Course — Domain 2 · 10% · 14 h

Asset Security

Domain 2 answers a deceptively simple question: how do you protect information across its whole life, from the moment it gains value to its safe destruction? You learn to identify assets, classify them by sensitivity (classification) and impact (categorization), assign roles (owner, custodian, controller, processor), drive the data lifecycle, and choose the right controls by data state (at rest, in transit, in use). It is a concrete domain, 10 % of the exam, bridging Domain 1 governance and Domain 3 engineering.

Learning outcomes

By the end of this course you will be able to

  • Distinguish classification (access, confidentiality) from categorization (impact, loss) and apply military and private schemes.
  • Build and maintain an asset inventory and a CMDB, and correctly assign owner, custodian, controller and processor.
  • Walk the data lifecycle (Create, Store, Use, Share, Archive, Destroy) and map controls onto it.
  • Pick the right destruction method by media type (clearing, purging, degaussing, physical destruction, crypto-shredding).
  • Protect data in its three states and select baselines through scoping and tailoring.
  • Deploy DLP, DRM and CASB and tie it all to compliance requirements (GDPR, HIPAA, PCI DSS, NIST).

Prerequisites : Be comfortable with the CIA triad, the notion of control (administrative, technical, physical) and risk-management basics (Domain 1).

Suggested path

Suggested path: 4 sessions of about 3 to 4 hours, spread over 2 to 3 weeks. Redo each module checkpoint before moving to the next session, then take the full quiz (160 Q) as a final review.

  1. Session 1 - Classify and handle

    MODULE 1 · MODULE 2

    Tangible/intangible assets, classification vs categorization, sensitivity levels, marking, handling, declassification.

  2. Session 2 - Inventory, ownership and lifecycle

    MODULE 3 · MODULE 4

    ITAM, CMDB, owner vs custodian, GDPR roles (controller/processor), data lifecycle, data localization.

  3. Session 3 - Retention, destruction and states

    MODULE 5 · MODULE 6

    Retention (min/max), remanence, sanitization (degaussing, crypto-shredding, NIST 800-88), 3 states and encryption (TLS, link vs end-to-end, enclaves).

  4. Session 4 - Controls and compliance

    MODULE 7

    Control types and defense in depth, baselines, scoping vs tailoring, DLP/DRM/CASB, standards (PCI DSS, HIPAA, GDPR, NIST).

Module 1 Objective A 125 min Foundational

Identify and classify information and assets

Prerequisites : None. Starting point of Domain 2, study it first.

Before protecting, you must know what you protect and why. This module sets the founding definitions: what an asset is (tangible and intangible), the difference between classification and categorization, the level schemes (military and private), and the criteria that drive the decision. It is the most structuring step of the domain: a wrong upstream classification produces unfit downstream controls.

Classification is above all an asset-owner decision, because only the owner knows the business value of the asset. But that decision must be consistent and repeatable across the whole organization, otherwise security looks arbitrary and loses employee trust.

Learning objectives

  • Define an asset and tell materials, supplies and assets apart, tangible and intangible.
  • Explain why classification and categorization are two distinct processes.
  • Apply the military and private classification schemes and their levels.
  • Identify the criteria and pitfalls of classification.

Success criteria

  • You classify a given asset in BOTH the military and private scheme without hesitating on order.
  • You explain to a non-specialist why 'classification = access' and 'categorization = impact'.
  • You name three sources of classification error and their fix.

1.1 What is an asset?

Materials and supplies feed the business process; tangible and intangible assets are its heart.
Figure 1.1 · Materials and supplies are consumed; assets (tangible and intangible) remain and carry the value.

Every organization relies on three kinds of resources. Materials are inputs consumed by a production process (components, plastics, packaging). Supplies are consumables that keep the business running (paper, ink, office supplies). Assets, by contrast, stay with the organization and carry lasting value: they are what security protects.

An asset can be tangible (server, building, storage media) or intangible (idea, data, procedure, intellectual property). The central point of Domain 2 is that information holds value the moment it is conceived, even before it is written down. A database illustrates this layering: the data is one intangible asset, the DBMS that manages it is another, the server that hosts it is a tangible asset, and the procedural know-how in the employee's head is a tacit asset.

Identifying assets, especially information assets, is therefore the first act of any security program. You cannot protect what you have not inventoried.

Key terms tangible asset intangible asset materials / supplies
Key points
  • Asset = lasting value kept by the organization; materials and supplies are consumed.
  • Information has value from creation, first tacit then explicit.
  • A single business object (e.g. a database) blends tangible and intangible assets.

1.2 Classification vs categorization

Comparison of classification (access/confidentiality axis) and categorization (impact/loss axis).
Figure 1.2 · Classification (access/confidentiality axis) and categorization (impact/loss axis).

The two words are often confused, and that is a recurring exam trap. Classification is primarily about access: it recognizes the impact of a compromise (confidentiality, integrity, availability, but also authenticity, non-repudiation, privacy, safety) and is derived from the organization's compliance mandates. It is the world of 'Secret', 'Top Secret', 'Confidential' labels.

Categorization is primarily about impact: it is the process of grouping sets of data with comparable sensitivities and similar protection needs mandated by law, contracts or compliance. The official references are NIST SP 800-60 and FIPS 199, which categorize impact as low, moderate, high.

A phrase to remember: a classification is not a label. The label is part of implementing the controls that protect classified information. For a long time the conversation was limited to the CIA triad; the textbook insists on broadening to CRUD actions (Create, Read, Update, Delete) because creating, updating and deleting data directly affects its integrity, availability and authenticity.

Key terms classification categorization FIPS 199 / NIST SP 800-60 CRUD
Key points
  • Classification = access/confidentiality; categorization = impact/loss.
  • FIPS 199 and NIST SP 800-60 are the categorization references (low/moderate/high).
  • A classification is NOT a label; the label is used to apply controls.

1.3 Schemes and levels: military and private

Classification pyramids: military scheme (5 levels) and private scheme (4 levels).
Figure 1.3 · Classification schemes: military (5 levels) and private (4 levels).

The military/government scheme has five levels, most to least sensitive: Top Secret, Secret, Confidential, Sensitive but Unclassified (SBU), Unclassified. Each level's compromise maps to a damage degree (exceptionally grave, serious, damage). These communities prioritize confidentiality above all.

The private/commercial scheme usually has four levels: Sensitive, Confidential, Private, Public, most to least sensitive. There is no mandatory nomenclature: each organization names its own levels. The Center for Internet Security, for example, offers a simple three-level scheme (sensitive, business confidential, public) mapping to low/medium/high.

Categorization, by contrast, is not always hierarchical: categories include PII, PHI, proprietary, human safety critical, time-critical, compliance data. A single asset can carry several labels at once, e.g. 'human safety critical, HIPAA, highly restricted'.

Key terms Top Secret > Secret > Confidential > SBU > Unclassified Sensitive > Confidential > Private > Public PII / PHI
Key points
  • Military: 5 levels (Top Secret → Unclassified) centered on confidentiality.
  • Private: 4 levels (Sensitive → Public), free nomenclature.
  • Categorization = non-hierarchical categories (PII, PHI, proprietary); multiple labels possible.

1.4 Sensitivity levels, labels and benefits

Visible marking and machine-readable security label
Figure 1.4 · Visible marking and machine-readable security label

Beyond the level names, each level captures in a word or two the possible harm if data is compromised. A typical private scale has four notches. Highly restricted: compromise could threaten the organization's very existence, even lead to loss of life, damage and the litigation that follows. Moderately restricted: loss of temporary competitive advantage, revenue, or disruption of planned investments. Low sensitivity (often 'internal use only'): compromise causes only minor disruptions or delays. Unrestricted public: data already published, no further harm possible.

Categorization labels, by contrast, do not necessarily rank from worst to least: they reflect the source or nature of the requirement. Examples: human safety critical (risk of death or injury), equipment/property safety critical (physical damage), PII critical (identifies a person), private data (distribution limited by agreement), proprietary data (internal business logic), compliance data (specific legal or contractual requirements), time-critical data (a delay makes an activity fail). A single asset can stack several labels, e.g. 'human safety critical, HIPAA, highly restricted'.

Classifying well brings benefits beyond protection: awareness among employees and customers of the organization's commitment, identification of critical information and its vulnerability to modification, focus on integrity controls, understanding the value of information, and meeting legal requirements.

Key terms highly / moderately restricted internal use only human safety critical proprietary / compliance / time-critical
Key points
  • 4 sensitivity notches: highly restricted, moderately restricted, low/internal, unrestricted public.
  • Non-hierarchical categorization labels; an asset can stack several.
  • Benefits: awareness, integrity focus, value of information, legal compliance.

1.5 Classification criteria and issues

Classification follows the data's CIA impact
Figure 1.5 · Classification follows the data's CIA impact

To set a classification, the asset owner answers a series of questions: who must access the data and under which roles? How is the data secured by default (open or off-limits)? How long must it be retained (e.g. seven years in finance)? How will it be destroyed? Must it be encrypted? What use is appropriate (internal, restricted, public)?

Classification is driven by the asset owner because they understand the asset's value. They may delegate the task (the responsibility) but never the accountability: they remain answerable for protection. The classic analogy is the ship's captain, who may delegate operation to a watch officer but remains ultimately accountable for the ship, crew and cargo.

Errors lurk: human error, inconsistent methods, arbitrary or capricious determinations, confusing or incomplete labeling. Inconsistent classification makes all security rules look arbitrary and destroys trust. When the data owner lacks knowledge, they tend to over-classify out of caution, needlessly inflating costs; a classification board with the right expertise corrects that bias.

Key terms accountability vs responsibility over-classification classification board
Key points
  • The owner may delegate the task but stays accountable (ship's captain).
  • Criteria: access, securing, retention, destruction, encryption, use.
  • Inconsistency = lost trust; over-classification = wasted cost; board = arbitration.

