Having trouble viewing this email? View it in your browser.

Office of Audit, Compliance & Privacy

Case in Point:
Lessons for the proactive manager

September 2016
Vol. 8 No. 9
Quotable...
“People always make the best exploits. I've never found it hard to hack most people. If you listen to them, watch them, their vulnerabilities are like a neon sign screwed into their heads.”

-- Elliot Anderson (Rami Malek) in Mr. Robot

It's hard to believe that we are about to enter the final quarter of 2016. October 1st will once again mark the start of National Cyber Security Awareness Month. Throughout October you will likely see multiple messages from technology and security professionals on ways you can protect yourself and the University in one of our biggest risk areas--IT security.

To get a headstart on National Cyber Security Awareness Month, I asked Auburn University's Information Systems Audit Manager, Mary Krauss, (CISA, CRISC, GCIH) for her top suggestions for safe computing. Here are Mary's top five:

  1. Passwords: Choose a hard to guess password and change it often. You should change your password regularly. Consider using a passphrase as this is harder to guess. Do not use the same password or passphrase for non-University resources.
  2. When in Doubt, Don't Click: Do not click on suspicious links in email messages. Always hover your cursor over a link to see the web address before you click on it. If you receive an attachment you were not expecting, do not open it--even if the email appears to be from someone you know or work with. Reach out to them in a separate message or phone call to ensure they sent it to you. If you think you may have clicked something malicious by mistake, let your IT support personnel know.
  3. Don't Disable Security Tools: Tools such as firewalls or anti-virus software are in place to protect assets. You should never disable these tools, even if they seem to be a hindrance to your work. Losing your data will be a bigger issue than a task taking a few extra seconds.
  4. Install Updates Timely: Don't delay the installation of updates. As new threats appear daily, updates ensure your computer/mobile device has the latest protection.
  5. Protect Sensitive Data: When dealing with sensitive data, you must take appropriate steps to prevent disclosure. You should encrypt your hard drive and external media. Store sensitive data on central servers and not on your local hard drive whenever possible. Think twice before sending sensitive information in an email as this is not always a secure method. It is easy for someone to forward your message to unintended recipients. Seek out another method or ensure that email attachments are encrypted.

We appreciate Mary sharing this great advice. For more data security suggestions visit the AU Office of Audit, Compliance & Privacy's web resource on Data Security Controls.

Technology brings a great deal of risk to our operations, but as you will read again this month, there are numerous risk areas that require vigilance in the higher education world. As always, we'd be happy to hear from you with comments or suggestions.

M. Kevin Robinson, CIA, CFE
Associate Vice President
Office of Audit, Compliance & Privacy



Information Security & Technology Events

Sep 26, 2016: People will do crazy things to get to the top of the "real money slots" search rankings. Last week, researchers at eTraffic uncovered a scheme that sent a certain site rocketing up the organic search rankings. When eTraffic investigated, 76 different university and foundation web pages -- including Stanford, New York University and Carnegie Mellon University -- had suddenly begun linking to the site, each randomly inserting linked keywords into otherwise unrelated text. Because Google's search ranking is still largely based on keyword links from trusted sites, that was enough to propel the site to the top of the search ranking. (link)

Sep 20, 2016: Police have arrested a Kennesaw State University student accused of hacking into the school's system to change grades and steal personal data. Cobb County Police say Chase Arthur Hughes illegally accessed the university's Owl Express program to alter his grades and the grades of four other students. Police say he also stole the personal data of his fellow students and, at least, three professors at the university. Using the professor's professional accounts, police say he examined sensitive information, including employment history, credit, financial and medical information. (link)

Sep 07, 2016: On Tuesday, University of Alaska officials announced an attacker using employee credentials may have accessed student information. The breach occurred several months ago after the hacker established a "trust relationship" with a campus employee and then convinced the employee to log into a fraudulent web address using university credentials. Officials said that while student information was stored on a vulnerable network drive, there is no evidence that the information was accessed or stolen. (link)

Sep 06, 2016: The Medical College of Wisconsin has mailed letters to about 3,200 patients notifying them about a recently discovered security incident involving an employee's email account. On Aug. 3, the forensic investigation determined that an unauthorized third-party had accessed the email account over three days from July 2-4. The incident did not impact the security of any other MCW email accounts, networks or servers, according to the release. The email account in question contained full names, dates of birth, home addresses, medical record numbers, and codes or notes related to diagnosis or treatment provided. Also, the Social Security numbers of two patients were included in the email account. No health insurance, credit card, banking or other financial information was contained in the email account. (link)


