Internal Auditing

Case in Point:
Lessons for the pro-active manager

August 2013
Vol. 5 No. 8
''A naïve man believes everything, but a wise man looks well into the matter.''

-- Proverbs

Each month with Case-in-Point, we attempt to make you aware of the latest events, threats, and risks for higher education. This month we want to address a specific issue that has been problematic for several institutions over the past month. From conversations with colleagues throughout the country, along with attempts here at AU, higher education appears to be the target of a very widespread attack called phishing.

Phishing is a technique used by cyber criminals to steal data by sending you an e-mail that appears to be from a source you would normally trust. The e-mail calls for your action in some way, typically clicking a link and giving additional information. While phishing isn't new, the number of attempts to phish data from institutions in higher education seems to have increased in the past few weeks, so it is worth our time this month to talk about phishing and how we can be better equipped to protect ourselves and the institution.

According to the SANS Institute, phishing attacks were originally developed to steal online banking usernames and passwords. Now the term is viewed more broadly to refer to e-mail based attacks that attempt to trick you into clicking some link or taking some action. If you are tricked, the phisher can potentially learn passwords, infect machines with malicious code, steal sensitive data, and do a host of other negative things. The reason phishing scams are still prevalent is the simple fact that they frequently work. So what can we do to protect ourselves from phishing schemes?

  • Have a healthy level of skepticism when dealing with unsolicited e-mails. Don't simply assume they are legitimate even if they look like they are from a trusted source. Particularly be wary if the e-mail wants to hurry you into taking some action as this is a technique frequently employed by phishers. It is much better to check with the source and ensure the e-mail is legitimate than to rush into a potential negative situation.
  • Don't click links in e-mails, or at least move your mouse over the link to see where it would direct you. Generally, cutting and pasting links into your browser's address bar and visually reviewing the URL is substantially safer than clicking the link in the e-mail.
  • Remember that just because an e-mail looks like it is from a friend, employer or business, it doesn't mean it is not a spoof e-mail with negative intentions. Be very wary of attachments you were not expecting. Scanning attachments or files with virus software before opening is always a good security step.
  • For more information on phishing and good computing practices see this site developed by AU's Office of Information Technology: http://www.auburn.edu/oit/phishing/.

As we consider phishing, it is always good to remember that we must remain vigilant in protecting sensitive data in other ways as well. We will have more on data protection next month.

If you encounter emerging risks or threats during the month, we'd always like to hear about them and help educate our industry in ways we can all improve operations. As you review the issues from across higher education, we again suggest you consider where you may need additional controls or risk strategies.

M. Kevin Robinson, CIA, CFE, CCEP
Executive Director, Internal Auditing

Information Security & Technology Events

Aug. 30, 2013: A St. Louis Community College at Meramec student was arrested and released Wednesday for tweeting a ''violent'' threat directed at the campus' financial aid office, authorities say. (link)

Aug. 27, 2013: College officials often face logistical and philosophical dilemmas in disposing of cast-off cellphones, tablets, computers, and printers. (link)

Aug. 22, 2013: The University of Mississippi Medical Center mistakenly gave out social security numbers, grade point averages and other personal information for most of its student body this week, violating state and federal privacy laws. (link)

Aug. 19, 2013: Health information and Social Security numbers are among data that may have been compromised for faculty, staff and students in a data breach at Emory University in Atlanta. (link)

Aug. 16, 2013: Ferris State University says a data security breach put identifying information of thousands of people at risk of being accessed. Officials say they learned July 23 that an unauthorized person evaded network security and gained access to a computer that's used to operate its website. About 39,000 people's names and Social Security numbers were in files that were accessible. (link)

Aug. 15, 2013: For anyone taking electronic payments, the Payment Card Industry Data Security Standard (PCI-DSS) is a critical must-have compliance component in order to do business. Currently the standard is at the PCI-DSS 2.0 level. The new 3.0 standard is now in development, bringing with it policy and procedural changes that will impact the security of the entire electronic payment ecosystem. (link)

Aug. 15, 2013: ''Most data would support the fact that attempts or intrusions into college and university networks, much like corporations or governments, is on the increase,'' said Rodney Petersen, a managing director of the Washington D.C. office of EDUCAUSE, an association of Information Technology leaders in higher education. (link)

Aug. 14, 2013: University of Michigan is experiencing a newly sophisticated type of cyber attack: An email scam that attempts to get employees' passwords, gain access to their personal information and redirect their direct deposits. (link)