Case studies

Case · Adapted official case

Salhos Hospital: classifying a medical-device fleet

Context : Adriana, Senior Security Engineer at a 400-person hospital specialized in rare diseases, runs a network scan that reveals thousands of medical devices missing from the hardware inventory. Many process health data (PHI/EPHI) and some are critical to patient care.

Question : How should Adriana run the identification then classification of these devices, and on what criteria?

Show analysis and answer

Identification starts with the inventory: enrich the CMDB with each device (make, model, serial, version, location, use). That is the prerequisite to any protection. Then comes the dual assessment: criticality to care (impact categorization - a ventilator is human safety critical) and sensitivity of the data processed (PHI falls under HIPAA, hence highly restricted).

Classification follows sensitivity, and controls follow classification: a device handling EPHI will require encryption at rest and in transit, access control, logging. Since some devices were unknown, apply the principle: an unlabeled asset is treated at the highest sensitivity until analyzed.

Takeaway : Inventory first, then a dual lens of criticality (impact) and sensitivity (access); with no label, assume the worst.

Exam pitfall

Classification ≠ categorization

Classification is about ACCESS (confidentiality, who may read). Categorization is about IMPACT (the loss to the organization, low/moderate/high - FIPS 199). If the question mentions 'impact level', think categorization.

Exam pitfall

A classification is not a label

Classification is a decision (recognizing the impact of a compromise). The label is the visible means of applying protective controls. Do not confuse the decision with its marking.

Checkpoint — Identify and classify

  1. In the PRIVATE-sector classification scheme, what is the descending order of sensitivity?

    • A Public > Private > Confidential > Sensitive
    • B Sensitive > Confidential > Private > Public
    • C Top Secret > Secret > Confidential > Unclassified
    • D Confidential > Sensitive > Private > Public
    Answer & rationale

    Answer : B — Sensitive > Confidential > Private > Public

    Private sector (descending): Sensitive > Confidential > Private > Public. Option C is the military scheme.

  2. Which process is primarily concerned with the IMPACT of a loss on the organization?

    • A Classification
    • B Categorization
    • C Labeling
    • D Declassification
    Answer & rationale

    Answer : B — Categorization

    Categorization = impact (FIPS 199, NIST SP 800-60: low/moderate/high). Classification = access/confidentiality.

  3. An asset owner delegates classification to an analyst. Who remains accountable for protecting the asset?

    • A The analyst the task was delegated to
    • B The asset owner
    • C The data custodian
    • D The CISO
    Answer & rationale

    Answer : B — The asset owner

    You may delegate responsibility (the task), never accountability. The owner stays answerable (captain analogy).

  4. A storage medium is found with no sensitivity label. How should it be handled?

    • A As public, until proven otherwise
    • B At the highest sensitivity until analyzed
    • C Destroy it immediately
    • D Return it to its last known user
    Answer & rationale

    Answer : B — At the highest sensitivity until analyzed

    Prudence principle: an unlabeled medium is presumed highest level until analyzed.

  5. Data whose compromise could threaten the organization's very existence falls into which sensitivity level?

    • A Low sensitivity (internal use only)
    • B Moderately restricted
    • C Highly restricted
    • D Unrestricted public
    Answer & rationale

    Answer : C — Highly restricted

    Highly restricted = compromise can threaten the organization's existence (loss of life, litigation). Moderately restricted = loss of advantage or revenue.

  6. Why is identifying and classifying information assets a critical first step in security?

    • A It lets you treat all assets uniformly and simply
    • B It helps determine the value of assets and choose appropriate controls
    • C It only concerns confidential information, not public
    • D Laws and regulations play no role in it
    Answer & rationale

    Answer : B — It helps determine the value of assets and choose appropriate controls

    Identifying and classifying lets you understand each asset's value and tailor controls accordingly (efficient resource allocation). Treating everything uniformly is inefficient and costly.

Key takeaways

  • Inventory and identification precede any protection: you only protect what you inventoried.
  • Classification = access/confidentiality; categorization = impact/loss (FIPS 199).
  • Military: 5 levels; private: 4 levels; categorization = non-hierarchical categories.
  • The owner classifies and stays accountable even after delegating the task.
Module 2 Objective B 95 min Foundational

Information and asset handling requirements

Prerequisites : Module 1 (classification and sensitivity levels).

Once an asset is classified, it must still be handled in line with its sensitivity. This module covers marking and labeling, handling, storage, declassification, and recording destructions. The guiding idea: each classification level maps to a coherent set of controls, from marking to destruction.

Marking only has value if everyone understands and respects it. That is why training the people who handle sensitive media is inseparable from labeling policies.

Learning objectives

  • Define marking and labeling requirements for media.
  • Describe handling and storage controls for sensitive media.
  • Explain declassification and its techniques (de-identification, tokenization).
  • Justify destruction recording and object-reuse control.

Success criteria

  • You list what a media label must show (sensitivity, encryption, contact, retention).
  • You explain why MAC enforces labels and DAC does not.
  • You describe declassification and the owner's central role.

2.1 Marking, labeling and enforcement

Marking (human) vs labeling (enforcement metadata)
Figure 2.1 · Marking (human) vs labeling (enforcement metadata)

As with physical assets, classified information assets must be clearly marked and labeled. Ideally systems enforce those labels automatically - but in practice that only happens in mandatory access control (MAC) systems. Discretionary access control (DAC) systems do not enforce labels uniformly, and labels may be lost as information moves from one system to another.

A media label must show the sensitivity of the information, state whether the media is encrypted, and may carry a point of contact and a retention period. The golden rule seen earlier: media found without a label is labeled at the highest sensitivity until analysis proves otherwise.

Traditional marking (physical labels, color codes) is still relevant for removable media and paper documents. On the digital side, productivity suites are starting to use keyword scanning and sentiment analysis to spot incorrect labels, but these techniques are not yet widespread.

Key terms MAC DAC labeling
Key points
  • Only MAC enforces labels uniformly; DAC lets them slip.
  • A label shows: sensitivity, encryption, contact, retention.
  • Unlabeled media = highest level until analyzed.

2.2 Handling and storage of sensitive media

Sensitive media handling: storage, transport, access
Figure 2.2 · Sensitive media handling: storage, transport, access

Only designated personnel should access sensitive media, and handling procedures must be distributed and taught. The security professional must remember that unencrypted media offers no digital accountability: heightened vigilance is required.

Storage combines physical and logical controls. Backup media should be encrypted and kept in a secure container (a safe). A separate encrypted off-site copy is recommended for disaster recovery, while on-site backups are placed in a fire-resistant box. In all cases the number of people with access to media is strictly limited, and separation of duties plus job rotation are implemented where cost-effective.

Key terms separation of duties job rotation off-site backup
Key points
  • Unencrypted media = no digital accountability, heightened vigilance.
  • Encrypted backups, safe, off-site copy for DR, fire-resistant box on-site.
  • Strictly limited access + SoD and job rotation when cost-effective.

2.3 Declassification and end of life

Declassification and end of life: from clearing to destruction
Figure 2.3 · Declassification and end of life: from clearing to destruction

Declassification lowers an asset's sensitivity level. Marking, handling and storage requirements must then be adjusted accordingly, and the owner plays a central role in that decision. The process may rely on obfuscation techniques such as de-identification (removing identifiers) or tokenization (replacing a sensitive value with a token).

Media no longer needed or defective must be destroyed rather than simply discarded. A destruction record is kept, consistent with media-handling logs. When a medium's sensitivity is unknown, apply object-reuse controls rather than recycling it as is: you must ensure no exploitable residue remains.

Key terms declassification de-identification / tokenization object reuse
Key points
  • Declassify = adjust marking, handling, storage; owner's decision.
  • De-identification and tokenization obfuscate data.
  • Tracked destruction + object reuse when sensitivity is unknown.

Case studies

Case · Adapted official case

Salhos Hospital: device handling procedures

Context : After the scan, Adriana gathers an IT team to track the devices and add them to the inventory. It is the right time to define handling, physical-security and labeling procedures.

Question : What handling, physical-security and labeling procedures should she recommend, and how should usage restrictions be communicated?

Show analysis and answer

Each device gets a label reflecting the sensitivity of the data it processes and stating whether it is encrypted. Physical access is restricted to designated staff, with sensitive zones locked. Handling procedures are written, distributed and taught - marking that nobody understands protects nothing.

Usage restrictions are communicated through training, signed policies and, ideally, technical enforcement via MAC where the device allows it. For unencrypted devices transmitting EPHI in clear text (a risk found at the hospital), encryption at rest and in transit must be prioritized before any broader rollout.

Takeaway : Label + restricted access + taught procedures + technical enforcement: handling is managed in layers.

Exam pitfall

Only MAC enforces labels

If the question asks which model uniformly enforces sensitivity labels, it is MAC (Mandatory Access Control). DAC lets labels slip between systems.

Checkpoint — Handling and marking

  1. Which access-control model automatically and uniformly enforces sensitivity labels?

    • A DAC
    • B MAC
    • C RBAC
    • D ABAC
    Answer & rationale

    Answer : B — MAC

    MAC (Mandatory Access Control) enforces labels. DAC does not enforce them uniformly and lets them slip.

  2. Which technique replaces a sensitive value with a token unusable out of context?

    • A Degaussing
    • B Tokenization
    • C One-way hashing
    • D Compression
    Answer & rationale

    Answer : B — Tokenization

    Tokenization substitutes a token for the sensitive value; it is used in declassification and obfuscation.

  3. A medium is no longer used and its sensitivity is unknown. What is the best practice?

    • A Recycle it as is to cut costs
    • B Apply object-reuse controls first
    • C Resell it secondhand
    • D Store it indefinitely untouched
    Answer & rationale

    Answer : B — Apply object-reuse controls first

    Unknown sensitivity: apply object-reuse controls (ensure no residue is recoverable) rather than recycling.

