CISSP: Domain 2 - Asset Security - Module 2


CISSP: Domain 2, Module 2
Ensure Appropriate Retention

This course is the second and final of the two modules within Domain 2 of the CISSP, covering asset security.


Learning Objectives

The objectives of this course are to provide you with an understanding of:

  • How to ensure the appropriate retention using archiving, retention policies and best practices
  • How to determine data security controls, focusing on critical tenets, data encryption, the security content automation protocol (SCAP), in addition to considerations and baselines
  • Establishing handling requirements where we look at the importance of labeling and destruction of different media types

Intended Audience

This course is designed for those looking to take the most in-demand information security professional certification currently available, the CISSP.


Any experience relating to information security would be advantageous, but not essential.  All topics discussed are thoroughly explained and presented in a way allowing the information to be absorbed by everyone, regardless of experience within the security field.


If you have thoughts or suggestions for this course, please contact Cloud Academy at


Welcome back to Cloud Academy's presentation of the CISSP examination preparation review seminar. We're going to continue our discussion in domain two, Ensure Appropriate Retention. 

So, in our previous discussion, we were talking about how we identify and classify our information assets. Part of that program, of course, is to understand where the data exists, taking that classification and the definitions that we've established through this program, and then we're going to have to take them and deal with the ending stages of the information lifecycle, where we have to manage the data through retention, archive, recovery, and ultimately, some form of disposition, most commonly thought of as destruction. In trying to design this program, we will, of course, have to identify and engage with all of the stakeholders in this process, typically the various information owners, executives, and senior management members in our organization. But it will also involve various parties and organizations, generally outside of our organization, who will require various forms of information from us, some of which will come from the archived data that we have. 

When we meet with these stakeholders, or when we examine the kinds of documents that state what the external stakeholders may require of us, it gives us the basis for establishing the objectives and finding commonality for supporting the archive and retention policies that we're going to have to define and put in place. They will describe the kinds of industry standard or best practice that we'll have to implement to ensure that we're identifying and managing this data properly. And then, as with every other process we're going to do, we're going to have to monitor how it works and periodically review and update the guidance documents that form, shape, and guide the performance of our tasks in this program. 

So, here are some tasks that we're going to have to engage in when creating a sound records retention policy. We're going to have to look at the statutory requirements, whether these are actually in the law at the federal or state level, or they come from industry standards, or they come from simple accounting practices. Whatever these requirements are, we need to define them clearly. We're going to have to identify litigation that may come our way, or has come our way, and what kind of requirements we face during that period, and then, for our own business needs, too. We've already gone through our classification program, the classification and categorization of the various information assets we have. From the various sources, we're going to have to determine what retention periods we have to put in place, and we have to research to find out what the accepted destruction practices will be to ensure that we reduce and assuredly destroy an object when that time comes. 

From all of these sources, we're going to draft and justify our record retention policies and practices. Staff will, of course, have to be trained in how to perform these things and how to verify that they've done it in the right manner. We'll have to define an audit process so that when we examine what we're actually doing in this program, we'll be able to know that we are doing it the right way or identify where there are discrepancies between the defined correct way and the way we are actually performing them, and that our destruction policies are, in fact, in place, being performed, and producing the assured destroyed residual that cannot be reassembled into a human-readable form. And with our guidance documents and processes, these things have to undergo periodic review to ensure that if there is anything that has been put out by any of these external sources that we must account for in this guidance that it has been identified, captured, and that we have accounted for it in the policy, in the program that we have implemented, which must match the policy, that the training that we give matches both, and that the audits we perform have identified the necessary evidence of our actions and our product, and that they align as well. 

Now, as we begin this process, and these need to be asked and addressed again throughout, who needs access to the archive data, and why? How fast do they need it? Simple questions on their face, but who will be accessing this archive data, and why, goes to the question of, what is the source of the request for the data, and what is their justification for asking? And, are they, in fact, authorized to make these? How fast do they need it? Typically, it is the case that a subpoena will have a deadline built into it, and thus we have to recover the data and provide it prior to that deadline expiring. If it happens to be a search warrant, the deadline is now. They are going to execute it the moment that they present it to us, and that means that there has to be a way to respond even then in a timely manner. 

Do the requirements change as the archives age? Normally, the requirements for these things will indeed change, and as the requirements change as the archives age, the need for our protection, the type of protection, the depth of it, the strength of it, those attributes may also have to change. One thing that we want to do is make sure that we always protect the information in accordance with its value, but along with that, we need to be sure that we're not over- or under-protecting it in accordance with its value. How long do we need to keep the archive data? Well, that's typically specified in the source of the guidance that we're using. When should it be disposed of or deleted? Again, it comes from the same source. 

The question, though, that this begs is, should we retain it for any longer than that? Some people are very reluctant because they have this suspicion that somewhere along the line, the day after I've destroyed data, somebody's gonna walk in and they're gonna ask me for it, and there I'll be. I won't have the data that they're asking for. But we have to address the question in this way as well. If we retain said data for longer than the retention period states, what risks do we run of it becoming more likely to be exposed? Especially if there's personally-identifiable elements within it, such that it has dropped from our attention, and now the risk of it being exposed through that inattention now increases. It's important to realize that even though there may come a request for it after that expiration has come and gone, we have to ask ourselves if the risk of other kinds of ill effects can result by us simply hanging onto it for longer than perhaps we should. 
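As an added illustration, not part of the seminar, here is a small Python retention evaluator that models the points just made: retention rules come from several sources and the longest period governs, a legal hold (litigation, subpoena) suspends destruction, and an audit pass flags PII kept past its period, which is the over-retention exposure the speaker warns about. The schedule, its source names, and the record values are all constructed and hypothetical.

```python
from dataclasses import dataclass
from datetime import date
@dataclass(frozen=True)
class RetentionRule:
    source: str   # where the requirement comes from: statute, standard, business need
    years: int
@dataclass
class Record:
    record_id: str
    classification: str
    created: str              # ISO date, e.g. "2015-01-01"
    contains_pii: bool = False
    legal_hold: bool = False  # a subpoena or litigation hold suspends the schedule

RULES = {  # constructed, hypothetical schedule; several sources can apply to one class
    "financial": [RetentionRule("hypothetical tax statute", 7),
                  RetentionRule("accounting practice", 5)],
    "hr": [RetentionRule("hypothetical employment code", 6)],
    "general": [RetentionRule("business need", 2)],
}
def add_years(d, years):
    """Shift a date by whole years; 29 February falls back to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def governing_rule(classification):
    """When several sources apply to a class, the longest period governs."""
    return max(RULES.get(classification, RULES["general"]), key=lambda r: r.years)
def evaluate(record, today_iso):
    """Disposition decision for one record on the given day (ISO date string)."""
    today = date.fromisoformat(today_iso)
    rule = governing_rule(record.classification)
    expires = add_years(date.fromisoformat(record.created), rule.years)
    overdue = max((today - expires).days, 0)
    if record.legal_hold:
        action = "hold"       # kept regardless of the schedule; the hold itself needs review
    elif today < expires:
        action = "retain"
    else:
        action = "destroy"    # period has run out: assured destruction is due
    return {"record_id": record.record_id, "action": action, "source": rule.source,
            "expires": expires.isoformat(), "days_overdue": overdue,
            "over_retained_pii": action == "destroy" and overdue > 0 and record.contains_pii}

def audit(records, today_iso):
    """Audit finding: PII records kept past their period with no hold in place."""
    return [r["record_id"] for r in map(lambda x: evaluate(x, today_iso), records)
            if r["over_retained_pii"]]
```

Running `audit` over the records on a schedule is the periodic review the lecture calls for; anything it returns is a gap between the policy and what the archive actually holds.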

So, we want to promote cross-functional ownership as one of our standard practices by making more people involved in the process, sharing the accountability, and making them accountable to each other and to the organization as well. It promotes the importance. It promotes wider acceptance of this process as a necessary and standard way of doing business. We need to be sure that this cross-functionality extends to all the different phases of the information lifecycle so that everyone who has a piece of the ownership has a piece of its protection, that they understand its value through all phases, and essentially, everybody is on board with the same practices. We should practice recovery exercises to make that as part of our process, we are able to recover the data. Whatever the need, we're able to do it in a suitably timely fashion, and that means that we have to look at the different aspects of the program, which will include the media, the hardware, and the personnel. 

So, here you see some example retention policies from various sources. We have the European Document Retention Guide as of 2013. State of Florida Electronic Records and Records Management Practices. This might prove to be one of the sources if you happen to be a contractor to the state of Florida. And in all organizations, there is a similar relationship and similar guidance for whoever you happen to be on contract to, whether it's at the state level, the local level, or the federal level, or even the international level. Employment Practices Code from the Information Commissioner's Office of the UK. Wesleyan University, the EU itself with the General Data Protection Regulation of May 2018, and the Texas State Records Retention Schedule as of July 4th, 2012. These are simply some examples, and if we were to look at these things in detail, we would probably find that there is a lot of commonality between them in the general way that they approach this particular issue. Even though that may be the case, we still have to go through each one, assuming, for example, that we are subject to all of these different ones, and make sure that the requirements we have captured are embodied in our policies and procedures and that our practices reflect that guidance from these sources.

About the Author

Mr. Leo has been in Information Systems for 38 years, and an Information Security professional for over 36 years.  He has worked internationally as a Systems Analyst/Engineer, and as a Security and Privacy Consultant.  His past employers include IBM, St. Luke's Episcopal Hospital, Computer Sciences Corporation, and Rockwell International.  A NASA contractor for 22 years, from 1998 to 2002 he was Director of Security Engineering and Chief Security Architect for Mission Control at the Johnson Space Center.  From 2002 to 2006 Mr. Leo was the Director of Information Systems, and Chief Information Security Officer for the Managed Care Division of the University of Texas Medical Branch in Galveston, Texas.


Upon attaining his CISSP license in 1997, Mr. Leo joined ISC2 (a professional role) as Chairman of the Curriculum Development Committee, and served in this role until 2004.   During this time, he formulated and directed the effort that produced what became and remains the standard curriculum used to train CISSP candidates worldwide.  He has maintained his professional standards as a professional educator and has trained and certified nearly 8500 CISSP candidates since 1998, and nearly 2500 in HIPAA compliance certification since 2004.  Mr. Leo is an ISC2 Certified Instructor.