Aug. 13, 2013: Now might be a good time to become accustomed to Windows 8 if you're still a holdover Windows XP user. Computerworld reports that hackers have started storing up any fresh Windows XP exploits they find and are preparing to unleash them on unsuspecting XP users as soon as Microsoft stops supporting the operating system next year. (link)

Aug. 12, 2013: The College of Extended Learning at San Francisco State University began notifying an undisclosed number of students of a server breach that occurred on March 25, 2013 at 3am. The college had been alerted to the breach by federal law enforcement on June 11, 2013. (link)

Aug. 9, 2013: On June 19, Auburn University in Alabama learned that spreadsheets containing donor and alumni information had been accidentally uploaded to a public server. The spreadsheets contained an undisclosed number of donor and alumni's names, maiden names, postal and email addresses, telephone numbers, and Social Security numbers. The spreadsheets also contained former students' years of attendance, what school they attended, and their alumni status. No financial information was involved. (link)

Fraud & Ethics Related Events

Aug. 27, 2013: A Framingham State University employee was fired after allegedly misusing a university procurement card for as much as $167,000 in illegitimate expenses, an official said today. The university became aware of the expenses when reviewing spending statements, said Rita Colucci, chief of staff and general counsel. (link)

Aug. 27, 2013: Former University of Maine spokesman and state legislator John Diamond responded Monday to the University of Arkansas firing him last week by releasing a letter in which he accused a UA official of interfering with the release of public information to the news media, making inappropriate remarks about religion and race and creating a hostile and threatening work environment. (link)

Aug. 24, 2013: University of Illinois' director of bands, Robert Rumbelow faces a felony theft charge after selling old band instruments on eBay and depositing the sale proceeds into his personal bank accounts. While Rumbelow's attorney doesn't dispute where his client put the money, he says Rumbelow's motives were pure and that he planned to put all the money toward the building project once all the instruments were sold. Rumbelow also reimbursed the university about $10,000 for what police said were questionable charges on his university-issued ''P-Card,'' a credit card designated for business purposes. (link)

Aug. 22, 2013: United States Attorney Thomas G Walker announced that in federal court today Ademola L Ejire, 53, pled guilty to mail fraud, in violation of Title 18, United States Code, Section 1341. United States Attorney Walker stated, ''Mr Ejire was entrusted with federal grant funds earmarked for the education and nurturing of young minds in the fields of math and science. Unfortunately, he breached that trust.'' (link) (link)

Aug. 11, 2013: Timothy ''Tim'' Johnson says he was fired from his position as executive vice president of Louisiana College because he filed a whistleblower complaint against school president Joe Aguillard. ''It is a result of my filing a whistleblower complaint,'' Johnson said in an interview with The Town Talk. (link)

Aug. 2, 2013: Researchers at a respected University of Utah lab ''recklessly'' mishandled and manipulated data in 11 papers published over the course of five years, according to a report released this week. The problems went far beyond two papers about regulation of iron in the blood that were retracted from a scientific journal last year after a lab technician threw away notebooks, the investigation by a U. research oversight committee found. (link)

Aug. 1, 2013: Thirteen years ago, the University of California changed its ban on flying business or first class on the university's dime, adding a special exception for employees with a medical need. What followed at UCLA was an acute outbreak of medical need. Over the past several years, six of 17 academic deans at the Westwood campus routinely have submitted doctors' notes stating they have a medical need to fly in a class other than economy, costing the university $234,000 more than it would have for coach-class flights, expense records show. (link)

July 31, 2013: The former head of the Research Foundation of the State University of New York and the politically connected woman he hired are facing charges of filing false claims. The charges lodged by state Attorney General Eric Schneiderman allege that John J. O'Connor and Susan Bruno certified Bruno was performing work for the Research Foundation when she was instead working on Republican campaigns or performing tasks for her father, former Senate Majority Leader Joseph L. Bruno. (link)

Compliance/Regulatory & Legal Events

Aug. 29, 2013: A student at Swarthmore College who accused it of being lax in its pursuit of allegations of sexual misconduct says the Pennsylvania college is retaliating against her by denying her a job as a dormitory resident adviser, The New York Times reports. But college officials deny any retaliation. They say they cannot employ the student, Mia Ferguson, because she refuses to tell authorities the name of the victim of an alleged rape. (link)