Fraud & Ethics Related Events

Sep 30, 2016: On Tuesday, September 28, 2016, a Richmond County Grand Jury charged Roman Cibirka with two felony counts of theft by taking. The Board of Regents received an anonymous hotline complaint in May 2013, containing allegations of malfeasance and a conflict of interest concerning Cibirka. Georgia Regents University Office of Internal Audit investigated the allegations and Cibirka's relationship with a vendor, Barbara Raybourne. Raybourne was the president of Coastal Carolinas Marketing, a North Carolina based marketing firm which Cibirka had engaged to do work for the university. (link)

Sep 22, 2016: Federal charges are expected to be announced today against the SUNY Polytechnic Institute president, Alain Kaloyeros, and former aides to Gov. Andrew Cuomo in connection with an alleged bribery scheme involving Cuomo's signature economic development plan, known as the Buffalo Billion. The charges stem from "two overlapping criminal schemes involving bribery, corruption, and fraud in the award of hundreds of millions of dollars in State contracts and other State benefits," according to the complaint. (link)

Sep 16, 2016: A former Virginia Tech employee is being investigated for embezzling money from the university's Foundation and the Virginia Flower Growers Association over a number of years, according to a search warrant. The investigation involves at least $127,000, Montgomery County Commonwealth's Attorney Mary Pettitt wrote in an email this week. Pettitt said she expects charges to be filed. Maura Martin Wood, 46, of Christiansburg, is named in the search warrant, which includes information that investigators are tracking a period from Sept. 26, 2008, through earlier this year. (link)

Sep 16, 2016: Syracuse University removed the dean of the Martin J. Whitman School of Management after he was arrested for patronizing a prostitute in the town of Salina. Kenneth Kavajecz, 51, of West Jefferson Street, Syracuse, was removed as dean Wednesday and placed on administrative leave from his faculty position "until further notice," Vice Chancellor and Provost Michele Wheatly announced. (link)

Sep 16, 2016: In September 2010, UNC-Chapel Hill was embroiled in its worst athletic scandal in 50 years when one of its lawyers placed a call to Swahili instructor Alphonse Mutima. He said he didn't teach the class. As it would turn out, the class was fake, one of 186 bogus classes created by a clerical employee and avid Tar Heel basketball fan named Deborah Crowder. This story has unfolded slowly for six years. Now, as the NCAA's latest enforcement case nears its end, The N&O has reviewed the newly released correspondence, looking for clues about why it took so long for one of the country's top public universities to discover the full scope of its corrosive shadow curriculum. (link)

Sep 12, 2016: Gov. Nikki Haley's appointee to the Medical University of South Carolina Board of Trustees has agreed to repay more than $20,000 he was reimbursed for pricey meals, expensive bottles of wine and luxury hotel rooms. In a recent investigation, The Post and Courier found the MUSC Board of Trustees spent about $560,000 since 2011, largely on hotel rooms and food. The State Commission on Higher Education also called on the state's inspector general to audit the spending practices of the governing boards of the University of South Carolina and Clemson University. Those boards combined spent more than $1 million during the same time frame. (link)

Sep 08, 2016: The University of Colorado Board of Regents took the rare step on Thursday of revoking the Ph.D. of a pharmaceutical researcher whom colleagues had once described as a "golden boy." A CU investigation found 22 instances of falsification in Rajendra Kadam's doctoral thesis, according to a board document approving the revocation. A report on the investigation, obtained by the website Retraction Watch, recommended that 10 of Kadam's published papers also be retracted. Some of those papers, which were published between 2010 and 2013, had been used to win grants from the federal government. (link)

Sep 01, 2016: Last month, a U.S. district court unsealed a whistleblower lawsuit filed by a former colleague of biologist Erin Potts-Kant. It accuses the researcher, her former supervisor, and the university of including fraudulent data in applications and reports involving more than 60 grants worth some $200 million. If successful, the suit -- brought under the federal False Claims Act (FCA) --could force Duke to return to the government up to three times the amount of any ill-gotten funds, and produce a multimillion-dollar payout to the whistleblower. The Duke case "should scare all [academic] institutions around the country," says attorney Joel Androphy of Berg & Androphy in Houston, Texas, who specializes in false claims litigation. (link)

