The CISSP information lifecycle explains how organizations manage and secure data from the moment it is collected or created until it is permanently destroyed. In CISSP Domain 2 (Asset Security), the lifecycle is driven by one step that many real-world programs skip: data classification. This guide walks through the CISSP-aligned lifecycle that adds classification and shows how it determines the security controls used across every stage.
If the CISSP sounds interesting to you, here's a quick overview: What is the CISSP?
For a solid study guide, check out: Destination CISSP: A Concise Guide
What is the CISSP Information Protection Lifecycle?
The CISSP information protection lifecycle is a risk-based process for protecting information from creation to destruction. The CISSP-aligned lifecycle steps are:
- Collect or Create
- Classify
- Label and Handle
- Store
- Use and Process
- Share and Transmit
- Retain and Archive
- Destroy and Dispose
Classification is the control decision point. It determines the required protections for data at rest, in use, and in transit.
CISSP Information Protection Lifecycle (Domain 2 – Asset Security)
1) Collect or Create
Data enters the organization through customer forms, applications, logs, file uploads, third-party sources, and internal business processes.
What CISSP expects you to understand:
- Collect only what is necessary (data minimization)
- Identify the data owner early
- Consider legal, regulatory, and privacy requirements at the point of collection
Excess collection increases breach impact, compliance exposure, and long-term cost.
2) Classify (The Critical Step)
After collection or creation, the data owner assigns a classification based on potential business impact if the data is:
- Disclosed (Confidentiality impact)
- Altered (Integrity impact)
- Unavailable (Availability impact)
CISSP Classification Levels
| Commercial Classification (CISSP) | Government Equivalent | Meaning | Typical Examples |
|---|---|---|---|
| Public (Class 0) | Unclassified (Class 0) | No meaningful harm if disclosed | Public website content, press releases, published research |
| Sensitive (Class 1) | Confidential (Class 1) | Organization-owned information not intended for public release; moderate operational or competitive impact if exposed | Internal procedures, internal reports, business plans, internal communications |
| Private (Class 2) | Secret (Class 2) | Sensitive information where unauthorized disclosure could cause significant damage | Customer data, contracts, financial reports, employee records |
| Confidential / Proprietary (Class 3) | Top Secret (Class 3) | Highly sensitive or regulated information where disclosure would cause severe or critical damage | PII (SSNs), medical records, payment data, critical intellectual property |
Classification determines security requirements such as encryption, access restrictions, monitoring depth, retention periods, and secure disposal methods. Without classification, controls become inconsistent and difficult to defend.
2b) Labeling and Handling
Classification must be made visible and enforceable through labeling and handling rules. Labeling can be implemented via document markings, metadata tags, system classification fields, or email markings.
Handling rules define:
- Who may access the data (need-to-know and least privilege)
- Where the data may be stored (approved systems only)
- How the data may be transmitted (approved secure channels)
- Whether copying, printing, or forwarding is allowed
In CISSP terms: classification without labeling and handling procedures has limited practical value.
3) Store (Data at Rest)
Data is stored in databases, file systems, cloud storage, backups, and archives. Storage controls scale with classification.
- Public: minimal restrictions
- Proprietary: internal access controls and basic monitoring
- Confidential / Private: encryption at rest, role-based access control, strong audit logging, and encrypted backups
Storage protections should be consistent with the classification decision made earlier.
4) Use and Process (Data in Use)
Data in use includes anything being accessed, displayed, modified, or processed by systems or people.
Common controls for sensitive data:
- Strong authentication and authorization
- Least privilege access
- Session controls (timeouts, re-authentication for sensitive actions)
- Data masking or tokenization where appropriate
- Activity logging and monitoring
Many breaches and insider incidents occur here because organizations grant too much access by default.
4b) Share and Transmit (Data in Transit)
This goes along with Use. However, I separated it out so that we can analyze the points where security can get dismissed. Sharing increases risk because data leaves its original boundary. Sharing includes system-to-system transfers, user-to-user distribution, and third-party/vendor access.
Required protections typically include:
- Encryption in transit (for example: TLS, VPN, secure file transfer)
- Data Loss Prevention (DLP) where applicable
- Sharing only the minimum required fields (data minimization applied again)
- Transfer logging and monitoring
- Third-party risk management and contractual handling obligations
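To show how the classification decision (step 2) becomes enforceable handling rules for storage (step 3) and transmission (step 4b), here is an added example that is not part of the original post. It uses the four commercial levels from the table above; the approved stores, channels, at-rest control names and the impact scoring are constructed assumptions an organization would replace with its own policy.

```python
"""Added example: turning a CISSP-style classification into a handling check.
Level names come from the post's table; stores, channels and control names
are constructed placeholders, not any real organization's policy."""
from dataclasses import dataclass, field

# Commercial levels from the table, ordered low -> high (Class 0 .. Class 3).
LEVELS = ["Public", "Sensitive", "Private", "Confidential"]

def classify(confidentiality: int, integrity: int, availability: int) -> str:
    """Owner's decision: score impact 0..3 for disclosure, alteration and
    unavailability; the worst single impact sets the classification."""
    worst = max(confidentiality, integrity, availability)
    if not 0 <= worst <= 3:
        raise ValueError("impact scores must be between 0 and 3")
    return LEVELS[worst]

# Handling rules per level (constructed): where data may be stored, how it may
# be transmitted, and which at-rest controls must be present before storing.
RULES = {
    "Public":       {"stores": {"website", "fileshare", "db"},
                     "channels": {"https", "email", "sftp"}, "at_rest": set()},
    "Sensitive":    {"stores": {"fileshare", "db"},
                     "channels": {"https", "email", "sftp"}, "at_rest": {"access_control"}},
    "Private":      {"stores": {"db", "vault"}, "channels": {"https", "sftp"},
                     "at_rest": {"access_control", "encryption", "audit_log"}},
    "Confidential": {"stores": {"vault"}, "channels": {"sftp"},
                     "at_rest": {"access_control", "encryption", "audit_log", "encrypted_backup"}},
}

@dataclass
class HandlingRequest:
    level: str              # label assigned by the data owner
    store: str              # system the data would be written to
    channel: str            # channel the data would be sent over
    controls: set = field(default_factory=set)  # at-rest controls the store provides

def check_handling(req: HandlingRequest) -> list:
    """Return the list of handling-rule violations; an empty list means allowed."""
    rule = RULES[req.level]
    violations = []
    if req.store not in rule["stores"]:
        violations.append(f"store '{req.store}' is not approved for {req.level} data")
    if req.channel not in rule["channels"]:
        violations.append(f"channel '{req.channel}' is not approved for {req.level} data")
    missing = rule["at_rest"] - req.controls
    if missing:
        violations.append("missing at-rest controls: " + ", ".join(sorted(missing)))
    return violations
```

The same check can run at the point of collection (step 1) to refuse ingestion into a store that does not meet the level's at-rest controls, which is where the post says most programs skip the decision.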
5) Retain and Archive
Retention must be policy-based and aligned to legal, regulatory, and business requirements. Keeping data “just in case” increases risk and cost.
Retention decisions should be driven by:
- Regulatory and legal requirements
- Business needs
- Classification level
The goal is to keep data only as long as required, and no longer.
6) Destroy and Dispose
When data is no longer needed, it must be permanently destroyed. For sensitive information, destruction should be verifiable and documented.
Common destruction approaches include:
- Logical sanitization: approved wiping/overwriting methods for storage media
- Cryptographic erasure: destroying encryption keys so protected data becomes unrecoverable
- Physical destruction: shredding, crushing, or otherwise destroying media when required
Roles and Responsibilities in the Lifecycle
- Data Owner: Determines classification and defines protection requirements
- Custodian: Implements technical controls and maintains systems that store/process data
- User: Accesses data appropriately and follows handling rules
The Three Data States CISSP Expects You to Know
CISSP commonly frames protections around data states. Controls must protect information when it is:
- At Rest (stored)
- In Use (being processed or accessed)
- In Transit (being transmitted)
Classification determines how strong those controls must be in each state.
Where Organizations Typically Fail
Many incidents trace back to predictable lifecycle breakdowns:
- Data was never classified
- Too many users had access (no least privilege)
- Sensitive data was stored without appropriate protection
- Data was retained longer than necessary
- Information was shared without secure transmission or vendor controls
The root cause is often simple: no classification decision was made at creation.
Key Takeaway
The CISSP information protection lifecycle is a risk management model. The lifecycle becomes consistent and defensible when you:
- Collect only what you need
- Classify immediately
- Label and enforce handling rules
- Apply controls based on impact across rest, use, and transit
- Retain only as long as required
- Destroy data securely when it is no longer needed
Frequently Asked Questions
Which CISSP domain covers the information protection lifecycle?
The information protection lifecycle is primarily covered in CISSP Domain 2: Asset Security, including data classification and handling requirements.
Who is responsible for data classification in CISSP?
In CISSP, the data owner is responsible for determining the classification level and defining protection requirements. Custodians implement the controls.
Why does the CISSP lifecycle add a classification step?
Because classification is the control pivot. It determines the appropriate protections for storage, access, transmission, retention, and secure destruction.
What are the CISSP commercial classification levels?
A commonly referenced CISSP commercial model uses: Public, Proprietary, Confidential, and Private. Organizations may use different names, but CISSP testing focuses on the concept: higher sensitivity requires stronger controls.