Aug. 28, 2013: The United States Attorney's Office for the Northern District of Georgia and Attorney General Sam Olens announced today they have reached a settlement with Emory University, which agreed to pay $1.5 million to settle claims that it violated the False Claims Act by billing Medicare and Medicaid for clinical trial services that were not permitted by the Medicare and Medicaid rules. (link)

Aug. 27, 2013: Two fledgling programs created to teach journalism students how to use drones in their reporting are applying for permits so they can resume operating unmanned aircraft outdoors, their directors said this week. Both programs received cease-and-desist letters from the Federal Aviation Administration last month. (link)

Aug. 22, 2013: A student at St. Charles Community College was arrested Tuesday for sending out a tweet that police say contained terroristic threats. (link)

Aug. 21, 2013: An appeals court rejected part of a jury's verdict in the whistleblower case of a former Iowa State University employee awarded more than $1.25 million in damages after being, among other things, falsely accused of being a ''potential terrorist or mass murderer'' by his superiors. (link)

Aug. 19, 2013: A ruling by a Florida appeals court on Friday has reduced a $10 million damage award to $200,000 in a wrongful death lawsuit filed by the family of a University of Central Florida football player who died following conditioning drills in 2008. The court, however, denied the University of Central Florida Athletic Association a new trial, which it also was seeking. (link)

Aug. 19, 2013: A physics professor Southern University fired in the spring of 2012 showed up on campus the following semester and continued working, teaching a full load of classes in the fall of 2012, apparently unbeknownst to university administrators. (link)

Aug. 19, 2013: Pennsylvania State University has agreed to a multimillion-dollar settlement with a 25-year-old man who was sexually abused by former assistant football coach Jerry Sandusky in a campus shower. It is the first of 26 claims to be settled in the Sandusky scandal, with the others expected early this week. The university has approved spending $60 million for the payouts. (link)

Aug. 17, 2013: The state Board of Regents has denied a University of Georgia art professor's appeal of his tenure revocation for having public sex with a student. UGA administrators began a rare tenure revocation process earlier this year against nationally known painter James Barsness for having sex in a public place with a student under his supervision at UGA's Costa Rica 2012 Maymester study abroad program, which UGA administrators said was a violation of UGA's harassment policy and other university and state Board of Regents policies. (link)

Aug. 15, 2013: A jury has ordered Globe University in Woodbury to pay $395,000 to a former dean who said she was fired for complaining about unethical practices at the for-profit school. (link)

Aug. 12, 2013: University of Southern California senior Ariella Mostov wondered in May why neither the Los Angeles Police Department nor the school Department of Public Safety had attempted to contact her more than a month after she reported being sexually assaulted. Mostov said she visited the campus Department of Public Safety to follow up, but the records manager couldn't find the crime report she had filed March 27. When the report was located later, it listed the crime as ''injury response,'' rather than rape or sexual assault. (link)

Aug. 10, 2013: A Sparta resident allegedly broke into Sussex County Community College, threw a weight into a snack machine and stole some treats before he was found hiding in the gymnasium bleachers, police said. (link)

Aug. 8, 2013: Not even public universities are safe from their former interns. In a rare internship dispute to play out in the public sector, the University of California was ordered to pay more than $14,000 in back wages and damages to a psychology intern who said she was illegally required to work without pay. (link)

Aug. 8, 2013: A Providence doctor and emergency medicine professor who's studied alcohol misuse in his official involvement with Brown University and Rhode Island Hospital pleaded not guilty Wednesday to hosting an underage drinking party at his Barrington house. (link)

Aug. 6, 2013: The Freedom From Religion Foundation is pushing a public university in Alabama to abandon its plans to open a residence hall for religious students. The website of Troy University indicates the new dorm, named the Newman Center, is non-denominational and meant for students ''who want to engage in dialogue about spirituality.'' (link)

Aug. 5, 2013: The dean of the fine arts department at Fairmont State University has been charged with second-degree sexual assault and placed on administrative leave. A male employee at the school told police that on Saturday, while in Lach's office in Wallman Hall, Lach pulled down the victim's pants, forcefully restrained him and initiated oral sex. (link)

Aug. 1, 2013: A Coon Rapids man has been sentenced for stealing prosthetics and other supplies from the University of Minnesota Medical Center-Fairview and selling them online. Peter Stasica, 52, was sentenced to two years of probation, ordered to pay $88,000 in restitution and ordered to perform 100 hours of community service on one count of wire fraud. (link)

