Resource Protection
The Afterlife of Your Data
In 2019, a major bank sold decommissioned data center servers through a surplus dealer. The drives had been “wiped” using a quick format. A security researcher purchased several drives from the dealer and recovered customer financial records, social security numbers, and internal banking applications. The bank’s data disposal procedure existed on paper — it simply was not followed.
Data does not disappear when you press delete. It does not disappear when you format a drive. It persists until the physical media is properly sanitized or destroyed. Resource protection means managing that reality across every asset in your environment.
This module covers CISSP exam objective 7.5: apply resource protection. The exam tests whether you can select the right protection and disposal method for different media types, manage software assets, and prevent the resource sprawl that creates unmanaged risk.
Media Management
Media management covers the handling, storage, transportation, and eventual destruction of all storage media: hard drives, SSDs, tapes, USB drives, optical media, printed documents, and mobile devices.
Media Handling and Storage
- Labeling — Media containing classified data must be marked with the appropriate classification level. Unmarked media in a shared environment is a handling failure.
- Storage — Media must be stored in conditions appropriate to its classification. Confidential backup tapes in an unlocked storage closet fail the handling requirement, even if the tapes are encrypted.
- Transportation — Moving media between locations requires controls proportional to the classification: use encrypted media with a documented chain of custody for transport, and never let unencrypted classified media leave secured facilities.
- Access control — Only authorized individuals should be able to check out, transport, or access stored media. A media library or vault with access logging provides accountability.
Media Sanitization and Destruction
NIST SP 800-88 (Guidelines for Media Sanitization) defines three levels of sanitization, each appropriate for different scenarios.
- Clear — Overwriting data using standard tools. Protects against simple recovery methods (undelete tools). Appropriate when media will be reused within the same organization at the same security level. Example: overwriting a workstation drive before reassigning it to another employee in the same department.
- Purge — Making data recovery infeasible using state-of-the-art techniques. Includes cryptographic erasure (destroying the encryption key that protects the data), manufacturer secure erase commands, and degaussing for magnetic media. Appropriate when media is leaving organizational control. Example: returning leased servers to the vendor.
- Destroy — Physically rendering the media unusable: shredding, disintegrating, incinerating, or pulverizing. Appropriate for the highest classification levels or when media cannot be effectively purged. Example: shredding drives that stored Top Secret data.
The two critical decision factors are what data was on the media and where the media is going. Higher classification and media leaving organizational control require stronger sanitization.
Data Remanence
Data remanence is the residual data that remains on storage media after deletion or sanitization attempts. Understanding remanence is key to selecting the right sanitization method.
- Magnetic hard drives (HDD) — Data can persist in areas not reached by overwriting (bad sectors, host-protected areas). Degaussing (exposing to a strong magnetic field) destroys data on magnetic media but renders the drive unusable. Overwriting is effective for clearing but may miss remapped sectors.
- Solid-state drives (SSD) — Wear-leveling algorithms distribute writes across memory cells, which means overwriting may not reach all cells containing data. Cryptographic erasure (crypto-shredding) or the manufacturer’s secure erase command is the correct approach. Degaussing does not work on SSDs because they do not store data magnetically.
- Magnetic tape — Degaussing is effective. Overwriting the entire tape is also effective for clearing. Physical destruction (shredding) is used for the highest classification levels.
- Cloud storage — You do not control the physical media. Crypto-shredding (encrypting data and then destroying the key) is the primary sanitization method in cloud environments.
Hardware Asset Protection
Hardware assets require protection throughout their lifecycle, not just during active use.
- Physical security — Servers in locked data centers, workstations with cable locks, mobile devices with encryption and remote wipe capability
- Tamper detection — Seals, sensors, and monitoring that detect physical access to sensitive equipment
- End-of-life management — When hardware is decommissioned, data sanitization must be completed and documented before disposal. Certificates of destruction provide accountability.
- Warranty and maintenance tracking — Out-of-warranty equipment may not receive firmware updates or security patches, creating risk
Software Licensing and Compliance
Software asset management (SAM) ensures the organization is legally compliant with licensing terms and operationally aware of what software is deployed.
- License types — Per-seat, per-core, concurrent-use, subscription, open source. Each type has different compliance requirements and audit implications.
- Under-licensing — Running more installations than licenses allow. Creates legal liability and potential fines during vendor audits.
- Over-licensing — Paying for more licenses than needed. A financial waste, but not a security issue.
- License auditing — Automated tools that compare deployed software against license entitlements. Regular reconciliation prevents surprises during vendor audits.
- Open source compliance — Open source licenses (GPL, MIT, Apache) have their own terms. Some require releasing modifications as open source. Using GPL-licensed code in proprietary products without compliance can create legal exposure.
Intellectual Property Protection in Operations
Operational teams handle intellectual property daily: source code, proprietary configurations, customer data, trade secrets. Protection in operations means:
- Access controls that restrict IP to authorized personnel based on need-to-know
- Data loss prevention (DLP) tools that detect and block unauthorized transfer of IP
- Non-disclosure agreements (NDAs) for employees, contractors, and third parties with access
- Monitoring for unusual data access patterns that could indicate IP theft
- Secure disposal of media containing IP when systems are decommissioned
Cloud Resource Protection
Cloud environments introduce resource protection challenges that do not exist in traditional data centers.
- Shared responsibility — The cloud provider protects the infrastructure; the customer protects data and configurations. Knowing where the boundary falls is essential.
- Data location — Data may be stored across multiple regions or countries. Regulatory requirements may restrict where data can reside.
- Multi-tenancy — Cloud resources are shared among customers. Proper isolation depends on the provider’s controls. Encryption ensures that even if isolation fails, data remains protected.
- Data disposal in cloud — When you delete data in the cloud, you are removing a logical reference. The physical media is managed by the provider. Encrypting all cloud data and using crypto-shredding for disposal gives you control over data protection regardless of the provider’s physical media management.
Virtual Machine Sprawl Management
VM sprawl occurs when virtual machines are created faster than they are tracked, maintained, and decommissioned. It is the virtual equivalent of shadow IT in the physical world.
Risks of VM sprawl:
- Unpatched VMs with known vulnerabilities running in the environment
- VMs with no assigned owner, meaning nobody is accountable for their security
- Dormant VMs consuming resources and expanding the attack surface
- Snapshots containing sensitive data persisting long after they were needed
- Development and test VMs promoted to production without proper hardening
Managing VM sprawl requires:
- Automated provisioning through approved templates with built-in expiration dates
- Regular inventory scans that identify VMs not in the CMDB
- Lifecycle policies that require owner confirmation to keep VMs running past a defined period
- Snapshot management policies that automatically delete old snapshots
Pattern Recognition
Resource protection questions on the CISSP follow these structures:
- Media leaving the organization — Purge or destroy, depending on classification. Never just clear.
- SSD sanitization — Crypto-shredding or manufacturer secure erase. Never standard overwriting. Never degaussing.
- Cloud data disposal — Crypto-shredding. You cannot control the physical media.
- Unknown VMs discovered — VM sprawl. The answer involves inventory, ownership assignment, and lifecycle management.
Trap Patterns
Watch for these wrong answers:
- “Formatting the drive is sufficient sanitization” — Formatting removes the file system index but does not overwrite data. It is not sanitization.
- “Degauss the SSD” — SSDs store data electronically, not magnetically. Degaussing has no effect on SSDs.
- “Delete the cloud storage bucket” — Deletion removes logical access but does not sanitize physical media. Encrypt first, then destroy the keys.
- “Over-licensing is a bigger risk than under-licensing” — Over-licensing wastes money. Under-licensing creates legal liability. The exam considers under-licensing the greater risk.
Scenario Practice
Question 1
A healthcare organization is migrating from on-premises servers to a cloud provider. After migration, the on-premises servers containing patient health information (PHI) will be donated to a local school. The IT team plans to perform a single-pass overwrite on all server hard drives before donation.
Is this approach adequate?
A. Yes — a single-pass overwrite meets NIST 800-88 clearing requirements
B. No — PHI requires purging or destruction since the media is leaving organizational control, and SSDs in the servers cannot be reliably overwritten
C. Yes — donating to a school is a low-risk scenario that does not require full sanitization
D. No — healthcare data requires a minimum of seven-pass overwrite per DOD standards
Answer & reasoning
Correct: B
Two factors make the planned approach inadequate. First, PHI is regulated data (HIPAA) and the media is leaving organizational control, which requires purging or destruction rather than clearing. Second, if any of the servers contain SSDs, overwriting is unreliable due to wear-leveling. The correct approach is crypto-shredding or manufacturer secure erase for SSDs, and degaussing or destruction for magnetic drives. The seven-pass DOD standard (D) is outdated and not required by NIST 800-88.
Question 2
A cloud security audit reveals 340 virtual machines in the organization’s cloud environment. The CMDB records only 210. Of the 130 unaccounted VMs, 45 have not been patched in over six months, and 20 have no identifiable owner.
What is the MOST immediate security concern?
A. The organization is overpaying for cloud resources it does not need
B. The 45 unpatched VMs represent an active vulnerability exposure that is not being managed
C. The CMDB is unreliable and should be replaced with a new system
D. The 20 ownerless VMs violate the organization’s asset management policy
Answer & reasoning
Correct: B
Unpatched VMs with known vulnerabilities are an active security risk. The 45 unpatched VMs have been outside the patching process for six months, accumulating vulnerabilities that attackers can target. While the CMDB inaccuracy and ownerless VMs are governance concerns that need attention, the immediate security threat is the unmanaged vulnerability exposure. Cost (A) is an operational concern, not a security priority.
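The inventory reconciliation that the VM Sprawl Management section calls for and that the audit in Question 2 reports, as an added example that is not part of the original module. It is a Node.js sketch over a constructed four-VM inventory and CMDB ID set (no real environment); the 180-day patch threshold and the severity ordering are assumptions matching the reasoning above.

```javascript
// Constructed sample data, not from any real environment: a cloud inventory export
// and the set of VM IDs the CMDB knows about. Dates are ISO (UTC) day strings.
const cloudInventory = [
  { id: "vm-001", owner: "payments", lastPatched: "2024-05-20" },
  { id: "vm-002", owner: "", lastPatched: "2023-11-02" },
  { id: "vm-003", owner: "dev-team", lastPatched: "2024-06-01" },
  { id: "vm-004", owner: "", lastPatched: "2024-06-10" },
];
const cmdbIds = new Set(["vm-001", "vm-003"]);

const DAY_MS = 24 * 60 * 60 * 1000;

// Whole days between an ISO date string and the reference date.
function daysSince(isoDate, asOf) {
  return Math.floor((Date.parse(asOf) - Date.parse(isoDate)) / DAY_MS);
}

// Reconcile the live inventory against the CMDB. Findings are ordered the way the
// Question 2 answer reasons: unpatched VMs (active exposure) first, then the governance
// gaps (untracked, ownerless) that explain how they escaped the patching process.
function reconcile(inventory, cmdb, asOf, maxPatchAgeDays = 180) {
  const findings = [];
  for (const vm of inventory) {
    const age = daysSince(vm.lastPatched, asOf);
    if (age > maxPatchAgeDays) findings.push({ id: vm.id, severity: 1, issue: `unpatched for ${age} days` });
    if (!cmdb.has(vm.id)) findings.push({ id: vm.id, severity: 2, issue: "not in CMDB" });
    if (!vm.owner) findings.push({ id: vm.id, severity: 2, issue: "no owner" });
  }
  return findings.sort((a, b) => a.severity - b.severity || a.id.localeCompare(b.id));
}

// Headline numbers in the form the audit in Question 2 reports them.
function sprawlSummary(inventory, cmdb, asOf) {
  const findings = reconcile(inventory, cmdb, asOf);
  const count = (prefix) => findings.filter((f) => f.issue.startsWith(prefix)).length;
  return {
    total: inventory.length,
    inCmdb: inventory.filter((vm) => cmdb.has(vm.id)).length,
    unaccounted: count("not in CMDB"),
    unpatched: count("unpatched"),
    ownerless: count("no owner"),
  };
}
```

Run against a real export, the ordered findings list is the remediation queue: patch or isolate the severity-1 entries first, then assign owners and CMDB records so the lifecycle policy can act on them.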
Question 3
An organization stores all cloud data using customer-managed encryption keys. When a cloud storage account is decommissioned, the security team destroys the encryption keys and then requests the cloud provider to delete the storage account.
Why is this approach considered effective for cloud data sanitization?
A. The cloud provider will physically destroy the storage media after the account is deleted
B. Destroying the encryption keys renders the encrypted data unrecoverable regardless of whether the physical media is sanitized by the provider
C. Customer-managed keys give the organization control over the cloud provider’s hardware
D. Key destruction is only effective if the cloud provider also performs a cryptographic erase on their end
Answer & reasoning
Correct: B
This is crypto-shredding in practice. When data is encrypted with customer-managed keys and those keys are destroyed, the data is cryptographically unrecoverable. It does not matter whether the cloud provider wipes the physical media immediately, eventually, or never — without the decryption keys, the data is effectively destroyed. This is why encryption with customer-managed keys is the primary data sanitization strategy for cloud environments.
Key Takeaway
Resource protection is about managing the full lifecycle of every asset that touches your data. The exam will present scenarios where data is at risk because sanitization was wrong for the media type, media left the organization without proper handling, or virtual resources multiplied beyond the organization’s ability to track and maintain them. For every resource protection question, ask: what classification is the data, what type of media holds it, and where is it going? Those three answers determine the right control.