Internal Auditing

Case in Point:
Lessons for the pro-active manager

March 2010
Vol. 2 No. 3
Quotable...

"Security is always excessive until it's not enough."

-- Robbie Sinclair, Head of Security, Country Energy, NSW Australia

Thanks to advances in technology it has never been easier to conveniently copy and store data. Laptops, jump drives, CD-ROMs, PDAs, smart phones, and of course, the internet, have created new outlets by which data users can unintentionally make their sensitive data available to those who wish to do harm. This week's stories -- as virtually every month's stories -- include situations where someone lost data their organization was obligated to protect. The benefits of easy data storage are great, but we cannot forget that with this convenience comes substantial risk: the risk that we lose the data. So before you copy that file onto your jump drive or laptop, ask yourself these questions:

  1. Do I really need a copy of this data on local media such as a jump drive?
  2. If I do, is the data sensitive enough (or does policy require) that I should add some additional security such as encryption?
  3. If I lose this media device, what will happen? Will a loss or theft of this device jeopardize me or others to possible identity theft? Will a loss of this device jeopardize the work I am doing in some way? Is there a secure backup copy somewhere besides this media device?
  4. How can I best protect this device while I have data stored on it?

You may come up with other questions, but the bottom line is that it is best to think about data security BEFORE you have data loss. Come to think of it, that's true of our other risk areas as well. As you scan this month's events across higher education, think about how you can proactively manage similar risks here at Auburn University.

M. Kevin Robinson, CIA, CFE, CCEP
Executive Director, Internal Auditing


Information Security Related Events

Mar 29, 2010: A removable media device containing personal data on 3.3 million people was stolen from the Minnesota headquarters of federal student loan guarantor Educational Credit Management Corp. (ECMC) last week -- and the data should never have been copied onto the device in the first place. (link)

Mar 27, 2010: Ferris State University is investigating an apparent attempt to hack into one of the school's computer servers and has notified the FBI. (link)

Mar 18, 2010: Thousands of Vanderbilt University students could be at risk of identity theft after a professor's computer was stolen. (link)

Mar 10, 2010: The University of Texas Medical Branch this week began mailing letters to another 1,200 patients whose personal information might have been compromised by a woman charged with identity theft. (link)

Mar 2, 2010: Bennett College is working to find out who used a key logging took to break into their computer servers. In a bundle of information posted on the college's FAQ website, they explain a hacker broke into the work station of an employee by using their username and password. The information of approximately 1,100 people was exposed during the hack. (link)

Feb 26, 2010: An East Stroudsburg University sociology professor has been suspended for venting her workplace frustration on her Facebook page. (link)


Misappropriation/Fraud/Ethics Events

Mar. 30, 2010: A former University associate vice chancellor and dean has been given a scholarship fund in her name after it was determined there was insufficient evidence to prosecute her on the theft charges for which she was arrested last June amid her retirement. (link)

Mar 24, 2010: Kansas City University of Medicine and Biosciences has filed a lawsuit against former president and CEO Karen Pletz. KCUMB officials say the suit was filed after a special committee’s internal investigation into Pletz actions and expenditures while she worked for KCUMB. (link)

Mar 15, 2010: As an 18-year-old freshman at Drew University, William J. Scott was hired to work at the school’s archives center. Scott, from Massachusetts, was charged today in federal court in Newark with stealing between 21 and 23 of the letters and trying to sell them to a historical document dealer in the United Kingdom. They included letters to Methodist leaders signed by President Abraham Lincoln, President Franklin Delano Roosevelt and Madame Chiang Kai-Shek. (link)

Mar 12, 2010: A former Brigham Young University employee will serve jail time for stealing $200,000 from the school. In all, nearly 50 laptops, 80 computer monitors and 175 printer cartridges were bought with university money and sold for more than $200,000. (link)

Mar 9, 2010: Eamonn Higgins has never earned a college degree in his own name, but prosecutors allege that for the past seven years the 46-year-old has been going to school non-stop for dozens of other students. (link)


Compliance/Regulatory Events

Mar 15, 2010: The number of illegal immigrant college students paying in-state tuition and receiving financial aid at Texas' public colleges and universities continues to climb, according to state higher education records. (link)

Mar 13, 2010: Officials at the University of California, Los Angeles say they are reviewing why an accident in a campus chemistry lab that left a graduate student with serious burns in 2007 was not reported to state regulators, but deny that there are safety problems with the labs. (link)

Mar 10, 2010: State Rep. John Knight, Alabama State University's second in command, says a lawsuit contending that three female university employees suffered repeated sexual and racial harassment that was condoned by ASU supervisors and officials is frivolous and possibly the handiwork of a disgruntled former university trustee. (link)