  4. What is the primary purpose of marking and labeling a sensitive asset?

    • A Make assets visually appealing and organized
    • B Implement encryption of digital assets
    • C Easily identify security level, classification, distribution limits and handling caveats
    • D Streamline physical storage and disaster recovery
    Answer & rationale

    Answer : C — Easily identify security level, classification, distribution limits and handling caveats

    Marking/labeling helps quickly identify security level, classification, distribution limits and handling caveats. Encryption is a separate control.

Key takeaways

  • One classification level = one coherent set of controls (marking → destruction).
  • MAC enforces labels, DAC does not; an unlabeled medium is handled at the highest level.
  • Declassification = owner decision + control adjustment + obfuscation techniques.
  • Tracked destruction and object reuse guard against leakage via residue.
Module 3 Objective C 105 min Intermediate

Provision resources securely: inventory and ownership

Prerequisites : Module 1 (classification). Domain 1 governance notions help.

Provisioning a resource securely means registering it, assigning an owner and tying it to policies before it is even used. This module covers the two lifecycles that structure the domain - the IT Asset Management Life Cycle and the Data Security Life Cycle - then focuses on inventory, CMDB and ownership roles.

The inventory is the foundation: it is the first step of any asset-management process, and it is itself an asset that must be protected and maintained.

Learning objectives

  • Describe the stages of the IT Asset Management Life Cycle.
  • Explain the role of the asset inventory and the CMDB.
  • Distinguish asset-owner from data-custodian responsibilities.
  • Relate ITAM, ISO 19770 and asset valuation.

Success criteria

  • You name the 5 ITAM stages and the key security activity of each.
  • You explain what a CMDB adds beyond a plain inventory list.
  • You assign owner vs custodian responsibilities without error.

3.1 The IT Asset Management Life Cycle

ITAM lifecycle: Plan, Acquire, Deploy, Manage, Retire with each stage's security activity.
Figure 3.1 · ITAM lifecycle: Plan, Acquire, Deploy, Manage, Retire.

Two lifecycle models frame information security: the IT Asset Management Life Cycle (hardware, software, data) and the Data Security Life Cycle (the data itself). The first has five major stages.

Planning: align the asset with objectives, identify and value it (total cost to acquire and operate, expected revenues, competitive advantage, potential harm if compromised). It is also when security needs are assigned via classification and categorization. Acquiring: acquire or develop the asset, baking in the identified security requirements from design. Deployment: put into service, train users and support on security aspects. Managing: operate and monitor continuously (do controls still work? has the threat landscape shifted?), plan recovery and archive. Retiring: retire the asset, handling destruction and remanence, and briefing staff.

Two paths lead to management: a deliberate, requirements-driven path, and a discovery path (systems enumeration, baselining) for pre-existing assets. Both converge on the same first step: making the inventory.

Key terms Plan → Acquire → Deploy → Manage → Retire systems enumeration asset valuation
Key points
  • 5 stages: Plan, Acquire, Deploy, Manage, Retire.
  • Valuation (cost, revenue, advantage, harm) happens at Planning.
  • Deliberate path and discovery path converge on the inventory.

3.2 Inventory, ITAM and CMDB

Asset inventory (ITAM / CMDB)
Figure 3.2 · Asset inventory (ITAM / CMDB)

The asset inventory lists all physical and virtual assets: hardware, software, data. IT Asset Management (ITAM) is the set of governance and management practices for those assets; the reference standard is ISO 19770.

The Configuration Management Database (CMDB) goes beyond a plain list: it records the make, model, serial number, type and version of each asset. It traces not only what you own but also how it is configured, and provides a restoration point (e.g. to rebuild a user's workstation to the right version, hardware and software included).

A subtle point stressed by the textbook: enumeration tools can tell which applications are installed and where files reside, but they cannot spot an information asset in the business sense - for example 'the annual budget', scattered across databases, spreadsheets and emails. That is why the information-asset inventory is also built top-down, from critical business processes. And the register itself is an asset to protect.

Key terms ITAM / ISO 19770 CMDB restoration point
Key points
  • ITAM = management practices (ISO 19770); inventory = complete list.
  • CMDB = inventory + configuration + restoration point.
  • Enumeration tools miss the business information asset: top-down approach needed.

3.3 Ownership: owner accountable, custodian executes

Ownership: owner accountable, custodian executes
Figure 3.3 · Ownership: owner accountable, custodian executes

Identifying a responsible owner is a central act of asset management. The asset owner (or information owner, or information steward) imposes security and quality requirements for the asset: they decide who accesses it and at what permission level, how long it is kept, whether it may be shared. They do not build or maintain the controls themselves - it is a business function - but they are accountable.

Typical owner responsibilities: determine the information's impact on the mission, estimate its replacement cost, decide who needs access and under what release criteria, and know when information is inaccurate or should be destroyed.

The data custodian executes day to day: protecting, maintaining and keeping data accessible to the right operators. Their tasks: adhere to data policy, ensure access while maintaining the security level, perform fundamental maintenance (storage, archiving), document, and validate quality through periodic audits. The exam rule: the owner DECIDES, the custodian EXECUTES.

Key terms asset / information owner data custodian information steward
Key points
  • Owner = business function, decides (classification, access, retention, destruction), accountable.
  • Custodian = executes (protection, backups, maintenance, audits).
  • Owner DECIDES, custodian EXECUTES: recurring exam trap.

Case studies

Case · Adapted official case

The hotel chain: visible and invisible assets

Context : A mentor of Adriana works with international hotel chains. Adriana asks about their approach to asset management: which assets, which are most valuable, why track them tightly.

Question : What are a hotel chain's assets, and what does the asset register represent for the organization?

Show analysis and answer

A hotel chain blends tangible assets (real estate, linens, TVs, coffee) and intangible ones (guest registries, marketing data, software licenses, OS versions, serial numbers). Both matter equally: even running out of coffee can hurt reputation. The most strategic value often lies in customer data, which calls for privacy protection.

The CMDB records make, model, serial, type and version of each asset. It tracks the fleet and also enables rebuilding a workstation identically after an incident. The register is itself an asset: without it you know neither what you own nor how it is configured. Tracking it tightly is what enables risk and business-impact assessment.

Takeaway : Tangible and intangible assets matter equally; the CMDB tells not just what you have but how it is configured; the register is an asset.

Exam pitfall

Owner vs custodian

The data owner DECIDES (classification, who accesses, retention, destruction) and stays accountable. The data custodian EXECUTES (day-to-day protection, backups, maintenance). Do not swap them.

Exam pitfall

CMDB ≠ plain list

A CMDB is more than an inventory: it records configuration (make/model/serial/version) and serves as a restoration point. If the question contrasts 'plain list' with 'details + restoration', pick the latter.

Checkpoint — Inventory and ownership

  1. What does a CMDB primarily add over a plain inventory list?

    • A It automatically encrypts assets
    • B It records configuration and provides a restoration point
    • C It replaces the classification policy
    • D It removes the need for an owner
    Answer & rationale

    Answer : B — It records configuration and provides a restoration point

    The CMDB records make/model/serial/version (configuration) and lets you rebuild an asset: it is a restoration point.

  2. Who is responsible for day-to-day data protection, on the owner's instructions?

    • A The data owner
    • B The data custodian
    • C The data subject
    • D The auditor
    Answer & rationale

    Answer : B — The data custodian

    The data custodian executes day-to-day protection (backups, maintenance, access) per the owner's instructions.

  3. At which ITAM stage is asset valuation (cost, revenue, advantage, harm) performed?

    • A Planning
    • B Deployment
    • C Managing
    • D Retiring
    Answer & rationale

    Answer : A — Planning

    Valuation and assigning security needs (classification) happen at Planning, ahead of acquisition.

  4. What is a PRIMARY responsibility of asset owners in an information security framework?

    • A Perform penetration testing on the assets
    • B Keep the information asset inventory up to date
    • C Enforce acceptable-use policies for processors
    • D Oversee supply-chain management
    Answer & rationale

    Answer : B — Keep the information asset inventory up to date

    The owner keeps the asset inventory up to date (tracking, documenting changes). Pen testing is for specialists; acceptable use and supply chain are not their primary responsibility.

Key takeaways

  • Two lifecycles: ITAM (hardware/software/data) and Data Security Life Cycle (the data).
  • ITAM: Plan, Acquire, Deploy, Manage, Retire; both paths converge on the inventory.
  • CMDB = inventory + configuration + restoration point; ISO 19770 frames ITAM.
  • Owner decides and is accountable; custodian executes.
Module 4 Objective D 125 min Intermediate

Data lifecycle and roles

Prerequisites : Modules 1 and 3 (classification, inventory and ownership).

Data lives: it is created, stored, used, shared, archived, then destroyed. This module walks the Data Security Life Cycle and maps controls onto it, then details the roles that compliance (notably the GDPR) requires you to distinguish: subject, controller, processor, steward, custodian, owner, DPO.

The most exam-tested distinction pits the controller (accountable, decides purposes and means) against the processor (acts on the controller's behalf, with no accountability). Misassigning these roles misallocates legal responsibility.

Learning objectives

  • Walk the six stages of the Data Security Life Cycle and their controls.
  • Distinguish the GDPR roles and their respective accountabilities.
  • Explain data collection, data location/localization and data maintenance.
  • Relate data states (at rest, in use, in motion) to maintenance.

Success criteria

  • You recite Create, Store, Use, Share, Archive, Destroy and one control per stage.
  • You correctly assign controller vs processor on a scenario.
  • You explain the data-localization stake for an international expansion.

4.1 The Data Security Life Cycle

Data lifecycle: Create, Store, Use, Share, Archive, Destroy.
Figure 4.1 · Data lifecycle: Create, Store, Use, Share, Archive, Destroy.

