforcement Policy review Policy maintenance
A. All the elements except adjudication need to be addressed in each policy. Adjudication is not an element of policy.
Copyright Punishment
Copyright infringement is usually dealt with as a civil case: the copyright owner has to bring a lawsuit against someone they believe has illegally copied or used their work. However, in some cases, demonstrated willful infringement can be investigated by the government as a criminal matter. In the United States, copyright is assigned the moment an expression is put into a tangible medium; the creator automatically holds the copyright when the work is created. However, enforcing these rights in a lawsuit against infringement will require some proof of the creator's claim.
Trademarks
Unlike copyrights, trademark protection is intended to be applied to specific words and graphics. Trademarks are representations of an organization—its brand. A trademark is meant to protect the esteem and goodwill that an organization has built among the marketplace, especially in public perception. A trademark can be the name of an organization, or a logo, a phrase associated with an organization, even a specific color or sound, or some combination of these. In order to have a trademark protected by law, it must be registered within a jurisdiction. Commonly, that is the U.S. Patent and Trademark Office (USPTO), the federal entity for registering trademarks. Trademarks registered with the USPTO can use the ® symbol to signify registration. States also offer trademark registration, and trademarks registered with state offices often use the ™ symbol. Trademarks last into perpetuity, as long as the trademark owner continues to use them for commercial purposes. Trademark infringement is actionable, and trademark owners can sue in court for remedy for infringement.
Data Retention
As with all matters involving our profession, the organization's data retention program should start with and be based on a strong, coherent policy. The data retention policy should include the following: Retention Periods: How long the data should be kept by the organization. This usually refers to data that is being archived for long-term storage—that is, data not currently being used in the production environment. The retention period is often expressed in a number of years and is frequently set by regulation or legislation. Data retention periods can also be mandated or modified by contractual agreements. Applicable Regulation: As we just mentioned, the retention period can be mandated by statute or contract; the retention policy should refer to all applicable regulatory guidance. This is especially true in cases where there is conflicting regulation; the policy should then also highlight any such disparity, and include mention of senior management's decision for how to approach and resolve this conflict with the policy as an appropriate mechanism. For instance, states may impose different retention periods for specific kinds of data, and the organization might operate in states with differing mandated periods; the policy should then explicitly state the conflicting periods, as well as the period senior management determined as the solution. Retention Formats: The policy should contain a description of how the data is actually archived—that is, what type of media it is stored on, and any handling specifications particular to the data. For example, some types of data are required by regulation to be kept encrypted while in storage. In these cases, the policy should include a description of the encryption engine, key storage and retrieval procedures, and reference to the applicable regulation(s) (see earlier).
Data Audit
As with all other assets, the organization needs to regularly review, inventory, and inspect usage and condition of the data it owns. Data audit is a powerful tool for effecting these efforts. As with the other elements of data management, the organization should have a policy for conducting audits of its data. The policy should include detailed descriptions of: Audit periods Audit scope Audit responsibilities (internal and/or external) Audit processes and procedures Applicable regulations Monitoring, maintenance, and enforcement As with all types of audits, the organization should be particularly careful about ensuring that auditors do not report to anyone in the management structure that owns or is affected by the data they are auditing; conflicts of interest must be avoided for the audits to have validity and utility.
DRM solutions should generally include all the following functions, except: Dynamic policy control Automatic expiration Automatic self-destruct Persistency
C. DRM tools should include all the functions listed except for self-destruction, which might hurt someone.
What is the aspect of the DMCA that has often been abused and places the burden of proof on the accused? Online service provider exemption Puppet plasticity Takedown notice Decryption program prohibition
C. The DMCA provision for takedown notices allows copyright holders to demand removal of suspect content from the web, and puts the burden of proof on whoever posted the material; this function has been abused by griefers and trolls and overzealous content producers. The OSP exemption provides a safe harbor provision for web hosts. The decryption program prohibition makes DeCSS and other similar programs illegal. Puppet plasticity is a nonsense term used for a red herring.
