Having trouble viewing this email? View it in your browser.

Internal Auditing

Case in Point:
Lessons for the pro-active manager

May 2011
Vol. 3 No. 5
“By three methods we may learn wisdom: First, by reflection, which is noblest; Second, by imitation, which is easiest; and third by experience, which is the bitterest..”

-- Confucius

Notebook computer stolen from employee vehicle .... Weak password leads to unauthorized access .... Social Security Numbers inadvertently exposed on publicly accessible web site .... Unencrypted flash drive lost .... Over the past several years, Case in Point has highlighted a multitude of incidents in which such breaches have resulted in the exposure of employee, research or student data.

Earlier this month, the White House announced a comprehensive cyber-security legislative proposal in the U.S. Congress. If enacted, the provisions will affect not only governmental agencies, but also federal contractors and private corporations who already must comply with a plethora of cyber-security federal and state laws and regulations.

Mandates such as these come about due to government agencies, private entities, and universities failing to take seriously their responsibility to protect the data of their stakeholders. As we become more reliant on technology to carry out our three-tiered mission of instruction, research, and outreach, we have also introduced a great number of additional risks into our enterprise. These risks take on many forms. Some potential consequences include loss of confidentiality, data integrity, and data availability.

As we have sought to impart to our readers, a pro-active manager should be a risk manager. A pro-active manager is constantly evaluating individual and business processes, looking for potential threats that may impair the organization’s ability to carry out its mission. IT security habits should not be ignored when looking for these threats.

Over the past decade, the gap between the adoption and dependency of new technology in higher education and the addition of new IT controls has dramatically increased. This gap has not only led to higher education being more frequently targeted by cyber-criminals but also to expensive campus-wide outages and productivity losses. In the corporate world, with its focus on the bottom-line, there has been a greater recognition that information security is NOT an IT issue but rather a business issue and a corporate governance challenge. Management, at the highest levels, not the IT department should set the direction for how enterprise security is perceived, prioritized, managed, and implemented. IT security should be considered in just about every strategic plan and business process.

Adoption of cyber-security standards across the enterprise mitigates many of the risks present in any highly networked environment. Several such best practice standards for IT security exist, including COBIT, NIST SP-800, and ISO/IEC 27002. Perhaps our lack of action to adopt these practices is because we see security measures as an inconvenience. Perhaps it is because enough negative events have not yet impacted us. Nonetheless, it is this slowness to adopt that leads to federal and state governments to enact legislation to protect citizens.

While every employee has an individual responsibility to use technology resources in a responsible manner, it is management who must define what constitutes responsible use and provide adequate training on these standards.

If things were limited to just this one area, we'd have a challenge. Unfortunately our risks are even beyond this one important area. Once again as you review the events across our area, think about where your unit's most critical risks are, and think pro-actively about how you are managing them. As always, we'd appreciate your feedback or suggestions.

Robert W. Gottesman, CISA, EnCE
Information Systems Auditor

M. Kevin Robinson, CIA, CFE, CCEP
Executive Director, Internal Auditing

Information Security & Technology Events

May 27, 2011: He raves about the medical care he's received at Loyola University Medical Center, but a heart transplant patient says he can't believe the hospital allowed his personal information to be compromised. (link)

May 23, 2011: Montclair State University is suing Oracle over an allegedly botched ERP (enterprise resource planning) software project, saying a series of missteps and delays could ultimately cost the school some US$20 million more than originally planned, according to a complaint filed last week in U.S. District Court for the District of New Jersey. (link)

May 18, 2011: So far this month, three legislative proposals containing a national data breach notification requirement have been issued. On May 4, Rep. Bobby L. Rush (D-Ill.) reintroduced the Data Accountability and Trust Act. On May 11, Rep. Cliff Stearns (R-Fla.) introduced the Data Accountability and Trust Act (DATA) of 2011. One day later, the White House released a Cybersecurity Legislative Proposal. (link)

May 12, 2011: A new bill backed by movie studios and other large copyright holders takes a novel approach to curbing access to piratical Web sites: an Internet death penalty. That's a good way to describe the approach adopted by the legislation introduced today, which specifies a step-by-step method for making Web sites suspected of infringing copyrights or trademarks vanish from the Internet. It's called the Protect IP Act. (link)

May 6, 2011: Central Oregon Community College officials have identified some information on the COCC web site that may have been exposed as part of a recent unauthorized intrusion. (link)

May 6, 2011: While some college students consider fake IDs a rite of passage, the Maryland U.S. attorney underscored their illegality Thursday, announcing federal charges against a scholarship winner accused of making and selling phony driver's licenses from his College Parkdorm for a few months in 2009. (link)

Fraud & Ethics Related Events

May 27, 2011: Two community college presidents have come under fire in recent weeks for their expense account spending, which some critics argue is too generous given the cutbacks their institutions are being forced to make in this rough economy.(link)

