
Internal Auditing

Case in Point:
Lessons for the pro-active manager

July 2014
Vol. 6 No. 7
Quotable. . .

"The good we secure for ourselves is precarious and uncertain until it is secured for all of us and incorporated into our common life."

-- Jane Addams

We know that data thieves frequently target credit card data. When these thieves are successful, the various card brands (Visa, MasterCard, American Express, etc.) can levy heavy fines on the merchant who suffered the breach. Merchants who have chosen to accept credit and debit cards are contractually obligated to have in place a very prescriptive set of security controls, collectively known as the Payment Card Industry Data Security Standard (PCI-DSS), to prevent the unauthorized use or disclosure of cardholder data. In addition to large fines for non-compliance, a merchant can be held responsible for reimbursement of fraudulent charges and card reissuance costs. The merchant's reputation will certainly suffer in the court of public opinion.

As consumers, we expect the merchants we do business with to protect our credit card data and not allow it to fall into the hands of identity thieves or other nefarious users. Similarly, we expect every organization, website, and governmental agency to protect the data they require us to provide when using their services. As a merchant, as well as a data steward of customer (applicant, student, alumni, employee) data, the University is also expected to abide by best practices, legislative mandates and contractual obligations to protect the data we have been entrusted with. This includes meeting the highly prescriptive obligations of the PCI-DSS, as well as ensuring reasonable security measures are in place to protect the other data we have been entrusted with.

While most of us don't handle payment cards on behalf of the University, virtually all of us have access to sensitive data that must be appropriately protected. Protecting this data is a mixture of common sense and sound business processes. PCI-DSS requires that all employees be provided with annual information technology security awareness training, and all employees should have a common baseline knowledge of computer security threats and of the best practices that thwart unintended exposure of data. On a university campus, sensitive data exists in many locations, including centralized and departmental servers, your desktop computer, backup media, and paper forms. The records contained within this data include, but are not limited to, social security numbers, credit card numbers, driver's license numbers, addresses, passport numbers, student educational records, protected health information, research data, and other such information.

A recent study by the Ponemon Institute estimated the cost of a data breach to be $145 per compromised record. A data breach of only 1,000 records therefore could result in $145,000 in direct and indirect costs. Each of us must be vigilant and do our part to protect sensitive information. There are many practices which can contribute to a more secure environment. Here are a few we suggest you consider.

  1. Managing your passwords
    a. Use strong passwords and do not share passwords with others.
    b. Use different passwords for campus resources and non-University resources, and use a different password on each of the non-University sites you have accounts with. If one site is compromised, a unique password ensures the breach cannot be used to access your accounts on other sites.
    c. Use a secure password manager to save your passwords for each site. There are a number of good smartphone and computer applications that store your various passwords in encrypted form, accessible only with a strong master password.
  2. Learn how to identify spam, scam and phishing emails. Your bank and the University IT department will not ask you to provide your user name and password via email. Likewise, treat as suspect ALL links found within an email. Just because a link takes you to a page that appears to be a University-approved site does not mean that it is. If you have any doubt about a request, contact local IT support to verify its authenticity.
  3. When off-campus, do not trust free or hotel WiFi. Learn how to use the University VPN to protect data transmission while traveling.
  4. Protect your smart phone and tablet like you would your wallet or purse. Don't leave it lying around, even for a moment. These devices are computers, and a password or PIN should be required to access them.
  5. Look for security weaknesses and report them to IT professionals, supervisors or Internal Audit.

Each of us should be vigilant and pro-active, as any breach of sensitive data results not only in costly remediation, but also tarnishes the University's name and reputation. As always, if you have any suggestions or comments, please let us know.

Robert Gottesman, CISA, GCFE, EnCE
Information Systems Auditor

M. Kevin Robinson, CIA, CFE, CCEP
Executive Director, Internal Auditing

Information Security & Technology Events

July 31, 2014: The U.S. Department Of Homeland Security warned retailers about a type of malicious software attacking point-of-sales systems, dubbed "Backoff," that it said is undetectable by most types of anti-virus software. The agency released a 10-page advisory about the payment-card-stealing virus Backoff on Thursday, saying it has been observed in at least three forensic investigations into breaches of payment systems. (link)

July 31, 2014: The University of West Florida announced Thursday morning that passwords and usernames for about 160 people may have been compromised in a data breach of the university's main campus networks, a news release from UWF said. (link)

July 29, 2014: Seattle University is notifying an undisclosed number of donors that incorrect permission settings on an internal drive made it possible for anyone with a Seattle University computer account to view scanned checks, without authorization. (link)

