CISSP Domain 2 Asset Security
CISSP Domain 2 Asset Security
Domain Overview
Objective: Understand the classification, ownership,
protection, retention, and handling of organizational
information and assets.
Asset Security focuses on:
o Protecting assets by understanding their value and
ensuring their confidentiality, integrity, and
availability.
o Proper management of data lifecycle: creation,
storage, usage, archiving, and disposal.
Key Concepts
1. Data Classification
Purpose: Helps prioritize and allocate security resources to
protect assets appropriately.
Levels of Classification (Example for both public and
private sectors):
o Government: Top Secret, Secret, Confidential,
Unclassified.
o Commercial: Confidential, Proprietary, Sensitive,
Public.
Steps in Classification:
1. Identify assets.
2. Assign ownership.
3. Define classification levels.
4. Classify assets based on criteria (e.g., sensitivity,
value, impact of compromise).
5. Communicate classification to users.
2. Ownership Roles
Data Owner:
o Responsible for determining the classification of
information and ensuring its protection.
o Defines access policies and reviews them
periodically.
Data Custodian:
o Implements and manages security controls to protect
assets (e.g., backups, permissions).
Data User:
o Accesses and uses data following security policies
and guidelines.
Security Administrator:
o Ensures the implementation of the security controls
and monitors compliance.
3. Data Lifecycle
The lifecycle of data typically includes:
1. Creation:
o Data is generated or acquired.
o Apply classification immediately after creation.
2. Storage:
o Protect data with appropriate security controls
(encryption, physical security).
o Define retention policies.
3. Usage:
o Limit access to authorized personnel only.
o Monitor data usage to prevent unauthorized
activities.
4. Sharing/Distribution:
o Use secure transmission methods (e.g., TLS, VPNs).
o Ensure compliance with legal and regulatory
requirements.
5. Archiving:
o Move infrequently accessed data to secure storage.
o Retain according to policy and compliance mandates.
6. Disposal:
o Use secure methods like shredding, degaussing, or
digital wiping.
o Ensure proper documentation and verification of
disposal.
4. Retention Policies
Purpose: Ensure data is retained as long as necessary for
legal, operational, or compliance reasons.
Factors influencing retention:
o Legal and regulatory requirements.
o Business needs.
o Data sensitivity.
6. Privacy Protection
Ensure compliance with privacy laws such as:
o GDPR (General Data Protection Regulation).
o HIPAA (Health Insurance Portability and
Accountability Act).
o CCPA (California Consumer Privacy Act).
Implement principles like:
o Data minimization: Only collect what’s necessary.
o Purpose limitation: Use data only for its intended
purpose.
o Consent: Obtain explicit user consent where required.
Best Practices
1. Labeling and Marking:
o Clearly mark data with its classification level.
o Train staff to recognize and handle labeled data.
2. Training and Awareness:
o Educate users on the importance of data security.
o Conduct regular compliance and security training.
3. Policy Enforcement:
o Create and enforce policies for access, storage, and
disposal of assets.
4. Regular Audits:
o Conduct periodic assessments of data classification,
protection mechanisms, and access controls.
Exam Tips
Focus on understanding roles and responsibilities (e.g.,
owner, custodian).
Know the steps of data lifecycle management and
associated controls.
Understand the difference between data masking and
tokenization.
Be familiar with legal requirements for data protection in
various jurisdictions.
2. Privacy Protection
3. Information Retention
5. Data Lifecycle
2. Data Protection
Retention and Destruction
o Follow data retention policies based on business,
legal, and regulatory requirements.
o Proper disposal techniques include:
Physical Destruction: Shredding, degaussing,
or pulverizing.
Digital Erasure: Overwriting, cryptographic
erasure.
Data Encryption
o Ensure encryption is applied based on data
sensitivity.
o Examples:
Data at Rest: Full disk encryption, database
encryption.
Data in Transit: TLS, IPsec, VPNs.
Privacy Protection
o Implement measures for compliance with privacy
laws (e.g., GDPR, CCPA).
o Use anonymization, pseudonymization, and masking
techniques.
5. Asset Lifecycle
Lifecycle Stages
1. Acquisition: Determine the purpose and security
requirements of the asset.
2. Deployment: Implement and configure the asset
securely.
3. Use: Ensure proper handling, access, and security
during operational use.
4. Maintenance: Apply updates, patches, and audits.
5. Disposition: Retire or dispose of assets securely.
Key Takeaways:
Asset Classification and Protection: Properly classify
and label assets based on sensitivity and importance,
implementing necessary security measures to protect
them.
Ownership and Accountability: Clear ownership and
accountability of assets help ensure that security
measures are applied correctly.
Compliance and Legal Considerations: Ensure
compliance with relevant privacy and security laws, and
have a solid understanding of data retention and disposal
requirements.
Data Integrity and Confidentiality: Protect data
integrity and confidentiality through encryption, access
controls, and data handling procedures.
2. Privacy Protection
5. Data Encryption
9. Data Integrity
Scenario-Based Question
16. Scenario:
A company stores customer data in a database. This
database is accessed by multiple departments, each
requiring different levels of access. What approach should
the company take to secure the data?
o A. Implement a single sign-on (SSO) solution for
access
o B. Use role-based access control (RBAC) to restrict
access
o C. Encrypt all data with a public key
o D. Use multi-factor authentication for all employees
Answer: B
True/False Questions
6. Encryption is a required control for data in use.
Answer: False