🔑 1. Key Concepts

• Asset Classification
• Data Ownership & Roles
• Data Lifecycle
• Data Security Controls
• Data Retention & Disposal
• Privacy Protection
• Data Handling Requirements
• Data Loss Prevention (DLP)

---

📖 2. Deep Dive (Expanded)

---

🔹 Asset Classification

Assets (data, systems, devices) must be classified based on sensitivity and value.

Common Classification Levels:

• Public
• Internal
• Confidential
• Restricted / Highly Confidential

Why it matters:
Not all data needs the same level of protection. Classification ensures appropriate controls are applied.

Exam insight:
Higher classification = stricter controls.

---

🔹 Data Ownership & Roles

Clear roles are essential for proper data governance.

Key Roles:

• Data Owner
  • Defines classification
  • Determines access requirements
  • Ultimately responsible
• Data Custodian
  • Implements controls
  • Manages storage and protection
• User
  • Uses data according to policy

Why it matters:
Ensures accountability and proper handling of data.

Exam insight:
Ownership = responsibility, Custodian = implementation.

---

🔹 Data Lifecycle

Data goes through several stages:

1. Creation
2. Storage
3. Use
4. Sharing
5. Archiving
6. Destruction

Why it matters:
Security must be applied at every stage, not just storage.

Exam insight:
Controls differ per phase (e.g., encryption in storage, access control in use).

---

🔹 Data Security Controls

Protect data using different types of controls:

• Administrative → policies, procedures
• Technical → encryption, access control
• Physical → locks, secure facilities

Why it matters:
A layered approach ensures better protection.

---

🔹 Data Retention

Defines how long data must be kept.

• Based on legal and business requirements
• Must balance:
  • compliance
  • storage cost
  • risk

Why it matters:
Keeping data too long increases risk.

---

🔹 Data Disposal

Secure destruction of data when no longer needed.

Methods:

• Shredding
• Degaussing
• Cryptographic erasure
• Overwriting

Why it matters:
Improper disposal can lead to data breaches.

Exam insight:
Always match disposal method to data sensitivity.

---

🔹 Privacy Protection

Focuses on protecting personal data.

Key principles:

• Data minimization
• Purpose limitation
• Consent
• Transparency

Examples:

• GDPR

Why it matters:
Legal requirement and protects individuals’ rights.

---

🔹 Data Loss Prevention (DLP)

Technologies and processes to prevent data leakage.

• Monitor data movement
• Detect sensitive data
• Block unauthorized transfers

Why it matters:
Prevents accidental or malicious data exposure.

---

🧠 3. Manager Mindset

• Data is a business asset
• Protect based on value and sensitivity
• Ownership defines accountability
• Balance security with usability

👉 Always think: What level of protection is appropriate?

---

❓ 4. Practice Questions

1

Who is responsible for classifying data?
A. User
B. Custodian
C. Data Owner
D. Auditor

---

2

What is the primary purpose of data classification?
A. Reduce storage
B. Apply appropriate security controls
C. Improve performance
D. Enable backups

---

3

Who implements data protection controls?
A. Data Owner
B. Custodian
C. User
D. Auditor

---

4

What is the first stage of the data lifecycle?
A. Storage
B. Use
C. Creation
D. Destruction

---

5

What is the main goal of data retention policies?
A. Store data forever
B. Meet legal and business requirements
C. Reduce encryption
D. Improve performance

---

6

Which method is used for secure data destruction?
A. Backup
B. Encryption
C. Shredding
D. Logging

---

7

What does data minimization mean?
A. Store less data
B. Delete all data
C. Use minimal controls
D. Compress data

---

8

What is the role of a data custodian?
A. Own data
B. Define policy
C. Implement controls
D. Audit systems

---

9

What is the purpose of DLP?
A. Encrypt data
B. Prevent data leakage
C. Backup data
D. Monitor systems

---

10

Which classification requires the highest protection?
A. Public
B. Internal
C. Confidential
D. Restricted

---

11

What is the main risk of keeping data too long?
A. Performance loss
B. Increased security risk
C. Storage failure
D. Data corruption

---

12

What is cryptographic erasure?
A. Deleting files
B. Destroying encryption keys
C. Formatting disk
D. Backup deletion

---

13

Who is accountable for data protection?
A. User
B. Custodian
C. Management / Owner
D. IT

---

14

What is the purpose of data classification labels?
A. Improve speed
B. Identify sensitivity
C. Encrypt data
D. Backup data

---

15

Which control type is encryption?
A. Administrative
B. Physical
C. Technical
D. Operational

---

16

What is the purpose of privacy regulations?
A. Protect systems
B. Protect individuals
C. Improve security
D. Reduce costs

---

17

What is the BEST way to protect highly sensitive data?
A. Backup
B. Classification + strong controls
C. Logging
D. Monitoring

---

18

What is the purpose of data ownership?
A. Store data
B. Define responsibility
C. Encrypt data
D. Audit data

---

19

What is the BEST first step in protecting data?
A. Encrypt it
B. Classify it
C. Backup it
D. Monitor it

---

20

What is the biggest concern during data disposal?
A. Speed
B. Cost
C. Data exposure
D. Storage

---

✅ 5. Answers + Reasoning

---

1

C. Data Owner
The data owner is responsible for determining the classification level because they understand the value and sensitivity of the data.

---

2

B. Apply appropriate security controls
Classification ensures that data receives the correct level of protection based on its sensitivity and importance.

---

3

B. Custodian
Custodians are responsible for implementing and maintaining the security controls defined by the data owner.

---

4

C. Creation
Data must be classified and protected from the moment it is created.

---

5

B. Meet legal and business requirements
Retention policies ensure compliance and reduce unnecessary risk from storing data too long.

---

6

C. Shredding
Physical destruction methods like shredding ensure data cannot be recovered.

---

7

A. Store less data
Data minimization means collecting and storing only the data that is necessary.

---

8

C. Implement controls
Custodians handle the operational side of protecting data.

---

9

B. Prevent data leakage
DLP solutions monitor and control data movement to prevent unauthorized disclosure.

---

10

D. Restricted
Higher classification levels require stronger protection.

---

11

B. Increased security risk
The more data you store, the greater the risk of exposure or breach.

---

12

B. Destroying encryption keys
Without the key, encrypted data becomes unreadable, effectively destroying it.

---

13

C. Management / Owner
Ownership implies accountability for protecting data.

---

14

B. Identify sensitivity
Labels help determine how data should be handled and protected.

---

15

C. Technical
Encryption is a technical control that protects data confidentiality.

---

16

B. Protect individuals
Privacy regulations focus on protecting personal data and individual rights.

---

17

B. Classification + strong controls
Protection starts with classification, followed by appropriate security measures.

---

18

B. Define responsibility
Ownership ensures accountability for data protection decisions.

---

19

B. Classify it
You must first understand the sensitivity of data before applying controls.

---

20

C. Data exposure
Improper disposal can lead to data being recovered and exposed.

---

⚠️ 6. Exam Traps

• Confusing owner vs custodian
• Skipping classification step
• Choosing technical controls before understanding data
• Ignoring data lifecycle

---

🔄 7. Flash Review

• Classify data first
• Owner = responsibility
• Custodian = implementation
• Data lifecycle matters
• Dispose data securely
• Privacy protects individuals

---

📊 8. Score

Score: ___ / 20

• 16–20 → ✅ Strong
• 10–15 → ⚠️ Review
• <10 → ❌ Re-study Domain 2