ORM 1 Running head: ORGANIZATIONAL RISK MANAGEMENT Organizational Risk Management (ORM) Project Video Production Technology Department Ossie Thomas San Jose State University December 02, 2015 ORM 2 Introduction The purpose of this Organizational Risk Management Project is to identify International Paper (IP) in-house Video Production Technology’s assets, determine the value of each asset, and to classify the data. IP’s in-house Video Production Technology is located at IP Corporate Office in Memphis, TN., in the Lower Level Studio of Tower 2. The Video Production Technology is a governance team overseeing all aspects of video, streaming media and audio content for International Paper (internal and external). They specialize in: Documented production and quality standards Approved production service providers Encoding and bandwidth standards Formalized review and approval process for audio, video and streaming media content Centralized repository for managing and presenting videos This risk management project is a two part project. Part 1 of the project will identify all assets, information assets, and information system assets and it estimated value found at Video Production Technology. We will define how the information assets’ data should be classified and it value. And for the computer information system assets we will define how critical the information system is to Video Production Technology. Part 2 of the project will identify the threats and vulnerabilities that could damage the assets identified in Part 1, and determine a mitigation strategy for each. ORM 3 Part 1: Asset Identification Table 1 shows a table of the assets located in the Video Production Technology Department. These are assets the department wants to protect in the event of a disaster. The value of the assets was estimated based on the replacement value. Assets Value (estimated) Building / Office Greater than $1 Million Digital cameras - 2 $30,000.00 each Video Cameras - 3 $5000.00 each Camera Stands / Tripods - 4 $1000 each 25’ TV Monitors - 4 $5500.00 each Distribution Amp $1200.00 Speakers - 4 $500.00 each Podcast equipment $800.00 Lighting Kit $1200.00 Broadcast console $8,000.00 Stylist Credenza $6000 Microphones - Hand held (3) $300.00 each Microphones – wireless (hang from $150.00 each ceiling) Microphone Stands (3) $30.00 each Workstation for audio/video editing $3,000.00 Workstations (Cubicle) - 9 $1200.00 each Chairs - 9 $120.00 each Credenza - 3 $950.00 each Tables - 3 $60.00 each File cabinets – 4 (5 drawers) $50.00 each Furniture - Waiting Room $300.00 Chairs – 2 Table Telephone – Waiting Room $90.00 Company Stationery $200.00 Manuals, books, and guides $500.00 Commercial software $200.00 - $850.00 Teleprompter $650.00 Office Supplies $10,000 Wall Mount On-Air Light $100.00 Company Logo Priceless for the Company Table 1. Asset(s) identified and their value to the organization ORM 4 Table 2 shows a table of information assets, classification, and their value to the Video Production Technology Department and the company. The classifications identified are: o Confidential - Where the access is restricted to a specific list of people o Internal Use - Where the access is restricted to internal employees only o Sensitive - Requires special precautions to ensure the integrity and confidentiality of the data by protecting it from unauthorized modification or deletion The values identified are: o High – Items are costly to replace or time sensitive o Sensitive – restricted access Information Assets Data Classification Value (estimated) Listing of Video Recordings Confidential High Equipment inventory list Confidential High Operational procedures Internal Use High Archived Recording Internal Use High inventory list Continuity plans Internal Use Sensitive Strategic plans Internal Use High Service Contracts Confidential High Policies Internal Use High Supplier contact data Internal Use High Training materials Internal Use High Intellectual property Sensitive High Employee Name badge Confidential High (Credential) Project files (documenting Internal Use High Video / Photo request) Budgets Internal Use High Table 2. Information assets, classification, and their value to the organization ORM 5 Table 3 shows a table of the information system assets, criticality, and their value to the Video Production Technology Department and the company. Information Systems Assets Criticality Value (estimated) 8 Employees Sensitive High Name badge reader Sensitive High Employee Name badge Sensitive High scanner Desktop computers - 8 High High Laptops - 8 High High Sound Board High High Software High High Application Operation System operation software High High Servers High High Backups and archives Hard High High drive Routers High High Modems High High Mobile phones (8) High High Telephones (9) High High Removable media (tapes, High High floppy disks, CD-ROMs, DVDs, PC card storage devices, and USB storage) Portable hard drives High High Employee User ID Sensitive High Employee personal contact High High data Network infrastructure High High design Internal Web sites High High Press releases High High Fax machines - 2 High High Copy Machine - 3 High High Printers - 3 High High Scanners High High Wireless & Network High High Connectivity Power supplies High High Table 3. Computer information systems assets, criticality, and their value to the organization ORM 6 Part 2: Threats and Vulnerabilities Identification Definitions: Threats are any action that can damage an asset. Information security threats are events or actions that represent a danger to information assets. These can be both