Asset lifecycle concepts have changed a bit in the 2021 common body of knowledge (CBK). The general asset/data lifecycle below still applies:

  • Identify/classify – this is where the information is created or collected, and where its value and ownership are determined.
  • Secure – the information is now secured based on its value/classification, typically articulated as baselines.
  • Monitor – the value of the asset should be monitored for changes, as this will have an impact on protection levels that are applied.
  • Recover – as the asset (and its value) changes over time, you’ll need the ability to restore it after loss or damage. Typically this means backups, redundancy, and restoration activities.
  • Dispose – disposal can happen in two ways:
    • Archive – long term storage, retention periods apply, owner determines.
    • Defensible Destruction – eliminating and destroying the asset in a controlled, compliant, and legal manner.  Entities should have policies for this.

Categorization is the process of assigning an impact level, such as high, medium, or low, to the asset.  The category should indicate the level of impact if the confidentiality, integrity, or availability of the asset is lost.

Note: the difference between classification and categorization is that classification indicates value, and categorization indicates impact.  Both will drive the security requirements.

There are some new “lifecycles” to be familiar with in the 2021 CBK as outlined below.

IT asset management lifecycle – the mnemonic is “PAADMR” (bear with me, I’ll explain). Try to think of this “lifecycle” as a process instead, because it’ll be easier to differentiate it from the other “lifecycles” presented here.

Planning is where you would identify the assets, put a value on them, and put them in the inventory.

Assigning the security needs is where you would classify and categorize the assets.  This step likely includes assigning the protection levels or baselines if they exist.

Acquiring the asset(s), whether that’s internally creating the software or purchasing the hardware.

Deployment refers to deploying the assets and conducting training for all levels of users and support functions.

Managing refers to the ongoing and continuous security assessment of the assets.  This step includes backup and recovery activities.

Retiring – this step includes disposal of the asset (archive or defensible destruction, as above).

As you can see, the acronym is “PAADMR”. So imagine yourself being the manager of a massive party pad/mansion. You’re effectively the “Pad Manager”, or PAADMR. This is the place you’ll host your party when you pass the exam. Be sure to invite us!

Now on to the Data Security Lifecycle. This concept was rebranded and moved from Domain 7, so you may recognize it:

  1. Create – refers to creation or collection of the data. This may also be where we classify and value the data. Read between the lines with some of this: this could be the step where we assign security requirements, even though they are not implemented just yet.
  2. Store – where to put the data as it is created/collected. This could be where we apply the protection levels (note: applying protections is different from “assigning” them). ISC2 says that the storage step is often done at the same time as the creation step.
  3. Use – processing of the data; using it internally. Data is typically unencrypted while in use (“in process”), so protection at this phase relies on access controls rather than encryption.
  4. Share – sending the data outside to third parties; this includes selling, publishing, data exchange agreements, etc. The common body of knowledge talks about having a digital rights management (DRM) solution in place to control the flow of data, and a data loss prevention (DLP) solution in place to detect information leakage.
  5. Archive – long term storage.  This is when the data is not regularly used, or basically when it leaves active use. This is where the age of the storage technology comes into play: end-of-life (EOL) and end-of-support (EOS) of the media and formats need to be considered in terms of the data’s availability. As always, protection levels at this phase depend on classification.
  6. Destruction – permanent destruction of the data.  The method of disposal depends on the data’s classification.

A data classification policy defines the data classifications, who can access the data, how it should be used, how it is secured, retention periods, and methods of disposal.

Some basic steps in creating a Record Retention Policy are as follows:

  1. Understand business needs and regulatory requirements
  2. Classify assets or records
  3. Establish retention periods and destruction methods
  4. Draft the policy
  5. Develop training, education, and awareness that discusses the policy
  6. Audit the policy and procedures
  7. Review the policy and procedures regularly
  8. Document the implementation and audit results