Okay, good afternoon. My name is Michael and we'll talk about security and trust today. Just a bit about the plan of this presentation. So, first of all, we'll talk... it was on. Is it okay? Do you hear me now? Fantastic. So, the plan of today's presentation: we'll talk about the DHIS2 security team, our plans and what we plan to do through this year, or at least to the end of the year and going forward. Then we will ask our colleague from South Africa, Potlaki Malawi, to share the experience from their organization, how they deal with security issues at scale. And then, depending on the remaining time, we will either have a Q&A session, or we will go through a kind of checklist or list of recommendations for security engineers and security officers, and you're also welcome to ask questions in the community of practice. The link to the community of practice topic is attached to the invitation to this meeting and it will also be shared via Zoom for remote participants.

To begin with, let's talk about the major risks in cybersecurity. If you look at any recent report, 2021-2022, the list is pretty much the same. And many of these things are the same as they've been many years ago, with some clear candidates to be favorites. Let's go one by one. Hardware failures have been with us for many, many years, since the very first time we started using computer equipment. Yes, the equipment becomes more and more reliable, but at the same time we always hear reports about network outages. We hear about broken hard disks. We have various problems with end user devices. So everything that impacts availability is still on the agenda. Then we have a pretty new actor: ransomware and crypto miners, joined together although they are different categories. This is the worst insurable security risk ever.
So if you talk to any insurance company that offers cyber insurance, they will probably tell you that their price for cyber insurance is ridiculously high, and most of them will refuse to make any kind of assessment even if you have quite a good security profile. Even if you handle a lot of sensitive data and you don't have an information security management system in place, it will be quite hard to get good coverage. Then another thing that has been gradually developing over the last years is the class of attacks related to the digital supply chain. As you know, modern computer software has a lot of components: third party libraries, various online dependencies, and attacking the dependency stack, attacking the providers of the software components, libraries, modules and so on is one of the most favorite attack targets. So this is what we are facing now more and more. COVID-19 times brought a lot of remote work, and in addition to the secured perimeters, organizations now face the need to protect users and their devices when they work remotely, in the field and so on. So it's quite a big change that nobody could expect, and even if most of the companies and organizations deal with it quite efficiently, there are a lot of risks associated with that and probably it is the weakest point nowadays. And then in addition to all these four, the lack of cybersecurity talent, the lack of staffing, is the concluding risk that we have. If you look at the demand for cybersecurity experts in the last years, it's growing, and the global number of specialists that are yet to be hired is roughly a couple of million. So it's a huge gap that is not possible to fix immediately. It takes years to get an education or to train the necessary skills for that. So there are some other risks that are important, but these are probably the most concerning and we are pretty aware of that.
And that's why we list them, just as a reminder of what potentially can go wrong and what we should pay attention to.

When we started the security team at DHIS2, we defined three, or three plus one, core areas we would like to focus our attention on. So we have three core domains. The first is the DHIS2 application as a software product itself; it's in the center. Then we have the DHIS2 implementation support program, where we support implementers all over the world to deploy and maintain systems. And then we have our own infrastructure within HISP Centre, where we build and test the application and where we maintain our own operations. And to cover all this, we thought that it's good to add a kind of overarching level, which is called the security compliance framework, which we use as an interaction layer or communication layer between all these three components and any other external dependencies: for example, compliance standards, any kind of methodologies, rules, practices, so how our products and processes interact and operate in the wider environment. So this is the model that we have. We discussed the priorities for all these three core domains, and the current internal working assumption is that we focus on the implementation first. So we need to help the running systems, and we need to help to secure running systems. Then we focus on the application and on changes and problems within the application. This is what helps us to make the systems better and makes the new features and the product itself more secure. And then we focus on the support of the internal infrastructure, which is relatively small compared to the scale of the application itself and to the whole program in general. And as I said, we are aligning all the efforts according to this compliance framework.
Just as a formal part, we have some objectives, and we decided that we will focus on the global security risks that we just discussed in the first slide, aligned with the industry standards, because in an open and interconnected world it is most important to be compliant and to be compatible with other activities and everything that happens around. For the program itself, we focus on capacity building, which addresses the risk of lack of cybersecurity talent. And for us, as for the first iteration of a dedicated security program, it is important to focus on feedback. That's why during every session we ask for feedback, we ask you to provide your opinions on how security works in your implementations, how security does not work in your implementations, and what can and should be improved. So establishing this kind of channel is maintained by David and me, and we are very, very open to all kinds of comments. And looking into implementation issues is a core thing for understanding the risk better and having a better response to security issues. Then there is a security quality assurance product, a process, sorry, which we would like to make as automated and as verifiable as possible, to ensure that whatever we build can be easily tested and confirmed from the security perspective. And most of the compliance frameworks that we'd like to adhere to literally require that. And if we look at the product itself, we'd like to become secure by default and auditable at scale, so that every installation that happens would be sufficiently protected in the default configuration, and the users will be able to audit the potential security issues easily.