natural- or humaninduced threats, and can be accidental or malicious. Risk is the likelihood that something bad will happen. Vulnerability is when a weakness allows a threat to be realized or to have an effect on an asset. Table 4 lists categories of threats and provides examples of the threats. Categories of Threat Examples 1. Act of human error or failure Accidents, employee mistakes 2. Compromises to intellectual property Piracy, copyright infringement 3. Deliberate acts of espionage or trespass 4. Deliberate acts of information extortion 5. Deliberate acts of sabotage or vandalism 6. Deliberate acts of theft Unauthorized access and/or data collection 7. Deliberate software attacks Viruses, worms, macros, denial of service 8. Deviations in quality of service by service provides 9. Forces of nature Power and WAN service issues 10. Technical hardware failures or errors Equipment failure 11. Technical software failures or errors Bugs, code problems, unknown loopholes 12. Technological obsolescence Antiquated or outdated technologies Blackmail or information disclosure Destruction of systems or information Illegal confiscation of equipment or information Fire, Flood, Thunderstorm, lightning Table 4. Categories of Threat (Whitman and Mattord, 2011) ORM 7 Risk Mitigation Strategy Table 5 through Table 13 identifies threats to and the vulnerability of the assets of the Video Production Technology Department and offers information to mitigate these threats. The geographic location of the facility is in the Memphis metropolitan area and lies in what is called a "mid-latitude, moist continental" climate (all four seasons). With cool but not bitterly cold winters, hot and humid summers, and a high degree of variability during spring and autumn, along with a fair amount of precipitation (thunderstorms and moderate rain) year-round. Thunderstorms are the most severe precipitation particularly during the summer months; thunderstorms can produce gusty straight-line winds and heavy rain (Cirrus Weather Solutions). A recent article posted by WREG News 3 states a report from the FBI, claimed Memphis is the third most dangerous city in the nation. The study compared crime rates of cities with populations over 200,000. It reported based on 2013 numbers there were 124 murders, 7,200 aggravated assault, 366 arsons and more than 40,000 property crimes. With statistics such as these it is imperative that the Video Production Technology Department have a mitigation strategy to protect its assets. The Video Production Technology Department is located in the Lower Level (basement) of Tower 2. With the location of the department flooding can be a great concern. Thunderstorms with the straight line winds can also cause a threat to the assets. The physical location of the building is located, in what the city calls East Memphis, which is considered to be a safe area of Memphis. However, they are not exempt from crime. The Video Department should have a mitigation strategy in place to protect against the probability of internal and external criminal activities. ORM 8 Table 5 identifies threats to and the vulnerability of the building where the Video Production Technology Department is located and it offers information to mitigate these threats. Name of Asset: Building Threat(s): Vulnerable to Threat(s) Risk Mitigation Strategy Deliberate acts of espionage or trespass Unauthorized access and/or data collection Deliberate acts of sabotage or Destruction of systems or vandalism information Forces of nature Fire, Flood, Tornado, lightning Table 5. Risk Management - Building Ensure there is controlled access to building Ensure building has security system, motion sensors, and Security Guards Ensure all employees have an identification card to enter the building and must swipe their badge to get in Watch for tailgaters Development a business continuity plan with recovery strategies Purchase insurance (fire, flood, casualty, business interruption, etc.) to reduce the financial impact of the business interruption, loss or damage to the facility or equipment Ensure building has fire and security alarms, fire suppression systems, and fire extinguishers The building should have noncombustible interior equipment and adequate controls for humidity, temperature, ventilation, and lighting Plan early with warning drills ORM 9 Table 6 identifies threats to and the vulnerability of the Video Cameras used in the day-to-day operation of the Video Production Technology Department and it offers information to mitigate these threats. Name of Asset: Video Cameras Threat(s): Vulnerable to Threat(s) Risk Mitigation Strategy Act of human error or failure Accidents, employee mistakes Deliberate acts of sabotage or Destruction of systems or vandalism information Deliberate acts of theft Illegal confiscation of equipment or information Security awareness training for users Proper training on the use of the equipment User should safeguard Cameras at all time Have controls in place for the use of the cameras, checkin/check-out Ensure that all employees have an understanding of sensitive information, common security risks, and basic steps to prevent security breaches Ensure that employees have only the privileges and accesses they need to perform their jobs. Implement processes and policies to limit access rights/credentials of all users, but especially privileged users, to ensure that only the minimum of usage amount necessary is provided. Develop an off-boarding procedure for terminated employees to ensure all access to company information is terminated upon departure and company assets are returned to the