All of the following regions have at least one country with an overarching, federal privacy law protecting personal data of its citizens, except: Europe South America The United States Asia
C. The United States does not have a single, overarching personal privacy law; instead, the U.S. often protects PII by industry (HIPAA, GLBA, FERPA, and so forth.). All EU member countries adhere to the Data Protection Regulation. Argentina's Personal Data Protection Act cleaves to the EU Regulation, as does Japan's Act on the Protection of Personal Information. WRONG D
Metadata-Based Discovery (Data Discovery Methods)
Colloquially referred to as "data about data," metadata is a listing of traits and characteristics about specific data elements or sets. Metadata is often automatically created at the same time as the data, often by the hardware or software used to create the parent data. For instance, most modern digital cameras create a vast amount of metadata every time a photograph is taken, such as date, time, and location where the photo was shot, make and model of the camera, and so forth; all that metadata is embedded in the picture file, and is copied and transferred whenever the image itself is copied or moved. Data discovery can therefore use metadata in the same way labels might be used; specific fields of the metadata might be scanned for particular terms, and all matching data elements collected for a certain purpose.
Data Analytics (Data Discovery Methods)
Current technological options provide additional options for finding and typing data. In many cases, these modern tools create new data feeds from sets of data already existing within the environment. These include Datamining: The term for the family of activities that the other options on this list derive from. This kind of data analysis is an outgrowth of the possibilities offered by regular use of the cloud, also known as "big data." When the organization has collected various data streams and can run queries across these various feeds, the organization can detect and analyze previously unknown trends and patterns that can be extremely useful. Real-time Analytics: In some cases, tools can provide datamining functionality concurrently with data creation and use. These tools rely on automation and require efficiency to perform properly. Agile Business Intelligence: State-of-the-art datamining involves recursive, iterative tools and processes that can detect trends in trends, and identify even more oblique patterns in historical and recent data.
Data labels could include all the following, except: Source Jurisdiction Handling restrictions Delivery vendor
D. All the others might be included in data labels, but we don't include delivery vendor, which is nonsense in context. WRONG A
What is the federal agency that accepts applications for new patents? OSHA SEC USDA USPTO
D. The U.S. Patent and Trademark Office accepts, reviews, and approves applications for new patents. The USDA creates and enforces agriculture regulation. OSHA oversees workplace safety regulations. The SEC regulates publicly traded corporations.
Data Retention Part 2
Data Classification: The organization should have an overarching data classification policy that serves as guidance for data creators, owners, curators, and users, describing how and when data should be classified, and security procedures and controls for handling the various classifications (as well as enforcement mechanisms for dealing with policy infractions). In addition to the main policy, the data retention policy should include specific mention of how the various classes of data will be archived and retrieved. Archiving and Retrieval Procedures: Having data in storage is useful; stored data can be used to correct production errors, can serve as business continuity and disaster recovery (BC/DR) backups, and can be datamined for business intelligence purposes. But stored data is only useful if it can be retrieved and put back into production in an efficient and cost-effective manner. The policy should include a detailed description of the processes both for sending data into storage and for recovering it. This element of the policy (the detailed processes) might be included as an attachment or mentioned by reference to the actual documentation for the processes; the processes might require more frequent updates and editing than the policy and could be kept separate. Monitoring, Maintenance, and Enforcement: As with all policies in the organization, the policy should list, in detail, how often the policy will be reviewed and amended, by whom, consequences for failure to adhere to the policy, and which entity within the organization is responsible for enforcement.
Asia (Jurisdictional Requirements)
Disparate levels of intellectual property protection. Data privacy protection levels differ greatly by country, with Japan adhering to the EU model, and other countries following much-reduced guidance.
Content-Based Discovery (Data Discovery Methods)
Even without labels or metadata, discovery tools can be used to locate and identify specific kinds of data by delving into the content of datasets. This technique can be as basic as term searches or can use sophisticated pattern-matching technology.
Every security program and process should have which of the following?
Foundational policy
Europe (Jurisdictional Requirements)
Good intellectual property protections. Massive, exhaustive, comprehensive personal privacy protections, including the EU Data Directive and the General Data Protection Regulation. The EU privacy laws will be a big driver for any organization wanting to do business in or with Europe. For exam purposes, you should be versed in both the original guidance (the EU Data Directive), and the recently updated law (the EU General Data Regulation), as well as the mechanisms used in the United States to comply with these laws (the Safe Harbor program and the Privacy Shield, respectively).
