Domain 2: Asset Security Review — 19 of 84

Domain 2 – Section B Review: Data Lifecycle and Controls

CISSP Domain 2 (Asset Security), Section B: Data Lifecycle and Controls Review (10 Questions)

This section integrates:

  • Data Lifecycle Management (creation, classification, storage, use, sharing, archival, destruction)
  • Asset Retention Policies, Legal Holds, and Records Management
  • Data Security Controls (encryption, masking, tokenization, DLP)
  • Data States (at rest, in transit, in use)
  • Compliance Requirements (GDPR, PCI DSS, HIPAA) and Data Sovereignty

Section B questions connect lifecycle governance to operational controls. Knowing a retention policy exists is not enough — the exam tests whether the right controls are applied at the right stage, in the right jurisdiction, under the right regulatory framework.


1. Controls Must Follow the Data

Data does not stay in one place. It moves between systems, crosses network boundaries, gets cached by applications, and lands in backup archives. A control applied at the point of creation means nothing if the data escapes protection as it moves through its lifecycle.

When a scenario describes a data exposure, trace the lifecycle:

  • Where was the data when it was exposed?
  • What state was it in — at rest, in transit, or in use?
  • Did the control applied at one stage fail to cover the stage where the breach occurred?

2. Retention and Destruction Are Active Governance

Retention is not passive storage. It requires active decisions: what to keep, for how long, under what authority, and when to destroy. Legal holds override schedules. Jurisdictional conflicts require legal analysis. Destruction must be verified across all copies, including backups.

  • Is the retention period driven by regulation, legal obligation, or business need?
  • Has a legal hold been issued that supersedes the schedule?
  • Can destruction be verified with a certificate covering all copies?

3. Compliance Is a Matching Problem

Each regulatory framework imposes specific requirements on specific data types. GDPR governs personal data of individuals in the EU/EEA and of processing carried out by organizations established there. PCI DSS governs cardholder data and sensitive authentication data. HIPAA governs protected health information. Applying the wrong framework to a scenario, or assuming one framework covers all data types, is a common exam trap.

  • What type of data is in the scenario?
  • Which regulatory framework applies?
  • Does the control satisfy that framework's specific requirement?

Section B Decision Pattern

When facing a Domain 2 Section B question:

  1. Identify the data state — is the data at rest, in transit, or in use?
  2. Check the lifecycle stage — is the data being created, stored, shared, archived, or destroyed?
  3. Match the control to the state and stage — does the proposed control actually protect the data in its current condition?
  4. Verify regulatory alignment — does the control satisfy the applicable framework (GDPR, PCI DSS, HIPAA)?
  5. Confirm retention governance — is the data being kept for the right duration, and is destruction verified?

Section B – Practice Questions


Question 1

An organization discovers that its DLP system is generating thousands of alerts daily, most of which are false positives. The security team has disabled several DLP rules to reduce alert fatigue. Sensitive data has since been detected on an unauthorized cloud storage service.

What is the ROOT cause of the data leakage?

A. The organization lacks a data classification program, so the DLP system cannot accurately distinguish sensitive from non-sensitive data
B. The DLP product is defective and should be replaced with a newer version
C. DLP technology is ineffective against cloud storage services
D. The security team should not have access to modify DLP rules

Answer & reasoning

Correct: A

DLP systems depend on accurate data classification to identify sensitive data. Without a classification program, DLP rules rely on content pattern matching alone (regular expressions for card numbers, national ID numbers and similar), which fires on tracking numbers, invoice references and any other string that happens to fit the shape, and which misses sensitive data that has no recognizable pattern at all. When the team disables rules to manage alert volume, it treats the symptom: true positives slip through along with the noise. The root cause is the missing classification program, not the DLP product itself.
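The following is an added illustration, not code from the original page or from any DLP product, of why pattern matching alone behaves the way the answer describes. It runs three hypothetical rule variants over a handful of constructed sample documents: a bare regex rule, the same regex plus checksum and structure validation (Luhn for card numbers, the SSA's never-issued ranges for SSNs), and a rule that consults a classification label first. The document names, labels, and texts are made up for the example; the test card numbers are the publicly known Visa test values.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# --- Constructed sample documents (hypothetical; not from any real system) ---
@dataclass
class Document:
    name: str
    text: str
    label: Optional[str]    # classification label, or None if never classified
    truly_sensitive: bool   # ground truth, used only to score the rules

DOCS: List[Document] = [
    Document("refund.txt", "Refund to card 4111111111111111 approved", "Confidential", True),
    Document("shipment.txt", "Parcel tracking 1234567890123456 left the depot", "Public", False),
    Document("invoice.txt", "Batch reference 000-12-3456 posted", None, False),
    Document("hr-note.txt", "Employee SSN 512-34-5678 on file", None, True),
    Document("ticket.txt", "Order ref 4012888888881881 confirmed", None, True),
    Document("m-and-a.txt", "Shortlist for the acquisition: Acme Widgets, Globex", "Restricted", True),
]

# Raw patterns: a 13-16 digit run, and NNN-NN-NNNN. The lookarounds stop a
# longer digit run from matching on one of its 16-digit suffixes.
PAN_RE = re.compile(r"(?<!\d)\d{13,16}(?!\d)")
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by card brands; tracking numbers usually fail it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def ssn_ok(area: str, group: str, serial: str) -> bool:
    """SSA structural rules: area 000/666/900-999, group 00 and serial 0000 are never issued."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"

Rule = Callable[[Document], bool]

def pattern_only(doc: Document) -> bool:
    """Regex alone: what DLP falls back to when nothing tells it what the data is."""
    return bool(PAN_RE.search(doc.text) or SSN_RE.search(doc.text))

def validated(doc: Document) -> bool:
    """Regex plus checksum/structure validation: fewer false positives, same blind spots."""
    if any(luhn_ok(m.group(0)) for m in PAN_RE.finditer(doc.text)):
        return True
    return any(ssn_ok(*m.groups()) for m in SSN_RE.finditer(doc.text))

def label_aware(doc: Document) -> bool:
    """Classification label decides first; content validation covers unlabeled data."""
    if doc.label in ("Confidential", "Restricted"):
        return True
    return validated(doc)

def score(rule: Rule, docs: List[Document] = DOCS) -> Dict[str, int]:
    """Count true positives, false positives and false negatives for one rule."""
    counts = {"tp": 0, "fp": 0, "fn": 0}
    for doc in docs:
        alert = rule(doc)
        if alert and doc.truly_sensitive:
            counts["tp"] += 1
        elif alert:
            counts["fp"] += 1
        elif doc.truly_sensitive:
            counts["fn"] += 1
    return counts

if __name__ == "__main__":
    for rule in (pattern_only, validated, label_aware):
        print(f"{rule.__name__:13s} {score(rule)}")
```

On this sample set the bare regex rule raises two false positives (a tracking number and an invoice reference shaped like an SSN) and still misses the acquisition shortlist, which carries no pattern at all. Validation removes the false positives but not the miss; only the label catches it. That is the gap the answer points at: labels are the signal the DLP engine needs, and validation tuning cannot substitute for them.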


Question 2

A financial institution receives a subpoena related to a fraud investigation. The records management team checks the retention schedule and confirms that the relevant transaction records were destroyed six months ago, in compliance with the three-year retention policy. No legal hold was in place at the time of destruction.

What is the organization’s position?

A. The organization is liable for spoliation of evidence because it destroyed potentially relevant data
B. The retention policy should be revised to prevent future subpoena conflicts
C. The organization should have retained all financial records indefinitely
D. The organization followed its documented retention schedule and destroyed records in the ordinary course of business before litigation was anticipated

Answer & reasoning

Correct: D

Data destroyed in the ordinary course of business under a documented retention schedule, before litigation was reasonably anticipated and without a legal hold, is generally defensible. The duty to preserve attaches when litigation is reasonably anticipated, which can be earlier than the subpoena itself; spoliation requires that the organization knew or should have known at the time of destruction that the records would be needed. Following a consistent, documented schedule, with destruction records to prove it, is the best defense against spoliation claims.


Question 3

A healthcare organization’s business associate stores ePHI in a cloud database. During a contract review, the security team discovers that the business associate has not signed a Business Associate Agreement (BAA).

What is the MOST significant risk?

A. The cloud database may not meet performance requirements
B. The organization is in violation of HIPAA because PHI is being handled by a third party without a BAA defining security obligations and breach responsibilities
C. The business associate may charge higher fees without a formal agreement
D. The cloud database may not support encryption

Answer & reasoning

Correct: B

HIPAA requires covered entities to execute a Business Associate Agreement with any third party that creates, receives, maintains, or transmits PHI on their behalf. Without a BAA, the covered entity is in violation regardless of whether the business associate is actually protecting the data. The BAA defines security obligations, permitted uses and disclosures, and breach notification responsibilities. Since the 2013 Omnibus Rule business associates are also directly liable under HIPAA, but that does not relieve the covered entity of the obligation to have the agreement in place.


Question 4

A multinational corporation stores customer data in a cloud environment with automatic replication across three regions: US East, EU West, and Asia Pacific. A new data localization law in one of the Asian countries requires all citizen data to remain within national borders.

What should the organization do FIRST?

A. Disable all cloud replication to prevent cross-border data movement
B. Encrypt the data before replication to satisfy the localization requirement
C. Identify which data is subject to the localization law and configure cloud replication rules to restrict that data to the required jurisdiction
D. Move all data to the Asian data center to ensure compliance

Answer & reasoning

Correct: C

Data localization requires that specific data categories remain within specific borders. The first step is identifying which data is subject to the new law, then configuring the cloud environment to enforce geographic restrictions for that data. Disabling all replication (A) disrupts availability for data not subject to the law. Encryption (B) does not satisfy localization requirements — the data physically resides outside the jurisdiction regardless of encryption. Moving all data (D) is disproportionate and may conflict with other jurisdictions.


Question 5

During a data lifecycle review, the security team finds that an archived database containing employee Social Security numbers has been stored on an unencrypted network share for four years. The data is past its retention period by two years, and no legal hold applies.

What is the correct sequence of actions?

A. Encrypt the data, then extend the retention period to account for the oversight
B. Delete the files from the network share and document the deletion
C. Restrict access to the share immediately, verify no legal hold applies, destroy the data following proper procedures, and issue a certificate of destruction
D. Leave the data in place and report the finding to the data owner for future consideration

Answer & reasoning

Correct: C

The data is past its retention period and unprotected. The immediate action is restricting access to stop ongoing exposure. Then verify no legal hold supersedes the schedule, destroy the data using a sanitization method appropriate to the sensitivity (SSNs are highly sensitive; NIST SP 800-88 distinguishes clear, purge, and destroy), cover every copy including backups, and document the destruction. Simply deleting files (B) may not prevent recovery and lacks documentation. Extending retention (A) keeps unnecessary liability. Leaving it in place (D) perpetuates the exposure.


Question 6

A retail company implements tokenization for credit card data across its e-commerce platform. The token vault is maintained by a third-party payment service provider. During a PCI DSS audit, the assessor asks about the security of the token vault.

Who is responsible for the token vault’s PCI DSS compliance?

A. Only the retail company, since it is the merchant of record
B. Only the third-party payment service provider, since it hosts the vault
C. Both parties share responsibility — the service provider for vault security and the merchant for ensuring the provider meets PCI DSS requirements through contractual and monitoring controls
D. Neither party, since tokenized data is not subject to PCI DSS

Answer & reasoning

Correct: C

PCI DSS compliance is a shared responsibility. The service provider must maintain the token vault to PCI DSS standards, but the merchant cannot simply outsource accountability. PCI DSS Requirement 12.8 expects the merchant to manage its third-party service providers: a written agreement acknowledging the provider's responsibility for the cardholder data it handles, due diligence before engagement, and ongoing monitoring of the provider's compliance status (for example through its Attestation of Compliance). Systems that store only tokens and cannot retrieve the PAN may be removed from scope, but the vault, and any component that can detokenize, remains in scope for whoever operates it.
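To make the scope boundary in that answer concrete, here is an added example, not from the original page and not any real payment provider's code, of a random-token vault next to a merchant order store. The names TokenVault and MerchantOrders are hypothetical, as is the sample order data. Tokens keep the real last four digits for receipts; the rest is random, so nothing in the merchant's records can be turned back into a PAN without the vault, which is why the vault (and any component allowed to call detokenize) stays in PCI DSS scope while the order store does not.

```python
import secrets
from typing import Dict, List


class TokenVault:
    """Provider-side vault (hypothetical): the only component that ever holds a PAN."""

    def __init__(self) -> None:
        self._token_to_pan: Dict[str, str] = {}
        self._pan_to_token: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        """Return a stable token for a PAN, minting one on first sight."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("PAN must be 13-19 digits")
        if pan in self._pan_to_token:          # same PAN always maps to the same token
            return self._pan_to_token[pan]
        while True:
            # Random digits plus the real last four. The token is not a hash or
            # encryption of the PAN, so it cannot be reversed or brute-forced
            # offline; it only means something to this vault.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token != pan and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Look a token back up. Raises KeyError for tokens this vault never issued."""
        return self._token_to_pan[token]


class MerchantOrders:
    """Merchant-side store (hypothetical): holds tokens only, never the PAN."""

    def __init__(self, vault: TokenVault) -> None:
        self._vault = vault
        self.orders: List[Dict[str, object]] = []

    def record_order(self, order_id: str, pan: str, amount: float) -> str:
        # The PAN is passed straight through to the vault and is not retained.
        token = self._vault.tokenize(pan)
        self.orders.append({
            "order_id": order_id,
            "card_token": token,
            "last4": token[-4:],   # same last four as the card, safe to show on receipts
            "amount": amount,
        })
        return token

    def contains_pan(self, pan: str) -> bool:
        """Scope check: does any stored field contain the PAN?"""
        return any(pan in str(value) for order in self.orders for value in order.values())


if __name__ == "__main__":
    vault = TokenVault()
    merchant = MerchantOrders(vault)
    tok = merchant.record_order("A1", "4111111111111111", 19.99)   # constructed sample order
    print("merchant stores:", merchant.orders[0])
    print("merchant holds PAN?", merchant.contains_pan("4111111111111111"))
    print("vault resolves token:", vault.detokenize(tok))
```

A real provider would persist the vault encrypted with HSM-managed keys and authenticate every detokenize call; the point of the example is the data flow, not the storage. The assessor's question in the scenario lands on the vault precisely because it is the one place in this picture where the mapping exists.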


Question 7

An organization’s data lifecycle policy states that all data must be classified at creation. A security audit reveals that 40% of data stored in the organization’s collaboration platform has no classification label. The platform does not enforce classification before saving documents.

What governance gap does this reveal?

A. The collaboration platform should be replaced with one that supports classification
B. Users need additional training on classification procedures
C. The security audit methodology is flawed and over-counting unclassified data
D. The policy exists but lacks a technical enforcement mechanism, allowing users to bypass the classification requirement

Answer & reasoning

Correct: D

A policy without a technical enforcement mechanism is aspirational. If the platform allows documents to be saved without a classification label, users will skip the step. The governance gap is between policy intent and operational enforcement. The fix is implementing mandatory classification at the point of creation — either through the platform's configuration or an add-on control. Training alone (B) will not close the gap if the system permits non-compliance.


Question 8

A European subsidiary of a US-based corporation receives a data subject access request under GDPR from a former employee. The former employee wants a copy of all personal data the organization holds about them. The US headquarters instructs the subsidiary to deny the request because the employee’s data is stored on US servers.

Is the denial appropriate?

A. No — GDPR applies based on the data subject’s status, not where the data is stored, and the organization must comply regardless of server location
B. Yes — data stored in the US is subject to US law, not GDPR
C. Yes — former employees forfeit their data subject rights upon separation
D. No — but only if the data was originally collected in the EU

Answer & reasoning

Correct: A

GDPR applies to processing carried out in the context of an establishment in the EU, such as the European subsidiary here, regardless of where the data is physically stored or where the parent company is headquartered (Article 3). The data subject's rights follow the data, not the server location, and former employees retain those rights after separation. The organization must fulfill the access request without undue delay and within one month, extendable by a further two months for complex requests, and the US headquarters cannot instruct the subsidiary to ignore it.


Question 9

A security manager is designing controls for a new data warehouse that will consolidate data from multiple business units. The warehouse will contain financial records (subject to SOX), customer payment data (subject to PCI DSS), and employee health plan data (subject to HIPAA).

What is the MOST important design consideration?

A. Implement data segregation so that each data type can be governed by its applicable regulatory framework with appropriate controls
B. Apply PCI DSS controls uniformly since they are the most prescriptive framework
C. Encrypt all data with the same key to simplify key management
D. Store all data in a single encrypted table to reduce storage costs

Answer & reasoning

Correct: A

When a system contains data subject to multiple regulatory frameworks, the data must be segregated so that appropriate controls can be applied to each type. Applying one framework uniformly (B) may under-protect some data and over-burden systems handling less sensitive data. A shared encryption key (C) creates a single point of failure across all regulatory scopes. Segregation allows targeted controls, scoped audits, and framework-specific retention and access policies.


Question 10

An organization is migrating from on-premises storage to a cloud provider. The migration plan includes transferring seven years of archived data. The security team discovers that some archived data is past its retention period but was never destroyed because the automated destruction process failed silently two years ago.

What should the organization do before proceeding with the migration?

A. Migrate all data to the cloud first, then clean up retention violations in the new environment
B. Verify legal hold status, destroy all data past its retention period with proper documentation, then migrate only data that has a valid retention basis
C. Extend the retention period for all archived data to avoid destroying anything during a migration
D. Transfer the automated destruction process to the cloud provider and let them handle it

Answer & reasoning

Correct: B

Migrating data past its retention period transfers liability to a new environment and increases the organization's data footprint unnecessarily. The correct approach is to verify no legal holds apply, destroy expired data with proper documentation, and then migrate only data with a valid retention basis. This reduces migration scope, cost, and compliance risk. Extending retention (C) keeps unnecessary data and liability. Delegating destruction to the cloud provider (D) does not absolve the organization of its governance obligations.