company. Ensure that employees have only the privileges and accesses they need to perform their jobs. ORM 10 Forces of nature Fire, Flood, Tornado, lightning Technical hardware failures or errors Equipment failure Technological obsolescence Antiquated or outdated technologies Periodically review the access lists for each critical resource or system to ensure that the right set of individuals has authorized access. Ensure all visitors are escorted at all time to a physical security area Ensure there is a Backup and Restore Policies in place Ensure the dept. understand the security features of all hardware and software products that are purchased and ensure that security features are configured correctly Ensure you stay up-to-date with technology Keep cameras in good working conditions by regular maintenance and replace aging cameras Table 6. Risk Management – Video Cameras Table 7 identifies threats to and the vulnerability of the Digital Cameras used in the day-today operation of the Video Production Technology Department and it offers information to mitigate these threats. Name of Asset: Digital Cameras Threat(s): Vulnerable to Threat(s) Risk Mitigation Strategy Act of human error or failure Accidents, employee mistakes Security awareness training for users Proper training on the use of the equipment User should safeguard Cameras at all time Have controls in place for the use of the cameras, check-in/check-out ORM 11 Deliberate acts of sabotage or Destruction of systems or vandalism information Ensure that employees have only the privileges and accesses they need to perform their jobs. Deliberate acts of theft Implement processes and policies to limit access rights/credentials of all users, but especially privileged users, to ensure that only the minimum of usage amount necessary is provided. Develop an off-boarding procedure for terminated employees to ensure all access to company information is terminated upon departure and company assets are returned to the company. Periodically review the access lists for each critical resource or system to ensure that the right set of individuals has authorized access. Ensure all visitors are escorted at all time to physical security area Illegal confiscation of equipment or information Forces of nature Fire, Flood, Tornado, lightning Technical hardware failures or errors Equipment failure Technological obsolescence Antiquated or outdated technologies Table 7. Risk Management – Digital Cameras Ensure there is a Backup and Restore Policies in place Ensure the dept. understand the security features of all hardware and software products that are purchased and ensure that security features are configured correctly Ensure you stay up-to-date with technology Keep cameras in good working conditions by regular maintenance and replace aging cameras ORM 12 Table 8 identifies threats to and the vulnerability to the Employee Name Badge of the Video Production Technology Department and it offers information to mitigate these threats. Name of Asset: Employee Name Badge Threat(s): Vulnerable to Threat(s) Risk Mitigation Strategy Act of human error or failure Accidents, employee mistakes Deliberate acts of espionage or trespass Unauthorized access and/or data collection Blackmail or information disclosure Deliberate acts of sabotage or Destruction of systems or vandalism information Deliberate acts of information extortion Do not share name badge with other employees Report lose or stolen ID badge Employee sign a Confidentiality Agreement Ensure there is a second and third, if necessary, controlled access into the Video Department Ensure Video Dept. has security system, motion sensors, and some type of extra security Ensure only authorized employees have security access to enter the Video Dept. and must swipe their badge to get in Never allow a person without an employee name badge (ID) to enter into a secure area along with an employee with an ID Watch for tailgaters Limit the amount of information you share with non-employees. For employees, share information on the need to know bases Ensure that employees have only the privileges and accesses they need to perform their jobs. Revoke all access for terminated employees ORM 13 Deliberate acts of theft Illegal confiscation of equipment or information Periodically review the access lists for each critical resource or system to ensure that the right set of individuals has authorized access. Revoke all access for terminated employees Ensure all visitors are escorted at all time to a physical security area Table 8. Risk Management – Employee Name Badge Table 9 identifies threats to and the vulnerability to the List of Video Recordings produced by the Video Production Technology Department and it offers information to mitigate these threats. Name of Asset: List of Video Recordings Threat(s): Vulnerable to Threat(s) Risk Mitigation Strategy Act of human error or failure Accidents, employee mistakes Deliberate acts of espionage or trespass Unauthorized access and/or data collection Employee sign a Confidentiality Agreement Only authorized User should have access to the Video Recording Listing Ensure there is a second and third, if necessary, controlled access into the Video Department Ensure Video Dept. has security system, motion sensors, and some type of extra security Ensure only authorized employees have security access to enter the Video Dept. and must swipe their badge to get in Never allow a person without an employee name badge (ID) to enter into a secure area along with an employee with an ID Watch for tailgaters ORM 14 Deliberate acts of sabotage or Destruction of systems or