cdpse-d3-data-persistence-data-storage

Data Storage

isaca-cdpse · framework · Gold standard

Drawn fromCDPSE Review Manual · ISACA peer-reviewed case sets·Reviewed May 5, 2026

How this was built ▾

Every cubelet runs through five agent passes before publishing. Each stage's output is recorded so we can trace how a claim got here.

01 · RESEARCHSource synthesisClaude Haiku
02 · WRITERSix-face draftingClaude Sonnet
03 · EDITORCoherence + clarity passClaude Sonnet
04 · QAQuality gate scoringClaude Opus
05 · PUBLISHERCatalog + graph commitClaude Haiku

This runcourse-factory-pipeline-v1

1

Face 1 of 6 · WHAT

What is Data Storage

Data Storage is the deliberate selection, configuration, and governance of physical and logical mechanisms used to persist data across its lifecycle — from creation through archival and deletion. Within the ISACA CDPSE framework, data storage is a governance and risk responsibility, not merely an infrastructure function. It determines where data physically or logically resides, how it is protected, how long it is retained, and how quickly it can be recovered. Storage encompasses three fundamental types: block storage (raw volumes for high-IOPS workloads such as databases), file storage (shared network filesystems), and object storage (cloud-native, massively scalable blobs such as AWS S3 or Azure Blob). These types are deployed across on-premise, cloud, hybrid, and edge environments. Storage decisions encode organizational risk tolerance, regulatory compliance posture, and cost strategy directly into the data layer.

Where it stops · what it isn't

—IS: Selection of storage type (block/file/object) and deployment model (on-premise/cloud/hybrid/edge) matched to workload, regulatory, and recovery requirements.
—IS: Security controls at the storage layer — encryption at rest, access control (IAM, ACLs), audit logging, and immutability (WORM) configuration.
—IS: Data residency and sovereignty enforcement — ensuring data is physically stored in jurisdictions permitted by applicable regulations (GDPR, HIPAA, China PIPL).
—IS: Storage tiering strategy (hot/warm/cold/archive), automated retention lifecycle, and deletion governance.
—IS: Disaster recovery alignment — replication configuration and backup architecture designed to meet defined RTO/RPO targets.
—IS NOT: Application-layer database design, schema modeling, or query optimization — those belong to data management and data architecture competencies.
—IS NOT: Network transport protocols or infrastructure provisioning beyond storage connectivity requirements.
—IS NOT: Deep storage hardware engineering (RAID configuration, storage controller tuning) — CDPSE scope is governance and decision-making, not infrastructure operations.
—IS NOT: Data classification itself — classification drives storage decisions but is a distinct upstream competency in the CDPSE Data Lifecycle domain.

Connected concepts in the graph

Every cubelet sits in a knowledge graph. Here's what this one connects to.

PART OF

Data Lifecycle Management (CDPSE Domain 3: Data Persistence)

REQUIRES

Data Classification — determines which controls apply to which data and where it may resideEncryption Key Management — encryption at rest requires corresponding key lifecycle governance

ENABLES

Data Retention — storage architecture must support configured retention policies and automated deletionDisaster Recovery and Business Continuity — storage redundancy, replication, and backup design determine whether RTO/RPO targets are achievable

RELATED TO

Data Backup and Recovery (adjacent CDPSE competency in the Data Persistence domain)

CONSTRAINS

Data Residency and Sovereignty Compliance — storage location decisions directly constrain legal transfer and jurisdiction requirements

Practice this judgment ↗

Adaptive, ~8 min

Sit in the practitioner's chair ↗

Live simulator

06 · APPLYSign up to enter the judgment simulator →

Watch your judgment grow on this concept

Create a free account to unlock all 6 faces, the judgment simulator, and a mastery score that updates with every attempt.