Mar 9, 2010: The University of Kentucky's fire marshal, Greg Williamson, said Monday he has recommended that the Sigma Alpha Epsilon fraternity house, the scene of an apparent prank involving fire early Saturday, be closed for the rest of this semester and through the next semester. Investigators found "multiple fire violations" at the building after a fraternity member allegedly set fire to a friend who was wrapped in toilet paper, Williamson said. (link)

Mar 5, 2010: Attorney General Ken Cuccinelli says Virginia’s colleges and universities cannot prohibit discrimination against gays because the General Assembly has not authorized them to do so. (link)


Other News & Events

Mar 24, 2010: Cornell University this week erected temporary fencing along three university-owned bridges that cross the deep gorges on its campus, where three students have jumped to their deaths in recent weeks. (link)

Mar 24, 2010: Black lawmakers are urging black football recruits to reconsider playing for the University of South Carolina because the university could lose its lone black trustee. (link)

Mar 23, 2010: Princeton received $35 million in 1961 for the training of government employees from Charles and Marie Robertson, who held the A&P grocery fortune. But the family came to believe the Ivy League school was not carrying out its intent and sued.(link)

Mar 23, 2010: Students and families who borrow money to help pay for college will see sweeping changes as a result of federal legislation approved by the House. Although the bill was focused mainly on health care, it contains key provisions involving loans for higher education — including the Stafford Loan for students and the PLUS Loan for parents. (link)

Mar 23, 2010: When the University of Minnesota opened its new on-campus football stadium last year, the stadium was dry -- the result of an ultimatum by state lawmakers that alcohol be sold everywhere in the stadium or nowhere. Now, legislators are taking another look and could give the university room to sell booze in premium seats while keeping it from stands filled by students and general ticket holders. A proposal rolling back the all-or-nothing law advanced Tuesday in a Senate committee, but its prospects were dimmer in the state House. (link)

Mar 13, 2010: San Francisco judge has ordered the University of California to pay $38 million in refunds and interest to 2,900 students in law, medical and other professional schools whose fees were raised thousands of dollars despite UC's pledge to keep them level. (link)

Mar 9, 2010: An Ohio State University janitor who was about to lose his job walked into a maintenance building for his early morning shift Tuesday and shot two supervisors, killing one of them and fatally shooting himself. No students were hurt. (link)

Mar 6, 2010: As a visual aid, Zachary Bucharest hauled out a duffel bag and withdrew the disassembled parts of a Colt AR-15, a semiautomatic version of the military M-16. For the next 15 or 20 minutes, he kept professor John Hall's class engrossed as he lectured about the weapon's inferiority to the foreign-made AK-47.(link)

Mar 5, 2010: Colorado State University veterinary experts revised their necropsy procedures after more than 20 students and staff were exposed to plague that killed a mountain lion. (link)

Mar 4, 2010: Lake Michigan College has banned people convicted of sex crimes against children and listed on the state sex offender registry from attending classes on its four campuses, officials say. (link)

Mar 3, 2010: A Towson University adjunct professor was fired last week after using a racially insensitive term in his art class. Allen Zaruba, a local artist who had taught at Towson for 12 years, said he was discussing provocative works depicted in textbook chapters on the body and identity when he used the term. "I crossed the line," he said. "I made a terrible, terrible mistake." Zaruba, who is white, said his black stepfather used racial terms freely and that "I never quite got the horror of the word." (link)

Mar 2, 2010: The University of Nevada, Reno announced plans Monday to close the College of Agriculture and eliminate some departments and degree programs to reduce its budget by $11 million to meet the 6.9 percent cut higher education must shoulder under the agreement reached during the Legislature's special session. (link)

Mar 2, 2010: A firestorm over racially and ethnically charged incidents at several University of California campuses spread Tuesday as UC San Diego announced a KKK-style hood was found on campus and students in Los Angeles and Irvine demonstrated against intolerance. (link)


If you have any suggestions, questions or feedback, please e-mail me at robinmk@auburn.edu. We hope you find this information useful and would appreciate hearing your thoughts. Feel free to forward this email to your direct reports, colleagues, employees or others who might find it of value. Back issues of this newsletter are available on our web site at http://www.auburn.edu/audit.

If you have any suggestions for items to include in future newsletters, please e-mail Robert Gottesman at gotterw@auburn.edu.

Department of Internal Auditing
Auburn University
304 Samford Hall
M. Kevin Robinson, Exec. Director
robinmk@auburn.edu
334.844.4389
© Redistribution of this newsletter, with or without modification, is permitted provided Auburn University Internal Auditing is listed as the source.