Data goes through six major stages. Create: generating or acquiring content - the preferred moment to classify, since controls depend on that classification. Store: committing to media, most often at the same time as creation; apply encryption, access control, logging, redundancy by classification. Use: data is read, processed, modified; often the most vulnerable state because it is in clear text; rely on DLP, DRM and access control. Share: information is shared with others; once shared, it escapes the organization's control, so share only by classification and with authorized recipients; DLP detects unauthorized sharing, DRM keeps control. Archive: data leaves active use for long-term storage; retention challenges (will the media still be readable in ten years?), protection maintained by classification, legal requirements. Destroy: defensible destruction, per written processes, by authorized personnel.

These stages are not a rigid sequence: creation comes first and destruction last, but storage, use, sharing and archiving chain in any order, as many times as needed. The model is a framework to map controls onto each phase.

Key terms Create, Store, Use, Share, Archive, Destroy data in use defensible destruction
Key points
  • 6 stages: Create, Store, Use, Share, Archive, Destroy (order not rigid).
  • Classify at creation; share by classification.
  • Data in use = most vulnerable state (in clear text).

4.2 Data roles (GDPR and NIST)

Role relationships: subject, owner, controller, processor, steward, custodian, DPO.
Figure 4.2 · Roles and accountability: owner, controller, processor, steward, custodian, DPO, subject.

Data protection requires a clear distinction of roles, their accountabilities and responsibilities. NIST SP 800-18 and the GDPR give comparable definitions.

Data subject: the natural person described or identified by the data. Data controller: determines the purposes and means of processing; accountable, ensures all obligations (GDPR or other) are met; negotiates data processing agreements with processors. Data processor: performs processing on the controller's behalf (acquire, use, modify, dispose); may be responsible for protecting the data, but accountability stays with the controller. Data owner: decides who accesses at which levels, ensures quality, integrity and protection; takes or delegates the controller role. Data steward: responsible for content, context and business rules of the data. Data custodian: protects the data while in their custody (safe transport, storage, processing). Data protection officer (DPO): advises on compliance and interfaces with supervisory authorities; becomes mandatory when the organization processes sensitive data (health, genetics, origin, religion).

The accountability hierarchy is the key: the subject has a reasonable expectation of privacy and integrity; the controller answers for everything; the processor is never accountable in the controller's place.

Key terms data controller data processor data subject DPO data steward
Key points
  • Controller = accountable (purposes + means); processor = acts for it, not accountable.
  • Owner decides access; steward handles content/rules; custodian protects daily.
  • DPO mandatory for sensitive data; interfaces with authorities.

4.3 Collection, location and maintenance

Collection, location and maintenance in the lifecycle
Figure 4.3 · Collection, location and maintenance in the lifecycle

Data collection is the first phase: creating and acquiring content, updating existing content. This is where data owners are appointed and classifications assigned, to apply the right controls as early as possible. Secure-defaults and privacy-by-design principles apply from this phase.

Data location and localization become critical with the cloud. Where to store data depends on local law, especially for personal data treated differently across countries. Before collecting, map local and global requirements: allowed storage locations, expected protection mechanisms, retention periods. Some data-localization laws can even gate the decision to operate in a region: expansion into a new market may be slowed by costly local requirements.

Data maintenance aims to preserve confidentiality, integrity and availability across the data's life, via controls fit for each state. Data at rest, seemingly the easiest to protect, still requires identifying all repositories, encrypting, managing access and backing up. This phase is also where the eternal functionality-versus-security trade-off is arbitrated.

Key terms privacy by design data localization functionality vs security
Key points
  • Appoint owners and classify at collection (privacy by design).
  • Data localization can gate the decision to operate in a country.
  • Maintenance = CIA per state; even at rest needs encryption, access, backups.

Case studies

Case · Adapted official case

Social platform: who plays which role?

Context : Adriana reviews the lifecycle and roles with a friend running a US social platform. Registration is required; once registered, the user has messaging, groups, posts and comments.

Question : How do data owner, controller, steward, custodian, processor and subject fit together on this platform, and where are conflicts of interest?

Show analysis and answer

The data owner is accountable for the data's value and sets access policies. The data controller, working for the owner, is accountable for protection through proper control implementation. The data steward handles content, context and business rules. The data custodian protects the data while in custody. The data processor processes on the controller's behalf: it may be responsible for protecting, but accountability stays with the controller. The data subject (the user) has a reasonable expectation of privacy (GDPR, HIPAA depending on context) and data integrity.

Friction points: user location changes legal expectations (an EU user falls under GDPR); a negligent processor exposes the controller; and the commercial interest in exploiting data can conflict with the subject's privacy expectation. That very conflict, mishandled, sits at the heart of the big data scandals.

Takeaway : Controller accountable, processor not; the subject's location changes the applicable law; the commercial-interest vs privacy conflict is structural.

Case · Adapted official activity

Applying a data-lifecycle policy in your organization

Context : At an ISC2 chapter meeting, you are asked, as a manager, how you would concretely apply data-lifecycle policy considerations to a real dataset in your organization.

Question : For this dataset: who accesses it? What use is appropriate? How is it secured? How long is it retained? How is it destroyed?

Show analysis and answer

Access and use: the owner defines authorized roles under least privilege and the permitted use (internal, restricted, public), based on the data's classification. Securing: apply one control per state - encryption at rest, TLS/IPSec in transit, access control and secure enclaves in use - sized to the classification level.

Retention: the period is set by law or contract (minimums) and bounded by minimization (maximums), then documented in a retention schedule. Destruction: a defensible method fit to the media (clearing, purging, degaussing, physical destruction; crypto-shredding for SSDs), traced. Key point: all these decisions flow from the classification set at creation, and replay at each lifecycle phase.

Takeaway : A lifecycle policy answers, for each dataset, five questions - who accesses, what use, how to secure, how long, how to destroy - all driven by classification.

Exam pitfall

Controller vs processor

The data controller determines purposes and means and stays accountable. The data processor acts only on the controller's behalf and is never accountable in its place. Question 'who is accountable for compliance' → controller.

Checkpoint — Lifecycle and roles

  1. In a GDPR environment, who is accountable for protecting personal data and ensuring compliance?

    • A Data processor
    • B Data subject
    • C Data controller
    • D Data steward
    Answer & rationale

    Answer : C — Data controller

    The controller determines purposes and means and stays accountable. The processor acts on its behalf without accountability.

  2. At which lifecycle stage is it best to classify data?

    • A Create
    • B Archive
    • C Share
    • D Destroy
    Answer & rationale

    Answer : A — Create

    Classify at creation (Create), because all later controls depend on that classification.

  3. Which role is responsible for the content, context and business rules of a dataset?

    • A Data custodian
    • B Data steward
    • C Data processor
    • D DPO
    Answer & rationale

    Answer : B — Data steward

    The data steward handles content, context and business rules; the custodian protects daily; the DPO advises on compliance.

  4. A company hesitates to enter a market because of laws mandating local storage of citizens' data. Which concept is this?

    • A Data remanence
    • B Data localization
    • C Data masking
    • D Data deduplication
    Answer & rationale

    Answer : B — Data localization

    Data-localization laws dictate where data may reside and can gate the decision to operate in a region.

  5. What is the primary purpose of the data lifecycle model in security?

    • A Impose a rigid, uniform process on all organizations
    • B Determine the physical location of data
    • C Help organizations address security needs at each phase
    • D Minimize the use of external systems
    Answer & rationale

    Answer : C — Help organizations address security needs at each phase

    The model guides the organization to understand and address security needs at each phase (Create, Store, Use, Share, Archive, Destroy). It is not rigid and does not set location.

Key takeaways

  • 6 stages: Create, Store, Use, Share, Archive, Destroy; classify at Create.
  • Controller accountable, processor not; owner decides access; steward handles content.
  • DPO mandatory for sensitive data; custodian protects daily.
  • Data localization can gate geographic footprint.
Module 5 Objective D Objective E 125 min Intermediate

Retention, destruction and remanence

Prerequisites : Module 4 (data lifecycle).

Keeping data has a cost and a risk; destroying it badly has another. This module covers retention (how long, why), remanence (what remains after deletion) and destruction methods, from simple erasure to physical destruction. It is one of the most trap-laden exam topics, especially around media: what works on an HDD may not work on an SSD.

The through-line: destruction must be defensible, i.e. conducted per written, traceable, compliant processes, not improvised under pressure.

Learning objectives

  • Define a retention policy (minimums vs maximums) and its 8 steps.
  • Explain data remanence and its sources.
  • Rank destruction methods by assurance level.
  • Pick the right method by media type (HDD, SSD, optical).

Success criteria

  • You explain why retaining too long is a risk as much as a cost.
  • You rank clearing, purging, degaussing and physical destruction.
  • You justify why degaussing is unfit for SSDs.

5.1 Data retention: neither too much nor too little

Retention balance: legal minimums vs maximums (minimization).
Figure 5.1 · Retention balance: legal minimums versus maximums (minimization).

Information should be kept only as long as required. Industry standards, laws and regulations set durations (e.g. seven years in finance). Absent external requirements, the organization defines its own retention policy, applicable to paper and digital copies alike.

Retention has two bounds. Minimums are imposed by law or contract: keeping less is non-compliance. Maximums stem from minimization: keeping longer than needed raises storage cost, exposure risk and 'noise' in searches, and may violate external requirements. The classic mistake is to take the longest retention period and apply it blindly to everything: that is waste and risk.

A sound retention policy follows eight steps: evaluate legal, litigation and business requirements; classify record types; determine periods and destruction practices; draft and justify the policy; train staff; audit retention and destruction practices; review periodically; document policy, implementation, training and audits. To execute all this, an accurate inventory is essential (location, period, destruction requirements of each asset).

Key terms retention minimums vs maximums record retention schedule data minimization
Key points
  • Too little = non-compliance (minimums); too much = cost + risk + noise (maximums).
  • Do not apply the longest period to everything without analysis.
  • Retention policy = 8 steps, backed by an accurate inventory.

