(ISC)² CBK Objectives
The 6 official learning areas of Domain 2. Click an objective for detail.
Identify and classify information and assets
Inventory assets (information, systems, media) and assign a classification level based on sensitivity and criticality. Classification drives every later control: protections follow classification, never the other way round.
Key points
- Classification (sensitivity) vs categorization (by impact/type)
- Military (Top Secret/Secret/Confidential) and private (Confidential/Private/Public) schemes
- The data owner sets classification; the custodian enforces it
Establish information and asset handling requirements
Define how to mark, label, store, transport and destroy assets according to their classification. Marking is human-visible; the label is system-readable metadata used for enforcement.
Key points
- Marking (human) vs labeling (enforcement metadata)
- Handling: storage, transport, access by sensitivity
- Declassification and end-of-life governed
Provision resources securely
Manage the asset life cycle (IT Asset Management): inventory, acquisition, deployment, maintenance, retirement. Define roles clearly: the owner is accountable, the custodian executes, and the inventory (ITAM/CMDB) is the single source of truth.
Key points
- IT Asset Management Life Cycle (acquisition to retirement)
- ITAM / CMDB inventory = single source of truth
- Owner accountable, custodian executes, controller vs processor
Manage the data life cycle
Track data from creation to destruction: create, store, use, share, archive, destroy. At each phase, suitable controls and defined roles (owner, custodian, controller, processor, subject) ensure protection and compliance.
Key points
- Data Security Life Cycle: 6 phases create -> destroy
- GDPR/NIST roles: controller, processor, owner, custodian, subject
- Data location, collection and maintenance
Ensure appropriate asset retention
Retain data neither too long (risk, cost, legal exposure) nor too little (legal and business obligations). Manage end-of-life (EOL) and end-of-support (EOS) of hardware and software, and data remanence on destruction.
Key points
- Retention policy: legal/business/risk balance
- EOL vs EOS of hardware and software
- Data remanence: Delete < Clear < Purge < Destroy
Determine data security controls and compliance requirements
Select controls from a baseline (reference minimum), then adjust via scoping (drop the irrelevant) and tailoring (adapt to context). Protect data in its three states (at rest, in transit, in use) and tool compliance (DLP, DRM, CASB).
Key points
- Baseline then scoping & tailoring
- Protect the 3 states: at rest, in transit, in use
- DLP, DRM, CASB; compliance standards
Key concepts
Data classification
Criteria: Value, Usefulness, Age, Association. Military: Top Secret > Secret > Confidential > Sensitive-but-unclassified > Unclassified. Private: Sensitive > Confidential > Private > Public.
Classification vs categorization
Classification is about ACCESS: marking information so only the right clearance levels can reach it. Categorization is about IMPACT: assessing the effect of a loss of confidentiality, integrity or availability (low/moderate/high). Categorization references: NIST SP 800-60 and FIPS 199.
Tangible and intangible assets
A tangible asset is physical (server, disk, building, the medium that stores information). An intangible asset is immaterial: the information itself, intellectual property, tacit knowledge not written down. The medium is tangible, the data it carries is intangible: both hold value to protect.
Asset inventory, CMDB, ITAM
The inventory lists all physical and virtual assets: hardware, software, data. The CMDB (Configuration Management Database) tracks what you own AND how it is configured, and acts as a restoration point. ITAM (IT Asset Management) governs the full hardware/software/data lifecycle; ISO/IEC 19770 is its standard.
IT asset lifecycle (plan → retire)
IT asset management lifecycle: plan → acquire/procure → deploy → operate/maintain → upgrade → retire/dispose. At each stage: marking, controls, and at end of life, sanitization before reuse or destruction.
Data security lifecycle (CSUSAD)
Six phases: Create (creation/acquisition, where privacy by design and classification apply), Store (storage, physical and logical controls), Use (processing, the most exposed moment), Share (sharing), Archive (retention), Destroy (secure destruction). Mnemonic CSUSAD.
