Ultimately, it is the responsibility of the owner of sensitive systems, data, and other resources to monitor their use and prevent abuses. A data owner should be responsible for:
Disclosing to users any relevant legal, regulatory, or ethical issues surrounding the use or disclosure of the information
Implementing a data classification system and rating the data according to its sensitivity, confidentiality, inherent value, and other factors
Maintaining a list of authorized users
Implementing procedures to safeguard information from unauthorized use, disclosure, alteration, or accidental or intentional destruction
Developing a policy governing data retention and disposition
Providing users with adequate training in the use and protection of the information
Owners of other sensitive resources should have similar responsibilities to classify their resources and safeguard them from unauthorized use or destruction.