vandalism information Deliberate acts of theft Illegal confiscation of equipment or information Periodically review the access lists for each critical resource or system to ensure that the right set of individuals has authorized access. Ensure that all employees have an understanding of sensitive information, common security risks, and basic steps to prevent security breaches Ensure all visitors are escorted at all time to a physical security area Table 9. Risk Management – List of Video Recordings Table 10 identifies threats to and the vulnerability of the Intellectual Property of the Video Production Technology Department and it offers information to mitigate these threats. Name of Asset: Intellectual Property Threat(s): Vulnerable to Threat(s) Risk Mitigation Strategy Act of human error or failure Accidents, employee mistakes Compromises to intellectual property Piracy, copyright infringement Ensure all employment contracts clearly state the company ownership of any intellectual property developed for the company Establish a policy for all patents, designs, trademarks, copyrights and domain names Make sure workers sign an agreement that any inventions created by them while working for your business belong to the business Employee sign a Confidentiality Agreement Obtain a Patent Copyright Protection File for Trademark ORM 15 Deliberate acts of espionage or trespass Unauthorized access and/or data collection Ensure employees, contractors, and other personnel are familiar with the protocol for handling sensitive information, including IP and customer information Obtain a Patent Copyright Protection File for Trademark Put essential security control in place without exception. Implement more advanced controls as needed. Table 10. Risk Management – Intellectual Property Table 11 identifies threats to and the vulnerability to the Laptops used in the day-to-day operation of the Video Production Technology Department and it offers information to mitigate these threats. Name of Asset: Laptop Threat(s): Vulnerable to Threat(s) Risk Mitigation Strategy Act of human error or failure Accidents, employee mistakes Deliberate acts of espionage or trespass Unauthorized access and/or data collection Deliberate acts of sabotage or Destruction of systems or vandalism information Safeguard laptop at all time Continuous User training Prompt reporting of lose device Keep laptop in a secure laptop bag to prevent dropping it Safeguard laptop at all time Enforce the use of strong password Ensure data on laptop is encrypted Restrict access to detective controls to prevent unauthorized access Add an authentication and time-lock feature Safeguard laptop at all time Keep laptop locked in secure area and out of view ORM 16 Deliberate acts of theft Illegal confiscation of equipment or information Deliberate software attacks Viruses, worms, macros, denial of service Forces of nature Technical hardware failures or errors Fire, Flood, Tornado, lightning Equipment failure Technical software failures or errors Bugs, code problems, unknown loopholes Technological obsolescence Antiquated or outdated technologies Table 11. Risk Management - Laptop Back up data regularly Safeguard laptop at all time Enforce the use of strong password to make it difficult for break in Ensure laptop is encrypt Keep laptop locked in secure area and out of view of others Disable accounts after a certain number of unsuccessful login attempts Safeguard Laptop at all time Update and patch operating system Install an Anti-Spam Install virus protection Use up-to-date anti spyware tool Have an up-to-date firewall protection Monitor logs for unusual traffic Allow only trusted software to execute the operating systems Install an Intrusion Detection Ensure company has proper insurance Control hardware that gets connected to the company’s network. Ensure the dept. understand the security features of all hardware products that are purchased and ensure that security features are configured correctly Ensure that all software updates are properly signed and coming from a trusted source Ensure you stay up-to-date with technology Keep laptop in good working conditions by regular maintenance and replace aging laptop ORM 17 Table 12 identifies threats to and the vulnerability of the Mobile Phones used in the day-today operation of the Video Production Technology Department and it offers information to mitigate these threats. Name of Asset: Mobile Phones Threat(s): Vulnerable to Threat(s) Risk Mitigation Strategy Act of human error or failure Accidents, employee mistakes Deliberate acts of espionage or trespass Unauthorized access and/or data collection Deliberate acts of sabotage or Destruction of systems or vandalism information Deliberate acts of theft Illegal confiscation of equipment or information Deliberate software attacks Viruses, worms, macros, denial of service Forces of nature Fire, Flood, Tornado, lightning Table 12. Risk Management – Mobile Phones Safeguard mobile phone at all time Continuous User training Prompt reporting of lose device Safeguard mobile phone at all time Enforce the use of strong password Ensure mobile phones are secure with passwords and the data is encrypted Add an authentication and time-lock feature Safeguard mobile phone at all time Safeguard mobile phone Enforce the use of strong password to make it difficult for break in Keep mobile phone out of sight when traveling Protect mobile phone with password and pins Set the lock screen so the phone will auto lock after being left idle for a period of time. Ensure that all software updates are properly signed and coming from a trusted source Safeguard