← Back to Resources

Asset Security in CISSP

Domain 2: Essential Insights
for Exam Preparation

Copy Link

Asset security and protection are a fundamental part of cybersecurity, and it's
the second domain of the CISSP exam, which covers approximately 10% of the
questions of the test. It includes the concepts, structures, and controls aimed at
protecting the organization's assets—anything that it's important or valuable.

What is the CISSP domain 2?

The ISC2 CISSP certification exam outline includes topics closely related to data
protection and security controls throughout its lifecycle with compliance
requirements, as seen in domain 2. As per the official ISC2 guide, a security
professional must understand data management, longevity and use, addressing
end-of-life (EOL) or end-of-support (EOS), and determining data security controls.

Why is asset security important?

Asset protection requires security professionals to be vigilant about protecting
assets. A single minor vulnerability can cause a whole system to be exposed to
a potential attack, resulting in loss of funds and data and potentially
compromising the entire company. A good security professional protects their
assets by knowing what they have, classifying them, and protecting them based
on their importance to the organization. If you don't understand its significance,
you won't be able to protect it.

CISSP Domain 2: Asset Security

overview
Asset security is easy to understand but hard to implement, especially for larger
companies with considerable assets to protect. Domain 2 provides an overview
of the steps involved in asset security to address some issues that security
professionals often encounter while implementing them. The following is an
overview of every critical point of CISSP domain 2.

2.1. Identify and classify

information and assets
Asset Classification
Asset classification can be defined as assigning assets the level of protection
they require based on their value to the organization. The protection should
always be found in the asset value, and the owners of the asset are always in
the best position to understand the actual value that the asset represents to the
organization.

Expect to be tested on: Value of asset classification

Classification Process
Data classification ensures that data receive an appropriate level of protection. It
sounds simple, but it's a complex process. It requires the right tools, procedures,
education, and training to be effective. As a result, many organizations struggle
with optimizing their data classification.

Expect to be tested on: Asset classification steps

Classification versus Categorization
Classification by itself is simply a system of classes set up by an organization to
differentiate asset values and, therefore, protection levels. The act of assigning a
classification level to an asset is called categorization. Ideally, all assets should
be categorized into a classification system to allow them to be protected based
on value.

Labeling and Marking

Labeling refers to the classification of the asset and is system readable, whereas
marking refers to the handling instructions of the asset and is human readable. It
should be consistently applied to all assets within an organization.
Expect to be tested on:

Main differences between labeling and marking

Cost-effectiveness of different labeling approaches

2.2 Establish information and

asset handling requirements
Media Handling
Information and handling requirements are other essential elements to consider
when classifying assets. The more valuable the asset, the more controls are
needed to restrict who can handle that asset. Handling requirements are based
on the classification of the asset, not the type of media.

2.3 Provision resources securely

Data Classification Roles and Responsibilities
Data Owner/Controller: the person who directly interacts with the asset
the most and is accountable for the protection of data.
Data Processor: responsible for processing data on behalf of the
owner/controller.
Data Custodian: they hold technical responsibility for data and are
responsible for the custody of systems/databases
Data Steward:they hold business responsibility for data.
Data Subject:individual to whom personal data pertains.
Expect to be tested on:
 The classification process begins with identifying the owners
Owners are ultimately accountable for an asset
Understand different roles and responsibilities
Data Classification Policy
Data classification policy is concerned with managing information to ensure that
sensitive and valuable information is protected and handled accordingly, and
considers laws, regulations, privacy requirements, customer requirements, cost
of creation, operational impact, liability, and reputation.

2.4 Manage data life cycle

Information Life Cycle
The concept of the information life cycle is founded on the principle that proper
controls should be in place at the time of creation and throughout the life cycle.
Data must be protected at each stage:

Data Destruction
Depending upon how data is removed from media, remnants of that data
typically remain. This means that a significant amount of that data may be
recovered by a determined individual. Various methods exist to ensure data
removal, and the focus these days is on what is known as defensible destruction
—or proving that there's no possible way for anyone to recover destroyed data.