Data Audit Logs
In most organizations and enterprises, audit is predicated on logging. Logging can happen in many forms: event logging, security logging, traffic logging, and so forth. Logs can be generated by applications, OSs, and devices, and for general or specific purposes. Log review and audit is a specialized task for personnel with specific training and experience. Logging is fairly easy; most software and devices in modern enterprises can effectively log anything and everything the organization might want to capture. Reading and analyzing these logs, however, can prove challenging: Log review and analysis is not often a priority. Most organizations do not have the wherewithal to dedicate the personnel required to effectively analyze log data. Usually, log review becomes an additional duty for someone tasked to another office (the security department, for instance). And many additional duties do not get accomplished because the personnel assigned to them become task-saturated with their other, regular job tasks. Log review is mundane and repetitive. Reviewing logs takes a certain kind of person: someone who can sift through loads of data in order to spot the minute portion that might vary from the norm. This is not exciting work, and even the best analyst can become lax through repetition. Log review requires someone both new to the field and experienced. This can become a management quandary: the log reviewer must be someone junior enough that they can be assigned to perform log reviews without incurring too much trade-off cost to the organization (that is, other functions they might be performing are not more expensive or valuable than the log reviews), yet the person needs to have sufficient experience and training to perform the activity in a worthwhile manner. The reviewer needs to have an understanding of the operation. If the reviewer cannot distinguish between what is authorized activity and what is not, they are not adding security value to the process. A natural inclination of a security practitioner might be to log everything; people in our field notoriously loathe to part with data, and want to know everything about everything. The problem with doing so? Logging everything creates additional risks and costs. Having so much log data aggregated creates additional vulnerabilities, and requires additional protections, and the storage required for logging everything will entail a wholesale duplication of storage systems and space.
Data Destruction/Disposal
In the legacy environment, where the organization has ownership and control of all the infrastructure, including the data, hardware, and software, data disposal options are direct and straightforward. In the cloud, data disposal is much more difficult and risky. First, a review of data disposal options in the legacy environment: Physical Destruction of Media and Hardware: Any hardware or portable media containing the data in question can be destroyed by burning, melting, impact (beating, drilling, grinding, and so forth), or industrial shredding. This is the preferred method of sanitization, since the data is physically unrecoverable. Degaussing: This involves applying strong magnetic fields to the hardware and media where the data resides, effectively making them blank. It does not work with solid-state drives. Overwriting: Multiple passes of random characters are written to the storage areas (particular disk sectors) where the data resides, with a final pass of all zeroes or ones. This can be extremely time-consuming for large storage areas. Cryptoshredding (AKA Cryptographic Erasure): This involves encrypting the data with a strong encryption engine, and then taking the keys generated in that process, encrypting them with a different encryption engine, and destroying the keys. In the cloud, many of these options are unavailable or not feasible. Because the cloud provider, not the data owner, owns the hardware, physical destruction is usually out of the question. Moreover, because of the difficulty of knowing the actual specific physical location(s) of the data at any given moment (or historically), it would be next to impossible to determine all the components and media that would need to be destroyed. Likewise, for that same reason, overwriting is not a practical means of sanitizing data in the cloud. That leaves cryptoshredding as the sole pragmatic option for data disposal in the cloud. As with the other data management functions, the organization needs to create a policy for data disposal. This policy should include detailed descriptions of the following: The process for data disposal Applicable regulations Clear direction of when data should be destroyed Of course, we are also concerned with data remanence—that is, any data left over after sanitization and disposal methods have been attempted. If cryptoshredding is performed correctly, there should be no remanence; however, material that is somehow not included in the original encryption (say, a virtual instance that was offline during the encryption process, then added to the cloud environment) might be considered remanence. As in all cryptographic practices, proper implementation is essential for success.
Intellectual Property Protections
Intellectual property is that class of valuable belongings that are intangible; literally, assets of the mind.
Data Classification (3)
Much like categorization, data classification is the responsibility of the data owner, takes place in the Create phase, and is assigned according to an overall organizational motif based on a specific characteristic of the given dataset. Sensitivity-This is the classification model used by the military. Data is assigned a classification according to the sensitivity of the data, based on the negative impact an unauthorized disclosure would cause. In models of this kind, classification must be assigned to all data, even in the negative, so material that is not deemed to be sensitive must be assigned the "unclassified" label. Jurisdiction-The geophysical location of the source or storage point of the data might have significant bearing on how that data is treated and handled. For instance, Personally Identifiable Information (PII) data gathered from citizens of the European Union (EU) is subject to the EU privacy laws, which are much more strict and comprehensive than privacy laws in the United States. Criticality-Data that is deemed critical to organizational survival might be classified in a manner distinct from trivial, basic operational data. As we know from previous lessons, the BIA helps us determine which material would be classified this way.
