Domaine 2 · 10% Exam weight

Asset Security

Identify, classify and protect data across its lifecycle: create, store, transmit, archive, destroy. Ownership (owner, custodian, user) and remanence are central.

(ISC)² CBK Objectives

The 6 official learning areas of Domain 2. Click an objective for detail.

Objective A

Identify and classify information and assets

Diagramme — Identify and classify information and assets

Inventory assets (information, systems, media) and assign a classification level based on sensitivity and criticality. Classification drives every later control: protections follow classification, never the other way round.

Key points

  • Classification (sensitivity) vs categorization (by impact/type)
  • Military (Top Secret/Secret/Confidential) and private (Confidential/Private/Public) schemes
  • The data owner sets classification; the custodian enforces it
Objective B

Establish information and asset handling requirements

Diagramme — Establish information and asset handling requirements

Define how to mark, label, store, transport and destroy assets according to their classification. Marking is human-visible; the label is system-readable metadata used for enforcement.

Key points

  • Marking (human) vs labeling (enforcement metadata)
  • Handling: storage, transport, access by sensitivity
  • Declassification and end-of-life governed
Objective C

Provision resources securely

Diagramme — Provision resources securely

Manage the asset life cycle (IT Asset Management): inventory, acquisition, deployment, maintenance, retirement. Define roles clearly: the owner is accountable, the custodian executes, and the inventory (ITAM/CMDB) is the single source of truth.

Key points

  • IT Asset Management Life Cycle (acquisition to retirement)
  • ITAM / CMDB inventory = single source of truth
  • Owner accountable, custodian executes, controller vs processor
Objective D

Manage the data life cycle

Diagramme — Manage the data life cycle

Track data from creation to destruction: create, store, use, share, archive, destroy. At each phase, suitable controls and defined roles (owner, custodian, controller, processor, subject) ensure protection and compliance.

Key points

  • Data Security Life Cycle: 6 phases create -> destroy
  • GDPR/NIST roles: controller, processor, owner, custodian, subject
  • Data location, collection and maintenance
Objective E

Ensure appropriate asset retention

Diagramme — Ensure appropriate asset retention

Retain data neither too long (risk, cost, legal exposure) nor too little (legal and business obligations). Manage end-of-life (EOL) and end-of-support (EOS) of hardware and software, and data remanence on destruction.

Key points

  • Retention policy: legal/business/risk balance
  • EOL vs EOS of hardware and software
  • Data remanence: Delete < Clear < Purge < Destroy
Objective F

Determine data security controls and compliance requirements

Diagramme — Determine data security controls and compliance requirements

Select controls from a baseline (reference minimum), then adjust via scoping (drop the irrelevant) and tailoring (adapt to context). Protect data in its three states (at rest, in transit, in use) and tool compliance (DLP, DRM, CASB).

Key points

  • Baseline then scoping & tailoring
  • Protect the 3 states: at rest, in transit, in use
  • DLP, DRM, CASB; compliance standards

Key concepts

Data classification

Criteria: Value, Usefulness, Age, Association. Military: Top Secret > Secret > Confidential > Sensitive-but-unclassified > Unclassified. Private: Sensitive > Confidential > Private > Public.

Classification vs categorization

Classification is about ACCESS: marking information so only the right clearance levels can reach it. Categorization is about IMPACT: assessing the effect of a loss of confidentiality, integrity or availability (low/moderate/high). Categorization references: NIST SP 800-60 and FIPS 199.

Tangible and intangible assets

A tangible asset is physical (server, disk, building, the medium that stores information). An intangible asset is immaterial: the information itself, intellectual property, tacit knowledge not written down. The medium is tangible, the data it carries is intangible: both hold value to protect.

Asset inventory, CMDB, ITAM

The inventory lists all physical and virtual assets: hardware, software, data. The CMDB (Configuration Management Database) tracks what you own AND how it is configured, and acts as a restoration point. ITAM (IT Asset Management) governs the full hardware/software/data lifecycle; ISO/IEC 19770 is its standard.