Sep 01, 2016: The leader of the University of Virginia's governing board told lawmakers Friday that he does not foresee major tuition increases in the near future and indicated that the school is open to discussions about making room for more students from within the state. The remarks from William Goodwin Jr., U-Va.'s rector, came at a legislative hearing called to scrutinize a controversial $2.2 billion investment fund that the university created this year from operating reserves amassed during the past decade. Some Virginia lawmakers had demanded to know the source of the money, why they had been unaware of such a huge sum, and why the university had been raising tuition in recent years. (link)


Compliance/Regulatory & Legal Events

Sep 28, 2016: The University of Pennsylvania has become the latest local school to be hit with allegations that its process for handling campus sexual assault complaints is discriminatory against male students. In a lawsuit filed last week, a university senior -- identified in court filings only as John Doe - asked a federal judge to halt ongoing disciplinary proceedings against him based on what he described as a ''sham investigation'' into claims he raped a female student this year. (link)

Sep 28, 2016: Former San Diego State women's basketball coach Beth Burns won her wrongful-termination trial against the university Wednesday, receiving a $3.35-million judgment from a San Diego Superior Court jury for whistle-blower retaliation after complaining about potential Title IX violations. SDSU ultimately identified two central reasons for her termination -- a video from a February 2013 home game in which Burns elbowed assistant coach Adam Barrett, seated to her immediate right, after a defensive lapse; and an internal investigation that chronicled an alleged "history" of mistreating subordinates. (link)

Sep 27, 2016: UW-Madison is cutting the work week of its student employees to no more than 29 hours to conform to requirements of the Affordable Care Act, a move some student workers say will make it harder for them to stay in school. The ACA requires large employers to provide affordable basic health insurance to employers who work an average of 30 hours a week or more. UW-Madison officials say that the UW System is considered a single employer under ACA. So, under the new rule, student workers would be limited to 29 hours a week total for all jobs with UW, on any campus. (link)

Sep 21, 2016: Wheaton College in Norton failed to respond to a report of student-on-student rape, did little to prevent an alleged rapist from continuing to contact the victim, and neglected to prevent retaliation against a different victim, according to a recent report by the Department of Justice. The Wheaton report is an example of how schools around the country struggle to adequately address sexual assault under a rigorous set of federal guidelines and a reminder of how rapes continue to occur despite increasing awareness. (link)

Sep 20, 2016: A Michigan State University doctor facing a growing chorus of sexual assault allegations has been fired by the university, officials confirmed today. Dr. Larry Nassar, an associate professor in MSU's College of Osteopathic Medicine who served as USA Gymnastics' team physician during four Olympic Games, had been relieved of clinical and patient duties on Aug. 30. Late last week, the university initiated the process to end Nassar's fixed-term appointment. He was formally fired Tuesday, said university spokesman Jason Cody. (link)

Sep 19, 2016: On at least two occasions, undergraduate and graduate students at the University of New Mexico dissected the brains of aborted children during a six-week summer educational research program. The report, released this summer by a select investigative panel of the U.S. House Committee on Energy and Commerce, alleges the "symbiotic relationship" between the university and the abortion center possibly violates New Mexico state law prohibiting the donations of aborted fetal tissue for scientific research and federal statutes that make it illegal to profit from human fetal tissue. (link)

Sep 17, 2016: A former St. Louis University theology professor has won a $367,000 judgment in her gender discrimination lawsuit against the Jesuit university. Cornelia Horn, who worked for SLU from 2004 to 2012, was an assistant professor in the school's theology department who accused the administration of denying her a promotion and tenure because of her gender. She alleged that female faculty members were discouraged, and received less help preparing for those advancements. (link)

Sep 16, 2016: Former UC Berkeley School of Law dean Sujit Choudhry sued the UC Board of Regents -- among other university-related parties -- on Thursday, alleging that he was the victim of racial discrimination and that the university was attempting to deprive him of his reputation and career. The lawsuit comes after campus outcry over Choudhry's return to campus this fall as a Berkeley Law faculty member, despite having resigned as dean in March after allegations of sexual harassment came to light. A campus Title IX office found that his behavior toward his former executive assistant, Tyann Sorrell, violated UC sexual misconduct policies. (link)