Digital rights management (DRM) Functions (6)
Persistent Protection: The DRM should follow the content it protects, regardless of where that content is located, whether it is a duplicate copy or the original file, or how it is being utilized. The protection should not be rendered useless through simple operation in the production environment. Dynamic Policy Control: The DRM tool should allow content creators and data owners to modify ACLs and permissions for the protected data under their control. Automatic Expiration: Because of the nature of some legal protections of intellectual property (described earlier in this lesson), a significant amount of digital content will not be protected in perpetuity. The DRM protections should cease when the legal protections cease. Conversely, licenses also expire; access and permissions for protected content should likewise expire, no matter where that content exists at the end of the license period. Continuous Auditing: The DRM should allow for comprehensive monitoring of the content's use and access history. Replication Restrictions: Much of the purpose of DRM is to restrict illegal or unauthorized duplication of protected content. Therefore, DRM solutions should enforce these restrictions across the many forms of copying that exist, to include screen-scraping, printing, electronic duplication, email attachments, and so on. Remote Rights Revocation: The owner of the rights to specific intellectual property should have the ability to revoke those rights at any time; this capability might be used as a result of litigation or infringement.
Digital rights management (DRM) Challenges (5)
Replication Restrictions: Because DRM often involves preventing unauthorized duplication, and the cloud necessitates creating, closing, and replicating virtualized host instances (including user-specific content stored locally on the virtual host), DRM might interfere with automatic resources allocation processes. Jurisdictional Conflicts: The cloud extends across boundaries and borders, often in a manner unknown or uncontrolled by the data owner, which can pose problems when intellectual property rights are restricted by locale. Agent/Enterprise Conflicts: DRM solutions that require local installation of software agents for enforcement purposes might not always function properly in the cloud environment, with virtualization engines, or with the various platforms used in a bring your own device (BYOD) enterprise. Mapping Identity and Access Management (IAM) and DRM: Because of the extra layer of access control (often involving content-specific Access Control Lists (ACLs), the DRM IAM processes might conflict or not work properly with the enterprise/cloud IAM. This is even truer when cloud IAM functions are outsourced to a third party, such as a cloud access security broker (CASB). API Conflicts: Because the DRM tool is often incorporated into the content, usage of the material might not offer the same level of performance across different applications, such as content readers or media players.
Digital rights management (DRM) Application (5)
Rudimentary Reference Checks: The content itself can automatically check for proper usage or ownership. For instance, in many vintage computer games, the game would pause in operation until the player entered some information that could only have been acquired with the purchase of a licensed copy of the game, like a word or a phrase from the manual that shipped with the game. Online Reference Checks: Microsoft software packages, including Windows operating systems and Office programs, are often locked in the same manner, requiring users to enter a product key at installation; the program would then later check the product key against an online database when the system connected to the Internet. Local Agent Checks: The user installs a reference tool that checks the protected content against the user's license. Again, gaming engines often work this way, with gamers having to download an agent of Steam or GOG.com when installing any games purchased from those distributors; the agents check the user's system against the online license database to ensure the games are not pirated. Presence of Licensed Media: Some DRM tools require the presence of licensed media, such as disks, in the system while the content is being used. The DRM engine is on the media, often installed with some cryptographic engine that identifies the unique disk and the licensed content, and allowing usage based on that relationship. Support-Based Licensing: Some DRM implementations are predicated on the need of continual support for content; this is particularly true of production software. Licensed software might be allowed ready access to updates and patches, while the vendor could prevent unlicensed versions from getting this type of support.
Digital rights management (DRM)
Solutions that are used to protect intellectual property, in order to comply with the relevant protections, and to maintain ownership rights. DRM can be implemented in enterprises, by manufacturers, vendors, or content creators. Usually, material protected by DRM solutions need some form of labeling or metadata associated with the material in order for the DRM tool to function properly.
The United States (Jurisdictional Requirements)
Strong intellectual property protections, including stringent, multiple legal frameworks. No singular, overarching federal privacy statute; instead, the United States tends to address privacy with industry-specific legislation (GLBA, HIPAA, and so forth), or with contractual obligations (PCI). Many strong, granular data breach notification laws exist that are enforced by states and localities.
