CISSP Mastery

CISSP Mastery · Module 2 / 8

Domain 2: Asset Security

From classification to destruction — know your data. Domain 2 frames ownership, privacy, and lifecycle controls so every other domain can safely build on top of the right assets.


Exam weight: 10% · Core lens: Data · Domain focus: 2 / 8 · Privacy: GDPR · CCPA · HIPAA

What Domain 2 is really about

Asset Security is where the CISSP forces you to speak the language of data. Before a control can be picked, you must know: who owns the data, how sensitive it is, where it lives, and how long it is allowed to live there.

Domain 2 sits between the governance mindset of Domain 1 and the access control mechanics of Domain 5. Get the data layer right and every downstream control stacks cleanly on top of it.

  • Data-centric thinking

    Security starts at the data layer. Classification, labeling, and handling standards drive every downstream control (IAM, crypto, operations, disposal).

  • Ownership & accountability

    CISSP loves role clarity. Data Owner (business) approves classification; Data Custodian (IT) enforces controls; users consume within the boundaries set by both.

  • Privacy as a first-class citizen

    GDPR, CCPA, HIPAA, PIPEDA, LGPD — every privacy regime maps to the same vocabulary: lawful basis, purpose limitation, minimization, retention, subject rights.

  • Lifecycle, not snapshot

    Assets are managed from create → store → use → share → archive → destroy. The exam tests lifecycle phases the way it tests the CIA triad in Domain 1.

Data classification

Classification, labeling & ownership

Classification is a business decision anchored in impact. The higher the potential harm if compromised, the stronger the required controls and the tighter the handling rules.

  • Classification levels

    Public / Internal / Confidential / Restricted (commercial) — Unclassified / Confidential / Secret / Top Secret (government). Pick the tier that matches the impact of disclosure, tampering or loss.

  • Data Owner vs Data Custodian

    Owner (business) assigns classification and approves access. Custodian (IT) enforces technical controls — backup, encryption, patching, integrity checks, recovery.

  • Labeling & handling

    Labels (visual, metadata, watermarks) drive handling standards: who can read, print, export, share externally, and under what encryption and retention rules.

  • Asset inventory

    You cannot protect what you cannot see. Maintain a living inventory of data, systems, and media — the baseline for classification, DLP, and incident response.

Privacy & personal data

GDPR, CCPA, HIPAA & the global privacy stack

Privacy regulations share DNA: lawful basis for processing, data minimization, purpose limitation, transparency, individual rights, and breach notification obligations.

  • GDPR (EU)

    Six lawful bases of processing, DPIA for high-risk processing, 72-hour breach notification, rights of access/erasure/portability, DPO requirement for specific activities.

  • CCPA / CPRA (California)

    Rights to know, delete, correct, opt-out of sale/share. Sensitive Personal Information (SPI) category with extra restrictions, and a dedicated California Privacy Protection Agency.

  • HIPAA (US healthcare)

    Privacy Rule + Security Rule protect PHI. Covered entities and business associates must enforce administrative, physical, and technical safeguards with signed BAAs.

  • Controller vs Processor

    Controller decides the purpose and means. Processor acts on documented instructions. The CISSP expects you to map responsibilities, contracts (DPA/BAA), and sub-processors.

Data lifecycle

From creation to destruction

The data lifecycle is the exam’s favorite mental model for Domain 2. Every control you select should be mapped to the lifecycle phase it protects.

  • Create & classify

    At creation, apply classification, labels, and ownership. No orphan data — every new object has a tier and an owner of record.

  • Store & protect

    Match storage to classification: encryption at rest, key management (HSM/KMS), access reviews, DLP, and geographic/residency constraints when regulated.

  • Use & share

    At rest / in transit / in use — three states, three control sets. TLS, VPN, tokenization, masking, and confidential computing keep data protected in flight and during processing.

  • Archive & retire

    Retention aligned with legal, contractual, and business requirements. Legal holds override routine deletion schedules until the matter is resolved.

Retention & secure disposal

Keep the right data, destroy the rest — provably

Over-retention is a liability. Under-retention is non-compliance. Build a defensible policy, enforce it automatically, and prove destruction when the retention window ends.

  • Retention policy

    Anchor retention in legal, regulatory, and business drivers. Document the rationale, approval chain, and trigger events for destruction or archival transition.

  • Data remanence

    Deleted ≠ gone. Plan against remanence: use cryptographic erasure, degaussing (magnetic), overwriting (multiple passes), or physical destruction (shred/incinerate) per media type.

  • Certificates of destruction

    When a third party destroys media, require a signed certificate of destruction. Keep it as audit evidence tied to the asset inventory entry.

  • Backups & archives

    Apply the same classification, encryption, and retention logic to backups and archives. They are not a loophole — regulators treat them as live copies.

Deep dive

Processes — expand to master

Each process below is laid out as a numbered step-by-step flow. Use the numbered order as a memory anchor on the exam.

The data classification workflow

A repeatable 5-step flow owners use to classify new datasets and keep labels accurate over time.

  1. Identify the data

    Catalog the dataset, its source system, and the business process it supports.

  2. Assess impact

    Evaluate impact of disclosure, tampering, and loss on people, finances, operations, and reputation.

  3. Assign classification

    Map impact to your classification scheme (e.g., Public / Internal / Confidential / Restricted).

  4. Apply controls

    Deploy handling standards: labels, encryption, access, DLP, backup, retention — aligned to the tier.

  5. Review & re-classify

    Re-classify on trigger events: merger, new regulation, system migration, or data sensitivity change.

GDPR Article 6 — lawful bases of processing

Every GDPR processing activity must stand on at least one of these six legs. Memorize them cold.

  1. Consent

    Freely given, specific, informed, unambiguous — revocable at any time.

  2. Contract

    Processing necessary for a contract with, or at the request of, the data subject.

  3. Legal obligation

    Required by EU or Member State law binding the controller.

  4. Vital interests

    Protect life or physical integrity of the subject or another person.

  5. Public task

    Performance of a task in the public interest or official authority.

  6. Legitimate interests

    Controller’s or third party’s interests — balanced against subject rights (LIA required).

Secure data destruction — choose the right method

One method does not fit all media. Match technique to media type and classification.

  1. Overwriting

    Multiple passes (e.g., 3–7) on magnetic disks. Cheap and reusable but unsuitable for damaged drives.

  2. Degaussing

    Magnetic field wipe for tapes and magnetic HDDs. Not effective on SSDs or optical media.

  3. Cryptographic erasure

    Destroy the encryption key so ciphertext becomes unrecoverable. Ideal for cloud & SSDs with built-in encryption.

  4. Physical destruction

    Shred, pulverize, or incinerate. The default for Top Secret / Restricted or end-of-life media you cannot re-use.
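As an added example (not part of this course's material), the following Python sketch turns the retention rules from the "Retention & secure disposal" section and the method choices from this destruction list into one decision function: retention expiry is checked first, a legal hold overrides routine deletion, backups are evaluated exactly like live copies, and the sanitisation method is chosen by classification tier and media type. The media labels, tier names, dates and inventory entries are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
# Sanitisation technique per media type, following the page's guidance: overwriting
# and degaussing only for magnetic media, cryptographic erasure where the media is
# natively encrypted. Media labels are constructed; unknown media is rejected.
DESTRUCTION_METHODS = {
    "magnetic_hdd": "overwrite",
    "tape": "degauss",
    "ssd_encrypted": "crypto_erase",
    "cloud_encrypted": "crypto_erase",
}
TOP_TIERS = {"Restricted", "Top Secret"}  # always physically destroyed

@dataclass
class Asset:
    asset_id: str
    classification: str
    media: str
    created: date
    retention_days: int
    legal_hold: bool = False
    is_backup: bool = False  # present only to show backups get no special path

def disposition(asset: Asset, today: date):
    """Return ('retain', None), ('hold', None) or ('destroy', method)."""
    expiry = asset.created + timedelta(days=asset.retention_days)
    if today < expiry:
        return ("retain", None)
    # A legal hold overrides the routine schedule until the matter is resolved.
    if asset.legal_hold:
        return ("hold", None)
    if asset.classification in TOP_TIERS:
        return ("destroy", "physical")
    method = DESTRUCTION_METHODS.get(asset.media)
    if method is None:  # unknown media must not be silently skipped
        raise ValueError(f"no approved sanitisation method for {asset.media!r}")
    return ("destroy", method)

def plan(inventory, today: date):  # backups are evaluated exactly like live copies
    return {a.asset_id: disposition(a, today) for a in inventory}

# Constructed sample inventory (not real assets); evaluation date is constructed too.
INVENTORY = [
    Asset("A1", "Confidential", "magnetic_hdd", date(2018, 1, 1), 365 * 5),
    Asset("A2", "Confidential", "magnetic_hdd", date(2018, 1, 1), 365 * 5, legal_hold=True),
    Asset("A3", "Restricted", "ssd_encrypted", date(2019, 6, 1), 365 * 3),
    Asset("A4", "Internal", "cloud_encrypted", date(2019, 6, 1), 365 * 3, is_backup=True),
    Asset("A5", "Internal", "tape", date(2025, 1, 1), 365 * 7),
]
TODAY = date(2025, 6, 1)
```

Running `plan(INVENTORY, TODAY)` shows the held asset untouched, the Restricted SSD routed to physical destruction despite being natively encrypted, and the backup copy destroyed on the same schedule as the live data.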

Exam-grade takeaways

Expert insights & pro tips

Short, high-signal anchors — same bar as Domain 1 callouts.

Exam cue

Always classify before you control

If a question gives you a mixed scenario, your FIRST step is always classify the data. Controls, encryption, or access models come after you know the tier.

Pro tip

Owner decides, custodian enforces

Watch the verbs. “Approve classification” → Data Owner. “Implement backup encryption” → Data Custodian. The exam loves this distinction.

Trap

Backups are still regulated data

A common trap: candidates exclude backups from retention, privacy, or destruction obligations. Regulators do not. Treat backups as live copies with the same rules.

Concept map

Data lifecycle — conceptual diagram

Create → Store → Use → Share → Archive → Destroy. Every Domain 2 control (classification, encryption, DLP, retention, sanitisation) maps to one of these six phases:

  1. Create: captured / authored
  2. Store: at rest · classified
  3. Use: in transit · processed
  4. Share: granted · need-to-know
  5. Archive: cold · WORM · retention
  6. Destroy: sanitised · purged · provable

Quick check

Domain 2 quiz

One question at a time — instant feedback. Pair it with the diagrams and Pro-Tip callouts above.


1. What is the PRIMARY purpose of an enterprise data retention schedule?

Ready for Domain 3?

Module 2 covers classification, ownership, and the data lifecycle — the foundation every later domain builds on. Review the diagrams, finish the quick check, then continue through the remaining domains. All eight modules are free to study; the Final Mock Exam adds randomized questions and diagnostics when you are ready.