CIA, CFE, CCEP
Case In Point:
Lessons for the pro-active manager
Vol. 7 No. 3
Last month we looked into the details of 2014's Information Technology stories linked in Case In Point. As has been true for multiple years, data breaches continue to be the most frequent story we link in this category. Protecting data requires substantial effort, because one weak link in the chain of protection can cause difficulty for the entire organization. As we indicated last month, we wanted to discuss some ways that these risks can be reduced.
In last year's February issue, Robert Gottesman, AU's IT Auditor, made suggestions on actions you can take to prevent these issues. Due to the importance of this topic, we again present his list of suggestions for your consideration. Some of the items below apply to you as an individual and others would be handled by IT departments, but all are important protection measures.
- Patch: New vulnerabilities are discovered all the time. A process for updating software with vendor security patches must be part of regular operations.
- Know where sensitive/confidential data is stored: In order to make sure you are securing your systems appropriately, you must know where this sensitive/confidential information is stored. Different systems should have levels of access commensurate with the type of information stored on the system.
- Personally Identifiable Information (PII): PII that is no longer needed should be redacted or destroyed. Years ago, the SSN was the key identifier for students and employees. Faculty grade books, both paper and spreadsheet based, from this time period may still have these identifiers on them.
- Vulnerability Scanning: IT providers should regularly conduct vulnerability scans on the systems they are responsible for. These scans can be run by the IT provider or by OIT personnel and help discover unpatched and misconfigured systems.
- Virus Scanning: A centrally provided virus scanner, configured to receive regular virus definition updates, should be installed on every computer.
- Back-up: Regular backups of system data protect the University in the event of a system failure.
- Proactive Access Management: Know who has access to your systems. Regularly review the users and groups (including group members) granted permission to access your resources. Do all of these people still need access to the resource? Are they still affiliated with the University?
- Passwords: Don't use the same user id/password combination on University systems as you do for external websites/systems. Reusing a password means a compromise of one service will be much more difficult to contain if it does occur. Best practice is to use different credentials for the University systems and for each of the external services you use.
- Encrypting: Are you encrypting portable devices (flash drives, laptops, etc.) that contain personal, sensitive or confidential data?
- Personal Data Device Security: How are you securing the personal device that connects to the University network? If you get your University email on your smartphone, are you properly protecting that device? Does the device require a PIN or password to use?
Routinely communicating the importance of data and technology best practices is very important. These risks involve more than simply the IT department; they require all faculty, administrators, staff, students, and departments to be diligent and vigilant in protecting data and systems. While IT-related risks are probably near the top in importance, there are multiple areas we must stay on top of within higher education. We again invite you to review the issues that occurred at institutions during the past month. As always, we welcome your feedback.