July 23, 2014: Applying for college involves a mountain of data -- GPAs, ACTs, SATs, essays, the list goes on. But NBC 5 Investigates found there are nine numbers students are routinely asked for that they do not have to offer up during the preliminary admissions process, and some experts say they should refuse to include -- their Social Security Number. (link)

July 23, 2014: The Maricopa County Community College District terminated a longtime employee Tuesday for negligence over a massive computer system breach that was discovered last year. (link)

July 14, 2014: Increasingly, corporate risk managers are seeing insurance against cyber crime as necessary budget spending rather than just nice to have. (link)

July 11, 2014: Some former University of Illinois Chicago students were warned last week of a breach that left personal information, including Social Security numbers, publicly accessible. (link)

July 11, 2014: Officials at Orangeburg-Calhoun Technical College are warning students, former students and faculty about a possible security breach of personal information. Administrators notified law enforcement agencies this week a faculty member's laptop computer was stolen from an office. The college has been verifying the information that was on the computer, which included names, birth dates and social security numbers for current and former students and faculty members (link)

July 11, 2014: A laptop containing student and employee information was stolen from an Orangeburg-Calhoun Technical College staff member's office on Monday. The computer contained files with the names, birth dates and Social Security numbers of about 20,000 former and current students and faculty members dating back six or seven years, according to President Dr. Walter A. Tobin. (link)

July 10, 2014: ForeScout, in association with IDG Connect, released survey results describing the nature and extent of security threats and defense maturity arrayed against organizations in the finance, manufacturing, healthcare, retail and education sectors. Among the many findings, those in the education and manufacturing sectors were least sure (73% and 71% either not or somewhat confident) that security measures relating to personal mobile device usage would be improved within the next year. (link)

July 10, 2014: Personal information from more than 1,000 Penn State alumni may have been compromised because of a security breach involving a university computer. (link)

July 10, 2014: A survey of college students based in the U.S. aged 18 to 26 reveals laptops as their device of choice, with 85 percent owning one, outnumbering smartphone owners and more than double the reported number of tablet owners. When asked to rank various items in order of importance, 41 percent of students surveyed consider their laptop their most important possession, followed by their car, tablet, bicycle, and television. (link)

Fraud & Ethics Related Events

July 28, 2014: Alabama Gov. Robert Bentley announced today he has removed Alabama State University Trustee Marvin Wiggins from office for conflict-of-interest violations. (link)

July 23, 2014: The former head of financial aid at Merrimack College was charged today with wire fraud and mail fraud for allegedly deliberately mishandling federal student loans and falsifying documentation to cover up her actions over a dozen years. (link)

July 21, 2014: A Bentley University accounting professor's "entire body of work" is in question, following the school's investigation of two papers by James E. Hunton in which data were found to have been falsified. (link)

July 18, 2014: The University of Connecticut on Friday said it had reached a $1.3 million deal to settle a 2013 lawsuit filed by five current and former students charging that the school had mishandled claims of sexual assault and harassment. (link)

July 16, 2014: A Virginia man faces multiple counts of theft by deception after falsely claiming Georgia residency to lower his daughter's tuition at the University of Georgia, the school's police chief said Wednesday. (link)

July 14, 2014: Three workers fired by the University of Saskatchewan for taking cafeteria food home are headed back to an arbitration board. The group was fired in 2012 while working at the university's ag-bio cafeteria. Over the span of a year, the three workers brought soup, gravy and expired fruit cups home from work. They also ate soup from the cafeteria without paying. (link)

July 11, 2014: UCLA has agreed to pay $500,000, including $350,000 in scholarships, to settle a claim by a prominent African American judge over alleged mistreatment and racial profiling by campus police during a traffic stop last year, officials announced Friday. (link)

July 8, 2014: Federal officials are rescinding nearly $1.4 million in grant money for an Iowa State University research team that was besmirched by a colleague's alleged fraud. The National Institutes of Health decision comes on top of ISU's agreement to reimburse the federal agency $496,000 for salary and other costs related to Dong-Pyou Han's employment. The former ISU scientist is accused of faking experiment results to make it look like a vaccine was protecting rabbits against the AIDS virus. (link)

July 3, 2014: After a string of cases involving embezzlement or misuse of funds at the University of Louisville in recent years, an independent audit commissioned by the university has recommended 17 changes to improve financial controls and oversight. It calls for strengthening disbursement controls, adding checks on vendors and contracts, reviewing university-associated bank accounts, hiring a chief financial officer, standardizing policies and expanding internal auditing. (link)

