Internal Auditing

Case in Point:
Lessons for the pro-active manager

October 2009
Vol. 1 No. 10

"People often represent the weakest link in the security chain and are chronically responsible for the failure of security systems."

Bruce Schneier 1

By now you've probably noticed signs across campus or notices in Auburn Daily that October is National Cyber Security Awareness Month. This month, Auburn University's Office of Information Technology (OIT) is emphasizing the 2009 National Cyber Security Month theme of "Our Shared Responsibility." This theme emphasizes the need for everyone to practice good "cyber hygiene" both at work and at home. As you see in this newsletter each month, campuses across the country routinely have serious issues in this area. As an industry, higher education is, unfortunately, one of the leaders in issues such as data breaches and lost information. As a manager you can help ensure your area does not become a headline by using the resources available through OIT both here on campus and at home. You can also help ensure your faculty and staff are aware of these resources and are also using these best practices in their computer use on campus and at home.

So in recognition of National Cyber Security Awareness Month, we present our top three recommendations for staying safe in the computing realm.

1. Use Anti-Virus Software and Keep it Updated - AU provides an excellent product called Sophos for you to use free of charge. Just go to AUInstall if you are not already using this product. This one simple step is easy, doesn't cost you anything, and can save you a lot of problems.

2. Keep Your Operating System Updated - There is a continual battle between software engineers and those trying to disrupt security and breach systems. When new vulnerabilities are discovered, software companies release patches to fix them. It's critical that you keep automatic updates on and install updates to ensure you have the latest protection from attack.

3. Back Up Files Regularly - Once again AU provides an easy way for you to do this through Tivoli Storage Manager; however, you can also back up to local media such as CDs, DVDs or other tools. We do caution you that if you use those local sources you must protect them by keeping them locked away, or else you risk loss of potentially private or sensitive files on the backup source.

Once again we ask you to look over the events occurring across our industry and to consider how you can pro-actively prevent similar events at Auburn University. Don't forget that every manager is a risk manager so you might as well be a good one.

M. Kevin Robinson, CIA, CFE, CCEP
Executive Director, Internal Auditing

Information Security Related Events

Oct. 4, 2009: Suffolk Community College has agreed to pay a company for the next year to monitor the credit of 300 students whose last names and Social Security numbers were mistakenly listed in an attachment to an e-mail sent to those students last month. (link)

Sept 30, 2009: In a sports memorabilia world that sees game-used balls, bats and uniforms (or, in the case of old Busch Stadium, a game-used urinal) bring good prices, the Mizzou athletic department recently found itself in the midst, much to its dismay, of a new collectible: the coach-used phone. (link)

Sept 29, 2009: A hacker has infiltrated a computer server housing the personal data of 236,000 women enrolled in a UNC-Chapel Hill research study. Among the information exposed: the Social Security numbers of 163,000 study participants. (link)

Sept. 25, 2009: A former University of Maine business student was sentenced Wednesday in Penobscot County Superior Court to 18 months with all but 30 days suspended for aggravated criminal invasion of computer privacy while a student at the University of Maine. (link)

Misappropriation/Fraud/Ethics Events

Oct. 13, 2009: LSU Police have arrested four people from Atlanta and booked them with the selling of counterfeit tickets to the Tigers' football game against the University of Florida. (link)

Oct. 8, 2009: Rebecca Moorman says the first clue that something was amiss with her field trip to Chile came when her professor at The Evergreen State College insisted her payment of more than $3,000 be deposited into his bank account. (link)

Oct. 2, 2009: Past problems with misreported campus sex crimes statistics, through both understatement and exaggeration, re-emerged Thursday at the University of California, Davis. Officials alleged that the former head of campus anti-violence efforts, Jennifer Beeman, had grossly inflated the number of forcible sexual offenses in three years of mandatory reports to the federal government. (link)

Sept. 30, 2009: The University of Medicine and Dentistry of New Jersey will pay the federal government more than $8 million to settle allegations that it illegally paid kickbacks to cardiologists and caused submission of false claims to Medicare. (link)

Sept. 24, 2009: Chester Ludlow, a pug dog from Vermont, has been awarded an online MBA (Masters in Business Administration) by Rochville University--an online college that offers distance learning degrees based on life and career experience.