Campus Life & Safety Events

Aug. 30, 2013: Towson University's championship cheerleading squad has been suspended from competition for the academic year over an alleged hazing incident, school officials confirmed Thursday. (link)

Aug. 29, 2013: With the beginning of the semester less than a week away, a few dozen at Framingham State University are scrambling to find a place to live after being evicted from their apartments. (link)

Aug. 28, 2013: Gunshots shattered the calm on the Faulkner University campus Tuesday and left a woman in critical condition. Police said officers took a man into custody on Atlanta Highway shortly after the shooting around noon and said the shooting was domestic violence related. (link)

Aug. 27, 2013: Temple University has canceled its decades-old Spring Fling, saying the event has outlived its original intent and that ''high-risk'' drinking posed serious concerns, according to a campus-wide email sent Monday night by school officials. (link)

Aug. 26, 2013: The ''GW Housing Horrors'' Facebook page is a compendium of, as the name would suggest, objectionable conditions in the dorms of George Washington University, a D.C.-based school where tuition for the 2013-2014 academic year is $47,290, room and board another $10,850. (link)

Aug. 23, 2013: Oral Roberts University students gasped and shrieked Wednesday morning when a bald eagle that was part of a chapel service failed to fly to its trainer, crashed into a window at Christ Chapel on campus and collapsed to the floor. (link)

Aug. 16, 2013: The University of Idaho is prepared to expel low-performing students and require permits for frat parties as part of an effort to curb underage drinking. (link)

Aug. 15, 2013: Police say George Carlisle II, 43, called 911 around 12:22 p.m. Tuesday identifying himself as a college professor and indicating there was an armed female student inside of Anne Arundel Community College holding approximately eight students at gunpoint. But it all turned out to be a hoax. (link)

Aug. 15, 2013: Calling ''campus violence a reality'' to prepare for, the University of Maryland Eastern Shore announced plans Thursday to spend $60,000 on the Clark Kent of teacher supplies: an innocuous-looking white board that can stop bullets. The high-tech tablet --- which hangs on a hook, measures 18 by 20 inches and comes in pink, blue and green --- can be used as a personal shield for professors under attack, according to the company that makes it, and a portable writing pad in quieter times. (link)

Aug. 9, 2013: The governing board of the UNC system voted unanimously Friday to ban campuses from letting students of opposite genders live in the same dorm suites or apartments. The decision reverses a housing policy that was unanimously endorsed by UNC-Chapel Hill's Board of Trustees last year, and it comes just days before the plan was to take effect on the Chapel Hill campus. (link)

Aug. 8, 2013: The University of Connecticut's first-ever prohibition against romantic relationships between faculty and undergraduate students won quick and unanimous adoption Wednesday by the school's board of trustees. (link)

Aug. 8, 2013: Two college friends of accused Boston Marathon bomber Dzhokhar Tsarnaev were indicted Thursday on federal obstruction of justice charges, while lawyers for a third friend said he is negotiating a possible deal in his case. Dias Kadyrbayev and Azamat Tazhayakov, both 19-year-old former students from Kazakhstan, were indicted by a federal grand jury, which said they took evidence from Tsarnaev's dorm room at the University of Massachusetts Dartmouth, tossed it in the trash, and watched a rubbish truck take it away after authorities had publicly identified Tsarnaev as a suspect. They were first charged in May in US District Court, but the indictment increased their possible sentence from five to 25 years in prison. (link) (link)

Aug. 8, 2013: University of Iowa President Sally Mason defended UI's image at the Iowa state Board of Regents meeting on Thursday following the Princeton Review earlier this week dubbing it the No. 1 party school in the nation. (link)

Aug. 4, 2013: Discussions may begin again this fall about whether New Mexico State University should apply for a license to sell beer and wine during sporting events in the Pan American Center. NMSU officials have said they expect the issue will be up for discussion this year, after the school year begins. (link)

Aug. 1, 2013: Yale University found six students guilty of ''nonconsensual sex'' during the first half of 2013 and allowed all of them to continue pursuing an Ivy League diploma from the school. Only one of the six students that a university committee or administrator found guilty of nonconsensual sex was suspended, according to a semi-annual report on Yale sexual misconduct. (link) (link)

