The data custodian is the person who is responsible for implementing and maintaining security controls to protect the data entrusted to them by the data owner. The data custodian is typically a system administrator or a security systems administrator who has the technical skills and access rights to manage the security systems and processes that safeguard the data. The data custodian’s responsibilities include, but are not limited to: Installing, configuring, and updating security systems such as firewalls, anti-virus software, encryption tools, etc. Monitoring network trafficand system logs to detect and respond to security incidents. Conducting regular security assessments and audits to ensure compliance with security policies and standards. Implementing backup and recovery procedures to ensure data availability and integrity. The data custodian works under the direction and guidance of the data owner, who is the person who has the authority and accountability for the data and its use. The data owner defines the data classification, the data retention period, and the data access rights and privileges. The data owner also approves any changes to the security controls or the data itself. The data owner is typically a senior manager or a business unit leader who has the business knowledge and responsibility for the data. References = Risk and Information Systems Control Study Manual, Chapter 1: IT Risk Identification, Section 1.3: Data Classification, pp. 11-131