Sep 14, 2016: A mother has filed a lawsuit against William Paterson University, claiming her daughter committed suicide after officials at the school failed to fully investigate the student's claims of rape. Cherelle Jovanna Locklear, 21, was found by her roommates hanging by a necktie in a dorm bathroom on Nov. 22, 2015, according to a lawsuit filed Sept. 8 in U.S. District Court by her mother, Marquesa C. Jackson-Locklear. The lawsuit alleges William Paterson University employees violated Title IX of the Education Amendments of 1972, which state in part no person should be discriminated against on the basis of sex. (link)

Sep 14, 2016: Wesleyan University has settled a lawsuit filed by a professor who alleged school administrators mishandled an investigation into sexual harassment complaints she made against another professor. Documents filed in federal court in New Haven show a judge dismissed Associate Professor Lauren Caldwell's lawsuit Sept. 1, after lawyers reported the settlement. Terms were not disclosed. (link)

Sep 09, 2016: UCLA settled a lawsuit Thursday that was filed by two graduate students who claimed they were sexually harassed by professor Gabriel Piterberg. According to a UCLA statement, the UC Board of Regents agreed to pay one student $350,000 and the other student $110,000. They will also provide one of the students with a dissertation year fellowship in her final year of graduate school. Nefertiti Takla and Kristen Glasgow, both graduate students in history, sued UCLA in June 2015, alleging that UCLA violated Title IX when dealing with their claims of sexual harassment. (link)

Sep 09, 2016: The U.S. Department of Education announced today that its Office for Civil Rights (OCR) has entered into an agreement with Frostburg State University of the University System of Maryland to ensure compliance with Title IX of the Education Amendments of 1972 as it applies to sexual violence and sexual harassment. The action follows an OCR investigation which found Frostburg to be in violation of Title IX. (link)

Sep 08, 2016: J Robinson was fired from the University of Minnesota on Wednesday by athletic director Mark Coyle. Coyle, who took over in June, had on his first day on the job banished the 70-year-old coach from campus and begun an investigation of Robinson's handling of an alleged drug ring involving more than a dozen wrestlers. Ultimately, it was Robinson's unwillingness to reveal details of the use and sale of the prescription sedative Xanax by Gophers wrestlers, and his alleged self-policing of the issue, that led to his fall. (link)

Sep 07, 2016: In a lawsuit filed last week in federal court, 41 Nigerian nationals -- many of whom are now Alabama State University alumni -- allege the school overcharged them for books and meals, enrolled them in classes they never took, and more, all because they were black foreigners. "They called us cash cows," said Jimmy Iwezu, an ASU alum who claims the university intentionally mismanaged millions from a scholarship fund set up by the Nigerian government that was paid in advance for every exchange student. (link)

Sep 07, 2016: A San Jose State professor found to have sexually harassed a student last year remained the head of his department for nearly five months after the campus investigation concluded, stepping down just days before the end of the academic year, an investigation by this news organization has found. Late last week, after receiving questions from this news organization, the campus placed Professor Lewis Aptekar on paid leave, according to a source familiar with the case. (link)

Sep 01, 2016: Missouri's public universities are on the hook from the state auditor about college affordability. In a report released Tuesday morning, Auditor Nicole Galloway highlights the growing trend of schools keeping tuition flat for in-state residents, but increasing fees that students must pay for specific classes or within an academic college. An almost 10-year-old state law prevents universities from increasing tuition costs for in-state students more than the value of the Consumer Price Index, a percentage that indicates how Missouri's economy is performing. (link)


Campus Life & Safety Events

Sep 28, 2016: A fraternity at the University of Missouri has been suspended while officials investigate reports of racial and sexist slurs. University officials and the Delta Upsilon national organization suspended the chapter of the fraternity Wednesday after members were accused of shouting slurs at black students late Tuesday. Two black female students said other students yelled racial slurs at them as they walked past the fraternity house. The alleged slurs include the N-word and misogynistic expletives. (link)