Aug. 1, 2013: A psychology professor at Downstate Millikin University killed his parents and sister 46 years ago when he was a teenager, a revelation that has jolted the bucolic liberal arts college that has employed him for nearly three decades and sparked calls for his resignation. As a teenager, he avoided prison time after being found insane at the time of the slayings. (link)

Other News & Events

Aug. 28, 2013: A major donor has withdrawn a $100,000 gift to Westfield State University, saying he was ''appalled at the lavish spending'' by President Evan Dobelle, joining a growing backlash against the school after reports that Dobelle ran up big charges to the school's private fundraising arm for luxury hotels, limousine rides, and other high-end purchases, including a trip to Asia. (link)

Aug. 18, 2013: Most of America's select institutions of higher education are straining to find a sustained path to diversity. But according to a new study from Georgetown University, they are failing. In fact, the study concludes that the system is becoming more polarized racially, with African-American and Hispanic students settling for community colleges and those without access restrictions. (link)

Aug. 17, 2013: The phenomenon of the teacher who sticks around well past age 70 has been widely noted, yet colleges have had little success in mitigating its impact. A survey commissioned by Fidelity Investments and reported at Inside Higher Ed in June found that ''some 74 percent of professors aged 49-67 plan to delay retirement past age 65 or never retire at all.'' (link)

Aug. 15, 2013: The Virginia Military Institute English professor who refused to either work or quit is now on an indefinite paid administrative leave. Kurt Ayau, one of a group of seven embattled professors in the department and the only one who hasn't resigned or retired, said the VMI administration offered the leave, which he said is non-punitive, and he took it as a way to maintain his income while he looks for another job. (link)

Aug. 13, 2013: Former Oakland University President Gary Russi will receive about $230,000 in deferred compensation from the school despite terms in his contract barring such a payment if he left the university before June 30, 2014. (link)

Aug. 7, 2013: Longtime Fresno City College instructor Brian Calhoun said in an email sent to colleagues this week that he's been fired from his position following a well-publicized confrontation with a student. The email --- with the subject line ''It has been a pleasure…'' --- was sent late Tuesday morning from Calhoun's Fresno City College account. The school's fall semester begins Monday. Calhoun, a former Fresno City Council member, said in the email that it took Fresno City College and the State Center Community College District ''only 47 days to fire me, probably a record for a tenured instructor.'' (link)

Aug. 5, 2013: Faculty of color at community colleges feel subordinated and marginalized, causing them to limit what they could contribute to their institutions, according to a new report issued by a community college research center at the University of California, Riverside. (link)

Aug. 3, 2013: The state entity with the largest number of buildings uses them an average of 25 percent of the workweek, leaving them empty the rest of the time, a new study shows. The University System of Georgia studied the issue itself at all 31 of the state's public colleges and universities and found it could be more efficient. (link)

Aug. 1, 2013: A petition is circulating on the Penn State campus demanding that the Office of Human Resources put an immediate end to the implementation of the newly adopted ''Know Your Numbers'' wellness program which they say is a coercive program requiring employees to submit to intrusive questions and comply with medical procedures, or else pay significant fines. (link)

Aug. 1, 2013: The president of Hillsdale College took heat from several lawmakers during a hearing today in which he said state officials visited his campus to determine whether enough ''dark ones'' were enrolled. (link)

Aug. 1, 2013: Pasadena City College's self-titled ''Porn Professor'' announced this week he will not offer the class again in the near future after pressures from the college and social media sent him to psychological rehab last week. Professor Hugo Schwyzer has offered his Humanities 3 class, which he called ''Navigating Pornography,'' twice at PCC, but this spring the class received backlash from the college and the community after media reports of a guest lecture by porn star James Deen that Schwyzer tried to open up to the public. (link)

If you have any suggestions, questions or feedback, please e-mail me at robinmk@auburn.edu. We hope you find this information useful and would appreciate hearing your thoughts. Feel free to forward this email to your direct reports, colleagues, employees or others who might find it of value. Back issues of this newsletter are available on our web site at http://www.auburn.edu/administration/oacp.

If you have any suggestions for items to include in future newsletters, please e-mail Robert Gottesman at gotterw@auburn.edu.

Department of Internal Auditing
Auburn University
304 Samford Hall
M. Kevin Robinson, Exec. Director

© Redistribution of this newsletter, with or without modification, is permitted provided Auburn University Internal Auditing is listed as the source.