PM-19 / A.5.12 / CIS-3.12 NIST SP 800-53 Rev 5

Owners assigned per data type

Demonstrate that every data classification type or category maintained by the organization has an explicitly assigned, documented owner with defined responsibilities for data governance and protection.

Description

What this control does

This control requires formal assignment of an accountable data owner for each data classification type or category defined in the organization's inventory. Data owners decide who may access their data, what classification level it carries, how long it is retained, and what constitutes acceptable use; custodians (storage, platform and application operators) implement those decisions but do not make them. The control establishes clear lines of accountability for data governance decisions and ensures that sensitive information has a designated steward who understands its business context and risk profile.

Control objective

What auditing this proves

Every data type or classification category in the organization's data inventory can be traced to a named, documented owner, and those owners can show they actually exercise the governance responsibilities assigned to them (access approval, classification, retention and disposition decisions).

Associated risks

Risks this control addresses

  • Unauthorized access granted due to absence of accountable authority to approve or deny data access requests
  • Data breaches escalate without clear incident ownership, delaying containment and notification decisions
  • Inconsistent classification and handling of sensitive data across business units due to lack of centralized stewardship
  • Regulatory non-compliance when data subject access requests or deletion obligations cannot be routed to responsible parties
  • Over-retention of regulated data because no owner exists to authorize disposition or destruction
  • Intellectual property loss through inadequate protection when business value and sensitivity are not understood by custodians
  • Orphaned datasets accumulate without lifecycle management, expanding attack surface and storage costs

Testing procedure

How an auditor verifies this control

  1. Obtain the organization's data classification policy and data inventory or data catalog documentation
  2. Extract the complete list of data types, data categories, or data classification levels defined by the organization
  3. Request the data ownership register, RACI matrix, or equivalent document mapping owners to data types
  4. Select a representative sample of data types spanning all classification levels and business functions
  5. Verify each sampled data type has a named individual or role designated as data owner with documented contact information
  6. Interview a subset of assigned data owners to confirm they acknowledge their responsibilities and understand data sensitivity
  7. Review evidence that data owners have exercised their authority within the past 12 months, such as access approvals, retention decisions, or classification reviews
  8. Identify any data types in the inventory lacking assigned owners and assess whether gaps exist in coverage

Evidence required

Collect the data classification policy, the data inventory or catalog export showing all data types, the data ownership assignment matrix or register with owner names and contact details, role descriptions or charter documents defining data owner responsibilities, and samples of access request approvals, data handling decisions, or periodic review records signed or approved by the assigned data owners.

Pass criteria

All data types and classification categories documented in the organization's data inventory have explicitly assigned data owners with documented names, roles, and contact information, and sampled owners demonstrate awareness of their responsibilities through documented governance activities.