Sep 21, 2016: Students and staff at the University of Houston have been dealing with discolored water on campus since late Tuesday. Administrators say the water definitely won't be deemed safe to drink through Wednesday. They say test results taken by UH won't be back until Wednesday evening at the earliest, and those results will then have to be reviewed by city. Results from city's testing won't be back until Thursday, officials say. (link)

Sep 19, 2016: A maintenance worker was sentenced to eight years in prison on Monday for targeting female college students through social media and then burglarizing their homes, stealing personal belongings including underwear. From May 2014 through December 2015, authorities said, Arturo Galvan, 44, targeted at least 33 women, mostly sorority members from Chapman University and Cal State Fullerton, tracking their movements through social media and then burglarizing their apartments and houses. (link)

Sep 17, 2016: Rice University's marching band used its halftime performance in a Friday night football game against Baylor University to mock Baylor's recent sexual assault scandal. Video uploaded to social media after the event shows Rice's Marching Owl Band forming the Roman numeral IX, a reference to the Title IX ban on sexual discrimination, followed by a star and a rendition of the song "Hit the Road Jack," in reference to the departure of university president and chancellor Ken Starr in the wake of the scandal. (link)

Sep 16, 2016: A student at Tarleton State University accidentally fired a gun at a campus residence hall Wednesday, officials said. The student, who is trained and licensed to carry, reported accidentally discharging a firearm about 6:30 p.m. in Integrity Hall, a co-ed dorm that primarily houses second-year students, university spokesman Harry Battson said. There were no injuries, and property damage was "minimal," he said. No law was broken, he said. (link)

Sep 15, 2016: About one-fifth of the faucets in three University of Oregon residence halls run with lead-tainted water -- and a fourth hall is very likely to have some of the same. Crews either found or are concerned about elevated levels in Walton, Hamilton, Barnhart and Bean halls. The UO didn't release specific numbers but said they are above the 15 parts per billion set by the federal Environmental Protection Agency as allowable in water for human consumption. (link)

Sep 14, 2016: A fraternity at Washington State University was suspended Wednesday after allegations of date rape. Officials said police officers were called to contact an 18-year-old female student, who said she was given alcohol and sexually assaulted at WSU's Delta Upsilon fraternity. As police investigated, they found other women who told officers they suspected their drinks had been drugged at that same party. The rape victim told police she tried to leave after a night of drinking, but an unknown man blocked the doorway and refused to let her out. (link)

Sep 13, 2016: A UNC-Chapel Hill student said she was sexually assaulted in February by a UNC football player who has not been prosecuted or held accountable by the university, the UNC police or the court system. The student, Delaney Robinson, a 19-year-old sophomore from Apex, held a news conference in Raleigh with her attorney and father Tuesday to discuss her case. Earlier in the day, she swore out warrants in the Orange County magistrate's office, charging the football player with misdemeanor assault and misdemeanor sexual battery. Her lawyer, Denise Branch, explained that the misdemeanor charges were the only option open to Robinson now to get justice -- despite campus police and university investigations that led to no action against the player. (link)

Sep 12, 2016: A month ago, public colleges and universities in Texas were preparing for the realities of a controversial new law which allowed citizens to carry concealed weapons into campus facilities. But despite much public outcry over the new law's implementation, costs and concerns about gun violence are so far dramatically lower than expected. A report from the Dallas Morning News shows college officials projected for security adaptations to the new law to exceed $15 million in additional personnel, metal detection technology, firearm storage and other safety plans. But through the first month of the new law, campuses have spent just under $1 million, mostly on signs to designate areas prohibiting firearm possession. (link)

Sep 12, 2016: University of Richmond's chapter of Kappa Alpha Order has been suspended by its national headquarters and the university suspended all chapter activities pending a thorough investigation, according to statements from Kappa Alpha Order's National Administrative Office and the University of Richmond. The suspension comes after a member of Richmond's Kappa Alpha Order chapter emailed more than 95 students, including freshmen, at 12:55 p.m. Friday, the first night of lodges. (link)

Sep 12, 2016: Thirty-one people were injured after a deck collapsed at an off-campus party near Trinity College in Hartford, Connecticut, on Saturday night. A third-floor balcony collapsed onto the second floor balcony, which then collapsed on the first floor, according to Deputy Police Chief Brian Foley. There were no major injuries, officials said.Trinity College confirmed in a statement that the building is owned by the school and managed by an outside property manager and that they were investigating the incident. (link)