IT asset lifecycle (plan → retire)

IT asset management lifecycle: plan → acquire/procure → deploy → operate/maintain → upgrade → retire/dispose. At each stage: marking, controls, and at end of life, sanitization before reuse or destruction.

Data security lifecycle (CSUSAD)

Six phases: Create (creation/acquisition, where privacy by design and classification apply), Store (storage, physical and logical controls), Use (processing, the most exposed moment), Share (sharing), Archive (retention), Destroy (secure destruction). Mnemonic CSUSAD.

GDPR personal-data roles

Data Subject (the individual). Controller: determines purposes and means of processing, legally responsible and accountable. Processor: processes on the controller's behalf, with NO legal accountability of its own. Data Steward (content/context/quality), Data Custodian (custody, transport, storage, technical protection), DPO (compliance/authority interface). The owner stays accountable for classification and destruction.

Data location and localization

With the cloud, knowing WHERE data resides becomes critical. Data localization laws require that certain data stay within a given jurisdiction, be stored, processed or accessed locally. The practitioner must map the locations and interconnections of vital data types, and manage encryption keys accordingly.

Marking and labeling

Media must carry a physical label stating sensitivity, whether the content is encrypted, a point of contact and the retention period. Ideally the system enforces labels, which in practice only happens under MAC; under DAC labels are not enforced uniformly and may be lost during transfers. Key rule: any media found WITHOUT a label is handled at the highest sensitivity level until analysis says otherwise.

Declassification

Lowering an asset's classification to a less sensitive level; marking, handling and storage are adjusted accordingly. The data owner plays a central role. May rely on obfuscation techniques: de-identification (anonymization) or tokenization (replacement with non-exploitable tokens).

Retention: minimums and maximums

Keep data only as long as required. There are minimums (e.g. finance mandates 7 years) imposed by law, contract or regulation, and maximums beyond which keeping data becomes a risk (exposure, cost, non-compliance). Classic mistake: take the longest retention and apply it everywhere. With no external requirement, the organization sets its own policy based on business need.

Scoping vs tailoring

You adopt a framework (NIST SP 800, ISO 27001) then adapt it. Scoping: decide which controls apply and to which assets (you REMOVE irrelevant controls); approved by the authorizing official. Tailoring: ADJUST the control set to the organization's characteristics and needs to avoid costly or overly complex approaches.

Baselines and standards selection

A baseline is the minimum set of controls to apply; it derives from a chosen framework. Standards selection is often forced by laws, regulations, contracts or market requirements: NIST SP 800-37 RMF, NIST CSF, PCI-DSS, HIPAA, GDPR, US DoDI RMF. The organization sets its baseline then scopes and tailors it.

DLP: components and topologies

DLP (Data Loss Prevention) stops loss or unauthorized access to sensitive data. Three components: data discovery/classification, policy engine (inspection and rules), enforcement/remediation (block, encrypt, alert). Three topologies by state: Data In Motion (DIM, on the network), Data At Rest (DAR, on storage) and Data In Use (DIU, on the endpoint).

DRM vs DLP

DRM (Digital Rights Management): tools and processes controlling the USE, modification and distribution of intellectual property across its lifecycle. DLP: technologies and practices ensuring sensitive data is neither lost nor accessed by unauthorized parties. DRM enforces usage rights; DLP prevents leakage.

CASB: 4 functions

A CASB (Cloud Access Security Broker) is a centralized control point between the cloud consumer (CSC) and the provider (CSP). Four functions: Visibility, Data security, Threat protection, Compliance. Deployed as forward proxy, reverse proxy or API-based.

Data in use and secure enclaves

Data in use = data being processed, analyzed or shared: it is in plaintext, hence the hardest state to protect. It is bounded by access controls, DLP and DRM, and by secure enclaves (isolated, memory-encrypted execution zones) that preserve confidentiality during computation.

Link vs end-to-end encryption

Link encryption: encrypts all traffic (payload AND headers) hop by hop; decrypted and re-encrypted at each node, so plaintext inside intermediate devices. End-to-end: encrypts only the payload from source to destination, headers stay visible for routing but content is never plaintext in transit. DIM relies on TLS, IPSec, PGP, S/MIME, VPN.