5.2 Data remanence: what remains

Data remanence: what remains depending on the erasure method
Figure 5.2 · Data remanence: what remains depending on the erasure method

Data remanence is the residual representation of data on a medium after a supposed erasure. Insufficient deletion can compromise information. Almost all equipment retains data after the processing step: CPU or GPU registers, RAM, temporary files, display circuitry hold values until overwritten, from milliseconds to several minutes after power is removed.

The crucial point: deleting a file does not actually remove the data. The system merely marks the directory entry as deleted and returns the space to the free list; the data stays physically present until overwritten. That is why a disk 'emptied' by simple deletion remains recoverable with the right tools. Temporary files are an often-overlooked source of remanence.

Key terms data remanence logical deletion temporary files
Key points
  • Remanence = data recoverable after a supposed erasure.
  • Deleting a file merely marks the space as free.
  • RAM, registers, temporary files retain data after use.

5.3 Destruction methods and media choice

Destruction ladder: clearing, purging/degaussing, physical destruction; SSD and crypto-shredding.
Figure 5.3 · Assurance ladder: clearing, purging/degaussing, physical destruction; SSD = crypto-shredding.

The official reference is NIST SP 800-88 (Guidelines for Media Sanitization). Methods escalate by assurance level. Clearing: rewrite patterns (often random) across the whole medium. 'Zeroizing' (writing zeros) is a variant, but with the risk that a missed block stays recoverable. Clearing protects against recovery via normal system functions and suffices in many operational environments. Purging: strongly eliminate the chance of recovery, even in a lab. Degaussing (a powerful magnetic field) belongs here - but it applies only to magnetic media (HDD, tapes) and also destroys the servo track, making the disk unusable. Physical destruction: shredding, incineration, pulverizing, acid - the ultimate remedy to remanence.

The major trap: degaussing does NOT work on SSDs (flash memory, non-magnetic). For an SSD, prefer crypto-shredding (destroy the encryption keys to render data unusable) or physical destruction. Finally, defensible destruction requires all this to be conducted per written processes, by authorized personnel, and traced - otherwise the destruction is not legally defensible.

Key terms clearing / purging degaussing crypto-shredding NIST SP 800-88 defensible destruction
Key points
  • Ladder: clearing < purging/degaussing < physical destruction.
  • Degaussing = magnetic only (HDD); destroys the servo track.
  • SSD → crypto-shredding or physical destruction; NIST SP 800-88 is the bible.

Case studies

Case · Real-world case

SolarWinds: retention and the supply chain

Context : Discovered in December 2020, the SolarWinds attack was a sophisticated supply-chain attack targeting the Orion software. Attackers compromised the development process and injected malicious code into updates distributed to many organizations, including government agencies.

Question : How does this incident touch asset security, retention and privacy?

Show analysis and answer

The attack shows that asset security does not stop at the organization's border: a widely deployed third-party software becomes a critical asset whose compromise exposes sensitive data. On retention and privacy, the incident raised fears of exposure of retained data, a reminder that any retained data is data at risk. The less you keep (minimization), the smaller the exposure surface in a breach.

The Domain 2 link: an up-to-date inventory and correct classification of data handled by third-party tools let you assess the real impact of such a compromise. Managing third-party relationships (contracts, audits, audit rights) extends asset security beyond the internal perimeter.

Takeaway : Any deployed third-party asset is a critical asset; minimizing retention shrinks the exposure surface.

Case · Teaching scenario

Retiring a banking server

Context : A bank retires a server holding customer data. Some sits on magnetic HDDs, some on encrypted SSDs. The CISO requires defensible, auditable destruction.

Question : What destruction plan should be applied media by media?

Show analysis and answer

For magnetic HDDs: degaussing (purging) or multi-pass overwrite, then physical destruction (shredding) if sensitivity demands. For encrypted SSDs: degaussing is ineffective (non-magnetic); use crypto-shredding (destroying the encryption keys), which instantly renders data unusable, supplemented by physical destruction if needed. Each step is logged in a chain-of-custody record: who, when, which medium, which method, what result.

The logic: choose the method by media type (never the reverse), escalate assurance by data classification, and trace everything so the destruction is legally defensible.

Takeaway : Method follows media: HDD → degaussing/destruction; SSD → crypto-shredding/destruction. Everything is traced.

Case · Official applied scenario

Waxbill project: multi-party retention and SOC 1 Type 2

Context : MLZ Systems is the lead contractor for an environmental-observation drone (Waxbill), with software partners in Israel, a screening team in Chicago, R&D in Boston and university partners. MLZ must update its data retention policy, applicable to all parties. The primary client, Dr Smythe-Beecham, additionally requests a SOC 1 Type 2 report for the last three years, on MLZ and its subcontractors.

Question : What should the retention policy prioritize, and why would a client request a SOC 1 Type 2 report?

Show analysis and answer

The retention policy must stay specific, succinct and easy to follow: a long, complex document would risk partners misunderstanding it. It must set durations by data type (aligned with legal and contractual requirements), be enforced, monitored, and any breach must trigger disciplinary consequences. In a multi-party project, it is shared with everyone who must comply.

The SOC 1 Type 2 report is third-party assurance: over a defined period, it attests to the operating effectiveness of an organization's controls (here on aspects that may affect the client's financial reporting). By requesting it for MLZ and its subcontractors, the client seeks to verify that the whole chain masters its risks - a supply-chain check. The scenario also recalls that underpaying key staff can create bribery or coercion risk: asset security includes the human factor, from researcher to janitor.

Takeaway : Short, enforced, monitored retention policy; SOC 1 Type 2 = third-party assurance on control effectiveness, extended to the supply chain.

Case · Adapted official profile

Managing the health-data lifecycle (PHI / HIPAA)

Context : The hospital's HIPAA officer asks Adriana to define a process ensuring HIPAA compliance for the electronic protected health information (EPHI) generated by medical devices, from collection to destruction.

Question : What practices ensure HIPAA-compliant management of the EPHI lifecycle (collection, storage, transmission, retention, destruction)?

Show analysis and answer

Collection and classification: mark EPHI as highly restricted at creation and assign a data owner. Storage: compliant encryption at rest (FIPS algorithms), strict access control (least privilege), encrypted backups. Transmission: TLS or IPSec, never in clear (SSL banned). Use: logging and auditing, secure enclaves where possible, since data is in clear during processing.

Retention: a period compliant with HIPAA and state requirements, recorded in a documented schedule. Destruction: traced defensible destruction, fit to the media. Responsibilities: the data controller stays accountable; any cloud provider falls under shared responsibility framed by a dedicated contract (Business Associate Agreement, BAA).

Takeaway : PHI = highly restricted: encryption at rest and in transit, strict access, auditing, HIPAA-compliant retention and destruction, and contracted shared responsibility (BAA).

Case · Capstone case study

Securely decommissioning SSD laptops holding classified data

Context : An organization refreshes its fleet and must retire 200 laptops whose drives are SSDs (flash memory, non-magnetic). Some held Confidential data, others public data. Management proposes degaussing everything and reselling the machines to save money.

Question : Is degaussing suitable for SSDs? Which sanitization method fits each classification, and how do you ensure defensible destruction?

Topics covered Data remanence and sanitization methodsDegaussing (magnetic) vs crypto-erase vs physical destructionClassification -> protection levelDefensible destruction (proof, certificates, chain of custody)End-of-life (EOL) and asset reuse
Show analysis and answer

Degaussing works through a magnetic field: it erases magnetic media (HDD, tape), but it is INEFFECTIVE on SSDs (flash memory, non-magnetic). Proposing it here would leave recoverable data: a classic exam trap.

The method follows classification (protection follows classification). For public data, clearing (overwrite) or crypto-erase suffices before resale. For Confidential data on SSDs, two reliable options: crypto-erase (purging the keys if the drive was end-to-end encrypted, making data unreadable) or physical destruction (shredding/incineration) if resale is not required or sensitivity demands it.

Defensible destruction means you can PROVE, in a dispute or audit, that destruction followed a policy, used the right method for the media, and was traced: destruction certificates, chain of custody, a log (who, what, when, method). Without this traceability, the organization stays exposed even if the data is wiped.

Takeaway : Degaussing does not erase SSDs; pick the method by media AND classification, and document it for defensible destruction.

Key learning points
  • Degaussing erases MAGNETIC media (HDD, tape), not SSDs (flash).
  • The sanitization method follows the media AND the data classification.
  • Crypto-erase = wiping the keys of an encrypted drive makes data unreadable.
  • Defensible destruction = being able to prove destruction (policy, method, traceability).
  • Reuse/resale is possible only after suitable, verified sanitization.
Exam pitfall

Degaussing does not work on SSDs

Degaussing works via a magnetic field: effective on HDDs and tapes, useless on SSDs (flash memory). For an SSD: crypto-shredding or physical destruction. This is the most common D2 trap.

Exam pitfall

Clearing vs purging vs destruction

Clearing resists recovery via normal system functions. Purging resists even lab recovery (e.g. degaussing). Physical destruction = ultimate remedy. Assurance rises in that order.

Checkpoint — Retention and destruction

  1. You replace laptops with SSD models. Which data-destruction method would be the LEAST effective on those SSDs?

    • A Crypto-erasure
    • B Degaussing
    • C Shredding
    • D Melting
    Answer & rationale

    Answer : B — Degaussing

    Degaussing only acts on magnetic media. An SSD being flash memory, degaussing is ineffective.

  2. What is the main consequence of retaining data well beyond its useful period?

    • A Better automatic compliance
    • B Higher storage cost, exposure risk and noise
    • C Improved integrity
    • D Reduced legal obligations
    Answer & rationale

    Answer : B — Higher storage cost, exposure risk and noise

    Beyond the useful period (maximums/minimization): cost, exposure risk and noise rise, with non-compliance risk.

