Having trouble viewing this email? View it in your browser.

Internal Auditing

Case in Point:
Lessons for the pro-active manager

February 2014
Vol. 6 No. 2
Quotable...
''There are risks and costs to a program of action--but they are far less than the long range cost of comfortable inaction''

-- John F. Kennedy

Last month we looked into the details 2013's Information Technology stories linked in Case-In-Point. As we shared, the largest event in this category involved ''hacking'' from those outside the institution who want to obtain personal data. As we indicated last month we wanted to discuss some ways that these risks can be reduced. Ironically, since our last newsletter there have been multiple national stories involving data breaches in higher education. So clearly this is an issue that we should take seriously.

I asked Robert Gottesman, AU's IT Auditor, what suggestions he would have to prevent these issues. Some of the items below apply to you as an individual and others would be handled by IT departments but all are important protection measures.

  • Patch: New vulnerabilities are discovered all the time. A process for updating software with vendor security patches must be a part of regular process.
  • Know where sensitive/confidential data is stored: In order to make sure you are securing your systems appropriately, you must know where this sensitive/confidential information is stored. Different systems should have levels of access commensurate with the type of information stored on the system.
  • Personally Identifiable Information (PII): PII that is no longer needed should be redacted or destroyed: Years ago, the SSN was the key identifier for students and employees. Faculty grade books, both paper and spreadsheet based, from this time period may still have these identifiers on them.
  • Vulnerability Scanning: IT Providers should regularly conduct vulnerability scans on system they are responsible for. These scans can be run by the IT provider or by OIT personnel and can help with the discovery of unpatched and misconfigured systems.
  • Virus Scanning: A centrally provided virus scanner should be installed, configured to get regular virus definition updates, on every computer.
  • Back-up: Regular backups of system data protects the University in the event of a system failure.
  • Proactive Access Management: Know who has access to your systems: Regularly review users and groups (including group members) granted permission to access your resources. Do all these people still need access to the resource, are they still affiliated with the University?
  • Passwords: Don't use the same user id/password combination on University systems as you do for external websites/systems. Using the same password means a compromise will be much more difficult to contain if it did occur. Best practice is to use different credentials for the University systems and for each of the external services you use.
  • Encrypting: Are you encrypting portable devices (flash drives, laptops, etc.) that contain personal, sensitive or confidential data?
  • Personal Data Device Security: How are you securing your personal device which is connecting to the University Network? If you get your University email on your smartphone, are you properly protecting that device? Does the device require a PIN or password to use?

Routinely communicating the importance of data and technology best practices is very important. These risks involve more than simply the IT department but rather requires all faculty, administrators, staff, students, and departments being diligent and vigilant in protecting data and systems. While IT related risks are probably near the top in importance, there are multiple areas we must stay on top of within higher education. We again invite you to review the issues occurring at institutions the past month. As always, we welcome your feedback.

M. Kevin Robinson, CIA, CFE, CCEP
Executive Director, Internal Auditing


Information Security & Technology Events

Feb 8, 2014: It seems obvious, but passwords are our first line of defense against a growing army of nefarious hackers looking to steal our data, money or even identities. While many people know how serious the issue of cybersecurity is, many still use passwords that are remarkably bad. Compounding matters is the common practice of using the same password across multiple accounts, so a hacker who gains access to one account may be able to breach others. But protecting yourself is easy and there's just no excuse for leaving your accounts vulnerable with bad passwords. (link)

Feb 26, 2014: Apple on Tuesday made it clear that it will no longer patch OS X 10.6, aka Snow Leopard, when it again declined to offer a security update for the four-and-a-half-year-old operating system. With Snow Leopard's retirement, 1 in 5 Macs are running an operating system that could be compromised because of unpatched vulnerabilities. (link)

Feb 26, 2014: Indiana University says it is informing about 146,000 students and recent graduates in its seven-campus system that their personal data were inadvertently exposed to automated webcrawling programs since last March. Files including students' names, addresses and Social Security numbers -- stored in an unsecure location -- were accessed three times by automated data-mining applications, which are used to improve Web searches, the university said Tuesday. (link)

Feb 25, 2014: Data security continues to be a hot issue on Capitol Hill, and just yesterday Attorney General Eric Holder urged Congress to create a ''strong, national standard'' for quickly reporting data breaches to consumers. Democratic and Republican senators have been busy drafting legislation that would establish national requirements for data security and breach notice. (link)

Feb 19, 2014: The sensitive personal information for more than 300,000 faculty, staff, and students at the University of Maryland were stolen in a "sophisticated" cyberattack on the school's recently bolstered security defenses, the school's president revealed late Wednesday. (link) (Feb 27, 2014 Update: University of Maryland president Wallace D. Loh issued an additional statement in wake of the breach in which he shared his plan to launch a "comprehensive top-to-bottom investigation of all computing and information systems" -- both the central ones operated by the University, as well as the local systems operated by individual administrative and academic units. The investigation will include a comprehensive scan of all databases to discover what information they contain; all systems will be subject to penetration testing; a review will take place to determine the appropriate balance between centralized (University-operated) versus decentralized (unit-operated) IT systems; a comprehensive policy review will also take place. (link).

