What MUST each information owner do when a system contains data from multiple information owners?

 The information owner is the person who has the authority and responsibility for the data stored, processed, or transmitted by an Information System (IS). When a system contains data from multiple information owners, each information owner must provide input to the IS owner regarding the security requirements of the data, such as the classification, sensitivity, retention, and disposal of the data. The IS owner is the person who has the authority and responsibility for the operation and maintenance of the IS. The IS owner must ensure that the security requirements of the data are met and that the IS complies with the applicable laws and regulations. Reviewing the Security Assessment Report (SAR), developing and maintaining the System Security Plan (SSP), and moving the data to another IS are not the responsibilities of the information owner, but they may involve the information owner’s participation or approval. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 1: Security and Risk Management, page 48; Official (ISC)2 Guide to the CISSP CBK, Fifth Edition, Chapter 1: Security and Risk Management, page 40.