Asset lifecycle concepts have changed a bit in the 2021 common body of knowledge (CBK). The general asset/data lifecycle still applies below:

  • Identify/classify – this is where the information is created or collected, and both value and ownership are determined here.
  • Secure – the information is now secured based on its value/classification, typically articulated as baselines.
  • Monitor – the value of the asset should be monitored for changes, as this will have an impact on protection levels that are applied.
  • Recover – you need the ability to restore the asset after loss or corruption, and that capability has to keep pace as the asset’s value and protection level change. Typically this means backups, redundancy, and restoration activities.
  • Dispose – disposal can happen in two ways:
    • Archive – long term storage; retention periods apply, and the owner determines them.
    • Defensible Destruction – eliminating and destroying in a controlled, compliant, and legal method.  Entities should have policies for this.

Categorization is the process of assigning an impact level, such as high, medium, or low, to the asset. The category indicates the level of impact if the asset’s confidentiality, integrity, or availability is lost.

Note: the difference between classification and categorization is that classification indicates value, and categorization indicates impact.  Both will drive the security requirements.

There are some new “lifecycles” to be familiar with in the 2021 CBK as outlined below.

IT asset management lifecycle – the mnemonic is “PAADMR” (bear with me, I’ll explain). Try to think of this “lifecycle” as a process instead, because it’ll be easier to differentiate it from the other “lifecycles” presented here.

Planning is where you would identify the assets, put a value on them, and put them in the inventory.

Assigning the security needs – this is where you classify and categorize the assets. This step likely includes assigning the protection levels or baselines, if they exist.

Acquiring the asset(s), whether that’s internally creating the software or purchasing the hardware.   

Deployment refers to deploying the assets and conducting training for all levels of users and support functions.

Managing refers to the ongoing and continuous security assessment of the assets.  This step includes backup and recovery activities.

Retiring – obviously this step includes disposal.

As you can see, the acronym is “PAADMR”. So imagine yourself being the manager of a massive party pad/mansion. You’re effectively the “Pad Manager”, or PAADMR. This is the place you’ll host your party when you pass the exam. Be sure to invite us!

Now on to the Data Security Lifecycle. This concept was rebranded and moved from Domain 7, so you may recognize it:

  1. Create – refers to the creation or collection of the data. This is also where we classify and value the data, and, reading between the lines, where we assign security requirements without implementing them just yet.
  2. Store – where to put the data as it is created/collected. This is where we apply the protection levels (note: applying protections is different from assigning them). ISC2 says the storage step is often done at the same time as the creation step.
  3. Use – processing the data; using it internally. Data is typically unencrypted while “in process”.
  4. Share – sending the data outside to third parties; includes selling, publishing, data exchange agreements, etc. The CBK talks about having a digital rights management (DRM) solution in place to control the flow of data, and a data loss prevention (DLP) solution in place to detect information leakage.
  5. Archive – long term storage, i.e., when the data is no longer regularly used and leaves active use. This is where the age of the storage technology comes into play, along with end of life (EOL) and end of support (EOS) dates, which need to be considered in terms of the data’s continued availability. As always, protection levels at this phase depend on classification.
  6. Destruction – permanent destruction of the data. The method of disposal depends on the data’s classification.

Data Classification and Categorization Policy

Data owners should follow these key guidelines when classifying and categorizing data:

  • Classification & Categorization: Define security levels based on protection needs and establish rules for reviewing or changing classifications throughout the data lifecycle.
  • Data Access: Specify who can access data and to what extent. For example:
    • Accounting clerks can view all accounts payable/receivable but cannot add accounts.
    • Employees can see colleagues’ names, departments, and managers, but only HR and managers can access pay grades, addresses, and contact details. HR managers alone can update sensitive employee data like Social Security numbers.
  • Data Security: Determine if data is restricted by default. For instance, access is typically denied to all users unless explicitly granted.
  • Data Retention: Ensure compliance with industry regulations on data storage durations based on legal and business needs.
  • Data Disposal: Classification affects disposal methods:
    • Printed data: May require crosscut shredding.
    • Digital data: Must be securely erased to prevent residual data from being recovered.
  • Data Encryption: Decide if encryption is necessary, often due to legal or contractual obligations (e.g., PCI DSS for credit card data).
  • Appropriate Data Use: Define whether data is:
    • Internal-use only
    • Restricted to certain roles
    • Publicly accessible
    • Subject to legal restrictions

Data Sensitivity Levels

Sensitivity labels indicate potential harm if data is compromised:

  • Highly Restricted: Exposure could threaten the organization’s survival, cause legal issues, or endanger lives.
  • Moderately Restricted: Could impact competitive advantage, revenue, or business operations.
  • Low Sensitivity (Internal Use Only): Could cause minor disruptions.
  • Public Data: Already published; no harm in disclosure.

Data Categorization Labels

These labels describe security requirements based on the data’s nature:

  • Human Safety Critical: Compromise could endanger lives.
  • Property Safety Critical: Could lead to equipment or property damage.
  • PII Critical: Includes personally identifiable information (PII).
  • Private Data: Restricted by internal agreements or contracts.
  • Proprietary Data: Covers business processes, logic, and decision-making.
  • Compliance Data: Subject to legal, regulatory, or contractual protections (e.g., HIPAA, FERPA).
  • Time-Critical Data: Delays or breaches could disrupt business operations.

Data can have multiple labels, such as “Highly Restricted, HIPAA, Human Safety Critical.” Clear classification ensures compliance and protects the organization from risks.

A data classification policy defines the data classifications, who can access the data, how it should be used, how it is secured, retention periods, and methods of disposal.
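To make the policy guidelines above concrete (the access examples, default-deny, classification-driven disposal and encryption, and the sensitivity and categorization labels), here is an added example of a small label-driven policy engine. It is not from the study notes or ISC2; the sensitivity ranks, role hierarchy, field names, and thresholds are illustrative assumptions, not a prescribed scheme.

```python
"""Added example (not from the study notes or ISC2): a small label-driven
policy engine. Sensitivity ranks, role names, field names and thresholds are
illustrative assumptions, not a prescribed scheme."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

# Sensitivity levels in increasing order of harm if compromised.
SENSITIVITY_RANK: Dict[str, int] = {
    "Public": 0,
    "Internal Use Only": 1,
    "Moderately Restricted": 2,
    "Highly Restricted": 3,
}

# Categorization labels that carry a legal/contractual protection obligation (assumption).
COMPLIANCE_CATEGORIES: Set[str] = {"PCI DSS", "HIPAA", "FERPA"}


@dataclass(frozen=True)
class DataLabel:
    """One sensitivity level plus zero or more categorization labels."""
    sensitivity: str
    categories: FrozenSet[str] = frozenset()


def handling_requirements(label: DataLabel) -> Dict[str, object]:
    """Derive concrete handling controls from a label (illustrative rules)."""
    if label.sensitivity not in SENSITIVITY_RANK:
        raise ValueError(f"unknown sensitivity level: {label.sensitivity!r}")
    rank = SENSITIVITY_RANK[label.sensitivity]
    compliance: List[str] = sorted(COMPLIANCE_CATEGORIES & label.categories)
    return {
        # Encrypt when restricted, regulated, or PII (assumed thresholds).
        "encrypt": rank >= 2 or bool(compliance) or "PII Critical" in label.categories,
        # Public data needs no special disposal; everything else is destroyed.
        "disposal_printed": "recycle" if rank == 0 else "crosscut shred",
        "disposal_digital": "delete" if rank == 0 else "secure erase",
        # Regulated data is retained per the regulation, otherwise per business need.
        "retention_driver": compliance or ["business need"],
        # Anything above Public needs an agreement before it goes to a third party.
        "external_share_needs_agreement": rank > 0,
    }


# Role hierarchy: a role inherits every grant of the roles it lists (assumption).
ROLE_PARENTS: Dict[str, Set[str]] = {
    "employee": set(),
    "accounting_clerk": {"employee"},
    "manager": {"employee"},
    "hr": {"employee"},
    "hr_manager": {"hr", "manager"},
}

# Explicit grants as (role, resource, action). Anything absent is denied.
GRANTS: Set[Tuple[str, str, str]] = {
    ("accounting_clerk", "accounts_payable", "view"),
    ("accounting_clerk", "accounts_receivable", "view"),
    ("employee", "employee.name", "view"),
    ("employee", "employee.department", "view"),
    ("employee", "employee.manager", "view"),
    ("hr", "employee.pay_grade", "view"),
    ("hr", "employee.address", "view"),
    ("hr", "employee.contact", "view"),
    ("manager", "employee.pay_grade", "view"),
    ("manager", "employee.address", "view"),
    ("manager", "employee.contact", "view"),
    ("hr_manager", "employee.ssn", "update"),
}


def effective_roles(role: str) -> Set[str]:
    """Expand a role into itself plus all ancestor roles (unknown role -> none)."""
    roles: Set[str] = set()
    todo = [role] if role in ROLE_PARENTS else []
    while todo:
        current = todo.pop()
        if current not in roles:
            roles.add(current)
            todo.extend(ROLE_PARENTS.get(current, ()))
    return roles


def is_allowed(role: str, resource: str, action: str) -> bool:
    """Default deny: allow only if some effective role holds an explicit grant."""
    return any((r, resource, action) in GRANTS for r in effective_roles(role))
```

The two halves map onto the policy: `handling_requirements` is the "classification drives controls" part (encryption, disposal method, retention driver, sharing), and `is_allowed` is the "data access" part. Note that the access check never consults a deny list; an unknown role, resource, or action simply finds no grant and is refused, which is what "denied unless explicitly granted" means in code.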

Some basic steps in creating a Record Retention Policy are as follows:

  1. Understand business needs and regulatory requirements
  2. Classify assets or records
  3. Establish retention periods and destruction methods
  4. Draft the policy
  5. Develop training, education, and awareness that discusses the policy
  6. Audit the policy and procedures
  7. Review the policy and procedures regularly
  8. Document the implementation and audit results

Data Loss Prevention (DLP)

Data Loss Prevention (DLP) refers to security measures organizations use to protect sensitive data and ensure compliance with policies and regulations. It helps prevent unauthorized access, sharing, or leakage of both structured and unstructured data.

DLP technology typically includes:

  • Data Discovery & Classification – Automatically identifies and labels data based on categories (e.g., confidential, financial, public).
  • Monitoring – Tracks how data is used, stored, or shared across networks, storage systems, and endpoints. It detects potential violations and alerts administrators.
  • Enforcement – Applies security policies to prevent unauthorized data access, transfer, or loss. Actions may include alerts, blocking transfers, or encryption.

DLP Deployment Models

  1. Data in Motion (DIM) – Monitors and protects data traveling across networks, such as emails and web traffic.
  2. Data at Rest (DAR) – Secures stored data on servers, databases, or cloud storage.
  3. Data in Use (DIU) – Protects data actively being used on devices, such as laptops or workstations.

DLP solutions must integrate with encryption tools: content inspection only works on data the DLP system can actually read, so files or traffic encrypted outside its view are invisible to it. They must also avoid disrupting normal business processes. If misconfigured, they block legitimate activity (false positives), so detection rules need to be validated rather than just pattern-matched. When properly implemented, DLP is a powerful defense against insider threats and data breaches.
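The three DLP functions above (discovery and classification, monitoring, enforcement) and the three deployment models are easiest to see in code. The following is an added example, not from the study notes or any DLP product: it inspects a message for credit card numbers (validated with the Luhn check, so ticket numbers and other digit runs are not flagged) and US Social Security numbers, labels the content, and maps a finding to an enforcement action per channel. The regexes, channel names, action mapping, and sample messages are constructed assumptions.

```python
"""Added example (not from the study notes or a DLP vendor): content inspection
that discovers regulated data in a message, labels it, and maps the finding to
an enforcement action per channel. Patterns, channels and actions are assumptions."""
import re
from typing import Dict, List

# 13-19 digits, optionally separated by single spaces or dashes (typical PAN lengths).
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
# US SSN with the structurally invalid area/group/serial values excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test; filters out ticket numbers and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_cards(text: str) -> List[str]:
    """Return normalized PANs that pass Luhn; a raw digit run alone is not enough."""
    found = []
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def inspect(text: str) -> Dict[str, object]:
    """Discovery & classification step: detect regulated content and label it."""
    cards = find_cards(text)
    ssns = SSN_RE.findall(text)
    labels = []
    if cards:
        labels.append("PCI DSS")
    if ssns:
        labels.append("PII Critical")
    return {"labels": labels, "cards": cards, "ssns": ssns}


# Enforcement per channel when regulated content is found (assumed policy):
# block data in motion leaving the org, encrypt data at rest, alert on data in use.
ACTIONS: Dict[str, str] = {
    "email_external": "block",
    "file_share": "encrypt",
    "endpoint_clipboard": "alert",
}


def enforce(channel: str, text: str) -> str:
    """Enforcement step: 'allow' clean content, otherwise the channel's action."""
    if not inspect(text)["labels"]:
        return "allow"
    return ACTIONS.get(channel, "alert")   # unknown channel: alert, never silently pass


# Constructed sample messages (not real data; 4111... is a public test PAN).
SAMPLES = [
    ("email_external", "Invoice paid with card 4111 1111 1111 1111, thanks"),
    ("email_external", "Ticket 1234567890123 is still open"),
    ("file_share", "New hire SSN 078-05-1120, please onboard"),
    ("endpoint_clipboard", "Lunch at noon?"),
]

if __name__ == "__main__":
    for channel, text in SAMPLES:
        print(f"{channel:18} {enforce(channel, text):7} {inspect(text)['labels']}")
```

The second sample is the false-positive case from the caveat above: a 13-digit ticket number matches the card regex but fails Luhn, so it is allowed rather than blocked. Real products add proximity keywords, document fingerprints, and exact-data matching on top of this, and none of it helps with content that reaches the inspection point already encrypted or compressed.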