Establish Handling Requirements
Start course

This course is the 2nd and final module of two modules within Domain 2 of the CISSP, covering asset security.


Learning Objectives

The objectives of this course are to provide you with and understanding of:

  • How to ensure the appropriate retention using archiving, retention policies and best practices
  • How to determine data security controls, focusing on critical tenets, data encryption, the security content automation protocol (SCAP), in addition to considerations and baselines
  • Establishing handling requirements where we look at the importance of labeling and destruction of different media types

Intended Audience

This course is designed for those looking to take the most in-demand information security professional certification currently available, the CISSP.


Any experience relating to information security would be advantageous, but not essential.  All topics discussed are thoroughly explained and presented in a way allowing the information to be absorbed by everyone, regardless of experience within the security field.


If you have thoughts or suggestions for this course, please contact Cloud Academy at


So we're going to move into Section 6 of Asset Control where we're going to look at establishing handling requirements. 

Now as you'll see, this is about handling any media that is going to contain the data. That means that we have to be sure that it's protected in all of its forms. So when we store sensitive information on this media, it means that we have to use the combination of physical and logical controls to achieve our control objectives. Media by itself lacks the means for digital accountability when the data is not encrypted. And if they're small, like USB drives or CDs, having them numbered, or given serial numbers, or asset tags, or any of that sort of thing is, also, not only undesirable but purely unfeasible. We must, therefore, take proper care of these things and make sure that all users know the proper handling procedures and methods that we allow. 

As I've already stated, we need to be sure that the storage media is properly marked. First off, we train users to make sure that only authorized persons have this information on this media in their possession. And that any time, anyone who is not authorized has it, that they're going to do what they have to do to break into the container, whatever it might be. Therefore, anything that we are going to build as label contents needs to accurately reflect who the authorized owner is, what the protection is, what its level of classification is because if someone unauthorized gets a hold of it, one of two things is happening. They're either going to return it or dispose of it, not wanting to bother. Or, if they're actually an adversary, they're not going to pay any attention to the label. They're simply going to investigate and find out if it's got anything that they want on it. 

So it is to our advantage first to physically protect it so that it doesn't fall into their hands but even with that, we still need to have an accurate label. It should clearly indicate ownership, whether it's encrypted. It may be if it's large enough, it may also contain a point of contact and a retention period. And again, if it's large enough to hold a label this size, who to return it to. These are all things we're doing for ourselves because we're going to have the program to prevent logical access, but also to protect it from physically falling into the wrong hands. So as I've said, handling means that only designated, authorized personnel will have access to the media itself, and through some form of password or other access control, to the data that it contains. That means that there will be policies and procedures describing to them how this will happen, how they're to handle it, how they're to store it, how they're to access it, how they're to share it, perhaps, with their colleagues. It also says how they're responsibilities are to be carried out and what sanctions will be pursued if they are not. 

Clearly a part of this entire program is how it's to be stored. This means, of course, that the data at rest on the media should be encrypted, and that the media itself should be stored in a secured container of some kind. That could be a briefcase. It could be a lockbox. It could be a safe. Whatever that media is, and whatever storage medium you have to contain it in, these are supposed to be used, and this is what our policies and procedures direct. And this is what we're measuring to ensure that we have the compliance that we require from our workforce. The records retention and destruction, as this section has dealt with, means that the information should only be kept as long as it is required. We need to be sure that the organization understands what those requirements of retention are for the different types of data that we have so that it's well understood in the workforce what kind of data is retained and what the basis for that retention is. The organization documents in a records schedule what data is to be kept for what period of time, at what point, meaning the actual date at which that expires, and what method should be used to destroy that data when that period expires. And that we need to record that that data has been taken and destroyed properly by that method, signed off by one or preferably two persons so that it's properly documented that it's been done. And this needs to apply to all the media that is going to be holding sensitive information, whatever kind of coverage we have for that data. Simply throwing it away in a trash bin or using some sort of logical method may be wholly inadequate. And so the usage of proper methods really is vitally important. It's well known that the very famous hacker Kevin Mitnick dumpster dived to be able to recover and learn all that he did about the phone systems that he hacked from manuals, technical service manuals, that were thrown away, when in fact, they should have been shredded or incinerated, but there they were. And so you see, this information was available to him through the simplest of oversights. It was simply thrown in the trash, and it shouldn't be assumed that a person who really wants the information asset won't go to the trouble to do that. He certainly did, and others do as well, every day. 

So in summary, we have covered the security processes, the information systems securities, personnel, organizational sub-units, and the responsibilities that they and the members of them have to protect our assets. We've examined frameworks. We've talked about the importance of the policies and concepts, and the other things that make up our program, why they're important, and how we implement them, perform them, and measure them. And it described that this is the foundation for a comprehensive and proactive security program to identity and properly control and protect all of the assets in our organization. This completes Domain Two, and thank you very much for your attendance. And we're going to continue this course, and I look forward to seeing you back for that. Thank you.

About the Author
Learning Paths

Mr. Leo has been in Information System for 38 years, and an Information Security professional for over 36 years.  He has worked internationally as a Systems Analyst/Engineer, and as a Security and Privacy Consultant.  His past employers include IBM, St. Luke’s Episcopal Hospital, Computer Sciences Corporation, and Rockwell International.  A NASA contractor for 22 years, from 1998 to 2002 he was Director of Security Engineering and Chief Security Architect for Mission Control at the Johnson Space Center.  From 2002 to 2006 Mr. Leo was the Director of Information Systems, and Chief Information Security Officer for the Managed Care Division of the University of Texas Medical Branch in Galveston, Texas.


Upon attaining his CISSP license in 1997, Mr. Leo joined ISC2 (a professional role) as Chairman of the Curriculum Development Committee, and served in this role until 2004.   During this time, he formulated and directed the effort that produced what became and remains the standard curriculum used to train CISSP candidates worldwide.  He has maintained his professional standards as a professional educator and has since trained and certified nearly 8500 CISSP candidates since 1998, and nearly 2500 in HIPAA compliance certification since 2004.  Mr. leo is an ISC2 Certified Instructor.

Covered Topics