Ultimately, it is the responsibility of the owner of sensitive systems, data, and other resources to monitor their use and prevent abuses. A data owner should be responsible for:

• Disclosing to users any relevant legal, regulatory, or ethical issues surrounding the use or disclosure of the information
• Implementing a data classification system and rating the data according to its sensitivity, confidentiality, inherent value, and other factors
• Maintaining a list of authorized users
• Implementing procedures to safeguard information from unauthorized use, disclosure, alteration, or accidental or intentional destruction
• Developing a policy governing data retention and disposition
• Providing users with adequate training in the use and protection of the information

Owners of other sensitive resources should have similar responsibilities to classify their resources and safeguard them from unauthorized use or destruction.