Asset Security
Classification is the master input: classify first, then every other control follows from the label
Asset Security is the discipline of protecting information and the assets that hold it across their whole life, and the single decision that drives all of it is classification: assigning each information type a sensitivity and criticality grade based on the harm that losing its confidentiality, integrity, or availability would cause. The point is proportionality: you cannot afford to protect everything to the highest standard, so you grade once and let the grade answer every downstream question. Handling rules, the hardening baseline a new asset is built to, lifecycle protections, retention periods, and the strength of the data-security controls are all derived from the classification label, never invented per asset. On the exam this is the recurring move: when a scenario onboards new data, the BEST first step is to have its owner classify it, because that label is the input every later safeguard reads.
The owner classifies and sets requirements; the custodian only implements, and accountability never delegates
One ownership model runs through data-classification, secure-provisioning, and the data-lifecycle roles. The information (data) owner is a senior, business-side role who decides the classification label and the protection requirements; the custodian (typically IT/operations) implements and maintains those controls but never decides the label. The dividing line the exam tests is decision-versus-execution: the actor who 'determines the classification,' 'sets the retention schedule,' or 'approves declassification' is always the owner. Critically, you can delegate or outsource the work of protecting data (even to a cloud provider) but accountability for the data stays with the owner: responsibility to perform a task moves, answerability does not.
Pick the protection by the data's STATE; pick its strength by the data's LABEL
Two orthogonal selectors choose a control together. The data's state, at rest (storage encryption plus access control), in transit (transport encryption such as TLS or IPsec), or in use (the hard state, where the CPU needs cleartext and you fall back to tight access control, memory hygiene, and confidential-computing enclaves), decides which class of control applies, because each state faces a different threat. The classification label then decides how strong that control must be: higher sensitivity or criticality justifies stronger encryption, tighter access, heavier monitoring, and more thorough destruction. Control selection itself starts from a baseline keyed to the system's FIPS 199 impact level (the high-water mark across all its information types), which is then scoped and tailored to the system, every deviation documented so an assessor can trace why a control was removed or substituted.
Provisioning, inventory, and ownership form one loop: you cannot protect what you cannot see
Secure provisioning builds each asset to a documented, change-controlled baseline configuration in a known-good hardened state before it is trusted in production, rather than deploying defaults and tightening later. That only works if the asset has an owner who set the required protection level and an inventory that records the asset, its owner, and its configuration. NIST SP 800-53 CM-8 requires a complete, accurate, non-duplicating component inventory carrying the owner field, updated on every install, removal, and change: a complete current inventory is the foundation for the whole domain, because you cannot classify, patch, monitor, or assign accountability for an asset you do not know exists. Break any link in the loop and you get the classic failures: shadow IT no one owns, default credentials left in place, and orphaned systems that silently miss patches.
Retention decides WHEN to dispose; the data lifecycle decides HOW to destroy, and SP 800-88 grades the how
Disposal is two separable decisions that the exam keeps distinct. Asset retention owns the timing: each data class is kept for the longest binding external obligation (NIST SP 800-53 SI-12), over-retention is itself a liability that enlarges the breach blast radius, and a legal hold overrides the schedule by suspending destruction the moment litigation is reasonably anticipated. The data lifecycle then owns the method: because deleting or formatting leaves recoverable data remanence, NIST SP 800-88 chooses a sanitization category by the data's confidentiality first and media type second: Clear (resists simple recovery, media reusable), Purge (resists laboratory recovery, media reusable: degaussing, firmware Secure Erase, or cryptographic erase), or Destroy (recovery infeasible and the media unusable), and sanitization is not finished until it is validated and recorded on a certificate.
Which Asset Security subtopic owns the decision
| Decision in front of you | Subtopic that owns it | The governing rule |
|---|---|---|
| How sensitive/critical is this data, and who decides? | Data Classification | Owner grades it by harm (FIPS 199 high-water mark); accountability cannot be delegated |
| How must this labeled asset be marked, stored, moved? | Asset Handling | One handling standard per classification tier; marking is human-readable, labeling is system-enforced |
| How do I stand up this asset securely? | Secure Provisioning | Build to a change-controlled hardened baseline; record it in the CM-8 inventory under an owner |
| Which control protects this data, and how is data governed end to end? | Data Lifecycle / Data Security Controls | Control chosen by state (rest/transit/use), strength by label; baseline scoped and tailored |
| WHEN may I dispose of this, and can I right now? | Asset Retention | Keep for the longest binding obligation (SI-12); a legal hold overrides the schedule |
| HOW do I destroy the data so it cannot be recovered? | Data Lifecycle | NIST SP 800-88 Clear / Purge / Destroy, chosen by confidentiality first; validate and certify |