The mission of the Office of Audit, Compliance & Privacy is to assist the University in fulfilling its vision of being a preeminent comprehensive land-grant university. Our office provides services in three distinct yet related disciplines - audit, compliance, and privacy - in support of Auburn University's three-pronged mission of teaching, research, and service.
The Office of Audit, Compliance & Privacy functions in partnership with University leadership to:
Last month we started our annual review of last year's Case in Point by looking at the categories as a whole. This month we focus on the Information Technology (IT) category, which certainly brings substantial risk to all institutions.
When we break down the stories in this category, the top 3 issues in order of frequency are:
The overall numbers and types of events are fairly similar to the last few years. We dove deeper into each category and evaluated the circumstances of events to come up with some basic advice for avoiding these particular risks.
Data Breach/Hack – You may be tempted to think this is a central/security IT topic and not one that you can control. While there are some things that IT professionals handle behind the scenes, if you are connected to the institution's system, you are a potential target for those wanting to do harm. As the old adage goes, a chain is only as strong as its weakest link. Your role is to avoid being that weak link, and you can do this by practicing safe computing. AU's Information Security Group has put together a very helpful resource at this link: http://www.auburn.edu/oit/security/. We encourage you to read through these suggestions for ways you can protect yourself and our institution from IT-related risks.
Accidental Exposure of Data – The second most frequent problem noted during 2018 is one you can definitely impact. By far, the most common incident was carelessly emailing protected data to those outside the institution (who had no need or right to the data). These cases weren't malicious or intentional, simply careless mistakes where the wrong information was sent to the wrong people. If you handle confidential data, you have a responsibility to go the extra mile in protecting this data.
Lost or Stolen Devices – Laptops, jump drives, and external hard drives with confidential data were lost at institutions coast to coast during 2018. This is another risk that you can control. The use of encryption is certainly the most important way to mitigate the risk, but common-sense security of devices like these is also important. You should ask yourself if confidential data needs to be on the devices that leave your workspace. Often there is no real need to raise the risk level by transporting data. Think about what data is on what device and make wise decisions.
IT risks require all faculty, administrators, staff, students, and departments to be diligent and vigilant in protecting data and systems. While IT-related risks are probably near the top in importance, there are multiple areas we must stay aware of in higher education. We invite you to review the events that occurred at institutions in the past month. As always, we welcome your feedback.
Auburn University uses the EthicsPoint anonymous Reporting System to enhance communication and empower individuals to promote safety, security, and ethical behavior. Use this anonymous, confidential system to report situations, events or actions by individuals or groups that you believe are unethical or otherwise inappropriate. Frivolous or unfounded reports do not help foster a positive workplace. This hotline service does not replace our existing reporting methods for reporting fraud, waste, abuse or other potentially illegal activities. The University continues to encourage stakeholders to report concerns or suspected violations to their supervisor or other campus entities as appropriate. If you are uncertain if a situation violates University policy, is illegal or constitutes harassment or discrimination, you may use EthicsPoint to obtain clarification. We would much rather have you ask questions than let potential problems go unchecked. However, EthicsPoint should not be used for immediate threats to life or property. If the situation presents an immediate threat to life or property, call emergency services at 911.
Last Updated: June 27, 2018