Data roles

Data Owner (decides classification, destruction), Data Custodian (applies day-to-day controls, backups), System Owner (security baseline), Administrator (permissions), End User (follows policies).

Three data states

At Rest (AES encryption), In Motion (TLS/HTTPS), In Use (scoping & tailoring of controls).

Remanence and destruction

Sanitizing (complete), Degaussing (magnetic, unrecoverable), Erasing (software), Overwriting/Shredding, Zero fill, Physical destruction, Encryption. Remanence is the residual trace left after incomplete deletion; deleting a file does not remove the data from the medium, only the directory is marked free.

Clearing, purging, destruction

Three increasing levels of sanitization (NIST SP 800-88). Clearing: overwrite with random patterns (clobbering/zeroizing); a missed block may stay recoverable, and data remains within the same environment. Purging: eliminate residual physical traces, resists lab recovery (e.g. degaussing for magnetic media). Destruction: shredding, incineration, pulverizing, acid; the ultimate remedy to remanence.

Policies, standards, guidelines

Regulatory (mandatory), Advisory (recommended), Informative (guidance). Baseline = minimum. Procedures = concrete steps.

Frameworks & standards

FrameworkRole
NIST SP 800-88 Sanitization and remanence guidelines (clearing, purging, destruction).
NIST SP 800-145 Cloud computing standards.
NIST SP 800-60 Categorization guide: map an information type to an impact level.
FIPS 199 Categorizes systems by impact (low/moderate/high) on C, I, A.
NIST SP 800-53 Catalog of security and privacy controls; basis for baselines to scope/tailor.
NIST SP 800-37 (RMF) Risk Management Framework: categorize, select, implement, assess, authorize, monitor.
NIST CSF Cybersecurity Framework: Identify, Protect, Detect, Respond, Recover.
ISO/IEC 27001 / 27002 27001: requirements for a certifiable ISMS; 27002: code of practice for controls.
ISO/IEC 19770 IT asset management (ITAM) standard: governance processes and data.
PCI-DSS Payment card data protection standard (encryption, scope).
GDPR EU regulation on personal data: controller/processor/DPO roles, subject rights.
HIPAA Protects health data (PHI/EPHI) in the United States.
FIPS Federal Information Processing Standards.

Acronyms

AcronymMeaning
AES Advanced Encryption Standard
NIST National Institute of Standards and Technology
FIPS Federal Information Processing Standards
EFS Encrypting File System
ITAM IT Asset Management
CMDB Configuration Management Database
DLP Data Loss Prevention
DRM Digital Rights Management
CASB Cloud Access Security Broker
PII Personally Identifiable Information
PHI Protected Health Information
EPHI Electronic Protected Health Information
GDPR General Data Protection Regulation
DPO Data Protection Officer
HDD Hard Disk Drive
SSD Solid State Drive
RMF Risk Management Framework
CSF Cybersecurity Framework
MAC Mandatory Access Control (enforces labels)
DAC Discretionary Access Control (labels not uniform)
TLS Transport Layer Security
IPSec Internet Protocol Security
PGP Pretty Good Privacy
S/MIME Secure/Multipurpose Internet Mail Extensions
VPN Virtual Private Network

Mnemonics

Memo · 3 états des données

3 states = 3 controls. At rest → encryption. In motion → TLS. In use → scoping.

Memo · Owner vs Custodian

Owner DECIDES (classification, destruction). Custodian EXECUTES (backups, daily controls).

Memo · Classification

Military (descending): Top Secret > Secret > Confidential > Sensitive-but-unclassified > Unclassified.

Memo · Destruction

Degaussing = MAGNETIC media only (HDD yes, SSD no). SSD → crypto-shredding or physical destruction.

Memo · Cycle de vie : CSUSAD

CSUSAD = Create, Store, Use, Share, Archive, Destroy. The six data-lifecycle phases, in order.

Memo · Scoping vs Tailoring

Scoping = REMOVE out-of-scope controls. Tailoring = ADJUST the ones that remain. Scope first, tailor next.

Memo · Controller vs Processor

Controller = aCCountable (decides purposes/means). Processor = executes, NO legal accountability of its own.