July 1, 2014: As many as 90 percent of recommendation letters for Chinese applicants to western universities were falsified in 2011, the most recent period studied, according to the U.S. educational consulting firm Zinch China. Seventy percent of admissions essays were written by someone other than the applicants, the firm found, and half of secondary school transcripts were doctored. (link)

Compliance/Regulatory & Legal Events

July 30, 2014: U.S. colleges and universities that fail to take steps to curb sexual assault on their campuses would face stiff penalties under a proposal introduced in the Senate on Wednesday. A key provision would require colleges to conduct an annual, anonymous survey in which students would be asked about their experiences with sexual assault on campus. Colleges would be required to publish the results online "so that parents and high school students can make an informed choice when comparing universities," a summary of the bill says. (link)

July 29, 2014: Alabama State University spent $318,099 suing a Birmingham forensic auditor hired by Gov. Robert Bentley to investigate claims of financial wrongdoing at the school. (link)

July 27, 2014: University and college professors are complaining that government restrictions on the use of small drones are likely to stifle academic research. In a letter to the Federal Aviation Administration on Friday, 30 professors said a clarification the agency issued last month on what rules model aircraft hobbyists must follow would eliminate the ability of researchers to use small, unmanned aircraft on low-altitude flights over private property. (link)

July 25, 2014: The Ohio State University Marching Band, known for entertaining fans at sporting events with hypnotic formations choreographed to music, was also known among university insiders for a culture that facilitated sexual harassment, according to an investigative report. (link)

July 21, 2014: The University of Connecticut will pay nearly $1.3 million to five current and former students to settle a federal lawsuit that accused the university of mishandling allegations of sexual assault and harassment. Most of the settlement -- $900,000 -- will go to just one student. (link)

July 18, 2014: The Iowa Supreme Court is ordering Iowa State University to pay $650,000 to a former employee who was the subject of vicious mistreatment by superiors. The court Friday upheld a jury's $500,000 award to former College of Engineering marketing employee Dennis Smith for emotional distress. (link)

July 16, 2014: A California judge ruled Tuesday that a private Southern Baptist college was within its rights to expel a transgender student who applied to the school as female, but only as regards the school's private courses. The student was found to have been discriminated against with regards to the college's public facilities. (link)

July 15, 2014: A federal appeals court on Tuesday upheld a race-conscious admissions program at the University of Texas, a ruling that comes one year after the U.S. Supreme Court concluded that the same admissions program should be strictly scrutinized. (link)

July 11, 2014: Ball State University board of trustees took an additional step in trying to safeguard the university from another investment scandal. Ball State was the victim of securities fraud in 2008 and 2010 that cost the university $13.165 million. As a result, Gale Prizevoits, the director of cash and investments at the university, was fired; Seth Beoku Betts of Boynton Beach, Fla., was convicted of securities fraud; and George Montolio, from the Bronx, N.Y., was convicted of wire fraud. Both men were prosecuted in Manhattan and sentenced to federal prison. (link)

July 11, 2014: The University of Michigan has settled a lawsuit brought by a student group that said it was improperly denied funding for an event featuring a speaker who previously had sued the school. (link)

July 9, 2014: More than 40% of U.S. colleges and universities have conducted no investigations of alleged sexual assaults over the last five years, according to an explosive survey of more than 300 schools by a congressional subcommittee. (link)

July 8, 2014: A settlement has been reached in the lawsuit filed by a Case Western Reserve University law school professor who alleged that when he reported former Law School Dean Lawrence Mitchell had potentially sexually harassed women, he suffered retaliation. (link)

July 7, 2014: This week Students for Concealed Carry Foundation, Inc. filed a lawsuit in Franklin County Common Pleas Court challenging The Ohio State University's authority to ban lawful possession of firearms by students, faculty, staff, and other affiliates on its campuses. (link)

July 7, 2014: A New York City man was sentenced to 18 years in prison on Monday for raping his stepdaughter, who revealed the sexual abuse in a college application essay. (link)

July 7, 2014: Southern University settled a lawsuit over the Baton Rouge campus' failure to accommodate disabled students, agreeing to make several upgrades that are expected to cost the cash-strapped college millions over the next five years. (link)

July 3, 2014: The Supreme Court gave Wheaton College a temporary exemption from birth control coverage required by President Barack Obama's health reform law, days after ruling that for-profit employers can opt out for religious reasons. (link)

July 2, 2014: Lawsuits filed Tuesday by an education foundation accuse three state universities and a community college of restricting free speech of students and faculty, the first public volley of a nationwide campaign to challenge campus policies it says are unconstitutional. (link)

