
Internal Auditing

Case in Point:
Lessons for the pro-active manager

September 2010
Vol. 2 No. 9

Quotable...
''Fundamentally, security is about people, not technology.''

-- Dr. Greg Newby *

Each month since we began issuing this newsletter, we've had links to news reports from across our industry of data being lost, breached, or in some way inappropriately disclosed. As an industry we continue to struggle with protecting sensitive data. October is once again National Cyber Security Awareness Month, so it's a good time to think about what data security is and to consider whether you possess or have access to data that requires special vigilance.

Ultimately, most of these breaches and disclosures occur because someone fails to exercise proper care and suggested controls. The first line of defense is to consider what data you have and to ensure you are properly protecting it BEFORE you have a problem. In other words, be proactive in your risk management of sensitive data. This month we suggest you think about the types of data you have access to as well as data you possess on your computer, on your portable drives, and even what you may keep out on your desk. Technology certainly poses some unique security challenges, but many times those old paper documents can bring similar risks. Consider the steps you are taking to protect this data, and think about ways you might want to improve the security of your confidential data.

Here are some quick suggestions related to this topic and common controls:

  • Keep security patches updated on your computer
  • Keep virus protection software running and updated on your computer
  • Keep firewalls turned on
  • Use strong passwords
  • Consider encrypting laptops if they have sensitive data
  • Avoid storing confidential data on portable devices if possible
  • Keep confidential documents locked when not in use
  • Shred old documents that have sensitive information
  • (For additional tips, see http://keepitsafe.auburn.edu)

Those are just a few things to consider this month regarding data protection. As you see here each month, there are many risks we face in higher education across a broad spectrum. As you review the stories below consider if you have similar risks, and think about how you are currently managing these issues for Auburn University.

M. Kevin Robinson, CIA, CFE, CCEP
Executive Director, Internal Auditing


Information Security Related Events

Sept. 30, 2010: In the past three years, Ohio State University has investigated an average of 10 potential data breaches annually. (link)

Sept. 29, 2010: University of Florida officials have notified 239 former students that their names, addresses and Social Security numbers were part of a web-accessible archive of computer science class information created in 2003 by a faculty member. (link)

Sept. 21, 2010: Since 2008, higher education institutions have experienced a staggering 158 data breaches resulting in over 2.3 million reported records compromised. In 2009 alone there were 57 reported data breaches, and year to date through July of 2010, there have already been 32 breaches. (link)

Sept. 21, 2010: Nearly a quarter (23 percent) of university students have successfully hacked into IT systems, says Tufin Technologies. (link)

Sept. 15, 2010: A database security vendor says colleges and universities need to do more to secure their databases against break-ins. (link)

Sept. 14, 2010: It's common knowledge that you can catch computer viruses on porn Web sites. But did you know it's also risky to surf the Web searching for free movies or music? A study from McAfee finds that adding the word "free" when looking for entertainment content in search engines greatly increases the chances of landing on a site hosting malware. (link)

Sept. 13, 2010: Rice University says a device containing information involving about 7,250 Rice faculty and staff, along with some students and retirees, was recently stolen. (link)

Sept. 7, 2010: It was one computer that was stolen, but it contained the names and information of the 7,000 City College of New York students. (link)

Sept. 7, 2010: An online Minneapolis Community and Technical College directory left sensitive student data and internal documents accessible to the prying eyes of anyone with an Internet connection since at least the summer of 2006, according to an investigation by City College News. (link)

Sept. 5, 2010: An Eastern Michigan University computer server was hacked into late Friday, potentially exposing employees' direct deposit banking information, some university passwords and personal identification numbers, according to an e-mail sent to the EMU community tonight. (link)

Sept. 3, 2010: A mistake by a local doctor may have possibly put the information of hundreds of patients at risk. The University of Rochester Medical Center says the doctor misplaced and still hasn't found a computer flash drive. (link)

Sept. 2, 2010: As part of Western State College of Colorado's Banner 8 testing, a test data file containing direct deposit payroll information was e-mailed and inadvertently sent to an incorrect e-mail address. (link)

Sept. 2, 2010: An e-mail containing the Social Security number, driver's license number, and first and last name of 2,484 full and part-time Arkansas State University employees was sent to 144 ASU e-mail addresses. (link)

Sept. 1, 2010: According to several sources familiar with the University of Virginia College at Wise case, thieves compromised a computer belonging to the university's comptroller. The attackers then used a computer virus to steal the online banking credentials for the University's accounts at BB&T Bank, and initiated a single fraudulent wire transfer in the amount of $996,000 to the Agricultural Bank of China. (link)

 


Misappropriation/Fraud/Ethics Events

Sept. 24, 2010: Hundreds of Montclair State University students started lining up well before dawn Wednesday to buy tickets to a much-anticipated homecoming concert featuring hip-hop artist Nicki Minaj.
There was, however, one slight problem: Nicki Minaj was never booked to perform at the university. (link)

Sept. 23, 2010: A former San Francisco State University student who ran the school's cheerleading squad is facing criminal charges for allegedly embezzling nearly $20,000 from the team. (link)

Sept. 20, 2010: A former University of the Pacific student is being accused of embezzling thousands of dollars from her sorority as the board's president. (link)

Sept. 15, 2010: A St. John's University fundraiser apparently swiped more than $1 million from the Queens college and apparently spent the stolen cash on trips to casinos, shopping sprees to Victoria's Secret and funding for her son's tuition at St. John's Law School, authorities announced Wednesday. (link)