Expect to be tested on:

Categories of sanitization
Most effective/secure method of sanitization
The best method for dealing with data remanence in the cloud

2.5 Ensure appropriate asset

retention
Data Archiving
Data archiving is part of the asset life cycle and includes requirements for
protecting archived data. An appropriate retention policy should drive it. Laws,
regulations, industry standards, and similar guidelines can all play a role in
determining retention requirements and how data is archived.

Expect to be tested on:

Considerations related to data archiving

Elements of data archiving policies
2.6 Determine data security
controls and compliance
requirements
Data can be in one of three states at any given time: data at rest, data in transit,
and data in use. The data security controls that protect data may be completely
different depending on which of these states the data is in. It is therefore
important to understand what security controls are required for each state.

Protecting Data at Rest

Data at rest refers to data that is stored somewhere. This section comprises
methods to protect data in transit—encryption, access control, backup, and
restoration.

Expect to be tested on: The best way to protect the confidentiality of data being
migrated to the cloud

Protecting Data in Transit

Data in transit, also sometimes referred to as data in motion, refers to data that is
moving across networks, like an organization's internal network or the internet.
This section comprises methods to protect data in transit—end-to-end
encryption, link encryption, and onion network.

End-to-end encryption: data portion of a packet is encrypted immediately

upon transmission from the source node, and the data remains encrypted
through every node
Link encryption: the packet header and data are encrypted between each
node. Encrypting the packet header hides the routing information of packets
traversing a network. However, unlike with end-to-end encryption, the header
and data are decrypted at each node, so header information and plaintext
content are also available at each node.
Onion Network: a very effective method of protecting data in transit, as it
essentially provides complete confidentiality and anonymity through the use
 of multiple layers of encryption. By providing confidentiality of data as well as
anonymity, an onion network makes it very difficult to determine the sender
and receiver while data is in transit.

Expect to be tested on:

The best way to protect the confidentiality of data being migrated to the
cloud
An onion network provides anonymity and protection of data

Protecting Data in Use

Data in use refers to data that is being used in some type of computational
activity. Ways to protect data in use are through homomorphic encryption, role-
based access control (RBAC), and digital rights protection (DRP) or data loss
prevention (DLP).

Information Obfuscation Methods

Obfuscation is the action of making something obscure, unclear, or unintelligible;
in other words, hiding it. It makes something harder to understand. Security
professionals need to know different obfuscation methods for the CISSP domain
2.

Concealing data: it completely removes access to sensitive data.

Information Pruning/Pruning Data:primarily takes place in nonproduction
environments and involves the removal of sensitive data from attributes.
Fabricating data:creating fake data to replace real data or sensitive data
Trimming dataremoves part of an attribute's value and is typically used for
identification purposes.
Encrypting data:creates ciphertext of a value and can be done at the
attribute, table, or database levels.

Expect to be tested on: Why obfuscation is used

Digital Rights Management (DRM)

DRM protects intellectual property (IP) assets and the rights of asset owners.
Security awareness must take DRM techniques into account and know that it is
the legal basis for protection in the United States through the Digital Millennium
Copyright Act (DMCA).

To achieve these ends, DRM techniques include:

Licensing agreements that restrict access

Encryption
Embedding of digital tags that tie content to specific license holders,
theoretically preventing sharing with others
Use of related technologies that restrict copying or viewing of certain
content

Data Loss Prevention (DLP)

Data loss prevention focuses on identifying, monitoring, and protecting data. It
takes place in three contexts: data in use, data in motion, and data at rest. In
each context, DLP tools attempt to detect and prevent data breaches and
potential data exfiltration.

DLP system can be used to protect:

Data in use
Data in motion
Data at rest

Copyright © 2024 Destination Certification Inc.

Victoria, BC, Canada
All rights reserved.

CISSP® & CCSP® are registered trademarks of ISC2, Inc.

CISSP Company

CISSP MasterClass About Us

Sample Class Videos Contact Us

About the CISSP 1 on 1 Mentoring

CISSP Guidebook

Flashcard App Legal

FREE MindMaps
Privacy Policy
Practice Questions App
Terms of Use
Success Stories

CISSP Mini MasterClass

CCSP

CCSP MasterClass

Flashcard App

Follow Us

Sign up for our Newsletter!