Australia/New Zealand (Jurisdictional Requirements)
Strong intellectual property protections. Very strong privacy protections, with the Australian Privacy Act mapping directly to the EU statutes.
Patents
The U.S. Patent and Trademark Office (USPTO), as the name indicates, is also responsible for registering patents. Patents are the legal mechanism for protecting intellectual property in the form of inventions, processes, materials, decorations, and plant life. In securing a patent, the patent owner gains exclusivity in the production, sale, and importation of the patented property. Patents typically last for 20 years from the time of the patent application. There is some provision for extension, since the process of getting a patent can take many months, or even years. Some kinds of patented properties, such as pharmaceuticals, can also gain additional extensions; conversely, the exclusivity of marketing some pharmaceuticals under a particular name is granted not by the USPTO, but by the FDA, and this period of marketing exclusivity is much shorter in duration. Patent infringement, as with the other intellectual property protections, is cause to sue for relief in federal court.
Copyright Use and Exceptions
The creator is the only entity legally allowed to: Perform the work publically Profit from the work Make copies of the work Make derivative works from the original Import or export the work Broadcast the work Sell or otherwise assign these rights There are exceptions to the exclusivity of these rights. Exceptions include: Fair Use: There is a family of exceptions to copyright exclusivity, known as "fair use." Fair use includes: Academic Fair Use: Instructors can make limited copies or presentations of copyrighted works for educational purposes. Critique: The work may be reviewed or discussed for purposes of assessing its merit, and portions of the work may be used in these critical reviews. News Reporting: Because an informed populace is essential to a free society, we have waived some intellectual property protections for reporting purposes. Scholarly Research: Similar to academic fair use, but among researchers instead of teachers and students. -------------------------------------------------------------- Satire: A mocking sendup of the work may be created using a significant portion of the original work. Library Preservation: Libraries and archives are allowed to make limited numbers of copies of original works in order to preserve the work itself. Personal Backup: Someone who has legally purchased a licensed work may make a single backup copy for themselves, for use if the original fails. This explicitly includes computer programs. Versions for People with Physical Disabilities: It is legal to make specialized copies of licensed works for use by someone with a disability. This could, for instance, include making a Braille or audio copy of a book for use by the blind.
Data Categorization (4)
The data owner will be in the best position to understand how the data is going to be used by the organization. This allows the data owner to appropriately categorize the data. Regulatory Compliance- Different business activities are susceptible to different regulations. The organization may want to create categories based on which regulation(s) apply to a specific dataset. This might include Graham-Leach-Bliley Act (GLBA), Payment Card Industry (PCI), Sarbanes-Oxley (SOX) and/or HIPPA. Business Function- The organization might want to have specific categories for different uses of data. Perhaps the data is tagged based on its use in billing, marketing, or operations. Functional Unit- Each department or office might have its own category, and keep all data it controls within its own category. By Project- Some organizations might define datasets by the projects they are associated with, as a means of creating discrete, compartmentalized projects.
Data Labeling
The label should indicate who the data owner is, usually in terms of the office or role, instead of an individual name or identity (because, of course, personnel can change roles with an organization, or leave for other organizations). Labels should be evident and communicate the pertinent concepts without necessarily disclosing the data they describe.
Copyright Definition
The legal protection for expressions of ideas is known as "copyright." In the United States, copyright is granted to anyone who first creates an expression of an idea. Usually, this involves literary works, films, music, software, and artistic works. Copyright does not cover ideas, specific words, slogans, recipes, or formulae. Those things can often be secured with other intellectual property protections. Oddly, copyright does not include titles of works. For instance, while you cannot copy and sell the film Star Wars, you could, theoretically, write, produce, and sell a new movie that you call Star Wars, as long as it does not cover the same material as the other film with that name. We don't, however, recommend it. Copyright protects the tangible expression of an idea, not the form of an idea. For instance, copyright protects the content of a book, not the hardcopy version of a book itself; illegal copying of content of a book would be a copyright infringement, whereas stealing a physical book would be theft. The copyright belongs to the author or whomever the author sells or grants the rights to, not to someone who currently holds the physical copy of the book. The U.S. Copyright Office allows copyright holders to register their works as means of securing this proof. It is not mandatory to register works in order to own them. The fact that something is copyrighted is often communicated by attaching the copyright symbol to it, sometimes with additional text that emphasizes this fact. The duration of copyrights vary based on the terms under which they were created, depending on if an individual created the work themselves or if the work was created under contract (a "work-for-hire"). Typically, copyright lasts for either 70 years after the author's death, or 120 years after the first publication of a work for hire.