A special note about compliance. Compliance requirements, as we discussed in the data governance session, become more and more visible and more and more relevant in the digitalized world.
So we are building a matrix of compliance: compliance for privacy, compliance for different industries, and compliance for different governance requirements. So at least we thought about implementing these three different types, technical methodology and privacy compliance domains, and this list will be expanded as we go. Also, as a part of the connection to the open world, we are working on the CVE program enrollment. We'd like to have better control over the issues of security vulnerabilities and communicate actively with the vendors. Also, we would like to set a good example for other players in the industry to sign up to the CNA program and the CVE program and to have a coordinated response to security vulnerabilities. It gives more control and more visibility in how vulnerabilities in the product are tracked, how they can be maintained, and how we control disclosure. Then we have participation in the OpenJ working group on security and privacy, where I'm going to work to implement privacy requirements and better security guidelines. And we have an unofficial bug bounty program, and we are rolling out the whole thing for vulnerabilities, which is a work in progress. As a side note, most of the things that we discussed are plans for this year. Some elements of these are already in place. Some of them will be rolled out in the next months. Some of them have more long-term plans and, of course, are subject to having better or more precise priorities in the next quarters.

Another important thing that I've mentioned is capacity building. We are working on the training materials, and we would like to have special communication with the implementer teams on what kind of training, what kind of educational support is needed. So we have different internal plans on what to tell, what to teach and what to deliver. At the same time, it can be very, very country dependent and organization to organization dependent.
So that's why we really appreciate any kind of feedback on what you'd like to learn from us. These topics have already been discussed multiple times, and just to emphasize, we are working on an implementation checklist and an audit checklist, something that will help the implementers to install a secure configuration and be able to audit and verify the security of their configurations. The challenge is, of course, that we have to run the software on multiple different platforms at different stages of legacy, new systems, legacy systems and so on. So it means that we will also call for testing, we will call for verification of this checklist before we officially found them. We will reach out to the participating members of our security community to test different parts of this checklist to ensure that they are metal proof and we can use them in production and actually recommend them as a default secure configuration method. And in addition to that, another stream is research areas. We will be initiating and rolling out a research program on different areas of high concern. Generally, if you look, for example, at the research about cyber attacks in the health area, there is not that much dedicated research. There are different studies which actually don't tell a lot about health specific problems, but they focus on general industry problems, like technology problems, rather than on specific cyber protection in healthcare. And another emerging topic that we have already discussed internally is digital identities and the handling of personal data, which requires more and more attention. This is a short summary of what we have been working on. And before we move to the next, more practical session, I would like to ask my colleague Patlake to continue with sharing their experience from South Africa on how they do security.