Compliance/Regulatory Failure Events

Oct 18, 2009: University of North Carolina schools skip their normal hiring procedures with "disturbing" frequency, the group that represents state employees says. (link)

Oct 18, 2009: Two former high-level employees at troubled Chicago State University claim they were fired as retaliation for asking state officials to investigate the trustees' "intricate involvement into the university's personnel matters and files" and are suing the school. (link)

Oct 15, 2009: Kansas State University has made strides to correct problems identified in an audit earlier this year, its new president told higher education officials Thursday. An audit released in June revealed undisclosed payments, conflicts of interest and accounting irregularities and potential tax problems at KSU and its Athletics Department. (link)

Oct 7, 2009: Most trustees who want to meddle inappropriately in their university's intercollegiate athletics programs do so subtly, behind the scenes, because they know it's generally frowned upon. Not Jim Smith, chairman of the Board of Trustees at Florida State University, who straightforwardly told a reporter for The Tallahassee Democrat last weekend that it was time for the university to get rid of its longtime football coach, Bobby Bowden, because the team was not winning enough. (link)

Oct. 4, 2009: Iowa Student Loan Liquidity Corp. has been ordered to repay money to the federal government because the nonprofit used illegal cash inducements to drum up more loan business. A review by the U.S. Department of Education found that Iowa Student Loan paid the illegal fees to the Iowa State University Alumni Association to induce it to steer business to Iowa Student Loan. (link)

Other Events

Oct 17, 2009: Harvard University, one of the world's richest educational institutions, stumbled into its financial crisis in part by breaking one of the most basic rules of corporate or family finance: Don't gamble with the money you need to pay the daily bills. (link)

Oct 17, 2009: An all-male college in Atlanta, Georgia, has banned the wearing of women's clothes, makeup, high heels and purses as part of a new crackdown on what the institution calls inappropriate attire. (link)

Oct 13, 2009: A libel lawsuit filed by Butler University highlights the dangers of certain types of online postings. The university is suing an anonymous blogger for comments posted last year on a blog that the school contends includes defamatory statements about two high-level administrators. (link)

Oct 11, 2009: A UCLA professor who taught the student accused of slashing a female classmate's throat last week said Saturday that he told a university administrator 10 months ago that he had concerns about the student's mental health, but strict federal privacy laws prevent UCLA officials from disclosing how they handled the issue. (link)

Oct 7, 2009: Entomologist Phil Koehler saw a bad case of the bedbugs last month. The parasites had gone unnoticed by a resident in an on-campus apartment at the University of Florida, in Gainesville, for what could have been months. By the time Koehler arrived to inspect the infestation, there were hundreds: under the futon and in the walls. (link)

Oct. 7, 2009: Maryland's public university system is poised to become the first in the country with a policy on student displays of pornographic films, a direct response to legislative demands made after a screening earlier this year of a XXX-rated film at the University of Maryland, College Park. (link)

Oct. 4, 2009: Leaders of the legislature's higher education committee say they want to meet with University of Connecticut officials to discuss the university's practice of paying its private foundation millions of dollars a year for fundraising services. (link)

1 Schneier, Bruce. Secrets and Lies: Digital Security in a Networked World. New York: John Wiley & Sons, 2000. Print.

Schneier will be speaking at the Littleton-Franklin Lectures on Auburn's main campus on February 2, 2010. For more information see the Littleton-Franklin Lectures webpage.

If you have any suggestions, questions or feedback, please e-mail me at We hope you find this information useful and would appreciate hearing your thoughts. Feel free to forward this email to your direct reports, colleagues, employees or others who might find it of value. Back issues of this newsletter are available on our web site at

If you have any suggestions for items to include in future newsletters, please e-mail Robert Gottesman at

Department of Internal Auditing
Auburn University
304 Samford Hall
M. Kevin Robinson, Exec. Director
© Redistribution of this newsletter, with or without modification, is permitted provided Auburn University Internal Auditing is listed as the source.