GDPR personal-data roles
Data Subject (the individual). Controller: determines purposes and means of processing, legally responsible and accountable. Processor: processes on the controller's behalf, with NO legal accountability of its own. Data Steward (content/context/quality), Data Custodian (custody, transport, storage, technical protection), DPO (compliance/authority interface). The owner stays accountable for classification and destruction.
Data location and localization
With the cloud, knowing WHERE data resides becomes critical. Data localization laws require that certain data stay within a given jurisdiction, be stored, processed or accessed locally. The practitioner must map the locations and interconnections of vital data types, and manage encryption keys accordingly.
Marking and labeling
Media must carry a physical label stating sensitivity, whether the content is encrypted, a point of contact and the retention period. Ideally the system enforces labels, which in practice only happens under MAC; under DAC labels are not enforced uniformly and may be lost during transfers. Key rule: any media found WITHOUT a label is handled at the highest sensitivity level until analysis says otherwise.
Declassification
Lowering an asset's classification to a less sensitive level; marking, handling and storage are adjusted accordingly. The data owner plays a central role. May rely on obfuscation techniques: de-identification (anonymization) or tokenization (replacement with non-exploitable tokens).
Retention: minimums and maximums
Keep data only as long as required. There are minimums (e.g. finance mandates 7 years) imposed by law, contract or regulation, and maximums beyond which keeping data becomes a risk (exposure, cost, non-compliance). Classic mistake: take the longest retention and apply it everywhere. With no external requirement, the organization sets its own policy based on business need.
Scoping vs tailoring
You adopt a framework (NIST SP 800, ISO 27001) then adapt it. Scoping: decide which controls apply and to which assets (you REMOVE irrelevant controls); approved by the authorizing official. Tailoring: ADJUST the control set to the organization's characteristics and needs to avoid costly or overly complex approaches.
Baselines and standards selection
A baseline is the minimum set of controls to apply; it derives from a chosen framework. Standards selection is often forced by laws, regulations, contracts or market requirements: NIST SP 800-37 RMF, NIST CSF, PCI-DSS, HIPAA, GDPR, US DoDI RMF. The organization sets its baseline then scopes and tailors it.
DLP: components and topologies
DLP (Data Loss Prevention) stops loss or unauthorized access to sensitive data. Three components: data discovery/classification, policy engine (inspection and rules), enforcement/remediation (block, encrypt, alert). Three topologies by state: Data In Motion (DIM, on the network), Data At Rest (DAR, on storage) and Data In Use (DIU, on the endpoint).
DRM vs DLP
DRM (Digital Rights Management): tools and processes controlling the USE, modification and distribution of intellectual property across its lifecycle. DLP: technologies and practices ensuring sensitive data is neither lost nor accessed by unauthorized parties. DRM enforces usage rights; DLP prevents leakage.
CASB: 4 functions
A CASB (Cloud Access Security Broker) is a centralized control point between the cloud consumer (CSC) and the provider (CSP). Four functions: Visibility, Data security, Threat protection, Compliance. Deployed as forward proxy, reverse proxy or API-based.
Data in use and secure enclaves
Data in use = data being processed, analyzed or shared: it is in plaintext, hence the hardest state to protect. It is bounded by access controls, DLP and DRM, and by secure enclaves (isolated, memory-encrypted execution zones) that preserve confidentiality during computation.
Link vs end-to-end encryption
Link encryption: encrypts all traffic (payload AND headers) hop by hop; decrypted and re-encrypted at each node, so plaintext inside intermediate devices. End-to-end: encrypts only the payload from source to destination, headers stay visible for routing but content is never plaintext in transit. DIM relies on TLS, IPSec, PGP, S/MIME, VPN.
Data roles
Data Owner (decides classification, destruction), Data Custodian (applies day-to-day controls, backups), System Owner (security baseline), Administrator (permissions), End User (follows policies).
