Domain 2: Asset Security

Protecting What Matters Most

Domain 2 covers approximately 10% of the CISSP exam. In practice, this means understanding how organizations identify, classify, and protect information assets throughout their lifecycle—from creation through destruction.

You can deploy the most sophisticated security controls in the world, but if you don’t know what you’re protecting or where it lives, those controls become expensive guesswork.

Figure: the data lifecycle stages, in order: Create, Store, Use, Share, Archive, Destroy.

Data Classification: The Foundation of Protection

Classification schemes assign sensitivity levels to information based on the potential impact of unauthorized disclosure. Government classification follows well-defined categories per Executive Order 13526: Top Secret, Secret, and Confidential.

Commercial organizations typically use: Confidential (or Restricted), Internal Use Only, and Public. The data owner—typically a business executive—assigns classification levels.

Data States and Protection Requirements

  • Data at Rest sits in storage—databases, file servers, laptops. Protection involves encryption, access controls, and physical security per NIST SP 800-111.
  • Data in Transit moves across networks. TLS encryption has become the baseline expectation.
  • Data in Use gets processed by applications. This state presents the most challenging protection problem.

Figure: typical protection controls by data state. At rest: encryption, access control, physical security, backup controls. In transit: TLS/SSL, VPN tunnels, certificate management, segmentation. In use: memory protection, secure enclaves, application controls, DLP monitoring.

Retention and Destruction

Retention requirements come from legal mandates, regulatory requirements, contractual obligations, and business needs. Secure destruction ensures data cannot be recovered per NIST SP 800-88.
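As an added example (not part of the original post), here is a small Python inventory check that ties the preceding sections together: classification levels drive which controls are required in each data state, every asset must have an owner and a custodian assigned, and a retention clock flags records that are due for sanitization. The control matrix, the asset record schema, and the sample inventory are all constructed for illustration and are not taken from any real organization or standard.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed control matrix: which controls each classification level needs
# in each data state. It mirrors the page's at-rest / in-transit / in-use
# summary; in practice the data owner sets these requirements, not a script.
REQUIRED_CONTROLS = {
    "confidential": {
        "at_rest": {"encryption", "access_control", "backup_controls"},
        "in_transit": {"tls", "certificate_mgmt"},
        "in_use": {"memory_protection", "dlp_monitoring"},
    },
    "internal": {
        "at_rest": {"access_control", "backup_controls"},
        "in_transit": {"tls"},
        "in_use": set(),
    },
    "public": {
        "at_rest": {"backup_controls"},
        "in_transit": set(),
        "in_use": set(),
    },
}


@dataclass
class Asset:
    """One inventory record (hypothetical schema for this example)."""
    name: str
    classification: str   # confidential | internal | public
    state: str            # at_rest | in_transit | in_use
    owner: str            # data owner; empty string means unassigned
    custodian: str        # data custodian; empty string means unassigned
    controls: set         # controls actually in place
    created: date
    retention_days: int   # retention period from policy


def missing_controls(asset: Asset) -> set:
    """Controls the classification/state matrix requires but the asset lacks."""
    required = REQUIRED_CONTROLS[asset.classification][asset.state]
    return required - asset.controls


def retention_expired(asset: Asset, today: date) -> bool:
    """True once the retention period has elapsed and destruction is due."""
    return today > asset.created + timedelta(days=asset.retention_days)


def audit(assets, today: date):
    """Return (asset name, finding) pairs for every gap found in the inventory."""
    findings = []
    for a in assets:
        if a.classification not in REQUIRED_CONTROLS:
            findings.append((a.name, f"unknown classification '{a.classification}'"))
            continue
        if not a.owner:
            findings.append((a.name, "no data owner assigned"))
        if not a.custodian:
            findings.append((a.name, "no data custodian assigned"))
        for ctrl in sorted(missing_controls(a)):
            findings.append((a.name, f"missing control: {ctrl}"))
        if retention_expired(a, today):
            findings.append((a.name, "retention expired; schedule sanitization per NIST SP 800-88"))
    return findings


# Constructed sample inventory; none of these are real systems.
SAMPLE_ASSETS = [
    Asset("hr-db", "confidential", "at_rest", "cfo", "dba-team",
          {"encryption", "access_control", "backup_controls"},
          date(2024, 1, 1), 365 * 7),
    Asset("payroll-export", "confidential", "in_transit", "cfo", "",
          {"tls"}, date(2024, 1, 1), 365 * 7),
    Asset("old-campaign-list", "internal", "at_rest", "", "it-ops",
          {"access_control", "backup_controls"}, date(2020, 6, 1), 365 * 3),
    Asset("press-kit", "public", "at_rest", "comms", "web-team",
          {"backup_controls"}, date(2024, 1, 1), 365 * 2),
]

# Fixed "today" so the example is reproducible.
TODAY = date(2025, 1, 1)

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_ASSETS, TODAY):
        print(f"{name}: {finding}")
```

Running the block reports two gaps on the payroll export (no custodian, no certificate management for confidential data in transit) and two on the old campaign list (no owner, retention elapsed), while the properly owned and controlled records produce nothing. The point of keeping the matrix separate from the records is that the data owner can change the classification policy without touching the inventory itself.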

Data Roles and Responsibilities

The data owner holds business responsibility—they decide classification levels and approve access. Data custodians implement technical controls. Data stewards manage data quality. Data users access information according to permissions.

Figure: data roles around an asset. Data owner: classification. Custodian: implementation. Steward: quality assurance. Data user: authorized access.

Privacy and Personal Data

The GDPR defines personal data broadly—any information relating to an identified or identifiable natural person, including IP addresses and location data.

Connecting to Other Domains

Domain 1 establishes the governance framework. Domain 5 implements access controls based on classification. The practice questions test your understanding of roles and lifecycle stages.

Asset Security determines what gets protected and how. Organizations that master it know exactly what sensitive data they hold, where it lives, and who can access it.

Christine Mills, Project Manager
Christine Mills is a cybersecurity professional and lifelong tech enthusiast with experience that reaches back to her early start in IT during high school. Outside of work Christine is an avid boater who enjoys spending time on the water whenever she can.
