LAB 3.3-A · Tier 1: In-Browser · Obj 3.3 · intermediate · ~15 min

Data Classification & Lifecycle

Classify data assets for two different organizations, select appropriate protections for each data state (at rest, in transit, in use), and make lifecycle decisions about retention, destruction, and regulatory deletion requests.

What You’ll Practice

  • Assigning classification levels (Public, Internal, Confidential, Restricted) based on data sensitivity and regulatory requirements
  • Selecting appropriate cryptographic and access controls for data at rest, in transit, and in use
  • Making lifecycle decisions: retention periods, destruction methods, and GDPR/CCPA deletion workflows
  • Applying different classification frameworks across industries (PCI/consumer vs. CUI/classified)

How the Exam Tests This

Objective 3.3 covers data protection techniques across all three states — at rest, in transit, and in use. CompTIA expects you to match encryption methods and access controls to data sensitivity levels, understand when tokenization beats encryption, know the difference between crypto-shredding and physical destruction, and handle regulatory deletion requests without breaking audit trail requirements. Expect scenario questions that combine classification, protection selection, and lifecycle decisions.

Scoring

Each scenario is scored across three sections: classification accuracy (correct sensitivity level per asset), protection selection (appropriate controls for each data state), and lifecycle decisions (correct handling of retention/destruction/deletion scenarios). The sections are weighted equally. The final percentage reflects combined performance across both organizational scenarios.

MISSION

Classify data, protect it across all three states, and make the right call when it is time to destroy it.

You will work through two organizational scenarios. For each, you classify data assets, select protections for the most sensitive items, and handle lifecycle decisions including regulatory deletion requests and media destruction.

SCENARIOS

  • E-Commerce: NovaMart Online (PCI DSS / CCPA)
  • Government Contractor: Meridian Defense Systems (NIST 800-171 / CMMC / ITAR)

HOW IT WORKS

Phase A — Classify: Assign a classification level to each data asset based on sensitivity and regulatory requirements.

Phase B — Protect: For the four most sensitive assets, select controls for data at rest, in transit, and in use.

Phase C — Lifecycle: Handle retention, destruction, and deletion scenarios.

2 scenarios · 3 phases each · ~15 minutes