Hello. Afternoon, can everybody hear me? Good, good. My name is Putlake Mulloy.
It's a Sesotho name. It means hasty. So I'm going to do a sprint through my presentation. Thanks, Michael. We've drafted this presentation between the three of us: myself as senior manager at HISP for systems infrastructure, and it was a collaborative effort with my cybersecurity officer, Tatum Afouk, and his deputy, Rene Russo. Just as a disclaimer, HISP South Africa is by no means expert in cybersecurity, but I just want to take you through some of the things we've done on our compliance journey, on screen. So the thing with cybersecurity is, I think the underlying issue is you don't have much cybersecurity if you don't have physical security, or if you don't at least address physical security first. What is the point of having a comms room where all of your cyber infrastructure is secure but somebody can just walk in and carry your servers out, and there goes all your data? So what we did is we went and rented space at a private data center provider in South Africa, and in that environment it is their core business to provide us the right levels of physical security: the heating, ventilation and air conditioning systems, locked doors, access control with biometrics. That allows us to take the burden off our hands so that we can continue with the business of HMIS for our national department of health. So that at least helped us to address the issue of physical security. What we then did was, at the beginning of 2021, we completed a restructuring process within the organization where, for the first time in South Africa's history, we officially appointed a cybersecurity officer, Mr. Tatum Afouk. And then what we noticed was, as time went on, to address the human risk, the risk of cybersecurity fatigue: if you have one person looking after all of your cybersecurity infrastructure, there comes a time when they might... no problem.
So after a while it just becomes a bit routine, and they might start getting a bit fatigued from looking after the threats from every other angle. So towards the end of last year we placed a second person, the deputy, Mr. Rene Russo. Once that was done, we then addressed what I like to believe is the foundation for any organization, which is governance. So making sure that we've got our cybersecurity policy in place, and making sure that we've got the associated SOP, an incident response plan, which basically details how to react, where to react, and internal and external communication in the event of an incident. Both of those are NIST aligned, and we try to align all of our processes with the CIS controls framework. It was a very interesting topic we had with David yesterday. A lot of organizations are ISO 27001 certified. I hope you can still hear me. I'm sorry, I'm going to fiddle with the mic a little bit. A lot of organizations are ISO 27001 certified, but are they indeed aligned? It's no use if your certification is a box ticking exercise. You've got the certification. Sure, it looks great. You look amazing on paper, but are your processes really aligned? So we are not yet certified, but a lot of our processes are aligned, at least with that framework, and they're auditable. We do use appropriate levels of encryption, at rest and in transit. We have initiated security awareness and training across the organization, which is also auditable. So we do have reporting where we can track our staff throughout the process from when we initially did security awareness and training, and we review that annually to make sure that we're moving ahead and improving on our security stance. And as part of that alignment, and as part of change management and onboarding, what we do in the security awareness and training is a lot of education around password managers.
I mean, they come a dime a dozen: LastPass, KeePass, Bitwarden, you name it. For my infrastructure team, we've got KeePass, and we went specifically with KeePass for protecting our infrastructure because at least the database file we're able to hold and keep ourselves in our infrastructure, as opposed to relying on somebody else's vault in the cloud. If that vault is broken into, you know, keys to Fort Knox. So as part of change management, basically not IT service management change management, but organizational change, we first had to conscientize our staff and our independent contractors. So it's everything I've just mentioned now: the use of password managers, password length and complexity, encryption, and just making sure that any sensitive documentation is password protected, and that we have the right levels of access so that nobody has admin access where they otherwise shouldn't. And then conscientizing our service providers and our customers on the risks of the personally identifiable information that we share, making sure that we've got all of our operator agreements in place. South Africa's equivalent of GDPR is POPIA. And from HISP South Africa's perspective, where we manage information on behalf of the National Department of Health, we're seen as the operators of their data. So we've had to make sure that we've got all of our agreements in place. Yeah. So moving right along, I'm going to work this slide from the bottom upwards. Once we'd placed our cybersecurity staff, something Michael mentioned earlier was lack of talent.
So although before 2021 we'd had some of our systems engineers in an acting role on cybersecurity, once we'd officially placed them, the work is now underway to make sure that we upskill them so that we maintain the talent, to make sure that, just because a guy has been acting and winging it, the education bolsters that and allows us a more informed approach towards response. So getting the formal qualifications and the certifications as well. Anything like a CEH or OSCP certification, those are the kind of qualifications we're looking for for my guys. And then, yeah, a tricky one is the ransomware insurance. I think that one is a definite one that we need to get past my boss, and indeed Elmerie in the crowd today. Elmerie mentioned it on Monday: with cybersecurity, with breaches, it's never an issue of if you get broken into, it's an issue of when you're broken into, and are you sufficiently prepared. So one of the things we're looking into right now, one of the things we're sourcing, is ransomware insurance, to make sure that when we're broken into we're at least prepared to cover that risk.

