In my previous post, Demystifying CISSP Domain 1: Security and Risk Management, I provided an overview of Domain 1: Security and Risk Management.
Next up is CISSP Domain 2: Asset Security
Asset Security is the least heavily weighted CISSP exam domain at 10% of the exam, but it is an extremely important set of concepts to apply in practice. This domain focuses on securing organizational assets by assigning ownership, control, and proper handling based on asset classification. Assets include physical assets like datacenter hardware, facilities, and infrastructure as well as digital assets like applications, networks, systems, and most importantly, data. As an information security professional, your role is to work with business units to identify, categorize, and inventory all key assets. Then you must select and implement security controls that are appropriate to each asset's value, risks, and requirements.
The major concepts in CISSP Domain 2 include:
Asset classification: assigning security levels based on asset value and the damage that would result if the asset were compromised. Government and military schemes use hierarchical levels such as top secret, secret, confidential, and unclassified; commercial schemes use labels such as confidential, private (or internal), sensitive, and public. Higher classified data requires stronger controls like encryption, access restrictions, and monitoring. Know the formal security models that enforce classification, such as Bell-LaPadula (a confidentiality model: no read up, no write down), and how to apply them.
Asset ownership: identifying the individuals responsible for maintaining assets and ensuring their proper security. Owners determine controls like access permissions, change management, and backup procedures. They must understand the asset's classification and their own security responsibilities. Owners can be data owners, system owners, network owners, etc., depending on the asset.
Asset maintenance: performing regular maintenance such as updates, patches, audits, backups, and redundancy to ensure the availability and integrity of assets. Maintenance includes testing backups, practicing restoration, monitoring for unauthorized access, and remediating vulnerabilities.
Asset handling: establishing proper procedures for labeling, storing, transporting, and destroying assets according to their classification. This prevents unauthorized disclosure or access. Procedures should include encryption, logged access, witnessed destruction, cross-cut shredding, and certified shredding or wiping.
Asset inventory: maintaining a detailed inventory of all assets, including ownership, classification, specifications, location, network details, etc. The inventory enables monitoring, impact analysis, and control of assets. Because the inventory aggregates information about every asset, it must itself be protected at the highest classification of the data it describes.
To learn Domain 2 effectively and efficiently, focus your studies on understanding classification schemes and the models that enforce them, assigning appropriate controls based on risk, and ensuring that every asset has an identified owner and is properly maintained, handled, and inventoried.
Domain 2: Asset Security
CISSP Exam Cram Full Course UPDATED - 2022 EDITION!
I want to again highly recommend the following FREE CISSP Domain 2 - Asset Security YouTube video resource by Pete Zerger and his Inside Cloud and Security CISSP series and channel. I used this all-in-one YT video extensively while running, working out, etc., and consistently listened to it at 1.5x, 2x, or higher speeds over and over to hash out the specific focus areas of Domain 2: Asset Security.
CISSP exam study material resources such as the following will help strengthen your knowledge:
With diligent preparation, you'll have CISSP Exam Domain 2: Asset Security covered for the exam!