Domain introduction
Asset Security focuses on protecting information and other valuable assets throughout their lifecycle. In practice, this means knowing what data exists, who owns it, how sensitive it is, where it is stored, who may access it, how long it must be retained, and how it should be destroyed when no longer needed.
For ICT students, this domain connects data management with cybersecurity. Technical controls such as encryption, backups, access control, and data loss prevention only make sense when the organization first understands the value and sensitivity of the information being protected.
Classify data
Explain how public, internal, confidential, and restricted data require different handling and protection measures.
Manage lifecycle risks
Identify security risks during data creation, storage, use, sharing, archival, and disposal.
Assign responsibility
Distinguish between data owners, custodians, stewards, and users in protecting organizational information.
Figures and mental models
Figure 1 — Data lifecycle
Figure 2 — Asset security roles
Case examples for class discussion
Case 1 — Lost laptop with student records
A teacher loses a laptop containing unencrypted student grades, email addresses, and study-progress notes while travelling by train.
- Asset issue: the laptop is physical equipment, but the main risk concerns the sensitive data stored on it.
- Controls: disk encryption, data minimization, remote wipe, access control, and secure storage policies reduce the impact.
- Discussion: Which data should never have been stored locally on the laptop?
Case 2 — Test database copied from production
A development team copies a production customer database into a test environment without masking personal information.
- Asset issue: test systems often have weaker controls, making copied production data especially risky.
- Controls: data masking, tokenization, access review, and separate test-data procedures should be applied.
- Discussion: When is realistic test data useful, and when does it create unacceptable privacy risk?
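The controls named in Case 2, sketched as an added example that is not part of the original course material: names and e-mail addresses are masked irreversibly, while account numbers are tokenized through a separate vault. The sample rows, the `TokenVault` class and all function names are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample rows standing in for a production customer table.
PRODUCTION_ROWS = [
    {"id": 1, "name": "Anna Jansen", "email": "anna.jansen@example.org", "iban": "NL00BANK0123456789"},
    {"id": 2, "name": "Omar Haddad", "email": "omar.haddad@example.org", "iban": "NL00BANK0987654321"},
]

class TokenVault:
    """Hypothetical in-memory vault; in practice a separate, access-controlled system."""
    def __init__(self):
        self._token_to_value = {}
        self._value_to_token = {}
    def tokenize(self, value):
        # Reuse the token for a repeated value so joins in the test data still work.
        if value not in self._value_to_token:
            token = "tok_" + secrets.token_hex(8)
            self._value_to_token[value] = token
            self._token_to_value[token] = value
        return self._value_to_token[value]
    def detokenize(self, token):
        return self._token_to_value[token]

def mask_name(row_id):
    # Fictitious value with no link to the real name.
    return f"Customer {row_id:04d}"

def mask_email(email, key):
    # Keyed hash: unique and stable per address; the key must stay out of the test environment.
    digest = hmac.new(key, email.lower().encode(), hashlib.sha256).hexdigest()[:12]
    return f"user_{digest}@test.invalid"

def build_test_rows(rows, key, vault):
    return [
        {"id": r["id"], "name": mask_name(r["id"]),
         "email": mask_email(r["email"], key), "iban": vault.tokenize(r["iban"])}
        for r in rows
    ]

def leaked_values(original, test_rows):
    # Verification step: list any real sensitive value that survived into the test copy.
    real = {r[f] for r in original for f in ("name", "email", "iban")}
    return [v for r in test_rows for v in r.values() if v in real]

if __name__ == "__main__":
    for row in build_test_rows(PRODUCTION_ROWS, secrets.token_bytes(32), TokenVault()):
        print(row)
```

Only the vault can map a token back to the real account number, so the vault, like the masking key, belongs outside the test environment.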
Glossary — 50 core terms
The definitions below reuse the approved Domain 2 terminology and are written for undergraduate ICT students.
| # | Term | Definition |
|---|---|---|
| 1 | Data Classification | Data classification is the process of assigning labels to information based on its sensitivity and value. These labels determine what security controls are required to protect the data. |
| 2 | Data Owner | A data owner is responsible for determining how specific data should be classified, protected, and used. This role typically belongs to a business manager rather than an IT specialist. |
| 3 | Data Custodian | A data custodian manages and maintains systems that store or process data. Custodians implement the security controls defined by the data owner. |
| 4 | Data Steward | A data steward focuses on maintaining data quality and integrity. This role ensures that information remains accurate, consistent, and usable across systems and processes. |
| 5 | Information Asset | An information asset is any data or information resource that has value to an organization and therefore requires protection against unauthorized access, alteration, or loss. |
| 6 | Sensitive Data | Sensitive data refers to information that must be protected from unauthorized disclosure because it could harm individuals or organizations if exposed. |
| 7 | Data Lifecycle | The data lifecycle describes the stages data goes through during its existence, including creation, storage, usage, sharing, archival, and secure destruction. |
| 8 | Data Creation | Data creation occurs when new information is generated by users, systems, or processes. Security controls should ensure that data is correctly classified from the moment it is created. |
| 9 | Data Storage | Data storage refers to how information is stored in databases, file systems, or cloud services. Secure storage requires encryption, access control, and monitoring mechanisms. |
| 10 | Data Usage | Data usage describes how information is accessed and processed by users or applications. Security policies define who can use the data and under what conditions. |
| 11 | Data Sharing | Data sharing involves distributing information to other users, departments, or organizations. Proper authorization and encryption are necessary to prevent unauthorized disclosure. |
| 12 | Data Archiving | Data archiving moves inactive information to long-term storage while preserving it for future reference, compliance, or legal requirements. |
| 13 | Data Retention | Data retention policies define how long information should be stored before it is archived or deleted. Legal regulations often influence retention requirements. |
| 14 | Data Disposal | Data disposal is the process of permanently removing information when it is no longer needed. Proper disposal prevents attackers from recovering sensitive data. |
| 15 | Secure Deletion | Secure deletion ensures that deleted data cannot be recovered. Techniques include overwriting storage sectors or physically destroying storage media. |
| 16 | Media Sanitization | Media sanitization removes data from storage devices before they are reused or discarded. This process prevents unauthorized recovery of previously stored information. |
| 17 | Data Masking | Data masking replaces sensitive information with fictitious values so that the data can be used safely for testing or analysis without revealing confidential information. |
| 18 | Tokenization | Tokenization replaces sensitive data with random identifiers called tokens. The real data is stored separately in a secure system. |
| 19 | Encryption at Rest | Encryption at rest protects stored data by converting it into a form that is unreadable without the correct cryptographic key. |
| 20 | Secure Storage | Secure storage refers to the use of technical and administrative controls to protect stored information from unauthorized access, alteration, or loss. |
| 21 | Backup | A backup is a copy of data stored separately from the original source so it can be restored if the primary data is lost or corrupted. |
| 22 | Backup Strategy | A backup strategy defines how often backups occur, where they are stored, and how quickly data can be restored after an incident. |
| 23 | Full Backup | A full backup copies all selected data during each backup operation. Although reliable, full backups require more storage space and time. |
| 24 | Incremental Backup | An incremental backup stores only data that has changed since the previous backup. This method saves storage space and reduces backup time. |
| 25 | Differential Backup | A differential backup stores all changes made since the last full backup. It provides faster recovery than incremental backups. |
| 26 | Cold Backup | A cold backup is performed when the system is offline. This method ensures data consistency but requires system downtime. |
| 27 | Hot Backup | A hot backup is performed while the system is running. This allows continuous system operation but requires mechanisms to maintain data consistency. |
| 28 | Data Redundancy | Data redundancy stores multiple copies of data in different locations to improve reliability and availability. |
| 29 | Data Replication | Data replication automatically copies data from one system to another to ensure availability and disaster recovery readiness. |
| 30 | Storage Encryption | Storage encryption protects data stored on disks, databases, or cloud storage systems using cryptographic algorithms. |
| 31 | Secure File Transfer | Secure file transfer protocols ensure that files are transmitted between systems without exposing sensitive information during transmission. |
| 32 | Data Leakage | Data leakage occurs when sensitive information is unintentionally exposed to unauthorized parties through misconfiguration, user error, or insecure systems. |
| 33 | Data Loss Prevention | Data loss prevention technologies monitor and control data movement to prevent sensitive information from leaving the organization without authorization. |
| 34 | Information Labeling | Information labeling involves marking data with classification labels that indicate its sensitivity level and handling requirements. |
| 35 | Data Minimization | Data minimization is the principle of collecting and storing only the data necessary for a specific purpose to reduce privacy and security risks. |
| 36 | Data Governance | Data governance defines policies, procedures, and responsibilities for managing data throughout its lifecycle within an organization. |
| 37 | Metadata | Metadata is data that describes other data, such as file creation dates, authorship, and classification labels. |
| 38 | Database Security | Database security includes the controls that protect databases from unauthorized access, misuse, or modification. |
| 39 | Record Management | Record management ensures that organizational records are stored, retained, and disposed of according to legal and operational requirements. |
| 40 | Information Sensitivity | Information sensitivity measures how harmful the exposure or alteration of specific data could be to individuals or organizations. |
| 41 | Storage Security Controls | Storage security controls include encryption, access controls, monitoring, and physical protections used to secure data storage systems. |
| 42 | Secure Data Handling | Secure data handling ensures that employees follow appropriate procedures when accessing, processing, or transferring sensitive information. |
| 43 | Information Asset Inventory | An information asset inventory lists all data assets owned by an organization so they can be properly classified and protected. |
| 44 | Data Escrow | Data escrow stores encrypted copies of critical information with a trusted third party so the data can be recovered if necessary. |
| 45 | Secure Media Transport | Secure media transport ensures that physical storage devices containing sensitive data are transported safely and tracked during movement. |
| 46 | Information Classification Policy | An information classification policy defines how data should be categorized and protected within the organization. |
| 47 | Data Handling Policy | A data handling policy specifies how classified information must be stored, transmitted, and destroyed to prevent unauthorized disclosure. |
| 48 | Secure Archiving | Secure archiving protects stored historical data using encryption and strict access controls. |
| 49 | Information Lifecycle Management | Information lifecycle management ensures that data is managed appropriately from creation through destruction according to business and legal requirements. |
| 50 | Data Protection Controls | Data protection controls include encryption, access management, monitoring, and backup mechanisms designed to protect sensitive information. |
Teaching reference basis: CISSP Domain 2 concepts, ISC2-style asset-security terminology, data lifecycle management, NIST-style media protection concepts, and privacy-aware data handling principles.
Review questions
- Why is data classification necessary before selecting technical security controls?
- How do the responsibilities of data owners, custodians, and stewards differ?
- Why can production data in test environments create serious privacy and security risks?
- What is the difference between data deletion and secure deletion?
- How do retention requirements influence backup, archival, and disposal decisions?