And then I want to speak a little bit on the tools that we've used. We've deployed Monit currently for monitoring our operating system processes. So this helps us; it's not exactly an intrusion prevention application, it's more like the policeman in your operating system. So we are indeed looking for any suggestions on a decent intrusion prevention application. But with Monit, once there's suspicious activity running on your operating system environment, it acts as a policeman and it's able to isolate the threat and then notify sysadmins that there's been an issue, either your sysadmins or your SOs.
And then for intrusion prevention, I don't think I... oh yes, I added an underreacting agent, but it's actually an intrusion prevention technology, CrowdSec. In the past we'd been using Fail2Ban, but for our production environment we're rolling out CrowdSec. Both of them do exactly the same thing. They'll look at the number of failed login attempts. And it's pretty flexible: it allows you to specify metrics, the number of failed logins, and then it just blocks that IP or adds it onto a blacklist. And yeah, so the other thing is, in our generation six of servers, we're trying to add a little bit of complexity in how we build the system. In generation five, we'd rented about 25 physical machines at the data center, and each of them had a public IP allocated to it. So each of those machines was reachable from anywhere in the world. Of course, there was Fail2Ban on them, so any number of failed attempts would easily be blocked, but the problem is they're still public facing. So in generation six, what we've done is to reduce that. Yeah, I know. It shocked me as well when I understood what we were doing. But one thing we've tried to do in generation six is we've procured 18 servers, and of the 18, I think only about three or four are really publicly accessible. And so once we slap CrowdSec onto there and do some geofencing with our broadband provider, that should allow us at least to counter any risk from anywhere outside of South Africa. And then the rest of the private systems, like our monitoring agent, our Zabbix solution, and most of our internal systems, we've placed behind a virtual private network. So they're not publicly accessible. Yeah, so then came the daunting task of securing our users. This is actually not so much daunting, but it is a bit tricky.
I use the word daunting because cybersecurity, I think, has three pillars: people, processes and technology. Two of them you can do something about adequately. Once you put something in place, it's usually just familiarizing yourself with any new changes and then applying adequate changes. With users, it gets a little bit tricky. Human beings, we tend to fully understand the process and then over time deviate from the process because it's in our best interest. Because, you know, every time I have to click yes to apply admin access, it's a bit of a problem. And why don't I just drop the UAC in Windows so that the prompt stops coming up? Then I don't have to... oh, I can just speak to my network admin, please give me admin access, right? Then I can install my own apps on my device. So that's why I say it's a little bit daunting. With human beings, you constantly have to have an adequate review mechanism in place. And so one of the first things that we did was to onboard a third party provider of cybersecurity awareness and training, KnowBe4. I think they're based in Europe. Some of the content that they cover is password management, MFA, and I think social media use. There's quite a long list of content that they cover. And it's very informative, very educational, and it's light. So you can watch a video for about five minutes and then do a quick test of about five or ten questions. If you fail a test, you are re-enrolled into that course until you get about 90% upwards. So it's very easy for us to say, look, you failed this, re-enroll. And the notifications go out from the system, sorry, to the cybersecurity officer and our capacity building teams.
So if somebody's consistently failing a test, we're able to see, we're able to monitor them, and we're able to just coach them until they get to an adequate level of cybersecurity. And then we're using a few other tools for enterprise asset and software management. We've got an application called Comodo that gives us endpoint security. So we're able to install, we're able to manage devices remotely. HISP South Africa had been working remotely before COVID. About 80% of our staff were working remotely before COVID. And once COVID struck, I think all essential services, everybody that was coming into the office, then started working from home. So it wasn't a major shift for us. But the emphasis was then on how do we remotely track our assets. Something that we had been doing before, but before COVID it was easy. Most staff were able to travel, were very much mobile. So our technical support staff were able to just catch up with them at the office when they visited, time and time again. But once COVID struck, everybody was mostly at home. So we really needed something where we could track assets and make sure that staff aren't plugging in buggy flash drives with viruses or malware on them. And Comodo allows us at least to track each and every staff laptop. And it allows us to remotely push updates, push operating system updates, security updates, and antivirus updates down to the machines. So that way at least we're able to ensure that our assets are mostly secure. I imagine this is something we're all used to. And then on our DHIS2 front, something that we're looking at is deploying multi-factor authentication. We've already initiated that in-house on our Microsoft platform. So for Exchange or Teams or SharePoint, any of that, we've had to onboard staff and make sure that everybody has an authenticator app.
We're fortunate in that most HISPians, or all HISPians, have a smartphone, so they're able to scan the QR code and get an authentication code on their phone. So that was largely successful in-house. And something that we're trying to get rolled out now is across all our DHIS2 instances. It is taking a little bit of time because we're managing about plus or minus 150 DHIS2 installations on behalf of the national and provincial departments of health in South Africa and other ministries of health across the continent. So in some countries, smartphone use... it's mixed. There are people that still use legacy phones. So they're not going to be able to scan a QR code. So one thing we'd really like some support from Oslo on, some pointers or some help with, is how can we have multi-factor authentication and not just using an authenticator app.

