CISSP domain 2: Asset security - What you need to know for the Exam [updated 2021]

Fakhar Imam
June 16, 2021 by
Fakhar Imam

What percentage of the CISSP exam material covers asset security?

Asset security falls into the second domain of the CISSP exam and makes up 10% of the questions for this test. Asset security includes the concepts, structures, principles and standards aimed at monitoring and securing assets covering anything that can be important to the organization, such as partners, employees, facilities, equipment and information.

The CISSP certification exam is based on the 2021 objectives tests on topics like the protection of data throughout its lifecycle, from initial creation through destruction, to compliance requirements. It also includes applying appropriate asset retention and addressing end-of-life (EOL) or end-of-support (EOS).

Successful candidates will need to understand the core concepts of asset security and their applications. The following topics are included in this domain, as per theOfficial (ISC)² Guide to the CISSP CBK:” 

  • Data management: maintain and determine ownership
  • Longevity and use: data security, access, sharing and publishing
  • Data standards: data lifecycle control, audit, specification and modeling, storage and arching and database maintenance
  • Ensure appropriate retention: media, personnel and hardware company data retention policies
  • Determine data security controls: data at rest, data in transit, baselines, tailoring and scoping

Earn your CISSP, guaranteed!

Earn your CISSP, guaranteed!

Get live, expert CISSP training from anywhere. Enroll now to claim your Exam Pass Guarantee!

Information classification

The essential metadata items attached to organizations’ valuable information are a classification level. The classification tag remains affixed throughout the asset lifecycle (acquisition, use, archival and disposal). Understanding the appropriate security controls within each lifecycle stage ensures the protection of information. And obviously, the destruction and handling requirements are different for each level.

The organization can choose the proper classification, according to the scope of its operation. The typical levels of commercial business and military data involve: 

  • Public data can be viewed by the general public and, therefore, the disclosure of this data could not cause any damage. For example, the general public can be aware of the organization’s upcoming projects. 
  • Sensitive information needs extraordinary precautions to ensure confidentiality and integrity. For example, sensitive data may include a company's financial information. 
  • Private data may include personal information, such as credit card data and bank accounts. Unauthorized disclosure can be disastrous. 
  • Confidential information is only used within the organization and, in the case of unauthorized disclosure, it could suffer serious consequences. 
  • Unclassified information is not sensitive, such as recruiting information in the military.
  • Secret information, if disclosed, can adversely affect national security, such as the release of military deployment plans. 
  • Top secret information, if disclosed, could cause massive damage to national security, such as the disclosure of spy satellite information. 

Exam tip: the terms “sensitive” and “private” are typically associated with non-governmental organizations (NGOs) and the terms “top secret,” “secret” and “unclassified” are related to government agencies. 

Caution: the classification rule must be applied to data irrespective of its format; it doesn’t matter whether the data is audio, video, fax, digital or paper.

Data ownership

The transit of information must complete its life cycle successfully. The various entities that make the lifecycle successful include the data owners, data custodian, system owner, security administrator, supervisor and user. Each has a unique role in protecting the organization’s assets. 

  • The data owner is a manager who ensures data protection and determines the classification level. It is the person responsible and accountable for a particular set of data as well as a stakeholder in the collection, quality and accessibility of information.
  • The system owner controls the working of the computer that stores data. This involves the software and hardware configurations but also supports services like related clouds. This professional is responsible for the operation and maintenance of systems, their updating and patching as well as related procurement activities.
  • The data custodian is responsible for the protection of data through maintenance activities, backing up and archiving, preventing the loss or corruption and recovering data. 
  • The security administrator is responsible for ensuring the overall security of the entire infrastructure. These professionals perform tasks that lead to the discovery of vulnerabilities, monitor the network traffic and configure tools to protect the network (like firewalls and antivirus software). They also devise security policies, plans for business continuity and disaster recovery and train staff.
  • Supervisors are responsible for overseeing the activities of all the entities above and all support personnel. They ensure the entire team activities are conducted smoothly and that personnel is properly skilled for the tasks assigned.
  • Users have got to comply with rules, mandatory policies, standards and procedures. For instance, the user should not share their account or other confidential information with other colleagues. Users have access to data according to their roles and their need to access certain info. 

Retention policies

Ensuring appropriate asset protection requires that sensitive data, when processed for any purpose, be preserved for a period of not less than what is required for the needs of the business, but also for no longer than necessary. While the regulatory and legal requirements may vary among business communities and countries, every organization must follow some form of data retention policy to reduce the risk of its loss, misuse and disclosure.

Businesses need to safeguard the assets through basic security controls used to enforce various levels of confidentiality, integrity and availability and act per security policies, standards, procedures and guidelines.

Domain two ensures the CISSP candidate can effectively assure the security of business environments by ensuring policies are respected and retained information are safeguarded through proper handling during all stages of its lifecycle.

How to develop a retention policy?

There are three fundamental questions that every retention policy must answer: 

1. How to retain data: the data should be kept in a manner so that it is accessible whenever required. To make this accessibility certain, the organization should consider some issues:

  • The taxonomy is the scheme for data classification. This classification involves various categories, including the functional (human resource and product developments), the organizational (executive and union employee) or any combination of these. 
  • The normalization develops tagging schemes that ensure that the data is searchable. Non-normalized data is kept in various formats such as audio, video, PDF files and more. 