  3. Why does 'deleting' a file not protect against data remanence?

    • A Because the file is immediately encrypted
    • B Because the system only marks the space as free, without erasing the data
    • C Because the recycle bin keeps a legal copy
    • D Because degaussing applies automatically
    Answer & rationale

    Answer : B — Because the system only marks the space as free, without erasing the data

    Logical deletion marks the entry as free; data stays physically present and recoverable until overwritten.

  4. Which term denotes destruction conducted per written, traceable, compliant processes?

    • A Zeroizing
    • B Defensible destruction
    • C Clearing
    • D Object reuse
    Answer & rationale

    Answer : B — Defensible destruction

    Defensible destruction is controlled, legally defensible and regulation-compliant destruction.

Key takeaways

  • Retention: legal minimums vs maximums (minimization); do not keep everything at the longest.
  • Remanence: deleting is not enough; data stays until overwritten.
  • Destruction: clearing < purging/degaussing < physical destruction (NIST SP 800-88).
  • Degaussing magnetic only; SSD → crypto-shredding; always defensible and traced.
Module 6 Objective F 105 min Advanced

Data states and cryptographic controls

Prerequisites : Module 4 (lifecycle and data states).

At any moment, data is in one of three states: at rest, in transit (in motion) or in use. These states are assumed atomic and mutually exclusive, and each calls for its own controls. Grasping this grid is essential to picking the right protection mechanism.

The key message: data in use is the hardest to protect, because it must be in clear text to be processed. Secure enclaves are the emerging answer to that problem.

Learning objectives

  • Define the three data states and their risks.
  • Choose controls fit for each state (encryption, TLS, enclaves).
  • Distinguish link encryption from end-to-end encryption.
  • Explain why data in use is the most exposed.

Success criteria

  • You map each state to its dominant control without hesitation.
  • You explain the link vs end-to-end difference and their trade-offs.
  • You justify the role of secure enclaves for data in use.

6.1 The three states: at rest, in transit, in use

Three data states and their controls: at rest (encryption), in transit (TLS), in use (enclaves).
Figure 6.1 · Three states and their controls: at rest, in transit, in use.

Data at rest: data stored on media, neither transmitted nor processed. The risk is unauthorized physical or logical access to the medium. The reference protection is encryption (algorithms limiting access to key holders), complemented by access controls, redundancy and backups. Removable media and mobile devices (laptops, tablets, smartphones, wearables) must be encrypted.

Data in transit (or in motion): data moving, typically over a network, not being processed. The risk - the same as data at rest - is interception, modification, unavailability. The protection is encryption, at the data level, network level, or both. Sensitive web interfaces use TLS; SSL, in all its forms, is considered breakable and deprecated. Email is not secure by default (sent in clear text): use PGP or S/MIME. Off the web, encrypt at the application level, or failing that at the network level via IPSec or SSH tunnels.

Data in use: data processed by software, hardware or a user. It is the hardest state to protect because the data must be in clear text for its structure and values to be readable. The main controls are access control, auditing and non-repudiation. A trivial example of risk: the over-the-shoulder attack, where a bystander reads a user's screen.

Key terms data at rest data in transit / in motion data in use over-the-shoulder attack
Key points
  • At rest → encryption + access + backups; In transit → TLS/IPSec/SSH (not SSL).
  • In use → clear text, most exposed; access control, auditing, non-repudiation.
  • Email insecure by default: PGP or S/MIME for sensitive data.

6.2 Link vs end-to-end encryption

Comparison of link encryption (by carriers, encrypts routing) and end-to-end encryption.
Figure 6.2 · Link encryption (encrypts routing) versus end-to-end encryption.

Data is encrypted over a network in two ways. Link encryption is done by carriers: it encrypts all data along a communications path (satellite link, telephone circuit, T-1 line), including routing information. Consequence: each node must decrypt to keep routing, then re-encrypt. An attacker compromising a node can therefore see the message in clear there. In return, since routing is encrypted, link encryption offers better traffic confidentiality: it hides addressing information and prevents inferences about the existence of exchanges between two parties.

End-to-end encryption is done by the end user: data is encrypted at the source and only decrypted at the destination. It stays encrypted across the network, but routing information remains visible. A VPN is an example. The trade-off is the reverse of link encryption: better end-to-end content protection, but routing stays observable.

Key terms link encryption end-to-end encryption traffic confidentiality
Key points
  • Link: carriers, encrypts routing, decrypts/re-encrypts at each node → traffic confidentiality.
  • End-to-end: user, encrypted end to end, routing visible (VPN).
  • Each approach protects what the other leaves exposed.

6.3 Protecting data in use: enclaves

Data in use: secure enclave and encrypted memory
Figure 6.3 · Data in use: secure enclave and encrypted memory

Protecting data during processing is the hardest challenge, since it must be decrypted to be processed. The industry approach is the secure enclave: a zone isolated from the rest of the architecture where processing happens. Data is still processed in clear text there, but the enclave is designed to be impervious to vulnerabilities and malware present elsewhere in the system. The word 'enclave' indeed denotes a territory isolated from another.

Beyond enclaves, classic controls remain relevant: strict access control, logging and auditing to detect abnormal use, non-repudiation. Detecting usage anomalies, combined with forensic techniques, uncovers fraud and abuse. The risk remains: accidental or malicious alteration, unauthorized exposure (the over-the-shoulder attack being the simplest example).

Key terms secure enclave non-repudiation anomaly detection
Key points
  • Data in use = decrypted to process → hardest to protect.
  • Secure enclave = isolated zone, impervious to the rest of the system's vulnerabilities.
  • Add-ons: strict access, auditing, non-repudiation, anomaly detection.

Case studies

Case · Adapted official case

Medical devices transmitting EPHI in clear text

Context : During the inventory, Adriana finds some devices send and receive EPHI in clear text. Leadership asks for a plan ensuring stored and transmitted data is appropriately encrypted.

Question : How to apply encryption to data at rest and in transit, and ensure only authorized personnel interact with the devices?

Show analysis and answer

In transit: replace clear-text transmissions with TLS for the devices' web interfaces, and with application-level encryption or IPSec/SSH for non-web traffic. SSL is banned. At rest: encrypt local storage of the devices and adjacent servers with FIPS-compliant algorithms. In use, where data must be processed in clear text, rely on strict access controls and logging.

On access: restrict interaction to authorized personnel via strong authentication and periodic permission reviews (least privilege). As this is PHI, HIPAA compliance frames it all: encryption, access control, traceability, and managing shared responsibilities with any cloud providers.

Takeaway : One control per state: TLS/IPSec in transit, FIPS encryption at rest, strict access + audit in use; HIPAA frames PHI.

Exam pitfall

Data in use = hardest to protect

Data in use must be in clear text to be processed: it is the most exposed state. If the question asks the hardest state to protect, it is in use (answer: enclaves, access control, auditing).

Exam pitfall

SSL is deprecated

For data in transit, the right protocol is TLS. SSL (all versions) is breakable and deprecated - an 'SSL' answer to a modern protection question is a distractor.

Checkpoint — States and encryption

  1. Which data state is hardest to protect and why?

    • A Data at rest, because it is stored a long time
    • B Data in transit, because it crosses the network
    • C Data in use, because it must be in clear text to be processed
    • D All states are equivalent
    Answer & rationale

    Answer : C — Data in use, because it must be in clear text to be processed

    Data in use is in clear text (decrypted) to be processed, hence most exposed. Answers: enclaves, access control, auditing.

  2. Which encryption approach hides routing information and offers better traffic confidentiality?

    • A End-to-end encryption
    • B Link encryption
    • C Application TLS
    • D Crypto-shredding
    Answer & rationale

    Answer : B — Link encryption

    Link encryption also encrypts routing (decrypted at each node), hiding addressing: better traffic confidentiality.

  3. To protect sensitive data in transit on a web interface, which protocol should you prefer?

    • A SSLv3
    • B TLS
    • C FTP
    • D Telnet
    Answer & rationale

    Answer : B — TLS

    TLS is the modern standard. SSL (all versions) is deprecated; FTP and Telnet transmit in clear text.

  4. Which data-state / primary-control mapping is correct?

    • A At rest -> TLS ; in transit -> enclaves ; in use -> degaussing
    • B At rest -> encryption ; in transit -> TLS/IPSec ; in use -> access control and enclaves
    • C At rest -> enclaves ; in transit -> encryption ; in use -> TLS
    • D All three states use exactly the same control
    Answer & rationale

    Answer : B — At rest -> encryption ; in transit -> TLS/IPSec ; in use -> access control and enclaves

    At rest = encryption (+ access control, backups); in transit = TLS/IPSec/SSH; in use = access control, auditing and secure enclaves (data is in clear there).

Key takeaways

  • 3 states: at rest (encryption, access, backups), in transit (TLS/IPSec/SSH), in use (hardest).
  • Link encryption encrypts routing (traffic confidentiality); end-to-end protects content.
  • Data in use → secure enclaves + access control + auditing + non-repudiation.
  • TLS yes, SSL no; email insecure by default (PGP/S-MIME).
Module 7 Objective F 150 min Advanced

Baselines, scoping/tailoring, DLP and compliance

Prerequisites : Modules 1 and 6 (classification, data states, the notion of control).

How do you go from a generic control catalog to a setup fit for YOUR organization? Through baselines (minimum level of protection), then scoping and tailoring. This module also covers the technologies that enforce those choices - DLP, DRM, CASB - and the compliance standards to know.

The most-tested trap: scoping removes inapplicable controls, tailoring adjusts the remaining controls to context. Confusing the two is a classic exam error.

Learning objectives

  • Define a security baseline and its role as a minimum reference.
  • Distinguish scoping (remove) from tailoring (adjust).
  • Describe DLP (components, topologies), DRM and CASB.
  • Relate compliance standards (NIST, ISO, PCI DSS, GDPR, HIPAA) to control choices.

