CISSP-2.1-Domain8-v3

Scene 1 (0s)

[Audio] This is Domain 2, Chapter 2.1 - asset classification. The whole point of Domain 2 is simple: figure out how sensitive your data is, then protect it at a level that matches its value - no more, no less.

Scene 2 (18s)

[Audio] By the end you'll know how to classify data, who owns and maintains it, the states and lifecycle data moves through, and how to retain and securely dispose of it.

Scene 3 (1m 2s)

[Audio] Classification means assigning a sensitivity level to data based on the impact if it were disclosed - its value, sensitivity, criticality, and any legal or regulatory requirements. The goal is to match protection to value: over-protecting wastes money, under-protecting invites a breach.

Scene 4 (1m 45s)

[Audio] There are two common schemes. Governments use Top Secret, Secret, Confidential, and Unclassified. Commercial organizations use labels like Confidential, Private, Sensitive, and Public. Either way, the higher the level, the stricter the handling.

Scene 5 (2m 8s)

[Audio] Know the roles. The data owner - usually a senior business leader - classifies the data and is accountable for it. The custodian implements and maintains the controls. The steward looks after data quality and appropriate use. And the processor acts only on the owner's or controller's instructions. Remember: the owner classifies, not IT.

Scene 6 (2m 45s)

[Audio] Protect data in all three states - at rest, in transit, and in use. And manage it across its whole lifecycle - create, store, use, share, archive, and finally destroy. Security applies at every stage, not just storage.

Scene 7 (3m 19s)

[Audio] Mark and label media at the highest classification it contains, and apply stricter handling as the level rises. Retain data only as long as legal and business needs require - not forever, which only increases risk and cost.

Scene 8 (3m 52s)

[Audio] When you dispose of data, remember data remanence - deleting a file doesn't truly remove it. Sanitize by the right method: clearing, purging, or destruction. Match the method to the media - degauss magnetic drives, cryptographically erase SSDs, and physically destroy media for the highest assurance.

Scene 9 (4m 25s)

[Audio] Three traps. The data owner classifies data - not the custodian or IT. Classify by the impact of disclosure - not by where it's stored or its file format. And deletion is not destruction - because of remanence, you must purge or destroy to be sure.

Scene 10 (4m 56s)

[Audio] Recap. Classify data by the impact of disclosure. Government and commercial schemes set the levels. The owner classifies; the custodian protects. Protect data at rest, in transit, and in use, across its lifecycle. Retain per requirements and dispose securely - deletion isn't destruction. Now practice the Domain 2 questions in Domain8.