Sept. 10, 2010: North Dakota State University officials agree with state auditor findings that spending $24,000 for unused hotel rooms and $15,000 for Tony Robbins seminars was not a good use of taxpayer money. (link)


Compliance/Regulatory Events

Sept. 28, 2010: Chelsi Miller says she amassed $45,000 in debt to earn a surgical technologist degree from the for-profit Everest College in 2008 in the hopes of transferring to the University of Utah, only to find few schools accept Everest credits. (link)

Sept. 24, 2010: The international office of Delta Kappa Epsilon is investigating its University of Minnesota chapter, where a woman was sexually assaulted and at least one man was robbed on separate nights last weekend. (link)

Sept. 23, 2010: Wabash College is under fire. The all-male school founded in 1832 in Crawfordsville is facing a potential million dollar lawsuit filed on behalf of the family of Johnny Smith. (link)

Sept. 21, 2010: A judge has reduced the amount of money the University of Minnesota must pay to a former Oklahoma State basketball coach who sued the school and coach Tubby Smith after they decided not to hire him. (link)

Sept. 20, 2010: The University of Florida has fired a professor for saying during a lesson about sexual harassment that Latin American women dress more provocatively than U.S. women. (link)

Sept. 14, 2010: Northeastern University has launched a review of its handling of hazardous chemicals after the death of a university researcher whose body was discovered at her Milford home this weekend with a bag marked ''cyanide'' next to it. (link)

Sept. 7, 2010: An animal rights group today called for a federal investigation into a University of Michigan course that teaches students to save human lives but uses cats and pigs to train them. (link)

Sept. 7, 2010: The University of Wisconsin-Madison's student assessment fund for extracurricular activities must reimburse student religious groups for activities constituting religious practices, the U.S. Court of Appeals for the Seventh Circuit recently held. (link)

Sept. 1, 2010: San Francisco State University has no obligation to refund a student additional fees it charged after CSU trustees approved a last-minute tuition increase last year, a San Francisco court has decided. (link)

Aug. 27, 2010: Since Aug. 19, six pedestrians or bicyclists have been injured in collisions with vehicles in crosswalks near campus. And it's happened while Purdue and West Lafayette police have been conducting a joint crosswalk enforcement blitz, giving information, warnings and at times tickets to pedestrians and motorists who don't follow the rules. (link)


Other News & Events

Sept. 30, 2010: A New Jersey college student jumped to his death off a bridge a day after authorities say two classmates surreptitiously recorded him having sex with a man in his dorm room and broadcast it over the internet. (link)

Sept. 28, 2010: A chartered bus returning from New York with the University of Maine at Fort Kent men's and women's soccer teams struck a moose early Sunday morning. The moose was killed. (link)

Sept. 29, 2010: A 19-year-old math major got dressed in a suit and a ski mask and fired off several rounds from an AK-47 assault rifle today, sending the campus of the University of Texas at Austin into a lockdown before taking his own life in a library, police said. (link)

Sept. 25, 2010: A group of Rutgers University students repeatedly interrupted a speech by the school president today as they sought lower tuition for illegal immigrants at New Jersey colleges. (link)

Sept. 22, 2010: Drew University has eliminated a basket of free condoms in the lobby of the school's health services department. The school said department budget cuts and thefts led to the decision. (link)

Sept. 20, 2010: A Stony Brook University residence hall was evacuated when a chemical irritant was released into the air, causing students to vomit Sunday night. (link)

Sept. 17, 2010: Cleanup, repair and installing mitigation measures after last month's floods will cost Iowa State University $40 million to $50 million, said Warren Madden, ISU vice president for business and finance. (link)

Sept. 11, 2010: The University of North Carolina in Chapel Hill may install railings on bunk beds in its dorms after a woman fell to her death in her daughter's room last month. (link)

Sept. 2, 2010: Prompted by a shooting at Ohio State University in March that left two dead and one wounded, university officials plan to change several hiring policies by early next year. Two of the five recommended changes deal with background checks: All people hired will go through background checks before starting work, and one company will do all the checks. (link)

Sept. 2, 2010: Los Angeles County Sheriff's bomb investigators on Thursday safely detonated a live Vietnam-era grenade that was unearthed by construction crews at a Garfield Avenue satellite campus for Glendale Community College. After it was discovered, crew superintendent Jerry Valent said he and others picked up the grenade for closer examination, going so far as washing off corrosion and snapping photographs. (link)

Aug. 31, 2010: Authorities say they destroyed a pair of Civil War-era cannon balls on display at a Kennesaw State University after officials realized they were live. (link)

Aug. 31, 2010: Students in a financial management class at Indiana University will get a chance to invest real money as they handle a $100,000 account. (link)

Aug. 29, 2010: For most CU-Boulder students, spotty cell phone reception has become the norm on campus and has gotten worse with the construction of new environmentally friendly buildings. University officials say they're hard at work on ways to improve cell phone service on campus. (link)

 


If you have any suggestions, questions or feedback, please e-mail me at robinmk@auburn.edu. We hope you find this information useful and would appreciate hearing your thoughts. Feel free to forward this email to your direct reports, colleagues, employees or others who might find it of value. Back issues of this newsletter are available on our web site at http://www.auburn.edu/audit.

If you have any suggestions for items to include in future newsletters, please e-mail Robert Gottesman at gotterw@auburn.edu.


Department of Internal Auditing
Auburn University
304 Samford Hall
M. Kevin Robinson, Exec. Director
robinmk@auburn.edu
334.844.4389

© Redistribution of this newsletter, with or without modification, is permitted provided Auburn University Internal Auditing is listed as the source.