SC-730 Part 3b: Data Handling Lifecycle & Backups (25–30%, Part 2)

Part 3b: The Data Lifecycle and Disaster Recovery

Data doesn't stay in one place. It flows through your organization: collected, used, shared, stored, retained, then destroyed. Each stage has security requirements. Part 3b covers the full lifecycle plus backup and recovery strategies.

The Data Lifecycle: Six Critical Stages

Every piece of data follows a journey through your organization. Understanding each stage helps you protect data appropriately and comply with regulations like GDPR and CCPA. Below is a visual overview of the complete lifecycle:

[Figure: Data Lifecycle: Six Stages from Collection to Destruction. Panels: 1. Collection (gather only necessary data with consent; GDPR/CCPA, data minimisation, lawful basis), 2. Use (purpose-limited processing; least privilege, RBAC, audit logging, access reviews), 3. Transfer (encrypt in transit with TLS, verify recipients, HTTPS/VPN, data sharing agreements), 4. Storage (encrypt at rest with AES-256, BitLocker/LUKS, data centre access controls), 5. Retention (keep per legal requirements only as long as needed; tax 7 years, contracts 5 years, GDPR limits), 6. Destruction (securely delete when no longer needed; shred, wipe, certified deletion). Summary strip: Collect less, use carefully, encrypt in transit, protect at rest, enforce retention limits, delete securely.]
Complete data lifecycle from initial collection through certified secure destruction — each stage with its own security controls.

1. Data Collection

Collect only necessary data:

  • Necessity: "Do we need this data?" If not, don't collect it. Reduces risk and storage cost. Example: A website doesn't need customer SSN for checkout. Only collect it if legally required (e.g., tax documents).
  • Legitimacy: "Is collection legal?" Verify compliance with GDPR (EU), CCPA (California), local regulations. Get consent if required.
  • Consent: Users must opt-in (not out). Privacy policy must clearly explain what data is collected and why. Violation = fines.

2. Data Use

Use data only for stated purposes:

  • Purpose limitation: If collected for "checkout", don't use it for "marketing" without explicit permission. Scope creep violates privacy.
  • Least privilege: Only people who need data for their job access it. Finance doesn't need HR data. IT doesn't need customer secrets.
  • Classification and labeling: Mark data level. Treat Restricted data differently than Public.
  • Rights management: Control who can edit, view, copy, share.
  • Audit trails: Log who accesses data and when. Detect unauthorized access.

3. Data Transfer

Moving data between locations safely:

  • Encrypted channels: Use HTTPS (TLS), VPN, encrypted email, or secure file transfer. Never plaintext FTP or unencrypted email for sensitive data.
  • Verified recipients: Before sending, verify recipient email/identity. Verify phone number before calling with data. Confirm department before sending to internal email.
  • External agreements: If transferring to vendor/partner, have data processing agreement (DPA) in place. Defines how they handle data, security requirements, breach notification.
  • International compliance: If transferring data outside country (GDPR, local laws), verify legal basis. Some countries ban certain data transfers. Example: GDPR data to non-EU requires specific safeguards.

4. Data Storage

Protecting data at rest:

  • Encryption at rest: Hard drives encrypted (BitLocker, FileVault). Database encrypted (Transparent Data Encryption). Cloud storage encrypted.
  • Authorized locations: Store in approved data centers. Don't store customer data on personal cloud storage. Verify location compliance (data residency laws).
  • Access controls: Only authorized people access. Use RBAC, MFA, physical locks (if data center).
  • Backups: Multiple copies protect against corruption or deletion. Backups themselves must be encrypted and secured.
  • Physical security: Data centers have guards, cameras, access badges, environmental controls (temperature, humidity, fire suppression).

5. Data Retention

How long to keep data:

  • Legal requirements: Tax records (7 years), contracts (duration + 3-5 years), employment records (varies). Retention policies must reflect legal minimums.
  • Retention policies: Organizations define how long each data type is kept. Example: "Customer purchase history = 3 years after last purchase" then auto-deleted.
  • Scheduled reviews: Periodic audit. "Is this data still needed?" If not, delete.
  • GDPR compliance: GDPR requires data deletion upon request (Right to Be Forgotten). Must comply within 30 days. Retaining data longer than necessary is itself a violation, so the retention schedule and the erasure process have to work together.
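A scheduled retention review can be automated against a schedule like the one above. The following Python script is an added example, not part of the course material; it uses the page's retention periods and assumes, as a simplification labelled in the code, that tax and contract periods are legal minimums that an erasure request cannot shorten while purchase history is internal policy only:

```python
from dataclasses import dataclass
from datetime import date
# Retention schedule: (years to keep after the trigger event, legal minimum?).
# Periods follow the page's examples; which ones are legal minimums (and so cannot
# be shortened by an erasure request) is an assumption for this exercise.
SCHEDULE = {
    "tax_record":       (7, True),   # tax records: 7 years
    "contract":         (5, True),   # contracts: end date + 3-5 years (upper bound)
    "purchase_history": (3, False),  # "3 years after last purchase", internal policy
}

@dataclass
class Record:
    record_id: str
    data_type: str
    trigger_date: date               # filing date, contract end, last purchase, ...
    erasure_requested: bool = False  # subject asked for deletion (right to be forgotten)

def expiry_date(record: Record) -> date:
    """Last day the record may be kept under the schedule."""
    years, _ = SCHEDULE[record.data_type]
    try:
        return record.trigger_date.replace(year=record.trigger_date.year + years)
    except ValueError:  # 29 Feb trigger date and a non-leap target year
        return record.trigger_date.replace(year=record.trigger_date.year + years, day=28)

def must_delete(record: Record, today: date) -> bool:
    """Scheduled-review decision: True when the record must be deleted now."""
    if today > expiry_date(record):
        return True   # retaining past the schedule is itself a violation
    _, legal_minimum = SCHEDULE[record.data_type]
    # Honour an erasure request at once unless a legal retention duty still runs.
    return record.erasure_requested and not legal_minimum

def review(records, today: date):
    """Split records into (keep, delete) lists of record ids."""
    delete = [r.record_id for r in records if must_delete(r, today)]
    keep = [r.record_id for r in records if not must_delete(r, today)]
    return keep, delete
# Constructed sample inventory for a review run on 1 June 2024
TODAY = date(2024, 6, 1)
SAMPLE = [
    Record("tax-2016", "tax_record", date(2016, 4, 15)),                     # expired 2023-04-15
    Record("tax-2020", "tax_record", date(2020, 4, 15), erasure_requested=True),  # legal hold
    Record("cust-42-hist", "purchase_history", date(2022, 1, 10), erasure_requested=True),
    Record("cust-43-hist", "purchase_history", date(2022, 1, 10)),           # keep to 2025-01-10
    Record("contract-A", "contract", date(2018, 12, 31)),                    # expired 2023-12-31
]

if __name__ == "__main__":
    print(review(SAMPLE, TODAY))
```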

6. Data Destruction

Secure deletion when data is no longer needed:

  • Secure deletion tools: Files deleted normally are recoverable (the data remains on disk until overwritten). Secure deletion overwrites the disk sectors multiple times (DoD 5220.22-M standard), after which the data is unrecoverable. Overwriting is reliable only for magnetic disks; for SSDs, whose controllers remap sectors, use the drive's built-in secure-erase or crypto-erase (destroying the encryption key) instead.
  • Destruction services: For sensitive hardware (old servers, drives), hire certified destruction company. They physically destroy drives, verify destruction, provide certificate.
  • Hard drive shredding: Physical destruction. Drive physically pulverized. Can't recover data from shredded metal.
  • Device wiping: Remote wipe of lost phone/laptop. All data erased. Essential for lost devices containing sensitive data.
  • Verification: Document destruction. Who destroyed it? When? What method? Proof for audits and compliance.

Key principle: Data has a lifecycle. Manage each stage appropriately. Collect what's necessary, use with restrictions, transfer safely, store securely, retain per law, destroy completely.

Backup Strategy: The 3-2-1 Rule

Understanding the 3-2-1 Backup Rule

The 3-2-1 rule is the gold standard for backup strategy. It ensures you can recover from ANY single failure—whether that's hardware failure, data corruption, ransomware, or physical disaster. Let's break down the rule and see a practical example:

[Figure: 3-2-1 Backup Rule: Three Copies, Two Media Types, One Offsite. Panels: Copy 1, Original (work laptop/desktop, primary working data used daily; media: internal SSD/HDD); Copy 2, Local Backup (external hard drive kept at home or office, disconnected when not in use; media: external HDD/USB drive); Copy 3, Offsite Backup (cloud storage in a different datacenter/region, survives physical disasters; media: cloud or tape offsite). Side notes: 3 copies means one or even two can fail without loss; 2 media types means HDD failure and cloud outage have different failure modes; 1 offsite copy survives fire, flood or ransomware on network drives. Scenario panel: laptop stolen with the external drive in the same bag; without 3-2-1 both copies are lost, with 3-2-1 the cloud copy (Copy 3) survives and restore takes hours, not weeks.]
3-2-1 rule: Three copies across two media types with one offsite copy — every element protects against a different failure mode.

Why this rule works: If any one component fails, you still have two other copies on different media. The offsite copy protects against physical disasters. Organizations that suffer permanent data loss have almost always failed to follow this rule.

Backup Best Practices

  • Automated backups: Manual backups are unreliable. User forgets, is busy, travels. Automated (daily) ensures consistency.
  • Regular backups: Frequency = RPO (Recovery Point Objective). If you can afford to lose 1 day's work, daily backup sufficient. If you can't, hourly backup needed.
  • Test restorations: Regular backups are useless if they can't be restored. Monthly, try restoring a file or full system from backup. Verify it works.
  • Encrypt backups: Backup contains your data. Encrypt it with strong key. Stolen backup = useless.
  • Offline copies: At least one backup kept offline (not connected to network). Ransomware can't encrypt offline backups. Once per month, disconnect drive.
  • Retention policies: Keep backups long enough to detect corruption (30-90 days). Delete old backups to save space. If you keep every backup forever, storage becomes prohibitively expensive.

Scenario: Your laptop hard drive fails. What saves you? Answer: Regular backups on external drive and cloud. You can restore from backup immediately. No data lost.
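A backup inventory can be checked against the 3-2-1 rule and the best practices above mechanically. This Python checker is an added example, not part of the course; the inventory of a laptop, an external drive and a cloud copy is constructed to match the figure, and the finding codes are names chosen for this example:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class BackupCopy:
    name: str
    media: str             # "internal_ssd", "external_hdd", "cloud", "tape", ...
    offsite: bool          # kept in a different physical location than the primary
    online: bool           # reachable over the network, so ransomware can reach it
    encrypted: bool
    last_success: datetime # when this copy was last written successfully
    primary: bool = False  # the working copy itself counts as copy 1

DAILY_RPO = timedelta(days=1)   # "can afford to lose 1 day's work"

def check_backup_plan(copies, now, rpo=DAILY_RPO):
    """Return finding codes; an empty list means the plan passes 3-2-1
    plus the offline, encryption and freshness (RPO) best practices."""
    findings = []
    if len(copies) < 3:
        findings.append("TOO_FEW_COPIES")
    if len({c.media for c in copies}) < 2:
        findings.append("SINGLE_MEDIA_TYPE")
    if not any(c.offsite for c in copies):
        findings.append("NO_OFFSITE_COPY")
    if not any(not c.online for c in copies if not c.primary):
        findings.append("NO_OFFLINE_COPY")
    for c in copies:
        if not c.encrypted:
            findings.append(f"UNENCRYPTED:{c.name}")
        if not c.primary and now - c.last_success > rpo:
            findings.append(f"STALE:{c.name}")   # older than the RPO allows
    return findings

# Constructed inventory matching the figure: laptop, external drive, cloud copy
NOW = datetime(2024, 6, 1, 9, 0)
GOOD_PLAN = [
    BackupCopy("laptop", "internal_ssd", False, True, True, NOW, primary=True),
    BackupCopy("external-hdd", "external_hdd", False, False, True, NOW - timedelta(hours=20)),
    BackupCopy("cloud", "cloud", True, True, True, NOW - timedelta(hours=2)),
]
# Constructed counterexample: the primary plus an unencrypted NAS in the same office
BAD_PLAN = [
    BackupCopy("laptop", "internal_ssd", False, True, True, NOW, primary=True),
    BackupCopy("office-nas", "nas", False, True, False, NOW - timedelta(days=3)),
]
if __name__ == "__main__":
    for label, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(label, check_backup_plan(plan, NOW) or "PASS")
```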

Recovery Procedures: How to Recover from Disasters

Common Disaster Scenarios and Recovery Steps

Lost or Stolen Device

  1. Immediate: Report to IT and manager. Don't delay.
  2. Device tracking: Attempt to locate via Find My (Apple) or Windows Laptop Locator.
  3. Remote wipe: If device found unrecoverable or contains sensitive data, wipe remotely. All data erased, device unusable.
  4. Account security: Change all passwords. Attacker might have accessed them.
  5. Restore from backup: Get replacement device, restore from backup. Data recovered, back to work.

Malware or System Compromise

  1. Disconnect from network: Unplug ethernet, disable Wi-Fi. Prevent malware spreading.
  2. Notify IT: IT will decide: try to remove malware vs. wipe and restore.
  3. Recovery: If wipe needed, boot from clean media, restore from pre-malware backup. Malware gone.
  4. Investigation: IT forensics team examines malware. Where did it come from? What damage did it cause?

Accidental Data Deletion

  1. Stop using device immediately: Deleted files aren't erased from disk immediately. Continuing use might overwrite deleted data.
  2. Restore from backup: Most recent backup before deletion has your data. Restore to original or new location.
  3. Lesson: This is why backups matter. Without backups, deleted data is permanently lost.

Ransomware Attack

  1. Disconnect immediately: Ransomware encrypts files and spreads to other devices on network. Disconnect to contain.
  2. Do NOT pay ransom: Paying enables criminals, doesn't guarantee recovery, funds future attacks.
  3. Restore from backup: Wipe device, restore from pre-ransomware backup. Files recovered unencrypted.
  4. Credential reset: Ransomware likely captured passwords. Change all credentials immediately.

Critical: Offline backups are essential for ransomware defense. If all backups are on network-connected storage, ransomware can encrypt them too. Keep one backup completely offline.

Key Takeaways from Part 3b

Data has a lifecycle: collect, use, transfer, store, retain, destroy. Manage each stage securely.

3-2-1 rule: 3 copies, 2 media types, 1 offsite. This protects against ANY single failure.

Automated, regular backups are essential. Test restores monthly to ensure they work.

For ransomware defense: offline backups are critical. Ensure at least one backup is disconnected from network.

Ready for Part 4?

You've learned to protect and recover. Part 4 covers the final domain: recognizing when something IS wrong and how to report security incidents.

Continue to Part 4: Incident Response & Reporting