
Asset Security focuses on the protection of information and information assets throughout their lifecycle. As the second domain in the CISSP Common Body of Knowledge (CBK), it ensures that information is handled with the appropriate level of sensitivity and security.
Key Concepts in Asset Security
Asset Security involves classifying, labeling, and handling information assets to ensure confidentiality, integrity, and availability. It also defines ownership responsibilities and control measures throughout the asset’s lifecycle.
Data Classification and Ownership
Proper classification ensures data is protected according to its value, sensitivity, and criticality. Key elements include:
- Data Owner: Responsible for determining classification and access requirements
- Data Custodian: Implements protection mechanisms as directed by the data owner
- Data Users: Follow prescribed procedures for handling data
Common classification levels:
- Public
- Internal/Private
- Confidential
- Restricted/Top Secret
Each level dictates the corresponding handling procedures.
Data Lifecycle
Information must be secured at every phase of its lifecycle:
- Creation: Defining ownership and classification
- Storage: Applying access controls and encryption
- Use: Ensuring secure access and usage
- Sharing: Applying least privilege and need-to-know principles
- Archiving: Retaining data in compliance with policies
- Destruction: Sanitizing or securely deleting data
Failure to secure data at any stage can lead to compromise.
Data Handling Requirements
Security professionals must enforce appropriate controls for data access and handling:
- Labeling: Ensures classification is visible and understood
- Marking: Provides additional context (e.g., “Confidential – Internal Use Only”)
- Storage: Based on classification (e.g., encrypted storage for sensitive data)
- Transmission: Use of secure protocols (e.g., TLS, IPsec)
- Destruction: Deletion (logical) or shredding/degaussing (physical)
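The handling rules above can be checked against an asset inventory. The following is an added example, not part of the original post. The level at which each control becomes mandatory, the record fields, and the sample inventory are assumptions constructed for illustration; unlabeled assets fail closed to the strictest level.

```python
from enum import IntEnum

class Level(IntEnum):
    # Simplified names for the four levels listed earlier
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3

SECURE_PROTOCOLS = {"tls", "ipsec"}          # the two protocols named in the text
PHYSICAL_DESTRUCTION = {"shred", "degauss"}  # the physical methods named in the text

# Assumed policy (constructed): lowest level at which each control is mandatory.
REQUIRED_FROM = {
    "encrypted_at_rest": Level.CONFIDENTIAL,
    "secure_transport": Level.INTERNAL,
    "physical_destruction": Level.CONFIDENTIAL,
}

def parse_label(label):
    """Return (level, was_labeled). Missing or unknown labels fail closed."""
    try:
        return Level[label.strip().upper()], True
    except (AttributeError, KeyError):
        return Level.RESTRICTED, False

def check_asset(asset):
    """Return a list of handling findings for one inventory record."""
    level, labeled = parse_label(asset.get("label"))
    findings = [] if labeled else ["unlabeled: treated as RESTRICTED"]
    observed = {
        "encrypted_at_rest": bool(asset.get("encrypted")),
        "secure_transport": str(asset.get("protocol", "")).lower() in SECURE_PROTOCOLS,
        "physical_destruction": asset.get("disposal") in PHYSICAL_DESTRUCTION,
    }
    for control, min_level in REQUIRED_FROM.items():
        if level >= min_level and not observed[control]:
            findings.append(f"missing {control} (required at {min_level.name}+)")
    return findings

# Constructed sample inventory (hypothetical assets and field names)
INVENTORY = [
    {"name": "press-kit", "label": "Public", "encrypted": False, "protocol": "http", "disposal": "delete"},
    {"name": "hr-records", "label": "Confidential", "encrypted": True, "protocol": "ftp", "disposal": "shred"},
    {"name": "old-backup-tape", "label": None, "encrypted": False, "protocol": "tls", "disposal": "delete"},
]

def audit(inventory):
    return {a["name"]: check_asset(a) for a in inventory}

if __name__ == "__main__":
    for name, findings in audit(INVENTORY).items():
        print(name, "OK" if not findings else findings)
```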
Privacy Protection
Protecting personally identifiable information (PII) is a critical aspect:
- Understand PII, SPI, and regional laws (e.g., GDPR, CCPA)
- Apply data minimization, purpose limitation, and consent management
- Implement data subject rights: access, correction, erasure
Privacy isn't just compliance—it's a trust enabler.
Media Security
Media (e.g., USBs, HDDs, backup tapes) must be controlled to avoid data leakage:
- Inventory tracking
- Access controls
- Secure transport
- Wiping and destruction protocols
Media mismanagement is a leading source of data breaches.
Preparing for the CISSP Exam
When studying Domain 2 for the CISSP exam, focus on:
- Understanding data classification schemes and ownership roles
- Knowing how data should be handled and protected throughout its lifecycle
- Learning privacy principles and regional data protection laws
- Identifying secure destruction and sanitization methods
Pro Tip: Use visual aids to memorize the data lifecycle and classification levels.
Study Questions
Test your knowledge with these sample questions:
- What is the difference between a data owner and a data custodian?
- List the six phases of the data lifecycle and key security concerns for each.
- What methods are used for secure data destruction?
- How does data classification impact storage and transmission requirements?
Conclusion
Domain 2 emphasizes the importance of protecting information assets through structured classification, proper handling, and lifecycle security. Mastering this domain reinforces the operational security posture of any organization and is vital for CISSP success.
Stay tuned for our next post, where we'll dive into Domain 3: Security Architecture and Engineering.