Geek-Guy.com

Domain 2: Asset Security

Exam Weight: 10%

Domain 2 is often considered one of the easier domains, but its importance is massive because it defines what we are protecting. If you don’t classify and inventory your assets correctly, your security controls in the other seven domains will either be overkill (wasting money) or insufficient (leaving gaps).


1. Data Classification

Classification is the process of labeling data so that the appropriate level of protection can be applied.

  • The Goal: To ensure that the cost of protecting the data is proportional to its value.
  • Commercial/Private Labels:
    • Public: No harm if disclosed (e.g., marketing brochures).
    • Sensitive: Internal data that isn’t a secret but shouldn’t be public (e.g., organizational charts).
    • Private: Personal information (PII) like HR records.
    • Confidential: The most sensitive data; high impact if leaked (e.g., trade secrets, source code).
  • Government/Military Labels: Top Secret (Grave damage) > Secret (Serious damage) > Confidential (Damage) > Unclassified.

2. Data Roles & Responsibilities

The exam loves to test the difference between who is accountable and who is responsible.

  • Data Owner (Accountable): Usually a senior manager or executive. They determine the classification of the data and define the Business Need for access.
  • Data Custodian (Responsible): Usually IT or Security staff. They implement the technical controls (backups, encryption, ACLs) mandated by the owner.
  • Data Controller (GDPR focus): The entity that determines the purposes and means of processing personal data.
  • Data Processor (GDPR focus): The entity that processes data on behalf of the controller (e.g., a cloud provider).

3. The Data Lifecycle & States

Data must be protected differently depending on its state.

  • Data States:
    • At Rest: Stored on disk or in cloud storage. Control: AES-256 encryption.
    • In Transit: Moving across a network. Control: TLS 1.3 or a VPN.
    • In Use: Residing in RAM or CPU cache while being processed. Control: Trusted Execution Environments (TEEs) or homomorphic encryption.

4. Media Sanitization & Destruction

When an asset reaches the end of its life, you must ensure no Data Remanence (leftover data) remains.

  • Clearing: Overwriting data with random bits so it can’t be recovered by standard tools (logical protection).
  • Purging: Using stronger methods such as degaussing (a strong magnetic field) to render data unrecoverable even by laboratory techniques.
  • Destruction: The most secure method—physical incineration, shredding, or melting of the media.
  • Crypto-shredding: Deleting the encryption keys to render the encrypted data permanently unreadable (common in cloud environments).
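The following Go program is an added example (not code from Geek-Guy.com) that ties together two of the points above: encrypting data at rest with AES-256 (section 3) and crypto-shredding it by destroying the key (section 4). It assumes a hypothetical in-memory KeyStore standing in for a KMS/HSM; the key ID "tenant-42" and the HR record text are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record models one stored object: ciphertext plus the nonce used for it.
// The data-encryption key is deliberately NOT stored next to the data; it is
// referenced by ID only, which is what makes crypto-shredding possible.
type Record struct {
	Nonce      []byte
	Ciphertext []byte
}

// KeyStore stands in for a KMS (hypothetical, in-memory). Keys are addressed
// by ID so that records can reference a key without containing it.
type KeyStore struct{ keys map[string][]byte }

func NewKeyStore() *KeyStore { return &KeyStore{keys: map[string][]byte{}} }

// GenerateDEK creates a random 256-bit AES key (AES-256) under the given ID.
func (ks *KeyStore) GenerateDEK(id string) error {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	ks.keys[id] = key
	return nil
}

// Shred is crypto-shredding: zero the key bytes, then drop the reference.
// Every ciphertext encrypted under this key is now permanently unreadable.
func (ks *KeyStore) Shred(id string) {
	if k, ok := ks.keys[id]; ok {
		for i := range k {
			k[i] = 0
		}
		delete(ks.keys, id)
	}
}

func (ks *KeyStore) aead(id string) (cipher.AEAD, error) {
	key, ok := ks.keys[id]
	if !ok {
		return nil, errors.New("key " + id + " has been shredded or never existed")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext "at rest" with AES-256-GCM under the key id.
func (ks *KeyStore) Seal(id string, plaintext []byte) (Record, error) {
	g, err := ks.aead(id)
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, g.NonceSize()) // fresh random nonce per object
	if _, err := rand.Read(nonce); err != nil {
		return Record{}, err
	}
	return Record{Nonce: nonce, Ciphertext: g.Seal(nil, nonce, plaintext, nil)}, nil
}

// Open decrypts a record; it fails once the key has been shredded.
func (ks *KeyStore) Open(id string, r Record) ([]byte, error) {
	g, err := ks.aead(id)
	if err != nil {
		return nil, err
	}
	return g.Open(nil, r.Nonce, r.Ciphertext, nil)
}

// Demo: encrypt at rest, read back, shred the key, confirm the read now fails.
func Demo() (before string, shredFailed bool, err error) {
	ks := NewKeyStore()
	if err = ks.GenerateDEK("tenant-42"); err != nil {
		return
	}
	rec, err := ks.Seal("tenant-42", []byte("HR record: constructed sample PII"))
	if err != nil {
		return
	}
	pt, err := ks.Open("tenant-42", rec)
	if err != nil {
		return
	}
	before = string(pt)
	ks.Shred("tenant-42")
	_, openErr := ks.Open("tenant-42", rec)
	shredFailed = openErr != nil
	return
}

func main() {
	before, failed, err := Demo()
	fmt.Printf("decrypted before shred: %q; decrypt failed after shred: %v; err: %v\n", before, failed, err)
}
```

Two caveats worth remembering alongside this: crypto-shredding is only as strong as the key's isolation (copies of the key in backups, logs or escrow defeat it, so the KMS audit trail matters), and the other sanitization methods are media-specific: degaussing works on magnetic media but not on SSDs, and overwriting through the filesystem does not reliably reach every flash cell because of wear levelling, which is one reason crypto-shredding is the preferred approach for cloud and flash storage.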

5. Privacy Protections

As a CISSP, you must understand how to protect PII (Personally Identifiable Information) and PHI (Protected Health Information).

  • Data Minimization: Only collect the data you strictly need for a specific purpose.
  • Anonymization: Removing all identifying links so the data can no longer be traced to an individual.
  • Pseudonymization: Replacing identifiers with aliases (reversible with a key).
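The following Go program is an added example (not code from Geek-Guy.com) contrasting the last two bullets. Pseudonymization is shown as keyed tokenization: identifiers are replaced with HMAC-SHA256 tokens, and the secret key plus a separately held re-identification table let the key holder (and nobody else) link a token back to a person. Anonymization is shown as suppressing the direct identifier and generalizing the quasi-identifiers (age to a band, ZIP to a prefix) so that no reverse path exists. The record fields, the sample key and the sample person are all constructed values.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Record is a constructed row of personal data: one direct identifier (Email)
// and two quasi-identifiers (Age, Zip) beside the sensitive attribute.
type Record struct {
	Email     string
	Age       int
	Zip       string
	Diagnosis string
}

// Pseudonymizer replaces the direct identifier with a keyed HMAC token.
// Tokens are stable, so analysts can still join records on them, but only
// the holder of the key and the vault can map a token back to a person.
type Pseudonymizer struct {
	key   []byte            // kept apart from the pseudonymized dataset
	vault map[string]string // token -> original identifier (re-identification table)
}

func NewPseudonymizer(key []byte) *Pseudonymizer {
	return &Pseudonymizer{key: key, vault: map[string]string{}}
}

// Token derives the pseudonym and records the mapping in the vault.
func (p *Pseudonymizer) Token(id string) string {
	m := hmac.New(sha256.New, p.key)
	m.Write([]byte(id))
	tok := hex.EncodeToString(m.Sum(nil))
	p.vault[tok] = id
	return tok
}

// Reidentify reverses a token; this is what makes pseudonymous data still
// personal data: the link exists, it is just held behind a key.
func (p *Pseudonymizer) Reidentify(tok string) (string, error) {
	id, ok := p.vault[tok]
	if !ok {
		return "", errors.New("token not issued under this key")
	}
	return id, nil
}

// PseudonymizedRecord keeps quasi-identifiers intact; only Email is tokenized.
type PseudonymizedRecord struct {
	Token     string
	Age       int
	Zip       string
	Diagnosis string
}

func (p *Pseudonymizer) Apply(r Record) PseudonymizedRecord {
	return PseudonymizedRecord{Token: p.Token(r.Email), Age: r.Age, Zip: r.Zip, Diagnosis: r.Diagnosis}
}

// AnonymizedRecord drops the identifier entirely and coarsens the rest.
type AnonymizedRecord struct {
	AgeBand   string
	ZipPrefix string
	Diagnosis string
}

// Anonymize suppresses Email and generalizes Age to a 10-year band and Zip
// to its first three digits. There is no key and no vault: nothing to reverse.
func Anonymize(r Record) AnonymizedRecord {
	lo := (r.Age / 10) * 10
	zip := r.Zip
	if len(zip) > 3 {
		zip = zip[:3]
	}
	return AnonymizedRecord{
		AgeBand:   fmt.Sprintf("%d-%d", lo, lo+9),
		ZipPrefix: zip,
		Diagnosis: r.Diagnosis,
	}
}

func main() {
	// Constructed sample key and record.
	p := NewPseudonymizer([]byte("constructed-demo-key-do-not-reuse"))
	rec := Record{Email: "alice@example.com", Age: 34, Zip: "90210", Diagnosis: "constructed"}
	ps := p.Apply(rec)
	orig, err := p.Reidentify(ps.Token)
	fmt.Printf("pseudonymized: %+v\nre-identified: %s (err=%v)\nanonymized: %+v\n", ps, orig, err, Anonymize(rec))
}
```

Design notes: the HMAC key and the vault are the crown jewels here and belong under the controller's control, not with the analysts who receive the tokenized dataset; a different key yields unrelated tokens, so rotating or shredding it severs re-identification. Generalization alone, as in Anonymize, does not guarantee anonymity either: rare combinations of age band, ZIP prefix and diagnosis can still single out a person, which is why real anonymization also checks group sizes (k-anonymity) before release.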