Three data states
At Rest (AES encryption), In Motion (TLS/HTTPS), In Use (scoping & tailoring of controls).
Remanence and destruction
Sanitizing (complete), Degaussing (magnetic, unrecoverable), Erasing (software), Overwriting/Shredding, Zero fill, Physical destruction, Encryption. Remanence is the residual trace left after incomplete deletion; deleting a file does not remove the data from the medium, only the directory is marked free.
Clearing, purging, destruction
Three increasing levels of sanitization (NIST SP 800-88). Clearing: overwrite with random patterns (clobbering/zeroizing); a missed block may stay recoverable, and data remains within the same environment. Purging: eliminate residual physical traces, resists lab recovery (e.g. degaussing for magnetic media). Destruction: shredding, incineration, pulverizing, acid; the ultimate remedy to remanence.
Policies, standards, guidelines
Regulatory (mandatory), Advisory (recommended), Informative (guidance). Baseline = minimum. Procedures = concrete steps.
Frameworks & standards
| Framework | Role |
|---|---|
| NIST SP 800-88 | Sanitization and remanence guidelines (clearing, purging, destruction). |
| NIST SP 800-145 | Cloud computing standards. |
| NIST SP 800-60 | Categorization guide: map an information type to an impact level. |
| FIPS 199 | Categorizes systems by impact (low/moderate/high) on C, I, A. |
| NIST SP 800-53 | Catalog of security and privacy controls; basis for baselines to scope/tailor. |
| NIST SP 800-37 (RMF) | Risk Management Framework: categorize, select, implement, assess, authorize, monitor. |
| NIST CSF | Cybersecurity Framework: Identify, Protect, Detect, Respond, Recover. |
| ISO/IEC 27001 / 27002 | 27001: requirements for a certifiable ISMS; 27002: code of practice for controls. |
| ISO/IEC 19770 | IT asset management (ITAM) standard: governance processes and data. |
| PCI-DSS | Payment card data protection standard (encryption, scope). |
| GDPR | EU regulation on personal data: controller/processor/DPO roles, subject rights. |
| HIPAA | Protects health data (PHI/EPHI) in the United States. |
| FIPS | Federal Information Processing Standards. |
Acronyms
| Acronym | Meaning |
|---|---|
| AES | Advanced Encryption Standard |
| NIST | National Institute of Standards and Technology |
| FIPS | Federal Information Processing Standards |
| EFS | Encrypting File System |
| ITAM | IT Asset Management |
| CMDB | Configuration Management Database |
| DLP | Data Loss Prevention |
| DRM | Digital Rights Management |
| CASB | Cloud Access Security Broker |
| PII | Personally Identifiable Information |
| PHI | Protected Health Information |
| EPHI | Electronic Protected Health Information |
| GDPR | General Data Protection Regulation |
| DPO | Data Protection Officer |
| HDD | Hard Disk Drive |
| SSD | Solid State Drive |
| RMF | Risk Management Framework |
| CSF | Cybersecurity Framework |
| MAC | Mandatory Access Control (enforces labels) |
| DAC | Discretionary Access Control (labels not uniform) |
| TLS | Transport Layer Security |
| IPSec | Internet Protocol Security |
| PGP | Pretty Good Privacy |
| S/MIME | Secure/Multipurpose Internet Mail Extensions |
| VPN | Virtual Private Network |
Mnemonics
3 states = 3 controls. At rest → encryption. In motion → TLS. In use → scoping.
Owner DECIDES (classification, destruction). Custodian EXECUTES (backups, daily controls).
Military (descending): Top Secret > Secret > Confidential > Sensitive-but-unclassified > Unclassified.
Degaussing = MAGNETIC media only (HDD yes, SSD no). SSD → crypto-shredding or physical destruction.
CSUSAD = Create, Store, Use, Share, Archive, Destroy. The six data-lifecycle phases, in order.
Scoping = REMOVE out-of-scope controls. Tailoring = ADJUST the ones that remain. Scope first, tailor next.