Memo · Sanitization croissante

Clearing < Purging < Destruction. The higher the sensitivity, the higher you climb the scale (NIST 800-88).

Exam pitfalls

Pitfall

Owner ≠ Custodian

Data Owner DECIDES; Data Custodian EXECUTES. Frequent exam trap.

Pitfall

Degaussing does not work on SSD

Degaussing is magnetic-media only. SSD: physical destruction or crypto-shredding.

Pitfall

Classification (access) ≠ Categorization (impact)

If the question is about who can ACCESS and clearance levels → classification. If it is about the IMPACT of a C/I/A loss (low/moderate/high, NIST 800-60, FIPS 199) → categorization.

Pitfall

Scoping ≠ Tailoring

Scoping = decide which controls apply (you remove some). Tailoring = adjust/refine the ones kept. The exam often swaps the two.

Pitfall

Controller accountable, Processor not

Under GDPR, the data controller determines purposes and means and bears legal accountability. The data processor processes on its behalf and has no legal accountability of its own. Do not confuse with owner/custodian.

Pitfall

Clearing < Purging < Destruction

Clearing overwrites but may leave recoverable blocks. Purging resists lab recovery. Destruction is physical and irreversible. The right answer depends on sensitivity level and the medium's future use.

Pitfall

Data in use = plaintext, the hardest

During processing, data is plaintext in memory: the hardest state to protect. Rely on DLP, DRM, access controls and secure enclaves, not on classic at-rest encryption.

Pitfall

A classification is not a label

Classification is the sensitivity-level decision; the label/marking is the tag that materializes it on the medium. Media found WITHOUT a label → handled at the highest level until analysis.

Pitfall

Accountability cannot be delegated

The data owner may delegate execution (to the custodian, to the processor) but stays accountable for classification, protection and destruction. Delegating a task does not transfer ultimate responsibility.

Real-world cases

Case · Teaching scenario

Retiring an old banking server

Server with customer data. Plan: 1) crypto-shredding (destroy keys), 2) multi-pass overwriting, 3) physical disk destruction. Log every step in the chain-of-custody record.

Case · Real case (illustrative)

SolarWinds: supply chain

A compromised software update spread a backdoor to thousands of customers. D2 lesson: software assets and their dependencies must be inventoried (ITAM/CMDB), versioned and integrity-checked; an unmanaged third-party asset becomes a leakage vector for the data it processes.

Case · Real case (illustrative)

Cambridge Analytica / Facebook

Personal data collected for one purpose was reused for others, with no legal basis or use limitation. D2/GDPR lesson: the controller must define and bound purpose and means, govern the processor through a processing agreement, and honor use limitation and data minimization.

Case · Teaching scenario

Hospital medical devices

Connected devices store and transmit PHI/EPHI. Plan: inventory each device (CMDB), categorize its criticality (FIPS 199), encrypt DAR and DIM (TLS/IPSec), apply HIPAA retention, and plan NIST 800-88 sanitization before servicing or disposal.

10-second recap

10-second recap

  • Owner decides and stays accountable, Custodian executes, User complies.
  • Classification = access; Categorization = impact (NIST 800-60, FIPS 199).
  • Data lifecycle: CSUSAD (Create, Store, Use, Share, Archive, Destroy).
  • Inventory + CMDB + ITAM (ISO 19770) to govern assets from plan to retire.
  • GDPR: controller accountable, processor executes; DPO as compliance interface.
  • Scoping removes out-of-scope controls, tailoring adjusts the kept ones from a baseline.
  • 3 data states = 3 controls (AES, TLS/IPSec, DLP/scoping); data in use = plaintext, the hardest.
  • Increasing sanitization: clearing < purging < destruction (NIST 800-88).
  • Destruction: degaussing magnetic-only, physical destruction or crypto-shredding for SSDs.
  • DLP prevents leakage (DIM/DAR/DIU), DRM controls IP usage, CASB covers the cloud (4 functions).

Domain quiz

Three levels available. Pick one based on the time you have.

🔒 Sign-up required for quizzes

Exam-style quizzes are members-only (free). Sign in with a magic link or a passkey to practise and save your scores.