
Internal Auditing

Case in Point:
Lessons for the pro-active manager

October 2010
Vol. 2 No. 10

Quotable...
"Carelessness does more harm than a want of knowledge."

- Benjamin Franklin

This is the twenty-first edition of Case-in-Point. In the preceding twenty issues, we have identified almost six hundred instances where the management of certain risks failed. In last month's issue we focused on protecting sensitive and confidential data as part of October's Cyber Security Awareness initiative. As we look back over the prior twenty months, we've noticed that frequently data loss occurs due to basic carelessness of the data holder.

This month we have an event that clearly illustrates this fact. An academic advisor at Wesley College intended to send an email to other advisors regarding students who were at risk of failing out of the institution. However, the advisor mistakenly sent the e-mail to all students on campus. Included in the e-mail was commentary about one student that stated, "The hole she has dug is deeper than the mine shaft in Chile."

While this is a case of a simple mistake by an employee, it also illustrates how easy it is to make critical mistakes with sensitive data and how vigilant we must be when dealing with the data we control. This institution is now implementing controls to prevent similar events, such as requiring approval from two employees before an email goes out to its entire student body. For the rest of us, we can learn from this event and be reminded of the importance of keeping our data secure and ensuring we use care when e-mailing data that could harm our students or institution.

We have plenty of other examples to learn from this month as we survey the current happenings in higher education. As usual, we ask that you do two things: first, evaluate whether you have similar risks that need your attention before a problem occurs; and secondly, share this newsletter with those in your sphere of influence so they can think proactively as well.

M. Kevin Robinson, CIA, CFE, CCEP
Executive Director, Internal Auditing


Information Security Related Events

Oct. 28, 2010: The University of Hawaii-Manoa and has breached the personal information of 40,101 students who attended between 1990-1998 and 2001, including names, social security numbers, dates of birth, addresses, demographic, and detailed academic performance data. (link)

Oct. 27, 2010: It started with a private e-mail to about a dozen fellow academic advisers warning them that the enclosed list of students were at risk of failing out of Wesley College. "The hole she has dug is deeper than the mine shaft in Chile," the e-mail said of one student's grades. (link)

Oct. 27, 2010: The personal information of about 400 Benedictine students and a few non-students within the Election Judge Training Program was inadvertently posted online on the program's Facebook page, according to Executive Vice President Charlie Gregory. (link)

Oct. 27, 2010: The provincial government and the University of Calgary must do a better job of protecting against unauthorized access to confidential online information, warns Alberta's auditor general. (link)

Oct. 27, 2010: A recent security breach on the University of Connecticut - Storrs campus revealed a list of former students' names and Social Security numbers and made them available on the Internet. (link)

Oct. 22, 2010: In mid-June, approximately 85 staff members received an e-mail from the Johns Hopkins University Applied Physics Lab’s benefits office with an incorrect attachment that included names, Social Security numbers, birthdates and other information on 692 dependents of APL staff members. (link)

Oct. 19, 2010: For the first time ever, more companies are suffering from electronic theft than from physical theft, according to the results of a poll released yesterday by risk consultancy Kroll. (link)

Oct. 16, 2010: A procedural mishap at New Mexico Tech's Computer Center may have allowed the Social Security numbers of a few thousand people to be publicly available to anyone with a Tech computer account for nearly five years. (link)

Oct. 16, 2010: Between September 24, 2010 and September 29, 2010, a University of North Florida file containing the personal information of high school and college students (and others interested in UNF) may have been accessed by unauthorized persons outside the United States. (link)

Oct. 11, 2010: According to the results of a survey released last month, fewer than 30% of Oracle database administrators encrypt personally identifiable information in all their databases, while about 75% acknowledge their organizations do not have a means to prevent privileged database users from reading or tampering with human resources, financial or other business application data in their databases. (link)

Oct. 7, 2010: A UNC cancer researcher is fighting a demotion and pay cut she received after a security breach in the medical study she directs. Her attorney said that it's unfair to blame his client for the breach. He said the university knew the program's computer system had security deficiencies as early as 2006 but failed to notify her. (link) (link)

