So we're going to move into Section 6 of Asset Control where we're going to look at establishing handling requirements. 

Now as you'll see, this is about handling any media that is going to contain the data. That means that we have to be sure that it's protected in all of its forms. So when we store sensitive information on this media, it means that we have to use the combination of physical and logical controls to achieve our control objectives. Media by itself lacks the means for digital accountability when the data is not encrypted. And if they're small, like USB drives or CDs, having them numbered, or given serial numbers, or asset tags, or any of that sort of thing is, also, not only undesirable but purely unfeasible. We must, therefore, take proper care of these things and make sure that all users know the proper handling procedures and methods that we allow. 

As I've already stated, we need to be sure that the storage media is properly marked. First off, we train users to make sure that only authorized persons have this information on this media in their possession. And that any time, anyone who is not authorized has it, that they're going to do what they have to do to break into the container, whatever it might be. Therefore, anything that we are going to build as label contents needs to accurately reflect who the authorized owner is, what the protection is, what its level of classification is because if someone unauthorized gets a hold of it, one of two things is happening. They're either going to return it or dispose of it, not wanting to bother. Or, if they're actually an adversary, they're not going to pay any attention to the label. They're simply going to investigate and find out if it's got anything that they want on it. 

So it is to our advantage first to physically protect it so that it doesn't fall into their hands but even with that, we still need to have an accurate label. It should clearly indicate ownership, whether it's encrypted. It may be if it's large enough, it may also contain a point of contact and a retention period. And again, if it's large enough to hold a label this size, who to return it to. These are all things we're doing for ourselves because we're going to have the program to prevent logical access, but also to protect it from physically falling into the wrong hands. So as I've said, handling means that only designated, authorized personnel will have access to the media itself, and through some form of password or other access control, to the data that it contains. That means that there will be policies and procedures describing to them how this will happen, how they're to handle it, how they're to store it, how they're to access it, how they're to share it, perhaps, with their colleagues. It also says how they're responsibilities are to be carried out and what sanctions will be pursued if they are not. 

Clearly a part of this entire program is how it's to be stored. This means, of course, that the data at rest on the media should be encrypted, and that the media itself should be stored in a secured container of some kind. That could be a briefcase. It could be a lockbox. It could be a safe. Whatever that media is, and whatever storage medium you have to contain it in, these are supposed to be used, and this is what our policies and procedures direct. And this is what we're measuring to ensure that we have the compliance that we require from our workforce. The records retention and destruction, as this section has dealt with, means that the information should only be kept as long as it is required. We need to be sure that the organization understands what those requirements of retention are for the different types of data that we have so that it's well understood in the workforce what kind of data is retained and what the basis for that retention is. The organization documents in a records schedule what data is to be kept for what period of time, at what point, meaning the actual date at which that expires, and what method should be used to destroy that data when that period expires. And that we need to record that that data has been taken and destroyed properly by that method, signed off by one or preferably two persons so that it's properly documented that it's been done. And this needs to apply to all the media that is going to be holding sensitive information, whatever kind of coverage we have for that data. Simply throwing it away in a trash bin or using some sort of logical method may be wholly inadequate. And so the usage of proper methods really is vitally important. It's well known that the very famous hacker Kevin Mitnick dumpster dived to be able to recover and learn all that he did about the phone systems that he hacked from manuals, technical service manuals, that were thrown away, when in fact, they should have been shredded or incinerated, but there they were. And so you see, this information was available to him through the simplest of oversights. It was simply thrown in the trash, and it shouldn't be assumed that a person who really wants the information asset won't go to the trouble to do that. He certainly did, and others do as well, every day. 

So in summary, we have covered the security processes, the information systems securities, personnel, organizational sub-units, and the responsibilities that they and the members of them have to protect our assets. We've examined frameworks. We've talked about the importance of the policies and concepts, and the other things that make up our program, why they're important, and how we implement them, perform them, and measure them. And it described that this is the foundation for a comprehensive and proactive security program to identity and properly control and protect all of the assets in our organization. This completes Domain Two, and thank you very much for your attendance. And we're going to continue this course, and I look forward to seeing you back for that. Thank you.