“Let’s see. Who owns customer name and address? Yes, that must be Joe who manages the New Accounts Department. Okay Joe, you own name and address. You must approve every use – past, present and future – of customer name and address. You have to sign off on all computer programs and business processes that use name and address. You must approve all movement of data files and documents containing names and addresses, their storage and disposal. You must be aware of all new programs and business processes and procedures that use name and address and approve their use. And if even one name and address combination were to go astray, be misused, or be inappropriately disclosed, we will hold you personally responsible.”
Joe doesn’t show up for work the next day, or the next, or the next … So much for laying off the risk onto business managers.
But if you don’t do that, then you are avoiding the issue, aren’t you? So let’s try something a little different. New scenario …
“Announcement: The Information Security department has established the Data Use and Protection Executive Committee, also known as the DUPE Committee. The role of the Committee is to classify all data and review and approve the use of the data. Joe from the New Accounts Department will chair the Committee.”