CISSP考试指南笔记：2.8 快速提示

Information goes through a life cycle that starts with its acquisition and ends with its disposal.
Each phase of the information life cycle requires different considerations when assessing risks and selecting controls.
New information is prepared for use by adding metadata, including classification labels.
Ensuring the consistency of data must be a deliberate process in organizations that use data replication.
Data aggregation may lead to an increase in classification levels.
Cryptography can be an effective control at all phases of the information life cycle.
The data retention policy drives the timeframe at which information transitions from the archival phase to the disposal phase of its life cycle.
Information classification corresponds to the information’s value to the organization.
Each classification should have separate handling requirements and procedures pertaining to how that data is accessed, used, and destroyed.
Senior executives are ultimately responsible to the shareholders for the successes and failures of their corporations, including security issues.
The data owner is the manager in charge of a specific business unit and is ultimately responsible for the protection and use of a specific subset of information.
Data owners specify the classification of data, and data custodians implement and maintain controls to enforce the set classification levels.
The data retention policy must consider legal, regulatory, and operational requirements.
The data retention policy should address what data is to be retained, where, how, and for how long.