Ethics Anonymous Reporting Hotline

Auburn University has contracted with an outside provider, Ethicspoint, Inc. of Portland, Oregon to receive reports regarding concerns over financial irregularities (and similar ethics related matters) and NCAA violations. To file a report, click the Ethics Hotline link or read the FAQ for more information.

Kevin Robinson
Executive Director
CIA, CFE, CCEP
Monthly Newsletter
Case In Point:
Lessons for the pro-active manager
Vol. 6 No. 7


We know that data thieves frequently target credit card data. When these thieves are successful, the various card brands (Visa, MasterCard, American Express, etc.) can levy heavy fines on the merchant who suffered the breach. Merchants who have chosen to accept credit and debit cards are contractually obligated to have in place a very prescriptive set of security controls, collectively known as the Payment Card Industry Data Security Standard (PCI-DSS), to prevent the unauthorized use or disclosure of cardholder data. In addition to large fines for non-compliance, a merchant can be held responsible for reimbursing fraudulent charges and card reissuance costs. The merchant's reputation will certainly suffer in the court of public opinion.

As consumers, we expect the merchants we do business with to protect our credit card data and not allow it to fall into the hands of identity thieves or other nefarious users. Similarly, we expect every organization, website, and governmental agency to protect the data they require us to provide when using their services. As a merchant, as well as a data steward of customer (applicant, student, alumni, employee) data, the University is also expected to abide by best practices, legislative mandates and contractual obligations to protect the data we have been entrusted with. This includes meeting the highly prescriptive obligations of the PCI-DSS, as well as ensuring reasonable security measures are in place to protect the other data entrusted to us.

While most of us don't handle payment cards on behalf of the University, virtually all of us have access to sensitive data that must be appropriately protected. Protecting this data is a mixture of common sense and sound business processes. PCI-DSS requires that all employees be provided with annual information technology security awareness training, and all employees should have a common baseline knowledge of computer security threats and best practices to thwart unintended exposure of data. On a university campus, sensitive data exists in many locations, including centralized and departmental servers, your desktop computer, backup media, and paper forms. The records contained within this data include, but are not limited to, social security numbers, credit card numbers, driver's licenses, addresses, passport numbers, student educational records, protected health information, research data, and other such information.

A recent study by the Ponemon Institute estimated the cost of a data breach to be $145 per compromised record. A data breach of only 1,000 records therefore could result in $145,000 in direct and indirect costs. Each of us must be vigilant and do our part to protect sensitive information. There are many practices which can contribute to a more secure environment. Here are a few we suggest you consider.

  1. Managing your passwords
    a. Use strong passwords and do not share passwords with others.
    b. Use different passwords for campus resources and non-University resources. Use a different password on each of the non-University sites you have accounts with. If one site is compromised, you can be assured the breach will not affect your accounts on other sites.
    c. Use a secure password manager to save your passwords for each site. There are a number of good smartphone and computer applications that will store your various passwords in encrypted form, accessible only with a strong master password.
  2. Learn how to identify spam, scam and phishing emails. Your bank and the University IT department will not ask you to provide your user name and password via email. Likewise, treat as suspect ALL links found within an email. Just because a link takes you to a page that appears to be a University-approved site does not mean that it is. If you have any doubt about a request, contact local IT support to verify its authenticity.
  3. When off-campus, do not trust free or hotel Wi-Fi. Learn how to use the University VPN to protect data transmission while traveling.
  4. Protect your smartphone and tablet like you would your wallet or purse. Don't leave it lying around, even for a moment. These devices are computers, and you should have to enter a password or PIN in order to access the device.
  5. Look for security weaknesses and report them to IT professionals, supervisors or Internal Audit.

Each of us should be vigilant and proactive, as any breach of sensitive data results not only in costly remediation, but also tarnishes the University's name and reputation. As always, if you have any suggestions or comments, please let us know.

Latest IT Security News
Microsoft EMET 5.0 security tool puts a leash on plug-ins (08/01/2014)
Most USB thumb drives can be reprogrammed to infect computers (08/01/2014)
Judge rules against Microsoft in email privacy case (08/01/2014)
IBM buys access control and identity management firm CrossIdeas (07/31/2014)
No patch yet for zero day in Symantec Endpoint Protection software driver (07/31/2014)
Many antivirus products are riddled with security flaws (07/31/2014)
iPhone gets first free app for encrypting voice calls (07/30/2014)


Last Updated: July 31, 2014

Internal Auditing | Auburn, Alabama 36849 | (334) 844-4389 |