Comprehensive and Detailed Explanation From Exact Extract of Chief Information Security Officer (CCISO) Documents:
According to the EC-Council CCISO Body of Knowledge, the data owner holds the primary responsibility for determining access rights requirements to information. CCISO guidance defines the data owner as the individual or role accountable for the classification, protection, and authorized use of specific data sets.
The data owner determines who should have access, what level of access is appropriate, and under what conditions access may be granted or revoked. This responsibility is based on business context, regulatory obligations, and risk considerations.
The CIO, CISO, and database engineers play supporting roles. The CIO oversees IT strategy, the CISO establishes security policies and controls, and database engineers implement access controls—but none of these roles define business-driven access requirements.
CCISO materials stress that access control decisions must be business-owned, not purely technical. This ensures accountability and alignment with organizational objectives.
Therefore, the correct and CCISO-validated answer is Data owner.