2. How long to retain data: the classical data retention longevity approaches were “the keep everything” camp and “the keep nothing” camp. But in modern times, these approaches are dysfunctional in many circumstances, particularly when an organization encounters a lawsuit. 

Unfortunately, there is no universal pact on data retention policies. Nevertheless, the rules of thumb or general guidelines for data retention longevity are described in table one, which is taken from the Comparitech CISSP Cheat Sheet series that gives typical data retention durations.

3. What data to retain: the data related to business management, third-party dealings or partnership is valuable for any organization.

Protecting privacy

Organizations need to consider both security and privacy in their information systems. In general terms, personal data need to be shared only if and when required to an authorized party. 

Data owners play a vital role in privacy protection as they directly or indirectly decide who has access to particular data.   

Data remnants are still left even after the deletion of data and they could badly threaten privacy. The data deletion operation just marks the memory available for other data without erasing the original data. There are four approaches used to counter data remanence:

  1. Overwriting makes the original data unrecoverable by replacing its memory location with the fixed or random patterns of zeros and ones.
  2. Degaussing removes the magnetic field patterns on tapes or disk drives to return them to their original state with data wiped and unrecoverable.  
  3. Encryption is obvious protection for data. In cryptography, encryption (the process that scrambles readable text) makes the data unusable even after deletion because the key is always attached to data and is only available to the person who has the secret code, or decryption key. 
  4. Shredding is a form of media sanitization that involves the physical destruction of the media.

Data collection limitation is an important way that an organization can protect its personal or sensible information in the first place. Data collection needs to be always limited to the minimum amount of data the company needs to provide services or manage its operations.

Data security controls

Determining data security controls is a very big task for those involved in asset handling requirements. However, the standards, scoping and tailoring are employed to choose the controls used to protect data in three different states: data at rest, data in motion and data in use.

  • Scoping and tailoring: scoping is a process to determine which standard will be used by the organization. The tailoring helps in customizing the standard for organizations.
  • Drive encryption is the control for the protection of data at rest.
  • Secure protocols protect data in motion and transmitted across the network. Table two shows examples of insecure network protocols and their reliable solutions: 


Handling requirements

To protect information throughout its life cycle are handling requirements that include proper marking, handling, storing and destroying of sensitive media under the policies and procedures. 

  • Marking data: this ensures that personnel can easily recognize the data’s value, protect them accordingly and ensure its proper availability, confidentiality and integrity.
  • Handling data: a method to provide the same level of protection for the data during transport as it has when it is stored. Appropriate secure transportation is based obviously on the value and classification of the information being transferred.
  • Storing data: appropriate security needs to be applied to data when stored according to their sensitivity. Encryption, as well as backup options, are ways to ensure the protection of data against loss due to theft or compromise.
  • Destroying data: when data is no longer needed, it should be destroyed in such a way to ensure there is no data remanence left on electronic media.

How is this information useful in the real world?

Asset security is important regardless of industry, type and location for any organizations including: 

  • Business communities 
  • Governmental organizations (law enforcement, military and more) 
  • Non-governmental organizations (NGOs) 

It also assists in resolving cases that include fraudulent activities and sometimes criminal jurisdictions.

Most countries have protections in place for the privacy of their citizens and have promulgated appropriate legislation. Some examples include Canada's Security of Information Act, China's law on guarding state secrets and the United Kingdom's Official Secrets Acts. Data protection has also been addressed thoroughly in Europe through the General Data Protection Regulation (GDPR) and in the United States by data-protection laws such as the California Consumer Privacy Act (CCPA). 

Where should I focus my time studying?

Studying the right material is very important. The official books and material recommended by the (ISC)² to take the CISSP exam, include:

  1. “Official (ISC)² CISSP CBK Reference,” Fifth Edition
  2. Official (ISC)² CISSP Study Guide
  3. Official (ISC)² CISSP practice tests
  4. Official CISSP study and practice tests apps
  5. Official CISSP flashcards 

It is always a good idea to challenge yourself with practice questions and attempt the mock exams to test your current command of the subject.

For a more complete preparation for the test, it is also important to peruse the material offered on the web by reputable training providers. CISSP is a popular certification, and you will be able to find many learning options online to match your learning style and needs.

CISSP domain two training

As you study CISSP domain two, consider the official courseware developed by (ISC)² as well as the study materials and courses from reputable training providers like Infosec, which offers an Exam Pass Guarantee with their live CISSP boot camps. Both are able to deliver the most relevant, up-to-date course content that’s mapped to the exam.

In addition, be sure to check out the free ebook, CISSP exam tips from students and instructors, which collects some of the most common CISSP exam tips and strategies gathered from those who have passed the exam.

Earn your CISSP, guaranteed!

Earn your CISSP, guaranteed!

Get live, expert CISSP training from anywhere. Enroll now to claim your Exam Pass Guarantee!

Understanding domain two to earn your CISSP

Earning a CISSP credential means the candidate has the right knowledge and skills to design, implement and manage an effective cybersecurity program.

To master domain two, exam candidates will need to be familiar with topics that include the basics of protecting privacy, the identification of data roles and the classification and labeling data to apply proper security controls, retention policies and handling requirements.


Fakhar Imam
Fakhar Imam

Fakhar Imam is a professional writer with a master’s program in Masters of Sciences in Information Technology (MIT). To date, he has produced articles on a variety of topics including on Computer Forensics, CISSP, and on various other IT related tasks.