Moving right along. I'm going to deviate a little bit. I want to speak a little bit on infrastructure. The slide on screen is a representation of the architecture for one of our flagship projects, the human resources information system. Basically everything between these blocks here is our in-house infrastructure. How this works is we're building a data warehouse for the ministry of health in South Africa to maintain visibility over all of the healthcare workers. Am I correct, Omari? And what we're trying to do, what Omari's team is doing, is trying to predict the movement patterns of all the staff within the ministry of health. So using things like Superset and MLflow, which are machine learning applications, we're trying to predict when staff are most likely to resign or exit the public service, and the ages and the times that they're most likely to onboard into the public service. Please correct me if I'm wrong. I hope I'm okay. Thank you. And so you would understand, you would anticipate, that we're going to need high performance computing for that.
And so with the sixth generation of servers that we're trying to onboard onto now, the migration is actually starting this Friday. Unfortunately I'll be traveling, but I'm going to be touching base with my team on Saturday afternoon just to see how that went. Touch wood. And so you would anticipate that a lot of CPU will be required from your server hardware. What we were doing in generation five is we were renting all the hardware from the data center provider: all the servers, the switches and rack space, and IP addressing and networking devices. What we're doing now with generation six is we're just going to the private data center provider and saying, just give us space in your facility. We've gone out on tender and we've procured our kit, and we're just packing the kit inside of the DC. And then we're doing an entire build. We're moving away from individual hypervisors. We started in generation four with VMware. In generation five, we moved to Xen, the free version. And now we're moving to free and open source OpenStack. What OpenStack now allows us is one Horizon dashboard to view your entire infrastructure. The other major benefit, I think, with OpenStack, where it beats the other two, or at least where it beats Xen, is live migration. With live migration, if I need to do maintenance on my underlying hardware, it's easy for me to just migrate my instance to one of the other physical machines, or one of the other physical environments within the stack, complete my maintenance and migrate back. That's one thing we couldn't do with, I think, versions 7.4 upwards of Xen. We could do it in 7.2 and maybe 7.3. We moved from VMware because, ultimately, we're building these systems for national departments of health. And I think the entire DHIS2, or indeed the free and open source community, is quite big.
And everybody since Monday, since I got here, everybody has been talking about moving away from proprietary systems, right? Because you want to make the experience as cost effective as possible for your customer, who is essentially any ministry of health wherever you're working. So what we didn't want to do is to slap the ministry with: well, the application is free, but it's going to cost you a million a year for this hypervisor. Firstly, that's not their core business. The minute I say to my biggest client, Mr. Mule Trabuco, that the hypervisor is going to cost you 100,000 grand a year, his first question is, what the hell is a hypervisor? So to allow Mr. Trabuco and the National Department of Health to carry on with their core business, we try to go free and open source as far as possible, from the operating system all the way up to the application level. That makes it easier for the internal IT staff at the ministry to take over the system and run with it themselves.

