Classifying information and assets and protecting them across their lifecycle.
2.1
Labelling assets by sensitivity so controls can follow the label.
Classification and ownership
- Classify by sensitivity and criticality; the data owner sets the classification, the custodian enforces it.
- Roles — owner · custodian · processor · user — each with distinct accountability.
Data lifecycle
- Acquire → use → archive → dispose; controls and retention differ at each stage.
- Disposal must match the classification — degaussing · cryptographic erasure · physical destruction.
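The two ideas above, a label that travels with the data and a disposal method that must match that label, shown as a small added example (not from the original notes): each record gets its own encryption key held apart from the ciphertext, and cryptographic erasure is simply destroying that key. The disposal policy table and the HMAC-based keystream are constructed for illustration; in practice the keystream would be AES-GCM from a vetted library.

```python
"""Classification-aware store with cryptographic erasure (constructed example)."""
import hmac
import hashlib
import os

# Disposal methods permitted per classification. Constructed policy table:
# the highest label does not accept key destruction alone.
DISPOSAL_POLICY = {
    "public":       {"delete", "crypto_erase"},
    "internal":     {"crypto_erase", "degauss"},
    "confidential": {"crypto_erase", "degauss", "destroy"},
    "restricted":   {"degauss", "destroy"},
}

def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter keystream (symmetric, so the
    same call encrypts and decrypts). Stand-in for AES-GCM so the example
    needs only the standard library; not for production use."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)

class Store:
    def __init__(self):
        self.ciphertexts = {}  # record id -> (label, ciphertext): the "disk"
        self.keys = {}         # record id -> per-record key, held separately

    def write(self, rid: str, label: str, plaintext: bytes) -> None:
        key = os.urandom(32)
        self.keys[rid] = key
        self.ciphertexts[rid] = (label, _keystream_xor(key, plaintext))

    def read(self, rid: str) -> bytes:
        if rid not in self.keys:
            raise KeyError(f"{rid}: key destroyed, ciphertext unrecoverable")
        return _keystream_xor(self.keys[rid], self.ciphertexts[rid][1])

    def dispose(self, rid: str, method: str) -> bool:
        """Apply a disposal method only if the record's label permits it."""
        label = self.ciphertexts[rid][0]
        if method not in DISPOSAL_POLICY[label]:
            raise PermissionError(f"{method} not permitted for {label} data")
        del self.keys[rid]                 # crypto_erase: key gone, data stays
        if method != "crypto_erase":       # other methods remove the media too
            del self.ciphertexts[rid]
        return True
```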
2.2
Protecting data
States of data and the privacy obligations attached to them.
Data states
- At rest · in transit · in use — each needs its own control set, encryption being the common thread.
- Scoping and tailoring of baselines (NIST SP 800-53) keeps controls proportionate.
Privacy
- Track data residency and sovereignty; personal data carries obligations under GDPR and similar regimes.
- Minimise collection and retention — the data you do not hold cannot leak.