
Data is not static.
It is created, used, shared, stored… and eventually destroyed.
And every stage carries risk.
Why This Matters
Many organisations focus heavily on protecting stored data.
Encryption at rest.
Access control.
Backups.
But CISSP takes a broader view.
✔ Data is at risk before storage
✔ Data is at risk during usage
✔ Data is at risk while being transferred
✔ Data is at risk when improperly disposed
Protecting only one stage is not enough.
The Core Principle
✔ Security must follow data — not just location
Data moves across systems, users, and environments.
Your controls must move with it.
The Data Lifecycle
Understanding the lifecycle is critical to applying the right controls.
Creation / Collection
This is where data enters the system.
✔ User inputs
✔ Application-generated data
✔ Logs and telemetry
Risks:
✔ Over-collection
✔ Incorrect classification
✔ Privacy violations
Key point:
✔ Classify data at the point of creation
Storage
Data is stored in:
✔ Databases
✔ File systems
✔ Cloud environments
Controls:
✔ Encryption at rest
✔ Access control
✔ Backup and recovery
Usage
Data is actively accessed and processed.
✔ Applications use it
✔ Users interact with it
Risks:
✔ Unauthorized access
✔ Data exposure in memory
Controls:
✔ Least privilege
✔ Session controls
✔ Secure processing
Sharing / Transmission
Data moves across:
✔ Networks
✔ Systems
✔ Third parties
Risks:
✔ Interception
✔ Data leakage
Controls:
✔ Encryption in transit
✔ Secure communication channels
Archival
Data is retained for:
✔ Compliance
✔ Legal requirements
✔ Business needs
Controls:
✔ Restricted access
✔ Long-term protection
✔ Integrity assurance
Destruction
Data reaches end of life.
✔ Secure deletion
✔ Cryptographic erasure
✔ Physical destruction
Critical point:
✔ If data is not securely destroyed, it still exists
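The critical point above, shown as an added example (not code from the original article): deleting a record from primary storage leaves the backup copy recoverable, while destroying its key makes every copy unreadable. The `Store` class and its methods are hypothetical, the sample record is constructed, and the cipher is a standard-library toy standing in for a vetted AEAD such as AES-GCM.

```python
import hashlib
import hmac
import secrets


def _mac(key: bytes, label: bytes, data: bytes) -> bytes:
    return hmac.new(key, label + data, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy stream cipher (HMAC-SHA256 in counter mode) so the example runs offline.
    # Assumption: production code uses a vetted AEAD, not this construction.
    blocks = (n + 31) // 32
    return b"".join(_mac(key, b"ks", nonce + i.to_bytes(8, "big")) for i in range(blocks))[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + body + _mac(key, b"mac", nonce + body)


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _mac(key, b"mac", nonce + body)):
        raise ValueError("wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


class Store:
    """Hypothetical store: one data key per record; backups hold ciphertext only."""

    def __init__(self):
        self.keys, self.primary, self.backup = {}, {}, {}

    def create(self, rid: str, data: bytes) -> None:
        self.keys[rid] = secrets.token_bytes(32)
        self.primary[rid] = seal(self.keys[rid], data)
        self.backup[rid] = self.primary[rid]  # backup job copies the sealed blob

    def naive_delete(self, rid: str) -> None:
        del self.primary[rid]  # key and backup copy both survive

    def crypto_erase(self, rid: str) -> None:
        # Assumption: in a real system the key lives in a KMS/HSM and is destroyed there.
        del self.keys[rid]

    def recover_from_backup(self, rid: str) -> bytes:
        return unseal(self.keys[rid], self.backup[rid])
```

After `naive_delete`, `recover_from_backup` still returns the record; after `crypto_erase`, it raises `KeyError` and the backup blob cannot be opened with any other key.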
Where Organisations Fail
Most failures do not happen at storage.
They happen at:
✔ Transmission
✔ Usage
✔ Disposal
Because these stages are often overlooked.
CISSP Exam Perspective
CISSP will test lifecycle thinking through scenarios.
✔ Data exposed during transfer → missing transmission controls
✔ Old data leaked → poor retention and destruction
✔ Unclassified data → failure at creation stage
Correct approach:
✔ Identify the lifecycle stage
✔ Identify the risk
✔ Apply the appropriate control
Key Takeaway
✔ Data must be protected from creation to destruction
Not just when it is stored.
Listen to the Podcast
This article is part of the CISSP Blogpost and Podcast Series.
The podcast explains lifecycle concepts with real-world analogies and exam-focused scenarios.
Final Thought
Security is not a single control.
It is a continuous process across the entire lifecycle.
Because in cybersecurity—
Protection at one stage is not protection at all.
Think lifecycle.
Think continuity.
Think like a CISSP.