Coming back to this high performance infrastructure, the next slide will probably give us a little bit more detail. But before I go into it, you will imagine that we're going to get a ton of data from different data sources. We've got a nursing council in South Africa which manages all of the nursing practitioners in the country. And then we've got a Health Professions Council of South Africa, which basically makes sure that every health professional practicing in the country is registered and is legally allowed to practice. Please correct me if I'm wrong. I have to say, for myself specifically, I focus a lot on infrastructure and that is my entire background for the last 15 years. On the health side, I'm a little bit rusty, so I keep referring to my colleague up there. But I think we're doing okay. Thank you.
So basically we have a ton of primary data coming into the application, and then we run an extraction and transformation process, we reload the data, and then we push it into our dimensional data store. And then that pushes it into a machine learning workflow and a DHIS2 instance. And then we're able, through the different web portals, to visualize that data. So there is a ton of processing that is required on this side as well, probably, but not as much as on the back end. And this is why we've chosen to move into what we call stack six, or generation six, of our hardware. The new kit that we've procured allows us up to four times the processing capability. And in the past, we had a one gigabit back link between all the servers. This one gives us a 25 gigabit per second fiber link between every physical component. So your back end processing happens like that, on the fly. And obviously that means your reporting is so much easier, your dashboards should ideally load faster. And if they don't, it'll probably be either a PEBKAC error, so the problem is between the keyboard and the chair, or it is the customer's own data line that connects to these systems.

But let me just give you a representation of what we call, what I am conceptualizing as, a high performance computing infrastructure. We've got our incoming: the red is our public link, and the green is our 25 gigabit per second fiber link, and that runs on the back end across all of our physical servers. And then we have what we call a jump box, which is our VPN solution. We've got two MAAS controllers, and that basically allows us to provision our physical servers a lot quicker. In the past, provisioning a physical machine would take us maybe four hours to order at the data center.
And we had a custom spec that they gave us. So we had a custom spec that we gave them. And that's why it would take four hours to provision the machine. On top of that four hours, it would take us two hours to upload an ISO and install Xen, you know, so essentially, a day is lost just provisioning a physical machine. Now with MAAS, this literally takes minutes. I'm sure some of you in the room are incredibly familiar with MAAS, metal as a service. And then we deployed our OpenStack using three controller nodes and the rest of the servers as 12 compute nodes. And so basically, the compute nodes are where our entire infrastructure, our DHIS2 instances, are going to live, including the ML, machine learning, instances and the AI instances that we saw previously. That was our South African journey to cybersecurity. And like I said, we're always happy to get suggestions; we're by no means experts, this is our first rodeo. Thank you very much. Thank you.

Okay. And we have one more remaining part of the day session. So we've just heard a story about how security is implemented at scale. And the typical question was, what should we start with, or what would be our plan for security? And what we will briefly talk about now is 10 steps, from our perspective, grouped by priority, starting from first to tenth, growing in complexity and maturity level, which can be used as a kind of initial roadmap for building security in your organization. We don't have that much time left, so we'll go through it quite fast; all the materials will be available later. And we also expect some feedback; we can have a conversation later, you can ask the questions in the community of practice. So we'll go through the slides and you will probably see how we suggest implementing security. So the first natural step is to define roles and responsibilities.
And this is, like you just talked about, that it is important to have people who are on the ground, who are aware of security issues, who are willing to learn about security, and who treat it as a part of their responsibility. Overall, on the organization level, there should be someone who is responsible for that as well. But at least it is important to have someone who can be a trusted internal peer for security matters. The second one is having an inventory of assets, because if we don't have an inventory, we don't know what to protect, as simple as that. And the bigger the amount of stuff left outside of the known inventory, the bigger the risk we have with something that we don't know. In fact, security, or part of the security process, is maintaining the things that we know, and reducing the part of the issues that we are not aware of, something that is out of our sight, something that is out of our control. This is pretty easy. The third one is backup of data. So we had multiple cases of lack of backups, failed backups, and so on. And once you have identified the assets, you can understand what to back up, what the schedule should be, and who should be responsible for that. The fourth, after you have made all the precautions, is to look at the authentication policy. Authentication is one of the strongest protections, but also it's somehow a weakest link, because it is super easy to apply brute forcing, to apply different solutions and techniques to bypass authentication. So for any security attack, the cheapest attack will start with attacking the authentication. It is as simple as that. Number five is review access and permissions. So we start with authentication, and it's about not letting people in.
But once we have authorized users, or once we have an attacker who has just obtained access, we need to ensure that the permissions assigned within the system, within our secured perimeter, correspond to the roles and responsibilities, and that our users don't have too many permissions and that the permissions don't match their job profile or roles. Number six is review network configuration. As I said, you had a bigger network perimeter, and every server could be a target for attack. If you know your network perimeter, if you have an asset inventory, you can think about protecting it, taking care of different protocols, taking care of security on different levels of the network, and every connected device, again, adds a potential attack vector. So it's important to review the network perimeter and check the security configuration of the network. Number seven, keep software updated, is typically one of the most complicated. Every software update process is typically a part of change management, and there are both risks and some benefits that come with that. We talked about supply chain risks, and this is a kind of emerging risk. The more software we install, the more dependencies it may have, and legacy software can have many more risks than new software, and the issues that are discovered in the supply chain, the components that are used by software, affect the target product that you install as well. So this is an increasing risk, and even more severe than in the past years. Number eight is collect event logs. In the same way as we talked about network, about asset inventory, sorry, it is important to collect event logs. Once you know the inventory of your assets, once you know what to protect, it is important to get the feedback from the systems, to have a live response from your environment about what's going wrong. If you don't do that, you're literally blind, and it is important to check and test for security attacks using your event log infrastructure.
Number nine is ask for a second opinion. Security is a very complicated topic, and even if you have best-in-class professionals in your team, it is always wise to talk to the peers from the community, from the organizations, and in our current interconnected world public knowledge on security is literally easily available. It is quite easy to ask experts, to ask for peer opinion, to ask for an independent security review, a bug bounty program, community advice, dedicated consultants and so on. And there is quite a lot of knowledge that can be obtained; it's just to check that they are following the right path. And number 10 is keep your profile in top shape. Every day we learn about new vulnerabilities, new issues, new attack vectors, and whatever we learned yesterday may not be relevant today. The world is developing too fast, especially for those who don't keep up. So that's why it is extremely important to read news, to follow the vulnerability trends, to get regular security trainings, and also to talk to your colleagues and peers from the environment. We have a couple of minutes left for questions. If you have any, please ask.