Oct. 4, 2010: During the first six months of 2010, academia was the sector most impacted by malware, according to a report issued Monday by anti-virus firm Trend Micro. Education was likely hit the hardest because of the large number of students using old and outdated software and visiting suspect websites, Jamz Yaneza, threat research manager at Trend Micro, told SCMagazineUS.com on Monday. (link)

Sept. 29, 2010: The University of Oklahoma's Tulsa Neurology practice recently became aware that one of its clinic computers had been compromised by a virus. The Clinic is notifying individuals whose records were maintained on the computer of the discovery. (link)


Misappropriation/Fraud/Ethics Events

Oct. 28, 2010: Former Alabama two-year college chancellor Roy Johnson admitted in testimony today that he knew it was illegal to let a contractor, who he was recommending for work on community college projects, pay for appliances and other costs for a house he was building in Opelika. (link)

Oct. 21, 2010: A construction company owner admitted today that he paid to improve a deck at the home of a former administrator at the University of Medicine and Dentistry of New Jersey in exchange for contracts to perform work at the university over a seven-year period ending in 2006. (link)

Oct. 20, 2010: The University of Central Arkansas will be subject to an investigation by the Arkansas Ethics Commission after a citizen complaint was brought against UCA President Allen Meadors. (link)

Oct. 14, 2010: Jimmy Vu used his position as faculty associate chairman of Houston Community College's work force development program to have the college pay for computers, cell phones, televisions and other equipment that he had delivered to his home in Sugar Land, according to the Harris County District Attorney's Office. He also schemed to get a relative on the payroll and then pocketed the paychecks, the DA's office said. (link)

Oct. 10, 2010: Old Dominion University has corrected most of the problems at a teacher training center where a veteran state lawmaker became embroiled in an ethics scandal last year, university auditors have found. (link)

Oct. 5, 2010: A former University of Illinois at Chicago professor has filed a defamation and invasion of privacy lawsuit against the student newspaper and its former news editor. (link)

Sept. 30, 2010: A former administrator at St. John's University accused of embezzling about $1 million from the college in Queens has now been charged with far more lurid crimes: forcing students to clean, cook and act as her personal servants to keep their scholarships. (link)

Sept. 30, 2010: University of Oklahoma sophomore wide receiver Jaz Reynolds was suspended indefinitely for a comment made on his Twitter account: "Hey everyone in Austin, tx…….kill yourself," following an incident Tuesday in which a gunman opened fire with an assault rifle and later killed himself at the campus library at the University of Texas in Austin. (link)

Sept. 30, 2010: A federal grand jury has indicted five Maryland defendants on fraud and aggravated identity theft charges in connection with a scheme to use stolen Johns Hopkins Hospital patient identity information to open fraudulent credit accounts and make purchases on “instant credit” at retail stores in Maryland. (link)


Compliance/Regulatory Events

Oct. 28, 2010: A strong gust of wind swept across Notre Dame's practice football field before a tower toppled, killing a student who had been videotaping the team from the tower, the university's athletic director said Thursday. (link) (link)

Oct. 27, 2010: At the height of the University of Missouri’s collective euphoria over beating top-ranked Oklahoma last Saturday — and as thousands of spectators poured out of the stands and onto the gridiron — campus police nabbed the 30, handcuffed them and cited them for trespassing. (link)

Oct. 25, 2010: Three people have been arrested in connection with a drug lab found inside a Georgetown University dorm-room. (link)

Oct. 22, 2010: The Alabama Supreme Court today upheld a state school board policy prohibiting employees of the two-year college system from serving in the Legislature. (link)

Oct. 21, 2010: The former president of Sussex County Community College was illegally terminated from her job last spring at a meeting that resembled a "witch hunt," according to an amended lawsuit pending against college officials. (link)

Oct. 21, 2010: A lawsuit has been filed against three officials at the University of Arkansas after a pledge student says he was nearly killed in a hazing incident. (link)

Oct. 19, 2010: A UW-Madison professor did not get due process when the university suspended her animal research last year, according to a report from a faculty committee. (link)

Oct. 13, 2010: Education officials in Georgia voted Wednesday to bar illegal immigrants from attending the state’s five most selective public colleges, a decision that immigrant rights groups threatened to challenge in court. (link)

Oct. 6, 2010: The Connecticut State University System's board of trustees apparently violated state law by improperly delegating the power to make personnel policies to an executive committee and the authority to terminate university presidents to the chancellor. (link)