Feb 19, 2014: Remember getting a letter from the Maricopa County Community College District late last year? More than two million of them went out warning people their personal information could have been exposed in a recent security breach. But the ABC15 Investigators found some district employees knew about another security breach three years ago. (link)

Feb 14, 2014: Texas State Technical College was notifying more than 2,800 former students Friday about a server breach in which personal information may have been accessed. The information about students who attended TSTC Waco in the summer of 2006 and during the 2007 academic year may have been exposed as the result of the unauthorized access to the college server, the school said late Friday afternoon. (link)

Feb 14, 2014: An Ohio University professor pleaded not guilty yesterday to a 12-count indictment filed in Athens County charging him with child-pornography crimes. An investigation began when an Athens Police Department detective learned of child-pornography activity that was tied to an Internet-provider address at OU. (link)

Feb 13, 2014: Congratulations, you've been admitted to the Massachusetts Institute of Technology! Except actually you haven't. Those were the messages coming from MIT after emails alluding to admission were sent to the wrong group of prospective students last week. (link)

Feb 12, 2014: Recognizing that the national and economic security of the United States depends on the reliable functioning of critical infrastructure, the President issued Executive Order 13636, Improving Critical Infrastructure Cybersecurity, in February 2013. It directed NIST to work with stakeholders to develop a voluntary framework -- based on existing standards, guidelines, and practices - for reducing cyber risks to critical infrastructure. (link)


Fraud & Ethics Related Events

Feb 27, 2014: Joseph Cole, a former Louisiana College employee who worked closely with school President Joe Aguillard, left the school with an employment settlement of nearly $35,000 after threatening to go public with accusations against Aguillard in 2011, according to documents received by The Town Talk. (link)

Feb 26, 2014: A sudden spike in payroll fraud at Louisiana State University is raising questions about how departments around campus are handling payroll. In the past two months, there have been two reported cases of payroll fraud and two cases of attempted payroll fraud. The first case was reported Jan. 16 after a student working for the chemistry department was suspected of forging her supervisor's signature on 27 separate time sheets and collecting an income of approximately $9,000 over a year's time. (link)

Feb 26, 2014: University of Pittsburgh Medical Center said in a statement Wednesday that it believed 22 employees were "victimized" in a "common fraud scheme during tax season." (link)

Feb 25, 2014: The former budget director for Southern New Hampshire University pleaded guilty Tuesday to stealing more than $1 million from the university. Prosecutors said the scheme began to unravel when an extra scholarship was discovered in the university's athletic budget. It turned out to be an unauthorized scholarship for Prouty's niece. That led to a closer examination of the books and, eventually, Tuesday's sentencing. (link)

Feb 18, 2014: Law enforcement officials now believe Shelly Lough took in excess of $1 million from Bethany College in an effort to keep another woman quiet about an alleged affair. That woman, Rachelle Weese, 26, faces a federal charge of extortion. The charges alledge Weese used violence or fear to extort money from Lough who is the former manager of the cashier's office at Bethany College. The criminal complaint against Weese alleges she threatened to reveal to Lough's husband that Lough was in a relationship outside her marriage if she did not pay money. Although reports in October indicated the amount allegedly taken by Lough to be about $500,000, Ihlenfeld said Friday it now appears the amount may have been more than $1 million. (link)

Feb 13, 2014: Months after Angela Secrest became a student supervisor for Columbus State University Alumni Affairs' Phonathon, a student employee with the program told police she received an $860 bill for a credit card she never applied for. That student is one of seven workers CSU Police believe Secrest exploited in order to create multiple fake credit cards, according to court testimony. (link)

Feb 12, 2014: The Grand Jury has returned indictments against Natalie L. Higley, Leonard Willis Dean, Larry Wayne McConnell and Enoch Spurgeon Benefield, Jr., for the theft of Bainbridge State College property, including a Ford Tractor and a golf cart, among other items. (link)

Feb 11, 2014: A scathing report from the Illinois State Auditor General charges that Chicago State University has lost track of hundreds of thousands of dollars in equipment, including computers and other electronic devices, which may include sensitive or confidential data. Auditor General William Holland says an audit by his agency revealed that 197 items, worth $248,825 were missing. (link)

Feb 10, 2014: It was by all accounts an unusual white-collar crime: The perpetrator got no money for himself and never sought any. ''Most people commit crimes because of greed, and that wasn't his motive at all,'' Louisville lawyer Scott C. Cox said of his client, Brandon Hamilton, the former admissions director at University of Louisville Brandeis School of Law, who promised incoming law school students in the class of 2015 $2.4 million more in scholarships than the university had to offer. (link)