So the question from the gentleman was, what do we do about disaster recovery? Correct. So at the moment, we have all our servers, our production environment, hosted in Johannesburg. And so what we do is we've provisioned a dedicated server in a separate facility in Joburg for what we call onsite backups, although they're not exactly onsite at the same facility, and we replicate that to a separate facility in Cape Town. And then what we'll do is, because we've now done an outright purchase of all this hardware, it's going to take us forever in the event of an extinction level event in Johannesburg; to get those servers back is going to take some time. We're going to have to do an insurance claim, and that's going to take months.
So our disaster recovery process would be to rent, Generation 5 style, everything from the previous data center provider, the guys that provided us the servers, the bandwidth and all of that. And we just build Generation 5 style using those backups in Cape Town, and we redirect our DNS there. That at least allows us, within 36 hours, that's our sort of recovery objective or RTO, recovery time objective, to sort of get back up online while we initiate the process of doing an insurance claim. Covered. Thank you. That's actually a great question.

Yeah, yeah. Yeah, yeah. That is a risk. I'm happy for them. And I think it's probably good, because the last thing you want is, for lack of a better word, a slight level of complacency with cybersecurity. So sometimes you want fresh blood, and you want to get new guys, not entirely new, but you want them to sort of have a decent level of experience, and you keep upskilling those. But I mean, that's always a risk that we run. But I think it's my role as a manager to make sure that I don't, you know, I read somewhere that people quit bad managers, not bad jobs. So as long as I, as a manager, make sure that I motivate my people, there shouldn't be a reason for them to leave, even if the job sucks in some aspects. Sometimes it sucks so badly they have to leave. But I think with cybersecurity, there's enough to keep them there. But if I'm doing my job properly and leading my guys the way they expect me to lead, there shouldn't be a reason. We hope and pray, right? Then they shouldn't leave. I hope I've come in. Sure. Elmarie?

Yes, it's on the agenda. So the question is, do we have different settings on security, and the improvement on how administrators can control user devices or user experience in relation to security? So yes, the answer is yes. We collect feature requests first. So what can be implemented? We have a list of current features.
And one of the tasks for our small security team, David and me, and the bigger security team involving quite a lot of people in this room who represent the DHIS2 center, is to go through these features and not only say let's have a mandatory password change every three months, or let's allow administrators to reset it every two months, but to look at the user experience and say, if we ask our users to reset passwords too often, it will probably hit us more than having a password that has, like, a six months' retention period. If we have a better UI workload, if we have a better set of edge features, or maybe we should skip the password authentication completely and think about something else in the more long-term perspective, to use a different authentication. So studying user experience and the issues of that is also a part of what we should work on. But generally, some recommendations and some opinions on how user authentication should look are part of what we are going to provide.