May 21, 2011: A continuing investigation into alleged embezzlements by a former Vassar College construction manager has uncovered crimes more widespread than originally believed, a Dutchess County prosecutor said.(link)

May 13, 2011: Some Upstate Medical University medical students may not get their medical degrees at the school’s commencement May 22 because they cheated on tests. (link)

May 2, 2011: Federal authorities allege former Del. Phillip A. Hamilton sought a job at Norfolk’s Old Dominion University in exchange for obtaining state funding for the school.(link)

May 2, 2011: The president of Tri-Valley University, which has been called a "sham" by federal prosecutors, was arrested Monday after being indicted on 33 counts in what authorities call a student visa fraud scheme.(link)

Compliance/Regulatory & Legal Events

May 30, 2011: A closely watched trial in federal court in Atlanta, Cambridge University Press et al. v. Patton et al., is pitting faculty, libraries, and publishers against one another in a case that could clarify the nature of copyright and define the meaning of fair use in the digital age. Under copyright law, the doctrine of fair use allows some reproduction of copyrighted material, with a classroom exemption permitting an unspecified amount to be reproduced for educational purposes. (link)

May 26, 2011: Prosecutors say they’ll seek the death penalty for accused University of Alabama in Huntsville shooter Amy Bishop. (link)

May 25, 2011: A Lubbock County jury on Wednesday decided Texas Tech should pay a former professor more than $500,000 for discriminating against him because he is deaf. (link)

May 24, 2011: The University of Michigan will pay $550,000 to settle a civil lawsuit brought by Andrei Borisov, a dismissed U-M professor who sued the university, alleging fraud, defamation and false imprisonment. (link)

May 11, 2011: A top House Republican is planning to propose that Internet service providers, including Universities, be required to store information about their customers to aid police in criminal investigations (link)

May 9, 2011: Recently released documents of a 2-year-old federal investigation into animal care at Clemson University bring to light a conflict of interest that persisted for two years between the research-compliance and animal-care operations at Clemson. The same person headed up both divisions. It also cited inadequate animal-research oversight that had prompted an earlier federal investigation and a management culture that discouraged open discussion. (link)

May 5, 2011: A University of Kentucky football season ticket holder with a hearing impairment has gone to federal court to try to get UK to display captioning on the video boards and video monitors throughout Commonwealth Stadium.(link)

May 5, 2011: A Washtenaw County jury on Wednesday awarded almost $418,000 to a former Ave Maria College administrator who sued the school for firing her in retaliation for cooperating with a federal investigation that found financial aid violations. (link)

May 5, 2011: A federal jury awarded a former history professor at Madison Area Technical College $1.1 million on Wednesday, finding that he lost his job at the college for complaining about religious harassment and discrimination. (link)

May 5, 2011: The University of Virginia plans to revise its sexual misconduct policy to broaden the scope of offenses and to lower the standard of evidence necessary to find a student guilty. (link)

Campus Life & Safety Events

Other News & Events

May 24, 2011: Nine people, including seven Ohio State University students, were arrested yesterday afternoon when they refused to disband a protest at President E. Gordon Gee's office.About 50 students and community members staged the sit-in to protest Ohio State's $10 million deal with the French food-service operator Sodexo. (link)

May 22, 2011: The issue strikes at the nexus of parking angst, civic revenues and righteous indignation. With many cities adopting high-tech meters and demand-based pricing, abuse of disabled placards translates into millions of dollars in lost parking revenues and increased traffic congestion as paying motorists are forced to cruise streets looking for open spaces, officials say. (link)

May 22, 2011: Leon Lin was ecstatic when he found out he’d be leaving home in southern China to study at the University of Connecticut. As the Chinese agent whom his parents paid $5,000 to help him get into the school told him, the university’s flagship campus at Storrs was a highly ranked institution, with 25,000 students and ready access to Boston and New York City. And eventually Lin would return home with the status and career advantage of a U.S. degree. (link)

May 11, 2011: The Maryland Higher Education Commission is guilty of a $4.4 million bureaucratic bungle, as that's what it will cost for the high school seniors to be eligible for aid over their four-year undergraduate term. (link)

May 5, 2011: Three former fraternity pledges at Cornell University pleaded not guilty Thursday to misdemeanor charges linked to the alcohol-related death of a fellow student after a mock kidnapping. (link)

If you have any suggestions, questions or feedback, please e-mail me at robinmk@auburn.edu. We hope you find this information useful and would appreciate hearing your thoughts. Feel free to forward this email to your direct reports, colleagues, employees or others who might find it of value. Back issues of this newsletter are available on our web site at https://www.auburn.edu/administration/oacp.

If you have any suggestions for items to include in future newsletters, please e-mail Robert Gottesman at gotterw@auburn.edu.

Back to top

Department of Internal Auditing
Auburn University
304 Samford Hall
M. Kevin Robinson, Exec. Director

© Redistribution of this newsletter, with or without modification, is permitted provided Auburn University Internal Auditing is listed as the source.