Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

3.6. Reflection Checkpoint

Key Takeaways

  • Classification drives proportional protection — the correct control at the correct strength is determined by classification level, not by default or convenience.
  • Data owners are always business managers (never IT or security) — custodians implement the controls owners require.
  • Deletion ≠ destruction. Use media-type-appropriate methods: overwriting for HDDs, cryptographic erasure for SSDs and cloud, degaussing for magnetic tape, physical destruction for highest sensitivity.
  • Legal holds override retention schedules the moment litigation is reasonably anticipated — not when the lawsuit is filed.
  • EOL ≠ EOS — the security risk begins when patches stop (EOS), not when sales stop (EOL).
  • Data states (at rest / in transit / in use) each require separate, appropriate controls. Encryption at rest doesn't protect data in transit; TLS doesn't protect data at rest.
  • DRM is content-centric (travels with data), DLP is channel-centric (monitors transmission), CASB is cloud service-centric (governs cloud usage).

Connecting Forward

Phase 4 builds on Domain 2's data protection concepts by asking: how do we design systems that protect data securely from the ground up? Security architecture and engineering (Domain 3) addresses the design principles, formal security models, cryptographic mechanisms, and physical infrastructure that implement the protection requirements Domain 2 identifies. The Bell-LaPadula model will directly map to the classification concepts from Section 3.1; the cryptographic controls in Phase 4 will implement the at-rest and in-transit protections from Section 3.5.

Self-Check Questions

  • An organization discovers a terminated employee's home directory still contains 3 years of customer PII. The directory is on a server scheduled for decommission and hard drive reuse. What handling, destruction, and governance actions are required before the server can be repurposed?
  • Your organization implements full-disk encryption on all laptops AND deploys a network DLP solution that blocks unencrypted email of sensitive data. A manager argues these are redundant. Are they? What scenario does each protect against that the other does not?

Written by Alvin Varughese
Founder, 15 professional certifications