Episode 187: Governance Structures and Roles (Part 2) (Domain 5)

In the last episode, we looked at different governance structures and how authority is distributed through boards, committees, and centralized or decentralized models. In this episode, we focus on another key component of security governance—roles and responsibilities for data and systems. These roles must be clearly defined so that everyone involved in managing, using, or protecting information understands what they are accountable for. When roles are ambiguous, mistakes are made, risks go unmanaged, and incidents are harder to contain. But when roles are clear and enforced, governance becomes stronger, faster, and far more effective.
Let’s begin by defining the role of a data or system owner. This person has ultimate accountability for a particular system or dataset. Owners are typically high-level managers or business leaders who are responsible for the value and integrity of the information under their control. They decide who can access the data, how it should be protected, and what its classification level should be. They also approve risk assessments, accept residual risk, and sign off on changes that could impact system performance or security.
For example, in a healthcare organization, the chief medical officer might be designated as the data owner for patient health records. This individual is not the one configuring firewalls or encrypting backups. But they are responsible for ensuring that proper controls are in place and that the data is used in accordance with both legal and organizational standards. They are the authority who signs off on who gets access and under what conditions.
Next, we turn to data controllers. The term “controller” is often used in regulatory contexts, particularly in privacy laws like the General Data Protection Regulation. A data controller is the entity—or sometimes the individual—that determines the purpose and means of processing personal data. In other words, controllers decide what data is collected, why it is collected, and how it will be used.
Controllers may also set policies for how long data should be retained and when it should be deleted. They are responsible for communicating privacy practices to users and for responding to requests to access, modify, or delete data. Controllers may delegate tasks to other parties, but they remain legally responsible for how the data is handled.
For example, an online retailer that collects customer data to fulfill orders and send promotional emails would be considered the data controller. The retailer decides what information to collect, how to store it, and what analytics to perform. Even if the actual processing is handled by a cloud service provider, the controller bears the legal responsibility for the data’s protection.
That leads us to the next role: data processors. A processor is any party that handles data on behalf of the controller. This could be a cloud hosting provider, a payroll company, a marketing agency, or any other service that processes data based on the instructions of the controller. Processors do not get to decide what the data is used for—they only perform the tasks they have been contracted to carry out.
Processors must implement appropriate security measures to protect the data they handle, and they are often required to sign data processing agreements that define their responsibilities and liability. While controllers are responsible for the purpose of the data, processors are responsible for executing the technical and operational tasks required to manage it securely.
A good example involves a university that hires a third-party firm to manage student surveys. The university, acting as the data controller, specifies what questions are asked and what information is collected. The vendor, as the data processor, builds and hosts the survey platform, manages submissions, and provides results. The vendor cannot use the data for its own purposes, and it must follow the university’s instructions for storing and deleting the results.
Now let’s examine the roles of custodians and stewards. These terms are sometimes used interchangeably, but they serve specific functions within a governance framework. A data custodian is the technical professional responsible for implementing the data owner's decisions. Custodians manage the infrastructure, apply access controls, and ensure backups, logging, and encryption are in place. They maintain the system but do not make high-level decisions about how data is used.
For instance, in an enterprise resource planning system, the information technology administrator who configures user permissions and manages backups is acting as the data custodian. They carry out the technical tasks necessary to enforce the policies set by the owner and controller. Their role is operational, not strategic.
A data steward, on the other hand, focuses more on the quality and consistency of the data. Stewards ensure that data is accurate, standardized, and aligned with business definitions. In many organizations, stewards work with multiple departments to make sure that data is entered correctly, validated appropriately, and formatted consistently across systems. They often serve as a bridge between business users and technical teams.
Consider a customer relationship management platform where multiple departments enter client information. A data steward might be responsible for ensuring that job titles are formatted the same way, that phone numbers follow a standard convention, and that customer records are not duplicated. This improves reporting, compliance, and customer service—and reduces the chances of data corruption or misuse.
When these roles are clearly defined and coordinated, governance becomes much easier to enforce. Each person knows what they are accountable for, and there is less risk of confusion or overlap. But when roles are blurred or left undefined, security efforts break down. For example, if no one knows who the data owner is, critical decisions about access control or classification may be delayed or made inconsistently. If no custodian is assigned, systems may go unpatched or misconfigured. And without a steward, data quality may degrade, impacting business performance and decision-making.
Let’s bring these ideas to life with a practical scenario. Imagine a pharmaceutical company rolling out a new application to manage clinical trial data. The data owner is the head of clinical research, who defines what information must be collected and ensures regulatory compliance. The data controller is the organization itself, which decides how the data will be processed and stored. A contracted cloud provider acts as the processor, handling the hosting and encryption. An internal database administrator is the custodian, responsible for backups and access control. And a compliance analyst plays the role of data steward, reviewing the data for accuracy and alignment with documentation standards. This layered approach creates a governance model where every role is assigned, and every responsibility is fulfilled.
For the Security Plus exam, you need to know these roles and what each one is responsible for. Expect questions that ask you to identify the appropriate role based on a description of duties. You may also see scenario questions that describe a data incident and ask who should take action. Be prepared to distinguish between strategic roles like owners and controllers, and operational roles like processors and custodians.
Here is a tip for remembering these distinctions. Owners approve access. Controllers define purpose. Processors execute tasks. Custodians maintain systems. And stewards ensure quality. Think of it as a chain of responsibility from strategy to execution. The more precise you are in matching duties to roles, the better your performance on this domain will be.
For more governance examples, downloadable study tools, and practice questions that match the Security Plus exam format, visit us at Bare Metal Cyber dot com. And if you need a complete, exam-focused guide with diagrams, explanations, and test-taking strategies, pick up your copy of Achieve CompTIA Security Plus S Y Zero Dash Seven Zero One Exam Success at Cyber Author dot me.