Sep 08, 2016: As workers continue another year of unexpected repairs to the roof of North Quad Residence Hall's residential and academic wing, the University of Michigan is preparing to pursue an investigation into the roofing system's failure just six years after its construction. The University of Michigan's Board of Regents has approved two separate repair projects for the North Quad roof -- one in April 2015 and another this past April -- totaling $11 million over the last two summers, citing the failure of 55,000 square feet of roofing. The most recently approved action request stated that construction will be completed this fall. (link)

Sep 08, 2016: Three days before the College of Charleston announced a crackdown on excessive drinking and risky behavior among fraternity and sorority members, a 17-year-old college student told police she was raped at an off-campus party. A week later, a 21-year-old College of Charleston fraternity brother was charged with sexually exploiting the young woman whom he allegedly photographed while with another male. His campus fraternity, Alpha Epsilon Pi, has been closed. (link)

Sep 07, 2016: Officials at the University of Northern Colorado would very much like to leave its Bias Response Team -- and all of the trouble it caused -- behind them. The team, which officials now call "a process" for dealing with student conflict, recently came under fire for actions free speech advocates say violated the First Amendment and professors' academic freedom. In her State of the University address Wednesday, UNC President Kay Norton suggested the team -- in its trouble-causing iteration -- will no longer exist. (link)

Sep 07, 2016: A 32-year-old Glendale man pleaded guilty Tuesday in federal court to making threats to faculty and staff at Buffalo State College where he was suspended from being a graduate student, prosecutors say. Benjamin Bolton began his time at Buffalo State College as a graduate student for the fall 2013 semester. In April 2014, authorities say, Bolton was suspended as a result of incidents at the school, including disputes with faculty members. (link)

Sep 06, 2016: A 22-year-old North Easton man allegedly stealing women's underwear from a dorm at Amherst College early Monday morning is facing a series of charges stemming from that break-in. Amherst College police have charged Ryan J. Chase, 22, of North Easton, with three counts of breaking and entering in the nighttime, two charges of larceny from a building and one charge of trespassing. He is not affiliated with the college, according to police, but a Chase is listed as a student at the University of Massachusetts. (link)

Sep 01, 2016: San Francisco State University failed to properly handle a protest against the mayor of Jerusalem during his speech on campus this spring, an independent investigation into the incident has found. Though there was no evident danger, the protest caused a handful of students on both ideological sides of the Israeli-Palestinian conflict to fear for their safety in the aftermath of the demonstration, according to the report. "The inadequate response prior to, during and following the event falls squarely on the shoulders of San Francisco State University administrators," SFSU President Leslie Wong. (link)

Aug 31, 2016: One Auburn University engineering professor has brought the national debate over trigger warnings into the classroom by posting a sarcastic warning near the top of the syllabus for one of his Fall 2016 courses. Prof. Peter Schwartz's tongue-in-cheek take on trigger warnings -- which have become ubiquitous on many campuses across the country -- warns students that the course will subject them to such horrors as physics, work and quizzes. It's an attempt at humor from a man who on Monday told AL.com that he finds trigger warnings "silly" and he would never issue a serious trigger warning. (link)

Aug 31, 2016: The College of Charleston on Tuesday temporarily suspended all alcohol-related activities for its fraternities and sororities, citing disruptive parties and excessive drinking among students. The announcement came a day after the school was ranked 15th on the Princeton Review's list of the nation's top party schools. Other universities have similarly restricted or banned alcohol, often after incidents of sexual assault or excessive partying on their campuses. (link)


Other News & Events


If you have any suggestions, questions or feedback, please e-mail me at robinmk@auburn.edu. We hope you find this information useful and would appreciate hearing your thoughts. Feel free to forward this email to your direct reports, colleagues, employees or others who might find it of value. Back issues of this newsletter are available on our web site at http://www.auburn.edu/administration/oacp.

If you have any suggestions for items to include in future newsletters, please e-mail Robert Gottesman at gotterw@auburn.edu.

Back to top


Office of Audit, Compliance & Privacy
Auburn University
304 Samford Hall
M. Kevin Robinson, Assoc. VP
robinmk@auburn.edu
334.844.4389

© Redistribution of this newsletter, with or without modification, is permitted provided Auburn University Office of Audit, Compliance & Privacy is listed as the source.