Data Control
The organization also needs to protect data in life-cycle phases other than Create. Industry standards and best practices require the creation, use, and enforcement of a host of data management policies and practices, including the areas of data retention, audit, and disposal. Each aspect of data management—retention, audit, and disposal—will need a specific policy addressing it. There is no reason, however, that you cannot include all three policies under one overarching policy, such as a data management policy. Just be sure each area is addressed thoroughly and with sufficient granularity; don't let any individual subpolicy slip in quality or comprehensiveness simply because you're aggregating your required governance.
Categorization VS Classification
There are no industry-defined, statutory-mandated definitions for "categorization" versus "classification" of data, except in those areas covered by specific regulations (for instance, the military uses classification constructs defined by federal law). The terms can often be used interchangeably. For the purposes of discussion in this course, we will try to adhere to this understanding of the terms: data is categorized by its use and classified by a certain trait. Again, this is not an industry standard, and the International Information System Security Certification Consortium, or (ISC)2, does not create a bright-line distinction between the terms.
Trade Secrets
Trade secrets are intellectual property that involve many of the same aspects as patented material: processes, formulas, commercial methods, and so forth. They can also include some things that aren't patentable, such as aggregations of information (this might include lists of clients or suppliers, for instance). Trade secrets are also somewhat like copyrights in the United States, in that protections for them exist upon creation, without any additional requirement for registration. However, unlike other intellectual property protections, material considered trade secrets must be just that: secret. They cannot be disclosed to the public, and efforts must be made to maintain secrecy in order to keep this legal protection. Trade secrets are then provided legal protection from illicit acquisition; anyone who tries to acquire trade secrets by theft or misappropriation can be sued in civil court (similar to other forms of intellectual property), but can also be prosecuted in federal court for this crime. Trade secret protection does not, however, confer the exclusivity granted by other intellectual property protections. Anyone other than the owner of the trade secret who discovers or invents the same or similar methods, processes, and information through legal means is justified and legally free to use that knowledge to their own benefit. In fact, someone who discovers someone else's trade secret through legitimate means is also free to patent it (assuming there is no existing patent on the same material or concept). Like a trademark, a trade secret lasts into perpetuity, as long as the owner is still using it in commercial activity.
South/Central America (Jurisdictional Requirements)
Various intellectual property mechanisms. Generally lax privacy protection frameworks, with the notable exception of Argentina, which is in direct correlation with the EU legislation.
Label-Based Discovery (Data Discovery Methods)
With accurate and sufficient labels, the organization can readily determine what data it controls, and what amounts of each kind. This is another reason why the habit and process of labeling is so important. Labels can be especially useful when the discovery effort is undertaken in response to a mandate with a specific purpose, such as a court order or a regulatory demand: if all data related to "X" is required, and all such data is readily labeled, it is easy to collect and disclose all the appropriate data, and only the appropriate data.
Data Discovery Methods
a term that can be used to refer to several kinds of tasks: it might mean that the organization is attempting to create that initial inventory of data it owns, or that the organization is involved in electronic discovery ("ediscovery," the legal term for how electronic evidence is collected as part of an investigation or lawsuit), and it can also mean the modern use of datamining tools to discover trends and relations in the data already in the organization's inventory.
data custodian
any organization or person who manipulates, stores, or moves the data on behalf of the data owner. Within the organization, a data custodian might be a database administrator. In the cloud context, the data custodian is usually the cloud provider. From an international perspective, the data custodian is also known as the data processor. Data custodians do not necessarily all have direct relationships with data owners; custodians can be third parties, or even further removed down the supply chain.
data owner
the organization that has collected or created the data, in general terms. Within the organization, we often assign a specific data owner as being the individual with rights and responsibilities for that data; this is usually the department head or business unit manager for the office that has created or collected a certain dataset. From a cloud perspective, the cloud customer is usually the data owner. Many international treaties and frameworks refer to the data owner as the data controller. Data owners remain legally responsible for all data they own. This is true even if data is compromised by a data custodian several times removed from the data owner.