Domain 2: Asset Security Review — 16 of 84

Domain 2 – Section A Review: Classification and Provisioning

CISSP Domain 2 — Asset Security, Section A: Classification and Provisioning Review (10 Questions)

This section integrates:

  • Information and Asset Classification (government and commercial schemes)
  • Asset Handling, Marking, and Destruction Requirements
  • Media Sanitization (NIST 800-88), Data Remanence, and Crypto-Shredding
  • Secure Asset Provisioning, Inventory, and Shadow IT
  • Asset Ownership vs. Custody

Domain 2 questions require you to connect classification decisions to downstream handling and provisioning controls. A classification without matching handling is just a label. An asset without an inventory entry is invisible risk.


1. Classification Drives Everything Downstream

The information owner determines classification based on value, sensitivity, criticality, and legal requirements. Every subsequent decision — storage controls, transmission methods, access restrictions, and destruction procedures — follows from that classification.

When a scenario describes a protection failure, trace it back:

  • Was the data classified correctly?
  • Were handling requirements matched to the classification level?
  • Was the classification reviewed when conditions changed?

2. Sanitization Must Match Media and Destination

NIST 800-88 defines three levels: clearing, purging, and destroying. The right choice depends on two factors: the media type and where the media is going.

  • Reuse within the organization at the same level → Clearing
  • Leaving organizational control → Purging (crypto-shredding, secure erase)
  • Highest classification or physical disposal → Destruction

Remember that SSDs require crypto-shredding or manufacturer secure erase — not overwriting. Degaussing works on magnetic media only. Deletion is never sanitization.


3. Provisioning Is a Governance Problem

The asset lifecycle — request, approve, provision, track, maintain, dispose — is a governance framework. When any stage is skipped, risk accumulates silently. Shadow IT is the most visible symptom of provisioning governance failure.

For every asset, ask:

  • Does it have a named owner?
  • Is it in the inventory?
  • Was it approved and configured to standards?
  • Is there a plan for its eventual disposal?

Section A Decision Pattern

When facing a Domain 2 Section A question:

  1. Identify who owns the data or asset — owner, custodian, or user?
  2. Check the classification — was it done, done correctly, and reviewed?
  3. Match handling to classification — do storage, transmission, and access controls align?
  4. Verify the sanitization method — does it match the media type and the scenario?
  5. Confirm provisioning governance — was the asset approved, tracked, and assigned?

Section A – Practice Questions


Question 1

A hospital’s chief medical officer classifies patient treatment records as Confidential. The IT department stores these records on an unencrypted file share accessible to all clinical staff via shared credentials.

What is the PRIMARY security failure?

A. The classification level is too high for patient treatment records
B. The handling controls do not match the classification — Confidential data requires encryption and individual access controls
C. The chief medical officer should not be the one classifying medical records
D. Shared credentials are acceptable if all users have a legitimate need to access the data

Answer & reasoning

Correct: B

The classification was correct — patient records warrant Confidential treatment under both organizational policy and HIPAA. The failure is that handling controls (unencrypted storage, shared credentials, no individual access logging) do not meet the requirements for Confidential data. Classification without appropriate controls is meaningless.


Question 2

An organization is replacing 50 hard drives from servers that processed Secret government data. The drives will be sent to a certified destruction vendor. A technician suggests performing a three-pass overwrite before shipping the drives to the vendor as an additional precaution.

What is the BEST course of action?

A. The overwrite is unnecessary — the destruction vendor will handle sanitization
B. Perform the overwrite and then ship the drives for destruction
C. Skip the overwrite and ship directly for physical destruction, maintaining chain of custody throughout transport
D. Degauss the drives before shipping to eliminate data remanence

Answer & reasoning

Correct: C

For Secret-level data destined for physical destruction, overwriting is an unnecessary intermediate step. The priority is maintaining chain of custody during transport to the destruction vendor and verifying the outcome through a certificate of destruction. Degaussing (D) would render the drives unusable but is not required when physical destruction is the planned method. The key control is chain of custody, not additional sanitization before destruction.


Question 3

During a data classification review, the information owner for the marketing database has been in a different role for eight months. No replacement owner was designated. The database now contains customer behavioral data subject to GDPR.

What governance failure is MOST significant?

A. The marketing database should not contain GDPR-regulated data
B. No owner was assigned when the previous owner changed roles, leaving classification and access decisions unaccountable
C. The classification review should have been automated rather than manual
D. GDPR data requires a dedicated database separate from marketing data

Answer & reasoning

Correct: B

When an information owner changes roles, a new owner must be designated immediately. Without an owner, no one is accountable for classification reviews, access approvals, or compliance decisions. The addition of GDPR-regulated data makes this gap especially serious — regulatory obligations require active governance that cannot happen without an accountable owner.


Question 4

A company’s cloud operations team provisions virtual machines using automated templates. A security audit reveals that 30% of production VMs were provisioned from templates that do not match the current security baseline — they are missing recent hardening changes.

What provisioning control failed?

A. The cloud operations team should not have access to provision VMs
B. Configuration management — templates were not updated when the security baseline changed
C. The VMs should have been provisioned manually to ensure accuracy
D. Virtual machines do not require the same hardening as physical servers

Answer & reasoning

Correct: B

Automated provisioning is the right approach, but the templates (golden images) must be updated whenever the security baseline changes. Configuration management ensures that provisioning templates remain aligned with current standards. When templates drift from the baseline, every new VM inherits the gap.


Question 5

A financial services firm stores encrypted customer account data in a cloud database. The firm decides to terminate the cloud provider contract. The cloud provider states they will delete all customer data within 30 days of contract termination.

What additional step should the firm take to ensure data protection?

A. Accept the provider’s deletion commitment as sufficient since it is contractually binding
B. Request that the provider degauss their storage hardware
C. Perform crypto-shredding by destroying the encryption keys before contract termination, then verify the provider’s deletion process
D. Download all data to on-premises storage before termination and trust the provider to handle the rest

Answer & reasoning

Correct: C

Crypto-shredding ensures that even if the cloud provider’s deletion process is incomplete or delayed, the encrypted data is unrecoverable without the keys. The firm should destroy the keys under its own control and then verify the provider’s data removal process. Relying solely on contractual commitments (A) provides legal protection but not technical assurance. Degaussing (B) is not feasible in cloud environments.
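Crypto-shredding, as Section 2 and Question 5 describe it, works because the ciphertext the provider keeps is worthless once the firm destroys the key it controls. The Go program below is an added example, not part of this study guide, that models that lifecycle with AES-GCM: a data-encryption key (DEK) protects a constructed sample record, a firm-held key-encryption key (KEK) wraps the DEK, and shredding zeroes the KEK. The record contents, key sizes and function names are assumptions chosen for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// gcmFor builds an AES-256-GCM AEAD; a wrong key length is a programming error.
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}

// Seal encrypts pt under key and prepends the fresh random nonce to the output.
func Seal(key, pt []byte) []byte {
	g := gcmFor(key)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce) // crypto/rand.Read does not fail in practice
	return g.Seal(nonce, nonce, pt, nil)
}

// Open reverses Seal; the GCM tag check rejects a wrong key, so a shredded key yields an error, not garbage.
func Open(key, rec []byte) ([]byte, error) {
	g := gcmFor(key)
	if len(rec) < g.NonceSize() {
		return nil, errors.New("record too short")
	}
	return g.Open(nil, rec[:g.NonceSize()], rec[g.NonceSize():], nil)
}

// CryptoShred returns (readable before shredding, readable after shredding).
func CryptoShred() (bool, bool) {
	kek, dek := make([]byte, 32), make([]byte, 32) // firm-held KEK, per-dataset DEK (constructed)
	rand.Read(kek)
	rand.Read(dek)
	record := []byte("acct=0012345;balance=1045.20") // constructed sample row
	ct := Seal(dek, record)   // stored at the provider
	wrapped := Seal(kek, dek) // DEK wrapped under the KEK, stored next to ct
	d, _ := Open(kek, wrapped) // normal read: unwrap the DEK, then decrypt
	pt, _ := Open(d, ct)
	for i := range kek { kek[i] = 0 } // shred: wipe the only KEK copy the firm holds
	_, err := Open(kek, wrapped) // unwrap fails, so ct can never be decrypted again
	return string(pt) == string(record), err == nil
}
```

The provider still holds `ct` and `wrapped` after termination, but without the KEK the wrapped DEK cannot be opened, which is the technical assurance the contractual deletion promise alone does not give.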


Question 6

A defense contractor receives a classified document marked “Secret” from a government agency. An employee who has a Top Secret clearance but no need-to-know for this specific document requests access because they are working on a related project.

Should access be granted?

A. Yes — Top Secret clearance exceeds the Secret classification, so access is permitted
B. Yes — working on a related project establishes sufficient need-to-know
C. No — access requires both appropriate clearance and a specific need-to-know for that document
D. No — only the originating government agency can grant access to their documents

Answer & reasoning

Correct: C

Access to classified information requires two conditions: clearance at or above the classification level and a demonstrated need-to-know for that specific information. Having a higher clearance level satisfies the first condition but not the second. Working on a “related” project does not automatically establish need-to-know for a specific document.


Question 7

An organization’s IT team discovers that a business unit has been running a customer-facing web application on a server that does not appear in the CMDB. The server has not been patched in 14 months and is running an end-of-life operating system.

Which risk is the MOST immediate concern?

A. The server is consuming data center resources without proper cost allocation
B. The unpatched, unmanaged server with a customer-facing application represents an active attack surface that security cannot monitor or defend
C. The business unit violated procurement policy by deploying the server without approval
D. The end-of-life operating system may not support the web application’s latest features

Answer & reasoning

Correct: B

An unpatched server running an end-of-life OS with a customer-facing application is an immediate security risk. Because it is not in the CMDB, it is not included in vulnerability scanning, patching cycles, or security monitoring. The procurement policy violation (C) is a governance issue to address, but the active security exposure takes priority.


Question 8

A company is decommissioning SSDs from workstations that processed Confidential trade secret data. The SSDs will be sold through an electronics surplus dealer. The IT team plans to perform a full overwrite using a three-pass pattern.

Why is this approach problematic?

A. Three passes is excessive — a single pass is sufficient for SSDs
B. SSDs use wear-leveling that prevents overwriting from reaching all data cells, leaving recoverable data
C. The SSDs should be reformatted instead of overwritten for better performance
D. Confidential data does not require sanitization before surplus sale

Answer & reasoning

Correct: B

SSD wear-leveling algorithms distribute writes across memory cells to extend drive life. This means an overwrite command may not reach all physical cells, leaving residual data that could be recovered with specialized tools. For SSDs leaving organizational control, cryptographic erasure or the manufacturer’s ATA Secure Erase command should be used. Physical destruction is another option.


Question 9

A security manager reviews the organization’s data classification policy and finds that 60% of all data has been classified as “Internal Only” — the second-lowest tier. Only 5% is classified as Confidential, and 35% as Public. Regulatory audits have identified multiple instances of sensitive customer data stored at the “Internal Only” level.

What does this pattern indicate?

A. The classification scheme is working correctly — most organizational data is indeed internal
B. Under-classification is occurring, likely because owners are defaulting to a middle tier rather than properly evaluating sensitivity
C. The organization has too many classification tiers and should simplify to two levels
D. The security team should reclassify all data to eliminate the inconsistency

Answer & reasoning

Correct: B

When the majority of data clusters in a single tier and audits find sensitive data at too low a classification, the pattern indicates under-classification. Information owners are likely defaulting to a comfortable middle tier rather than performing genuine sensitivity assessments. The fix is owner training, clearer classification criteria, and periodic reviews — not eliminating tiers or having security reclassify everything (which would violate the principle that owners classify data).


Question 10

A BYOD-enrolled employee reports their personal tablet stolen. The tablet was used to access corporate email containing Confidential project information. The organization’s MDM solution shows the device has not connected to the network in 48 hours.

What should the organization do FIRST?

A. Wait for the device to come online and then initiate a remote wipe
B. Issue a remote wipe command immediately — it will execute when the device next connects
C. Disable the employee’s email account and revoke all corporate access tokens immediately
D. Contact law enforcement to recover the stolen device

Answer & reasoning

Correct: C

The immediate action is to prevent further access to corporate data. Disabling the account and revoking access tokens stops any new data from being accessed or synchronized, even before the remote wipe executes. The remote wipe (B) should also be queued, but it depends on the device coming online. Account revocation can happen instantly regardless of device status. Waiting (A) delays the response. Law enforcement (D) is appropriate but not the first security action.
