And when we come to actually dispose of data, we want to achieve legally defensible destruction: something that we could stand up in a court of law and say we did the right thing, and again it needs to be compliant with regulation. It has to be compliant with regulation, and tacit in that is that we understand what that regulation is. We're going to follow standards, but which standards? Do we know what is required? Understanding compliance, then, is very important for organizations. When we delete records, it is possible to recover them, so we need to think about that legally defensible approach: some sort of overwriting, some sort of erasure, as opposed to just deletion. When we delete a file, what most file formats do is the equivalent of deleting its entry in a table of contents. They're saying this file is no longer here, but if you read the disk itself, the contents, or most of the contents, are still there. And depending on how that disk is used moving forward, the item you've deleted could be there for some period of time or could never be deleted.

So, ways in which we can improve our approach to disposition of data: for logical data, for data that is stored in computer-based systems, we need to understand that deleting is not enough. Deleting and emptying your recycle bin is not enough. We need to overwrite, and you get secure disk erasure tools. If our disk is encrypted anyway, that might help prevent accidental disclosure if a machine is resold. If the disk is encrypted by default, we have a form of crypto-erasure, where this can be encrypted and the keys are not disclosed to anybody; effectively, the data becomes inaccessible. Alongside that we have the idea of physical destruction. We can physically shred hard disk drives and solid state disks, and the same is true of our paper records. We need to be careful, ensuring that any physical destruction is actually appropriate.
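To make the "table of contents" point concrete, here is an added illustration that is not part of the lecture: a toy block device with a separate allocation table. An ordinary delete only drops the table entry, so a raw read of the device still finds the record; an overwrite-before-release actually removes it. The class, the block layout and the sample record are all constructed for this demo.

```python
"""Added illustration (not from the lecture): a toy block device with an
allocation table, showing why 'delete' leaves content on disk and what
overwriting changes. The layout and sample data are constructed."""
import os

BLOCK_SIZE = 16
NUM_BLOCKS = 8


class ToyDisk:
    """Raw storage plus a 'table of contents' mapping names to block numbers."""

    def __init__(self):
        self.raw = bytearray(BLOCK_SIZE * NUM_BLOCKS)   # the platter / flash cells
        self.table = {}                                 # filename -> [block ids]
        self.free = list(range(NUM_BLOCKS))

    def _span(self, block):
        return slice(block * BLOCK_SIZE, (block + 1) * BLOCK_SIZE)

    def write(self, name, data):
        blocks = []
        for off in range(0, len(data), BLOCK_SIZE):
            b = self.free.pop(0)
            self.raw[self._span(b)] = data[off:off + BLOCK_SIZE].ljust(BLOCK_SIZE, b"\0")
            blocks.append(b)
        self.table[name] = blocks

    def delete(self, name):
        """Ordinary delete: drop the table entry, mark blocks free, touch no data."""
        self.free.extend(self.table.pop(name))

    def secure_delete(self, name, passes=1):
        """Overwrite every block the file occupied, then release it as usual."""
        for b in self.table[name]:
            for _ in range(passes):
                self.raw[self._span(b)] = os.urandom(BLOCK_SIZE)
            self.raw[self._span(b)] = bytes(BLOCK_SIZE)   # final deterministic pass
        self.delete(name)

    def raw_contains(self, needle):
        """What a forensic read of the raw device finds, ignoring the table."""
        return needle in bytes(self.raw)


def demo(secure):
    """Write a constructed record, remove it one of two ways, report what remains."""
    disk = ToyDisk()
    record = b"ACCOUNT 4411-2207 BALANCE 950 GBP"   # constructed sample data
    disk.write("ledger.txt", record)
    if secure:
        disk.secure_delete("ledger.txt")
    else:
        disk.delete("ledger.txt")
    return {"in_table": "ledger.txt" in disk.table,
            "recoverable": disk.raw_contains(b"4411-2207")}


if __name__ == "__main__":
    print("plain delete  :", demo(secure=False))   # gone from table, still on disk
    print("secure delete :", demo(secure=True))    # gone from table and from disk
```

The toy maps blocks one-to-one onto storage, which is roughly how a magnetic disk behaves. On flash media the controller remaps writes for wear levelling, so an overwrite issued through the file system may land on different cells and leave the old ones intact; that is why the lecture pairs overwriting with crypto-erasure (destroying the key) and physical destruction rather than relying on overwriting alone.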
Is it actually destroying the data? What you see in the image there is a straight-cut shredder. There are numerous examples of people being able to recombine documents; it's not a high-security way of deleting data or destroying data. Whatever we do, whatever our approaches, again it needs to be formal. We need internal standards, things we must do, policies and procedures, and again, where we have that kind of directive set of controls, we need training to support them. What we're looking for is a level of assurance, the level of confidence that we have done the right thing, that we could stand up and say: actually, we did the right thing. We destroyed this data. We took the following steps. This is a kind of control activity. Again, this is risk based, therefore we're seeking a level of confidence in what we've done, a level of assurance.

And just a reminder of the importance of logging. Again, understanding what you want or need to log and monitor is really important. There may be contractual or legal requirements. There are things you have to do, and it's important for us to make a decision, not to rely on defaults or on what a technician establishes. For example, with Windows client devices, the logging system is based on size and it has a default. So depending on how often those machines are used, the log availability will vary: if a machine is used a lot and performs lots of logins, logon/logoff events, shutdowns and restarts, the logs will be overwritten much more quickly than on a machine that is used infrequently. So here we have a specification of log retention based on size rather than duration. It's important that the decision is made. And think about these kinds of logs being used as part of forensic investigations internally, but also to support a defense: we did this thing, we actually undertook this activity.
Logs are a way in which we can help prove that. We want to make sure that our logs are trustworthy, that they are available at the right time in the right way. So we want to make sure that the confidentiality, integrity and availability is managed to that specification, and we can think about this logging also in terms of some of our other controls, things like CCTV. How long do we keep CCTV records for? Is it just that the system came with a default retention schedule, or came with a certain amount of storage, and we use that? Again, that's not an ideal situation. We want to specify a requirement and then check that any system we acquire or build meets or exceeds it.

There's a benefit from centralizing our log storage. It enables us to aggregate, to protect more easily, to normalize, to standardize, which enables better reporting. And also we can start to correlate events between different logs. We can start to look at, for example, firewall logs and user login information; by correlating those two things, we might be able to see external attacks in a broader context: there's unusual firewall activity and also a series of unsuccessful logins. And this is a very natural step towards monitoring. Logs are made consequential only with their review. If we never check our logs, if the logs are never used, we may as well not have them; there is no purpose to having them. And a good approach to reviewing our logs is a blend of manual and automated processes. One of the problems we have now isn't that we don't have enough logs available to support our investigations; it's that we have too many, and it's trying to understand which logs we need and also the ability to check those logs effectively. So we have manual monitoring undertaken by human beings, typically a more skilled, insightful process. It can be used by audit.
It can also be used by people within security and technology teams. Automated monitoring, though, we can use to supplement that capability, to increase that capability. We have seen systems, security incident and event management systems, and these started out as very simple aggregating tools that would bring our logs together, to protect them in one place. They then started to help us report against them, and ultimately now they help to correlate different log types and to identify patterns, and they can alert us. For example, if somebody creates a domain administrator account, then send the security team an SMS message or an email, some kind of alert. So based on the patterns that the system sees in your log files, you can establish alerting capabilities. Now this is a detective, a reactive capability: something bad may have happened, but now we get much faster awareness of it. So it's not a preventative control, but it can help with our containment and that detection.
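The two monitoring ideas above, correlating firewall activity with failed logins, and alerting when someone is added to a domain administrator group, can be shown together in one small script. This is an added example, not part of the lecture or of any SIEM product: the log formats, addresses, usernames and the group name are constructed for the demo, and the thresholds and five-minute window are assumptions a real rule would tune.

```python
"""Added illustration (not from the lecture): normalize two constructed log
sources, correlate firewall denies with failed logins by source address, and
raise a SIEM-style alert on privileged group changes. All values are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs in two different formats, as a SIEM would receive them.
FIREWALL_LOG = """\
2024-05-01T09:00:01 DENY src=203.0.113.7 dst=10.0.0.5 dport=3389
2024-05-01T09:00:04 DENY src=203.0.113.7 dst=10.0.0.5 dport=22
2024-05-01T09:00:09 DENY src=203.0.113.7 dst=10.0.0.9 dport=445
2024-05-01T09:30:00 DENY src=198.51.100.2 dst=10.0.0.5 dport=443
"""

AUTH_LOG = """\
2024-05-01T09:01:10 LOGIN_FAILED user=admin src=203.0.113.7
2024-05-01T09:01:15 LOGIN_FAILED user=jsmith src=203.0.113.7
2024-05-01T09:01:20 LOGIN_FAILED user=root src=203.0.113.7
2024-05-01T10:15:00 LOGIN_OK user=jsmith src=10.0.0.50
2024-05-01T10:20:00 GROUP_ADD group="Domain Admins" member=svc_backup actor=jsmith
"""

FW_RE = re.compile(r"^(\S+) DENY src=(\S+) ")
AUTH_RE = re.compile(r"^(\S+) (LOGIN_FAILED|LOGIN_OK|GROUP_ADD) (.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def normalize(fw_text, auth_text):
    """Turn both sources into one sorted list of (time, kind, src, fields)."""
    events = []
    for line in fw_text.splitlines():
        m = FW_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), "fw_deny", m.group(2), {}))
    for line in auth_text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(3))}
            events.append((datetime.fromisoformat(m.group(1)), m.group(2).lower(),
                           fields.get("src"), fields))
    return sorted(events, key=lambda e: e[0])


def correlate(events, window=timedelta(minutes=5), min_denies=3, min_failures=3):
    """Sources showing both repeated denies and repeated failed logins inside one window."""
    by_src = defaultdict(list)
    for t, kind, src, _ in events:
        if src and kind in ("fw_deny", "login_failed"):
            by_src[src].append((t, kind))
    hits = []
    for src, evs in by_src.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):          # slide the window over this source's events
            in_window = [k for t, k in evs[i:] if t - t0 <= window]
            if (in_window.count("fw_deny") >= min_denies
                    and in_window.count("login_failed") >= min_failures):
                hits.append(src)
                break
    return hits


def privileged_group_alerts(events, watched=("Domain Admins",)):
    """Alert rule: any addition to a watched group is sent to the security team."""
    return [f"ALERT {t.isoformat()}: {f['actor']} added {f['member']} to {f['group']}"
            for t, kind, _, f in events
            if kind == "group_add" and f.get("group") in watched]


if __name__ == "__main__":
    evs = normalize(FIREWALL_LOG, AUTH_LOG)
    print("correlated sources:", correlate(evs))
    for alert in privileged_group_alerts(evs):
        print(alert)   # in a SIEM this line would become the SMS or email
```

Neither source alone is very telling: three firewall denies are background noise on any internet-facing device, and three failed logins happen to legitimate users. Seen together from the same address inside a short window they are worth a human's attention, which is the "broader context" the lecture describes. The group-change rule is the reactive kind of alert mentioned: the account already exists by the time it fires, so its value is in shortening the time to containment.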