Controller = aCCountable (decides purposes/means). Processor = executes, NO legal accountability of its own.
Clearing < Purging < Destruction. The higher the sensitivity, the higher you climb the scale (NIST 800-88).
Exam pitfalls
Owner ≠ Custodian
Data Owner DECIDES; Data Custodian EXECUTES. Frequent exam trap.
Degaussing does not work on SSD
Degaussing is magnetic-media only. SSD: physical destruction or crypto-shredding.
Classification (access) ≠ Categorization (impact)
If the question is about who can ACCESS and clearance levels → classification. If it is about the IMPACT of a C/I/A loss (low/moderate/high, NIST 800-60, FIPS 199) → categorization.
Scoping ≠ Tailoring
Scoping = decide which controls apply (you remove some). Tailoring = adjust/refine the ones kept. The exam often swaps the two.
Controller accountable, Processor not
Under GDPR, the data controller determines purposes and means and bears legal accountability. The data processor processes on its behalf and has no legal accountability of its own. Do not confuse with owner/custodian.
Clearing < Purging < Destruction
Clearing overwrites but may leave recoverable blocks. Purging resists lab recovery. Destruction is physical and irreversible. The right answer depends on sensitivity level and the medium's future use.
Data in use = plaintext, the hardest
During processing, data is plaintext in memory: the hardest state to protect. Rely on DLP, DRM, access controls and secure enclaves, not on classic at-rest encryption.
A classification is not a label
Classification is the sensitivity-level decision; the label/marking is the tag that materializes it on the medium. Media found WITHOUT a label → handled at the highest level until analysis.
Accountability cannot be delegated
The data owner may delegate execution (to the custodian, to the processor) but stays accountable for classification, protection and destruction. Delegating a task does not transfer ultimate responsibility.
Real-world cases
Retiring an old banking server
Server with customer data. Plan: 1) crypto-shredding (destroy keys), 2) multi-pass overwriting, 3) physical disk destruction. Log every step in the chain-of-custody record.
SolarWinds: supply chain
A compromised software update spread a backdoor to thousands of customers. D2 lesson: software assets and their dependencies must be inventoried (ITAM/CMDB), versioned and integrity-checked; an unmanaged third-party asset becomes a leakage vector for the data it processes.
Cambridge Analytica / Facebook
Personal data collected for one purpose was reused for others, with no legal basis or use limitation. D2/GDPR lesson: the controller must define and bound purpose and means, govern the processor through a processing agreement, and honor use limitation and data minimization.
Hospital medical devices
Connected devices store and transmit PHI/EPHI. Plan: inventory each device (CMDB), categorize its criticality (FIPS 199), encrypt DAR and DIM (TLS/IPSec), apply HIPAA retention, and plan NIST 800-88 sanitization before servicing or disposal.
10-second recap
10-second recap
- Owner decides and stays accountable, Custodian executes, User complies.
- Classification = access; Categorization = impact (NIST 800-60, FIPS 199).
- Data lifecycle: CSUSAD (Create, Store, Use, Share, Archive, Destroy).
- Inventory + CMDB + ITAM (ISO 19770) to govern assets from plan to retire.
- GDPR: controller accountable, processor executes; DPO as compliance interface.
- Scoping removes out-of-scope controls, tailoring adjusts the kept ones from a baseline.
- 3 data states = 3 controls (AES, TLS/IPSec, DLP/scoping); data in use = plaintext, the hardest.
- Increasing sanitization: clearing < purging < destruction (NIST 800-88).
- Destruction: degaussing magnetic-only, physical destruction or crypto-shredding for SSDs.
- DLP prevents leakage (DIM/DAR/DIU), DRM controls IP usage, CASB covers the cloud (4 functions).
Domain quiz
Three levels available. Pick one based on the time you have.
🔒 Sign-up required for quizzes
Exam-style quizzes are members-only (free). Sign in with a magic link or a passkey to practise and save your scores.