mobile phone at all time ORM 18 Table 13 identifies threats to and the vulnerability of the Employees User ID of the Video Production Technology Department and it offers information to mitigate these threats. Name of Asset: Employee User ID Threat(s): Vulnerable to Threat(s) Risk Mitigation Strategy Act of human error or failure Accidents, employee mistakes Deliberate acts of espionage or trespass Unauthorized access and/or data collection Deliberate acts of theft Illegal confiscation of equipment or information Compromises to intellectual property Piracy, copyright infringement Table 13. Risk Management – Employee User ID Do not share Employee ID with others. Keep ID and password in secure place. Ensure there is a second level of controlled access into the Video Department Ensure there is a security system and motion sensors Ensure only employees with needs have security access to enter the Video Dept. using their badge to enter Never allow a person without an employee ID to enter into a secure area Watch for tailgaters Keep employees ID listing in locked cabinet at all times. Periodically review the access lists for each critical resource or system to ensure that the right set of individuals has authorized access. Regularly view active accounts to make sure they are valid, necessary, properly configured, and given only appropriate privileges Restrict and monitor privileges users Ensure that all employees have an understanding of sensitive information, common security risks, and basic steps to prevent security breaches Restrict and monitor users access ORM 19 Conclusion The purpose of this risk management project is to conduct appropriate activities to mitigate risks associated with International Paper in-house Video Production Technology’s classified valued assets identified in Table 1, its information asset identified in Table 2, and its Information Systems Assets identified in Table 3. International Paper is a global leader in the paper and packaging industry with manufacturing operations in North America, Europe, Latin America, Asia and North Africa. Headquartered in Memphis, Tenn., the company employs approximately 65,000 people and is strategically located in more than 24 countries serving customers worldwide. The in-house Video Production Technology is located at the Headquarters in Memphis, TN, dedicated to providing global employees with a video library they can access at their convenience. The on-demand videos provide employees with consistent and timely communications, enabling cost-effective knowledge transfer and ensure best practice sharing. The press releases, national and trade news related to International Paper products, brands and services are taped, recorded, and/or filmed in the in-house Video Production Technology Department. This area is deemed a highly security area because it is where the Chairman/Chief Executive Officer does recording, video, and or taping of company earnings for NYSE and the Members of the Board of Directors, as well as, any PR for the company. This is the repository for the history of the CEO speeches, videos, photographs of special events. Table 1 shows a listing of the physical valued assets located in the Video Production Technology Department that have been identified as critical and essential for the department to continue operations in the event of a disaster. The value of these assets was estimated based on the replacement value. ORM 20 Table 2 shows a listing of information assets that provides value to the Video Production Department and poses an operational risk that can impact the overall business operations of the Company. These items have been deemed critical and essential to the department. It also shows the asset classification and it sensitivity to loss, disclosure, or unavailability to the Video Production Technology Department and the company. Items were identified as Confidential, Internal Use, and or Sensitive because they are restricted to all or only some employees in the company and if released, can have the potential of negative consequences on the company business mission and security stance. Table 3 shows a listing of the information system assets, criticality, and their value to the Video Production Technology Department and the company. These assets are critical and essential to the department and deemed valuable because they cannot be easily replaced without significant investment in expense, time, employee’s skill, and/or resources; and in some cases form part of the organization’s corporate identity (Whitman and Mattord, 2011). Table 4 shows the common threat agents identified by Whitman and Mattord, 2011. Table 5 identifies the vulnerabilities, identifies and mitigates potential threats imposed on the asset, and provides appropriate countermeasures to reduce risk to the building. While there are many threats identified, awareness and an action plan can mitigate the potential threats. Table 6 identifies the vulnerabilities, identifies and mitigates potential threats imposed on the asset, and provides appropriate countermeasures to reduce risk to the Video Cameras. The video cameras are of value to the department and the company because of the details that can be found on the hard drive can be of great interest to the company’s competitors. The Video Production Technology Department tapes the CEO when presenting internal company information for global employees including earnings of the company, external communication to ORM 21 shareholders, stock exchange, and general public relations information. There are instances where there is internal information such as trade