Success criteria

  • You explain scoping vs tailoring with an example of each.
  • You name the 3 DLP components and its 3 topologies.
  • You distinguish DLP, DRM and CASB and their respective roles.

7.1 Control types and defense in depth

Three control types (administrative, technical, physical) layered as defense in depth.
Figure 7.1 · Three control types layered: administrative, technical, physical.

To protect assets, you combine three broad control types. Administrative controls are policies, procedures, standards and training - the human and organizational framework. Technical (or logical) controls are implemented by technology: encryption, access control, DLP, logging. Physical controls protect the environment: locks, badges, cameras, environmental controls.

Controls also sort by mode of action (preventive, detective, corrective, deterrent, recovery, compensating), but that categorization is not absolute: a single control can fall into several categories depending on its implementation.

The key point for asset security: relying on a single control type or category creates a single point of failure. By combining several types and categories, you force the attacker to prepare multiple attack paths instead of one - that is defense in depth, which deters, slows down and raises the chance of detecting an attack.

Key terms administrative / technical / physical defense in depth single point of failure
Key points
  • 3 types: administrative (policies), technical/logical (encryption, DLP), physical (badges).
  • A single control type = single point of failure.
  • Combining types and categories = defense in depth (deters, slows, detects).

7.2 Baselines: the minimum reference

Baseline matrix by classification level (High, Medium, Low) and control category.
Figure 7.2 · Minimum baseline broken down by level: High, Medium, Low.

A security baseline is a minimum level of protection serving as a reference point. It ensures that any evolution of technology or architecture stays above an understood, accepted threshold. Once controls are in place, everything is measured against the baseline.

Baselines break down by classification level. If you classify as high, medium, low, you define a baseline for each: for example, high = strong passwords + NDA + 128-bit symmetric encryption for creation, storage and transmission + watermark + real-time monitoring; low = simple owner-approved access process, no encryption, no labeling, no monitoring. Baselines can also be technical (the minimum configuration of a Windows machine before joining the network) or non-technical (wearing a badge, escorting visitors). In short: a baseline is a consistent reference point, defining the minimum required and breaking down into per-architecture configurations.

Key terms baseline per-classification baseline
Key points
  • Baseline = minimum protection level serving as a reference.
  • One baseline per classification level (high/medium/low).
  • Technical (config) and non-technical (badge, escort) baselines.

7.3 Scoping and tailoring

From catalog to applied baseline: scoping removes, tailoring adjusts.
Figure 7.3 · From catalog to applied baseline: scoping removes, tailoring adjusts.

You rarely adopt a framework as is: you scope and tailor it to your context. These two operations are distinct and frequently confused at the exam.

Scoping: the process of determining which controls apply and to which assets, by removing from the general baseline the recommendations that do not apply. Several considerations influence how controls are applied; the system security plan must clearly identify which controls were scoped and describe the decisions made, approved by the authorizing official.

Tailoring: the process of modifying the control set to fit the organization's specific characteristics and requirements. It gives more flexibility and avoids costly or needlessly complex approaches. Formally, tailoring includes applying scoping, specifying compensating controls if needed, and defining organization-specific parameters. Remember: scoping REMOVES what does not apply, tailoring ADJUSTS what remains.

Key terms scoping tailoring compensating control authorizing official
Key points
  • Scoping = remove inapplicable baseline controls.
  • Tailoring = adjust/modify remaining controls to context (+ compensating).
  • The system security plan documents scoping decisions, approved by the authorizing official.

7.4 DLP, DRM and CASB

DLP architecture: components (discovery, monitoring, enforcement) and DIM/DAR/DIU topologies.
Figure 7.4 · DLP: components (discovery, monitoring, enforcement) and DIM/DAR/DIU topologies.

Data Loss Prevention (DLP) groups the controls that keep certain data compliant with policies. It rests on three components: discovery & classification (map and automatically classify data), monitoring (watch usage across locations and platforms, the key function), enforcement (interrogate data and compare its location, use or destination against policies, then alert, log, block, reroute or encrypt). DLP depends heavily on reliable data identification: without prior discovery, classification and labeling, it is much harder to operate. It is one of the few technologies effective against insider threat.

Three deployment topologies, aligned with states: Data in Motion (network/gateway DLP, near the gateway, watching HTTP/HTTPS/SMTP/FTP), Data at Rest (storage DLP, where data is stored), Data in Use (endpoint/client DLP, on workstations). DRM (Digital Rights Management) encrypts data within the file itself (format-preserving) and controls its use, modification and distribution across the intellectual property's life; if DLP does not integrate with DRM, it cannot read the protected files. Finally, the CASB (Cloud Access Security Broker) is a control point between the cloud consumer (CSC) and provider (CSP); it provides four functions - visibility, data security, threat protection, compliance - and deploys as a forward proxy, reverse proxy or via API.

Key terms DLP DIM / DAR / DIU DRM CASB
Key points
  • DLP = discovery/classification + monitoring + enforcement; effective against insider threat.
  • DLP topologies: DIM (network), DAR (storage), DIU (endpoint).
  • DRM encrypts within the file; CASB = control point CSC↔CSP, 4 functions, proxy/API.

7.5 Selecting compliance standards

Standards and regulations: NIST RMF/CSF, ISO 27001, PCI DSS, GDPR, HIPAA.
Figure 7.5 · Standards and regulations: NIST RMF/CSF, ISO 27001, PCI DSS, HIPAA, GDPR.

Organizations adopt standards (sometimes called frameworks) to structure their security posture, understand baseline controls and assess their maturity. Depending on activity, some are mandatory (law or regulation): PCI DSS for card data, HIPAA for health, GDPR for European personal data. On steering frameworks: NIST SP 800-37 (Risk Management Framework), NIST Cybersecurity Framework, NIST SP 800-53 (control catalog), ISO 27001/27002 (ISMS), plus entities like ENISA or the ITU.

The professional must know this landscape and that contractual or legal requirements can directly dictate a control (PCI DSS mandates encryption of card data, for instance). You rarely adopt a framework wholesale: you implement parts of it through scoping and tailoring, to target genuinely relevant risks without waste. The overall Domain 2 logic closes here: classify to know value, choose a baseline by that value, scope and tailor to fit it, and enforce it all with the right technical and compliance controls.

Key terms NIST SP 800-37 (RMF) NIST SP 800-53 PCI DSS / HIPAA / GDPR ISO 27001 / 27002
Key points
  • Some standards are mandatory (PCI DSS, HIPAA, GDPR), others steering (NIST RMF/CSF, ISO 27001).
  • A legal/contractual requirement can directly dictate a control (e.g. PCI DSS encryption).
  • You implement parts via scoping and tailoring, not the whole framework.

Case studies

Case · Real-world case

Cambridge Analytica / Facebook: the data that got away

Context : In 2018, the Cambridge Analytica scandal revealed the unauthorized exploitation of about 87 million Facebook users' data, harvested via a third-party app ('This Is Your Digital Life') and used for political psychographic profiling. Facebook was criticized for inadequate protections and lax control of third-party apps.

Question : Which data security controls would have limited the incident?

Show analysis and answer

Several Domain 2 levers failed. Requirements management: stricter vetting of third-party apps, with regular compliance audits. Security restrictions: enforce least privilege by limiting the types and volume of data accessible to third-party apps, via granular permission models. Retention and possession: rigorous lifecycle policies, with defined retention periods and secure deletion - unneeded data should have been destroyed, shrinking the exposure surface. Categorization and ownership: categorizing data by sensitivity and clearly defining ownership and permitted uses would have added protection layers against third-party misuse.

The cross-cutting lesson: asset security does not stop at collection; it plays out across the whole lifecycle, through destruction, and in mastering third-party relationships.

Takeaway : Least privilege on third parties, minimal retention + secure deletion, clear ownership and categorization: undestroyed data is data at risk.

Case · Capstone case - domain synthesis

Capstone: securing a multi-party project's data end to end

Context : An industrial consortium builds a complex system with several international subcontractors and shared cloud hosting. As the security professional, you must build the asset-security strategy end to end - from identification to destruction - and extend it to third parties.

Question : What end-to-end approach should you apply, which Domain 2 topics are involved, and what are the key learning elements?

Show analysis and answer

Topics covered (the whole of Domain 2): (1) asset inventory and identification via CMDB and ITAM; (2) classification (access axis) and categorization (impact axis); (3) ownership - owner accountable, custodian executes, controller/processor under GDPR; (4) data lifecycle (Create, Store, Use, Share, Archive, Destroy) with controls per phase; (5) data states (at rest, in transit, in use) and encryption (link vs end-to-end); (6) retention (minimums/maximums) and defensible destruction (degaussing, crypto-shredding, NIST SP 800-88); (7) scoped and tailored baselines; (8) DLP, DRM and CASB; (9) compliance (PCI DSS, HIPAA, GDPR) and third-party assurance (SOC 1/2, BAA, supply chain).

Approach: inventory then classify and categorize assets; assign owners and roles; apply a per-level baseline, scoped and tailored; protect each state with the right control; drive retention and destruction defensibly and traceably; govern third parties with contractual clauses, audit rights, SOC reports and BAAs. The single policy is shared with all parties who must comply, enforced and monitored.

Takeaway : Key learning elements: classify before protecting; the owner stays accountable (non-delegable); one control per state; degaussing useless on SSDs; scoping removes / tailoring adjusts; asset security extends to the supply chain (SOC, BAA).

Exam pitfall

Scoping (remove) vs tailoring (adjust)

Scoping = remove from the baseline the controls that do not apply. Tailoring = modify/adjust the retained controls to context (and add compensating ones). 'Limit by removing what does not apply' → scoping.

Exam pitfall

DLP ≠ DRM ≠ CASB

DLP prevents data leakage (discovery/monitoring/enforcement). DRM controls intellectual-property usage by encrypting within the file. CASB is the control point between cloud consumer and provider. Do not confuse them.