Feb 4, 2014: Ray Cool, an assistant professor of health, physical education and recreation at Western Michigan University, will be reimbursed after his paycheck was stolen by hackers, he said Monday. The news came a day after MLive reported that the university had not reimbursed Cool for the paycheck, which was stolen in mid-December. (link)


Compliance/Regulatory & Legal Events

Feb 27, 2014: A University of Connecticut dean is recommending dismissal of a music professor accused of sexual misconduct and of the former dean accused of ignoring complaints about him for a decade. In separate letters sent Thursday to Professor Robert Miller and to former Dean David Woods, who is now a professor, Brid Grant, dean of UConn's School of Fine Arts, said that the university was beginning "to take disciplinary action against you, up to and including termination." (link)

Feb 26, 2014: A Cook County jury has awarded a former Chicago State University employee $2.5 million in damages and back pay after deciding he was fired in retaliation for reporting alleged misconduct by the university president and other top officials, an amount that a judge could further increase at a hearing next month. (link)

Feb 26, 2014: In an unprecedented criminal conviction, a former UC Irvine computer scientist pleaded guilty Wednesday to a conflict of interest for receiving secret payments from Japanese companies funding his academic research. (link)

Feb 26, 2014: St. Cloud State University has asked a federal judge to dismiss a lawsuit filed by a former administrator in charge of enrollment management. Mahmoud Saffari sued the university and President Earl Potter III alleging his civil rights were violated when he was fired in 2011. The university said Saffari was terminated for failing to produce a management plan that would have better predicted enrollment numbers, according to court documents. (link)

Feb 25, 2014: The University of Michigan is being investigated by federal investigators for its handling of sexual assaults on campus. The Michigan investigation relates to a complaint filed against the school in January that cites earlier allegations of inadequate responses to sexual assaults, the Office for Civil Rights said in a letter to UM President Mary Sue Coleman. (link)

Feb 24, 2014: Some faculty members in the philosophy department at the University of Colorado say they're concerned that three outside consultants tasked with studying the climate of the department were given access to confidential files regarding sexual harassment and discrimination. (link)

Feb 15, 2014: The U.S. Department of Education is investigating Temple University's athletic department for possible Title IX gender-equity issues, university president Neal D. Theobald said. (link)

Feb 14, 2014: Portland State University has agreed to pay more than $160,000 to settle a lawsuit filed by a deaf student who claimed she wasn't allowed to live in a carpeted dorm or take a required biology-lab course because of her service dog. The settlement could have widespread implications for U.S. universities in how they treat students with disabilities, said an attorney for the woman. (link)

Feb 13, 2014: The University of Alabama is reviewing its guidelines for the display cases in the Ferguson Student Center, following complaints of censorship by a student group that argues its First Amendment rights were violated when an anti-abortion display was removed by staff over alleged complaints the content was offensive. (link)

Feb 12, 2014: Rutgers has reached an agreement with the former Big East to settle a lawsuit over exit fees, campus officials announced Wednesday. The two sides had been feuding in federal court over exit fees and other issues related to Rutgers' decision to leave the Big East to join the Big Ten later this year. The settlement will require Rutgers to pay an $11.5 million exit fee -- $3.5 million less than the conference originally wanted to bill Rutgers, campus officials said. (link)

Feb 11, 2014: A student at Northwestern University filed a federal lawsuit against the school Monday, alleging that university officials acted with ''deliberate indifference and retaliation'' after she reported that a professor sexually assaulted her during her freshman year. The plaintiff, now a junior in Northwestern University's Medill School of Journalism, claims that a tenured professor at the Evanston university sexually assaulted her in February 2012 after they attended an art event together in Chicago, the suit said. The university eventually found the student's claims credible, but have never disclosed to her how they disciplined the professor, she says. (link)

Feb 8, 2014: Four of the last seven US Treasury secretaries hold Harvard degrees, but that hasn't stopped the august university from running into problems with federal taxes. Harvard University officials acknowledged Friday that a mistake in tax reporting led 11,000 employees to pay taxes on income they did not receive -- to the tune of millions of dollars -- between 2009 and 2013. (link)

Feb 5, 2014: Julia Dixon, a sexual assalt victim, believes the University of Akron's policy is not only ''misleading but partially plagiarized,'' and shows ''that institutions are more interested in appearing to comply with the law than actually following it and helping their students''--and legal consultants and sexual assault advocates agree with her. (link)

Feb 4, 2014: Duke University and Davidson College are among 111 universities accused of possibly requiring students to fill out more than the required paperwork to receive federal student aid. (link)