secret, product specification, manufacturing information, marketing plans, pricing strategies, and customer information may be recorded. Table 7 identifies the vulnerabilities, identifies and mitigates potential threats imposed on the asset, and provides appropriate countermeasures to reduce risk to the Digital Cameras. The digital cameras are of value to the department and the company because of the details that can be found on the disk can be of great interest to the company’s competitors as well as anyone that want to do harm to the CEO. The Video Production Technology Department takes photos of the CEO during speeches, Board of Directors meetings, many of the company gatherings, company products, and intellectual property. Table 8 identifies the vulnerabilities, identifies and mitigates potential threats imposed on the asset, and provides appropriate countermeasures to reduce risk to the Employee Name Badge. The employee name badge is the ticket to many areas; some highly secure areas, of the company. It is imperative that each employee name badge is coded with the privileges and accesses they need to perform their jobs only and no exception. Have a policy in place for lost or stolen ID. Revoke all access for terminated employees and make sure the ID badge is confiscated. Most importantly do not allow tailgaters. Company assets can be stolen or destroyed if the employee name badge got in the hands of the wrong person. Table 9 identifies the vulnerabilities, identifies and mitigates potential threats imposed on the asset, and provides appropriate countermeasures to reduce risk to the List of Video Recordings. The list of video recordings is of value to the department and the company because of the details that can be found on the list can be of great interest to the company’s competitors. The Video Production Technology Department tapes the CEO when presenting internal company ORM 22 information for global employees including earnings of the company, external communication to shareholders, stock exchange, and general public relations information. There are instances where there is internal information such as trade secret, product specification, manufacturing information, marketing plans, pricing strategies, and customer information may be recorded. Table 10 identifies the vulnerabilities, identifies and mitigates potential threats imposed on the asset, and provides appropriate countermeasures to reduce risk to the Intellectual Property. Protecting the intellectual property is crucial to the success of any business. Intellectual property consists of items that the company has created that are unique such as inventions, designs, and trade secrets. The Video Production Technology Department houses the video taping of many inventions created by the company. One of the inventions includes box designs for several businesses. Table 11 identifies the vulnerabilities, identifies and mitigates potential threats imposed on the asset, and provides appropriate countermeasures to reduce risk to the Laptop. The company laptops allow the employees to have access to the company email, documents, business intelligence, and many other applications on the company’s system. Without proper safeguards in place the information on the laptop is accessible by people who should not have it. Therefore, it is imperative the laptops have adequate protections such as passcode protections preferable with defined number of failed attempts lock-out and remote lock. The company must define protocols for the employees to follow in the event of a lost or stolen laptop. Table 12 identifies the vulnerabilities, identifies and mitigates potential threats imposed on the asset, and provides appropriate countermeasures to reduce risk to the Mobile Phones. The company has smartphone applications that allow the employees to have access to the company email, documents, business intelligence, and many other applications on the company’s system. ORM 23 Without proper safeguards in place the information on these devices is accessible by people who should not have it. Therefore, it is imperative that the mobile device have adequate protections such as passcode protections preferable with defined number of failed attempts lock-out and remote lock. The company must define protocols for the employees to follow in the event of a lost or stolen mobile phone. Table 13 identifies the vulnerabilities, identifies and mitigates potential threats imposed on the asset, and provides appropriate countermeasures to reduce risk to the Employee User ID. The department must ensure that private information is kept secure and that unauthorized access to the employee’s User ID doesn’t take place. Protecting the employee User ID can help reduce risk of theft and security breaches. Employees should avoid using an automatic login feature that saves your user name and password. The department should regularly view active accounts to make sure they are valid, necessary, properly configured, and given only appropriate privileges. Ensure that all employees have an understanding of sensitive information, common security risks, and basic steps to prevent security breaches. ORM 24 References Ciampa, M. (2015). CompTIA security+ guide to network security fundamentals (5th ed.). Boston, MA: Cengage Cirrus Weather Solutions, LLC. (n.d.). Overview of Memphis and Mid-South Weather. Retrieved from http://www.memphisweather.net/cli-overview.shtml Rufener, K. (2015, April 10). FBI ranks Memphis as the 3rd most dangerous city. WREG News [Memphis]. Retrieved from http://wreg.com/2015/04/10/fbi-ranks-memphis-asthe-3rd-most-dangerous-city/