Checkpoint — Baselines, scoping and DLP

  1. Which definition matches scoping?

    • A Altering baselines to apply more specifically
    • B Limiting baseline recommendations by removing those that do not apply
    • C Adding compensating controls everywhere
    • D Encrypting all data at rest
    Answer & rationale

    Answer : B — Limiting baseline recommendations by removing those that do not apply

    Scoping = remove inapplicable controls from the baseline. Option A describes tailoring (modification/adjustment).

  2. What are the three functional components of a DLP solution?

    • A Encryption, hashing, signing
    • B Discovery & classification, monitoring, enforcement
    • C Forward proxy, reverse proxy, API
    • D Clearing, purging, destruction
    Answer & rationale

    Answer : B — Discovery & classification, monitoring, enforcement

    DLP rests on discovery & classification, monitoring (the key function) and enforcement. The proxies describe a CASB.

  3. An organization wants a centralized control point between its users and several cloud services (visibility, data security, compliance). Which technology?

    • A DRM
    • B CASB
    • C Degaussing
    • D RAID
    Answer & rationale

    Answer : B — CASB

    The CASB sits between CSC and CSP and provides visibility, data security, threat protection and compliance.

  4. Which standard contractually mandates encryption of payment-card data?

    • A HIPAA
    • B PCI DSS
    • C FERPA
    • D ISO 19770
    Answer & rationale

    Answer : B — PCI DSS

    PCI DSS is a contractual requirement mandating, among others, the encryption of card data.

  5. Why should you not rely on a single control type to protect an asset?

    • A Because it is more expensive
    • B Because it creates a single point of failure
    • C Because the law forbids it
    • D Because technical controls are always enough
    Answer & rationale

    Answer : B — Because it creates a single point of failure

    A single control type or category = single point of failure. Combining administrative, technical and physical = defense in depth.

Key takeaways

  • Baseline = minimum reference, broken down per classification level.
  • Scoping REMOVES inapplicable controls; tailoring ADJUSTS the remaining ones.
  • DLP (discovery/monitoring/enforcement, DIM/DAR/DIU topologies) vs DRM vs CASB.
  • Compliance: PCI DSS/HIPAA/GDPR mandatory; NIST RMF/CSF, ISO 27001 to steer.

Domain summary

Asset security distinguishes two forms of information assets: intangible assets (ideas, data, knowledge) and the tangible assets (hardware, software, media) that record and move them. Two lifecycles frame the practice: the IT asset management lifecycle (Plan, Acquire, Deploy, Manage, Retire) and the data lifecycle (Create, Store, Use, Share, Archive, Destroy).

The overall logic is cumulative: classify to recognize value and sensitivity, categorize to gauge impact, then derive the controls that due care and due diligence require, applied across the three data states (at rest, in transit, in use). The inventory and the assignment of an accountable owner form the foundation; baselines, scoped and tailored, set the minimum protection per level; controlled retention and defensible destruction bound end of life. Finally, compliance (PCI DSS, HIPAA, GDPR) and mastering third-party relationships (SOC reports, supply chain) extend protection beyond the internal perimeter.

Glossary (Terms & Definitions)

The key Domain 2 terms, to master in English for the exam.

TermDefinition
AssetAnything of value owned by an organization, tangible (systems, physical property) or intangible (intellectual property).
AccountabilityAssurance that actions can be traced to a responsible party and only authorized users access the system properly.
ResponsibilityObligation for doing something; it can be delegated (unlike accountability).
InventoryA complete list of all items owned by the organization.
RecoveryThe process of jointly addressing business resiliency and restoring critical infrastructure and functionality after a disruption.
ClassificationRecognizing the impacts to the organization if information suffers a compromise to its CIA, privacy, or safety characteristics.
CategorizationGrouping data with comparable sensitivities (impact or loss ratings) and similar security needs mandated by law or contracts.
Data Classification LevelsA sensitivity scale (e.g. public, internal, confidential, restricted/secret) that drives the controls applied at each level.
BaselineA documented, lowest level of security configuration allowed by a standard or organization.
ScopingLimiting general baseline recommendations by removing those that do not apply.
TailoringModifying a control baseline through scoping, compensating controls, and organization-defined parameters.
SupplementationAdding extra controls to a baseline to address specific risks not covered by default.
ClearingRemoving sensitive data so it cannot be reconstructed using normal system functions or software recovery utilities.
PurgingRemoving sensitive data with the intent that it cannot be reconstructed by any known technique.
DegaussingApplying a strong magnetic field to erase data on magnetic media (HDD, tape); ineffective on SSDs.
Crypto-shreddingDestroying the encryption keys so encrypted data becomes permanently unreadable (crypto-erase).
Defensible DestructionEliminating data in a controlled, legally defensible, and regulatory-compliant way.
Media SanitizationThe process of removing data from media per NIST SP 800-88 (Clear, Purge, Destroy), chosen by sensitivity.
Data RemanenceResidual data remaining on media after nominal erasure, a leakage risk if sanitization is insufficient.
Data OwnerThe person accountable for classifying, protecting, and authorizing use of an information asset; a non-delegable role.
Data CustodianThe individual managing day-to-day permissions and protection of an asset per the data owner's instructions.
Data ControllerEntity (GDPR) that determines the purposes and means of processing personal data; legally responsible for the processing.
Data ProcessorEntity (GDPR) that processes personal data on behalf of and on instruction from the data controller.
Data StewardResponsible for data quality, consistency, and proper business use under data governance rules.
Data SubjectThe identified or identifiable natural person to whom personal data relates.
PIIPersonally Identifiable Information: any data that can directly or indirectly identify an individual.
PHIProtected Health Information: identifiable health data protected notably by HIPAA in the US.
Cardholder Data (PCI)Cardholder data (PAN, expiry, code) protected by the PCI DSS standard.
Sensitive DataData whose disclosure, alteration, or loss causes harm, requiring heightened controls.
Need-to-KnowPrinciple limiting access to only the information strictly necessary for a person's task.
Data StatesThe three states of data: at rest (stored), in transit/in motion (transmitted), and in use (in memory/processing).
Data at RestData stored on media (disk, database, backup), protected mainly by encryption at rest.
Data in TransitData being transmitted over a network, protected by TLS/IPsec and transport encryption.
Data in UseData loaded in memory or being processed, protected by access control, isolation, and confidential computing.
Encryption at RestEncrypting stored data (FDE, TDE, object encryption) to protect it if the media is stolen.
Data LifecycleThe data lifecycle: create, store, use, share, archive, and destroy.
Information Lifecycle ManagementManaging policies applied to information at each phase of its lifecycle according to value.
IT Asset Management LifecycleThe IT asset management lifecycle (acquire, deploy, maintain, retire) that influences classification.
Data RetentionThe period data must be kept before deletion, driven by legal and business requirements.
Record RetentionPolicies governing retention and scheduled destruction of records for legal compliance.
End-of-Life (EOL)The point where a vendor stops selling a hardware or software product.
End-of-Support (EOS)The point where vendor patches and support stop; an EOS asset becomes an unpatchable vulnerability.
Data SovereigntyThe principle that data is subject to the laws of the country where it is physically stored.
Data ResidencyA requirement defining the geographic location where data must reside.
Data LocalizationA legal mandate to store and process certain data within a country's borders.
GDPRGeneral Data Protection Regulation: EU regulation on personal data protection with fines and individual rights.
De-identification / TokenizationRemoving or substituting direct identifiers; tokenization replaces a sensitive value with a token that is not reversible without a mapping table.
AnonymizationIrreversible transformation preventing any re-identification, removing data from personal-data scope.
PseudonymizationReplacing identifiers with pseudonyms reversible via a separately stored key (GDPR).
Data MaskingHiding sensitive values (obscured or substituted) while preserving format for non-production use.
WatermarkingEmbedding a visible or invisible mark in content to trace leak source or prove ownership.
DLPData Loss Prevention: technology detecting and blocking exfiltration of sensitive data by classification.
DRMDigital Rights Management: technical controls restricting use, copying, and distribution of protected content.
CASBCloud Access Security Broker: a policy enforcement point between users and cloud services.
CMDBConfiguration Management Database: a repository of configuration items and their relationships.
Configuration ItemAn identified component under configuration control (hardware, software, service) tracked in the CMDB.
ITAMIT Asset Management: managing the financial, contractual, and inventory lifecycle of IT assets.
Asset InventoryAn up-to-date record of all hardware and software assets, the foundation of asset management and security.
Hardware AssetA physical asset (server, endpoint, network device, storage media) to be inventoried and protected.
Software AssetA software asset (applications, licenses) managed for license compliance and security posture.
Provenance / LineageTraceability of a data item's origin and successive transformations across processing.
Golden Record / MDMMaster Data Management: a single authoritative record consolidating reference data.
Data AuditA review verifying data classification, access, compliance, and usage against policy.
QualitativeMeasuring without numbers, using adjectives, scales, or grades.
QuantitativeMeasuring with numbers, usually monetary values (e.g. SLE, ALE).

Domain key takeaways

What you must remember

  • Assets are protected across their whole lifecycle, from creation to destruction, with technical, physical and administrative controls.
  • Identifying and classifying assets is the founding step: you only protect well what you know the value, sensitivity and criticality of.
  • Classification = access/confidentiality; categorization = impact (FIPS 199); a classification is not a label.
  • The owner decides and stays accountable; the custodian executes; the controller is accountable, the processor is not.
  • Controls are chosen by data state (at rest, in transit, in use) and combined into defense in depth to avoid any single point of failure.
  • Balanced retention (legal minimums, maximums via minimization) and defensible destruction fit to the media (magnetic degaussing, crypto-shredding for SSD, NIST SP 800-88).
  • Baselines are scoped and tailored; compliance (PCI DSS, HIPAA, GDPR) and third-party relationships (SOC, supply chain) extend security beyond the internal perimeter.

Going further