Data Roles and Retention – CompTIA Security+ SY0-501 – 5.8

Who owns your data, and how long do you keep copies of your data? In this video, you’ll learn about specific data roles and options for data retention.


In most organizations, data doesn’t exist on its own. There is a relationship between the data and the people who need access to it. The list of people who need certain types of rights and permissions to this data is usually created based on the responsibilities they have in the organization.

One type of data role is the owner of the data. This is usually someone who is a senior officer or director in the organization. Someone like a vice president of sales, for example, would own all of the customer relationship data, and the treasurer of the organization might own the financial information.

The data steward is the person who manages the accuracy of the data and the privacy of the data, and confirms that the data is secure. This person is usually assigning security labels to the data, or parts of the data. They also make sure that, if there are any compliance regulations, everything the organization does follows all of the applicable laws and standards for that data.

The data custodian is then responsible for implementing the controls that were defined by the data steward. All of the access rights to the data will be defined and created by the data custodian. And in some cases, the data custodian and the data steward are the same person.

And overseeing all of that organization’s data would be the privacy officer. This is someone responsible for the overall data privacy for the entire organization. And they’re usually responsible for setting policies and procedures to make sure that all of the data remains secure going forward.

Different organizations have different policies on how much data is retained and how often. Many organizations like to keep certain types of data around, especially if it changes often, so that you can perform version control. It’s common to keep different versions of a file available going back for at least a week and, in some cases, perhaps even longer. Another important application of data retention is being able to recover if the data is damaged. For example, if there’s a virus infection, you may need to go back 30 days or even longer to get a known good version of a particular file.

And the type of data retention in your organization may not be under your control. There may be legal requirements to keep certain types of data around for a certain amount of time. For example, it’s common to have email storage be retained for years at a time, and some organizations may be legally required to store certain types of data for much longer. Some compliance regulations will even dictate how the data is to be stored and if some of that data on the storage medium must be in an encrypted form.