The Data Lifecycle


Data Classification & Categorization
Data Ownership
1m 13s

The course is part of this learning path

Start course

This course is the second installment of three courses covering Domain 2 of the CSSLP, covering the topic of data classification and categorization.

Learning Objectives

  • Understand the fundamentals of data classification and categorization
  • Learn about the security implications of data ownership and labeling
  • Learn about different data types and the data lifecycle

Intended Audience

This course is designed for those looking to take the Certified Secure Software Lifecycle Professional (CSSLP)​ certification, or for anyone interested in the topics it covers.


Any experience relating to information security would be advantageous, but not essential. All topics discussed are thoroughly explained and presented in a way allowing the information to be absorbed by everyone, regardless of experience within the security field.


If you have thoughts or suggestions for this course, please contact Cloud Academy at


Now, here again, you see the data lifecycle. But in this particular slide, we're going to talk about different items. First, we have to be certain that the confidentiality, integrity, and availability protections are fully functional, as appropriate, in each one of the six phases. For example, during generation, this would mean that the generation or acquisition process would include that the controls are always geared towards baseline authentication, classification, and protection commensurate with the data type and value, which leads to an accurate classification and categorization of the data object, and therefore, places it under the appropriate controls for such data.

In the portions of the cycle regarding retention, we need to be sure that we identify data and its transient or persistent characteristics, so that we have these attributes clearly defined and implemented to make sure that the governance practices are in place, and that those responsible act in compliance by enforcing policy. When we reach disposal, we need to be sure that the certain data types that need to be retained, or do not need to be retained based on regulatory requirements, that they, and when other types lose their value and impact, there are other types that still retain the potential liabilities and associated with some form of uncontrolled unwanted disclosure. This means that we need to be sure we recognize that at no time does individually identifiable data ever cease to be a breach for as long as it's in our possession and available in a human-readable form. Thus it is that we need to find assured disposal practices, those that truly and irrecoverably render the data into a nonhuman readable, nonhuman recoverable form to address those concerns and make certain that these data objects cannot be recovered by anyone by any means.

About the Author
Learning Paths

Mr. Leo has been in Information System for 38 years, and an Information Security professional for over 36 years.  He has worked internationally as a Systems Analyst/Engineer, and as a Security and Privacy Consultant.  His past employers include IBM, St. Luke’s Episcopal Hospital, Computer Sciences Corporation, and Rockwell International.  A NASA contractor for 22 years, from 1998 to 2002 he was Director of Security Engineering and Chief Security Architect for Mission Control at the Johnson Space Center.  From 2002 to 2006 Mr. Leo was the Director of Information Systems, and Chief Information Security Officer for the Managed Care Division of the University of Texas Medical Branch in Galveston, Texas.


Upon attaining his CISSP license in 1997, Mr. Leo joined ISC2 (a professional role) as Chairman of the Curriculum Development Committee, and served in this role until 2004.   During this time, he formulated and directed the effort that produced what became and remains the standard curriculum used to train CISSP candidates worldwide.  He has maintained his professional standards as a professional educator and has since trained and certified nearly 8500 CISSP candidates since 1998, and nearly 2500 in HIPAA compliance certification since 2004.  Mr. leo is an ISC2 Certified Instructor.