I just wanted to add that there are a number of enhancements that we've made more recently to user security specifically within DHIS2, and that's something that we are continuing to work on with the whole security team to improve. For example, the automatic, basically scheduled, deactivation of users that haven't logged in for a certain amount of time, something that was introduced recently; additional password policies or username policies to prevent people from using certain tricks to basically impersonate other users within the system, and those types of things. So there are several enhancements that have come in very recently and are continuing, and are already on the roadmap as well. Is it working? That's great.
I mean, as Michael was saying at the beginning, we are very open to feedback and suggestions in general for what your concerns are, what you feel that we should focus on in stepping up and building the security program, but also on security features. So we have a Jira board, right? I think it's still open, and we encourage every one of you to send us those suggestions. As you have seen already, my colleagues have said we are working on some security features, security improvements, but we may lack these types of use cases. So it would be great if all of you just help us by submitting these features, and then we'll for sure take a look and plan our roadmap and implement all of these. So yeah, thank you. Thank you for that, Michael.

For me, it's the issue of multi-factor authentication. I think for us in South Africa, we believe it's urgent, because the QR code is a bit inhibiting in the sense that it's only multi-dimensional. So if, for instance, I do not have a high-end phone, then I don't have that authentication. So I think we should perhaps, if you can move it up in terms of Jira processes, we would appreciate it, because I think with us in South Africa, unfortunately, we are audited by the Auditor-General using the best practices. And so therefore, there are certain authentications that perhaps we should explore, because, for instance, for low-end phones, if you get your authentication or your code via SMS or via email as a start, so that then we can get the feature implementable, it would be appreciated by us. So it's a request, not a question. Thank you so much.

Yeah, right. We have it on the list of the feature requests, and it was asked multiple times during the last two weeks to have multiple authentication methods, so we'll discuss them internally. I think it's a known issue. Okay, thank you.

Yeah, I just wanted to, I had one use case request for setting up DHIS2 that is HIPAA compliant.
I don't know, is that something that the security team has in plan? Because my understanding is it's probably not yet in there. We can discuss this separately. Yeah.

Thank you for that very good presentation. Thanks a lot. So I think we talked a lot about infrastructure, security and policies and so on, and you're doing very impressive work in that one, guys. I'm just wondering, because another aspect that you probably should think about is also the DHIS2 configuration itself. Because as you know, DHIS2 is very configurable, you can do a lot of things, which means there are a lot of options for making mistakes. So even if you have the strongest VPN and firewall and things, if someone gives public sharing to your confidential program data, or gives all access to a guest account or something like that, then it doesn't really matter that you have the strongest firewall. So do you have any kind of checks or verification in place for detecting potential misconfigurations in DHIS2 as well?

So I think in South Africa, we have maybe a unique situation where we focus on separation of roles a lot. So Potlaki's infrastructure team are the only people who have actually got access to the server, and they don't have access to the database. My team, we've got a software team and a data science team, so the data team that works really in the database, they have got access to the database but nothing on the server side. And essentially that helps us a lot in determining who could actually do what, because for certain actions, I'm reliant on his team, who is then performing a second role of checking, a sense check: is this advisable? What if you do that, then ABC could happen? So that helps us a lot in that separation of roles. So we don't have someone who is the super user on DHIS2 that is also managing the server. Not that they can't. Many of the developers can get a bit frustrated, but we allow them then a different environment where they can do that.
But on a production environment, we definitely have that separation of responsibility and roles. In terms of the configuration of DHIS2 itself, I did a presentation on Monday in terms of best practices, and we were perhaps a bit rigid in saying this is how systems should be developed, because initially we found someone would make some sort of configuration mistake that has an influence on users in the system. And essentially in another system, we had already figured out how to solve that problem, but we were just not communicating that solution well enough between ourselves. So it's been a long-term process, but we built these best practices for system development and those types of things. And yes, we still pick up configuration issues that could be problematic, but I think we largely don't really have a lot of those types of things. Thank you.

We ran out of time, so if you have any extra questions we are here and we can discuss them outside of this room. Thank you so much.