Feb 3, 2014: The University of Wisconsin's patent licensing arm -- the Wisconsin Alumni Research Foundation -- is suing Apple for violating a university patent through the A7 processor found in the iPhone 5s, iPad Air, and iPad mini. The patent is titled Table Based Data Speculation Circuit for Parallel Processing Computer, and credited to several computer scientists who were at UW Madison. It describes a way of improving ''the efficiency and performance of contemporary computer processors.'' (link)


Campus Life & Safety Events

Feb 19, 2014: Eight students on the Bronx campus of Fordham University have contracted mumps. Mumps is a contagious disease that starts with a few days of fever, headache, muscle aches, tiredness and loss of appetite followed by the swelling of salivary glands, the Center for Disease Control explained. (link)

Feb 18, 2014: At the request of Chancellor Dan Jones, the university's Alumni Association has offered a $25,000 reward for information leading to the arrest of two individuals involved in an early morning incident on The University of Mississippi campus. The University Police Department (UPD) is looking for two men who were seen early Sunday morning near the James Meredith statue, which commemorates the 1962 integration of the university. One of the men was reported to have been wearing camouflage pants. The statue had been draped with a noose and an old Georgia state flag, and the men were heard shouting racial slurs. (link)

Feb 17, 2014: A University of Chicago student was found dead in his dorm room over the weekend, a discovery that was made after complaints of a foul odor and one that shocked the campus community. (link)

Feb 13, 2014: A giant runaway snowball crashed into a Reed dorm on Saturday evening, ripping a wall off its studs and narrowly missing a window. No one was injured in the collision. (link)

Feb 8, 2014: A dozen dorm rooms on the campus of the University of Maryland, College Park had items stolen from them in two separate incidents over the last two weeks, campus police said Friday. On Thursday, January 30, a suspect entered four different unlocked dorm rooms in Denton Hall and between about 8:45 a.m. and 10 a.m. and stole items, according to University of Maryland police. On Friday between 7 a.m. and 10 a.m., items were stolen from eight unlocked dorm rooms in Centreville Hall and Cumberland Hall. (link)

Feb 8, 2014: University of Georgia police have charged 11 male students with hazing, police and jail records show, in reported beatings of pledges to a campus fraternity. Police issued arrest warrants for the 11 students on Thursday and they were all booked into the Clarke County Jail and released on bond by Friday night, according to the records. (link)

Feb 5, 2014: A realistic-looking statue of a man sleepwalking in his underwear near the center of Wellesley College has created a stir among the women on campus, especially as more than 100 students at the all-women's college signed a petition asking administrators to remove it. (link)

Feb 4, 2014: In the first examination of San Jose State's handling of a racially charged bullying case, an independent investigator Monday found the university did "everything it could" and was quick to alert police when it learned a group of white students had been reportedly tormenting a black roommate for weeks. (link) (link)

Feb 4, 2014: A study released by the Pew Research Center in January reported that 53 percent of adult cellphone owners have been involved in a ''distracted walking'' encounter. (link)

Feb. 3, 2014: Reports of sexual assaults on Boston-area college campuses have risen sharply over the past several years, according to a Globe review of federal statistics, shedding light locally on what victims' advocates and President Obama have called a national epidemic with devastating effects. (link)


Other News & Events

Feb 14, 2014: Posters laced with profanity, blow-up dolls in business attire, and quirky d├ęcor filled Dr. David William's office at the University of Saskatchewan -- at least before complaints were made against the tenured professor. (link)

Feb 13, 2014: For the first time in 50 years, the educational balance among married couples has tipped towards women. Wives are more likely to be the better educated partner than the other way around. The trend is particularly sharp among newlyweds; in 2012 almost 40% of college educated women were married to a guy without a degree. Read more: Women Are Marrying Less Educated Men. (link)

Feb 10, 2014: While surveying land for a new parking lot at the University of Mississippi Medical Center, officials made a grisly discovery: more than 1,000 bodies thought to have been patients at the old Mississippi State Lunatic Asylum. (link)

Feb 2, 2014: College textbooks cost too much -- and something needs to be done about it, according to a report from the advocacy group U.S. PIRG. (link)


If you have any suggestions, questions or feedback, please e-mail me at robinmk@auburn.edu. We hope you find this information useful and would appreciate hearing your thoughts. Feel free to forward this email to your direct reports, colleagues, employees or others who might find it of value. Back issues of this newsletter are available on our web site at http://www.auburn.edu/audit.

If you have any suggestions for items to include in future newsletters, please e-mail Robert Gottesman at gotterw@auburn.edu.

Back to top

Department of Internal Auditing
Auburn University
304 Samford Hall
M. Kevin Robinson, Exec. Director
robinmk@auburn.edu
334.844.4389

© Redistribution of this newsletter, with or without modification, is permitted provided Auburn University Internal Auditing is listed as the source.