Oct. 5, 2010: The California Supreme Court appeared skeptical Tuesday of a lawsuit that would end in-state tuition for an estimated 25,000 illegal immigrants who attend the state's public universities and colleges. (link)


Other News & Events

Oct. 28, 2010: A 19-year-old student at Minnesota State University Moorhead faces a charge of indecent exposure after he was found naked in a study room of a female-occupied area of a dormitory. (link)

Oct. 26, 2010: In an e-mail sent campuswide late Monday, Dean of Students Burgwell Howard warned against wearing racially or culturally insensitive costumes this weekend. He also discouraged "ghetto," "pimps and hos" and "gangsta" parties at the esteemed Evanston university. (link)

Oct. 25, 2010: Authorities have called it a "death investigation," not a homicide case, but school officials have heightened security on campus and locked student dorms earlier than usual. There is a greater police presence on campus, and campus buses are running expanded hours. (link)

Oct. 25, 2010: Indiana University says it's canceling plans to require its 17,000 full-time employees to complete an online health risk assessment to qualify for a cut in their health premiums next year. (link)

Oct. 19, 2010: While "drunkorexia" is not a medical term, it has become easily understood slang for the practice of swapping food calories for those in alcohol. (link)

Oct. 20, 2010: Last month, two cartoons created by students were published in the University of Connecticut's student newspaper, The Daily Campus — one suggesting that women have social diseases and the other that women could be bribed into bed by a diamond. (link)

Oct. 18, 2010: A Yale fraternity whose pledges chanted obscenities last week as they marched on Yale's campus has come under the scrutiny of its national board of directors. (link)

Oct. 15, 2010: A New Jersey college has banned caffeinated alcoholic beverages fearing they could lead to what officials call "blackout in a can." (link) (link) (link)

Oct. 13, 2010: Chicago native Elizabeth Pearlman was taking part in a conditioning drill with her college basketball team last October when she collapsed. If an automated external defibrillator -- an AED is a portable device that can detect cardiac arrhythmias and shock the heart back into rhythm -- hadn't been available, she likely would have died. (link)

Oct. 12, 2010: With the new school year underway, some college students are spending the year abroad. In addition to hitting the books and taking in the sights, they may also be drinking a lot more, a new study suggests. (link)

Oct. 12, 2010: Columbia police said a fight over game day traffic escalated and left a 20-year-old man dead after the University of South Carolina football game Saturday night. (link)

Oct. 11, 2010: During a five-year period, more than $9 billion was spent by state and federal governments to support students at four-year colleges and universities who left school before their sophomore year, according to an analysis by the American Institutes for Research (AIR). California, Texas and New York led the nation in government spending on students who dropped out before their second year. (link)

Oct. 7, 2010: For nearly two weeks, many here on the Duke University campus had been aware of a certain senior "thesis" that a recent graduate wrote, apparently as a private joke, about her sexual exploits with 13 student-athletes. (link)

Oct. 7, 2010: Technology has become so entwined with college students' often frantic lives that most in a new survey say they'd be more frazzled without it. (link)

Oct. 4, 2010: The presidents of all 24 fraternities on the University of Minnesota's Twin Cities campus say they will ban parties for now following a third sexual assault at a fraternity house. (link)

Sept. 30, 2010: State lawmakers put construction projects at some South Carolina public colleges on hold Wednesday as a way to force them to lower tuition costs. (link)

Sept. 30, 2010: It was a sad day at Rutgers University in New Jersey. Students mourned a classmate who killed himself after a secret video of his sexual encounter with a man was posted online. (link)


If you have any suggestions, questions or feedback, please e-mail me at robinmk@auburn.edu. We hope you find this information useful and would appreciate hearing your thoughts. Feel free to forward this email to your direct reports, colleagues, employees or others who might find it of value. Back issues of this newsletter are available on our web site at http://www.auburn.edu/audit.

If you have any suggestions for items to include in future newsletters, please e-mail Robert Gottesman at gotterw@auburn.edu.


Department of Internal Auditing
Auburn University
304 Samford Hall
M. Kevin Robinson, Exec. Director
robinmk@auburn.edu
334.844.4389

© Redistribution of this newsletter, with or without modification, is permitted provided Auburn University Internal Auditing is listed as the source.