July 2, 2014: Philosophy Prof. Peter Ludlow will not join the faculty at Rutgers for the coming academic year, the school said Wednesday. Ludlow will remain on Northwestern's faculty, University spokesman Al Cubbage confirmed Wednesday. Ludlow is at the center of a Title IX lawsuit that alleges NU acted with "deliberate indifference and retaliation" after a student reported being sexually assaulted by Ludlow. The professor has denied the student's allegations. (link)

July 1, 2014: The NCAA is taking another look into academic misconduct at North Carolina after an investigation uncovered new information. UNC athletic director Bubba Cunningham said Monday the school has received "a verbal notice of inquiry" that the NCAA will reopen its 2011 investigation in a case that began as an offshoot of a 2010 probe into the football program. "The NCAA has determined that additional people with information and others who were previously uncooperative might now be willing to speak with the enforcement staff," Cunningham said in a statement. (link)

June 30, 2014: Federal initiatives are in the works to make attending college less of a financial burden, but financial aid administrators question whether they present a robust solution. (link)

Campus Life & Safety Events

July 30, 2014: The rupture of a nearly century-old water main that ripped a 15-foot hole through Sunset Boulevard and turned a swath of the University of California, Los Angeles into a mucky mess points to the risks and expense many cities face with miles of water lines installed generations ago. The flooding sent more than 20 million gallons of water cascading from a water main in the midst of California's worst drought in decades and as tough new state fines took effect for residents who waste water by hosing down driveways or using a hose without a nozzle to wash their car. (link)

July 29, 2014: Just in time for the new school year, colleges across the state are making plans to offer alcoholic beverages, either at on-campus pubs or allowing sales at sporting events. (link)

July 28, 2014: The William T. Young Library and several adjacent buildings on the University of Kentucky campus were evacuated for several hours Monday after a construction machine hit a gas line, causing a leak. (link)

July 28, 2014: University of Delaware students are being offered counseling after a doctoral student allegedly hid video cameras in restrooms around the university's Newark campus over a two-year period. (link)

July 25, 2014: An accounting professor who taught at both San Francisco State and the University of San Francisco was arrested Wednesday for allegedly filming friends and former and current students as they used the restroom in his San Francisco home. Mark Landis, 38, was charged with 15 misdemeanor counts of invasion of privacy. (link)

July 21, 2014: Four Case Western Reserve University students were robbed at gunpoint on campus Saturday afternoon, university spokesman William Lubinger said. The students were studying in the Wade Commons university building about 4:24 p.m., when three men entered the RedCats room and demanded their belongings. (link)

July 15, 2014: More than 25 students were found to have violated Gettysburg College's policy, resulting in expulsions, suspensions and dismissals from campus, according to a letter from college president Janet Morgan Riggs. In an email sent July 14 to parents and alumni, Riggs stated the 27 sanctions were given in response to the college's internal investigation, which involved the questioning of 39 students. The investigation was in response to a Philadelphia-area drug ring investigation earlier this year. (link)

July 9, 2014: The definition of "consent" in Norfolk State University's sexual misconduct policy consists of 166 words. The College of William & Mary uses 257 words to spell it out. It takes 438 at Virginia Wesleyan College. With scrutiny on policies and prevention of sexual violence at colleges and universities, it's becoming increasingly important for local higher-education officials to pinpoint what constitutes consensual sex. "No" means no, but "yes" can be trickier for school administrators to identify. (link)

July 8, 2014: The president of Washington and Lee University on Tuesday said in a mass email to faculty and students that the battle flags of the Confederacy will be removed from Lee Chapel and that the university will continue to study its historical involvement with slavery. President Kenneth Ruscio issued a lengthy statement in response to a controversy that began last spring when a group of law school students called the Committee demanded that W&L stop glorifying Robert E. Lee and the Confederacy and acknowledge Lee and the university's ownership of slaves. (link)

July 7, 2014: Thirty Baruch College students could face a slew of criminal charges this week - ranging from hazing to homicide - related to the death of a fraternity pledge, a lawyer representing the victim's family says. (link)

July 7, 2014: Three University of Maryland students crossed U.S. 1 this weekend, hours after a fatal hit-and-run on the same stretch of road. The students said they know jaywalking on the major thoroughfare is dangerous -- three people have been struck and killed by drivers there in the past six months -- but they said they've become accustomed to drivers yielding to them on campus. "Because on campus the cars have to stop for you, we all are so used to it," said Elizabeth Steidl. "So we just walk wherever we want." (link)

July 3, 2014: The family of a Cal State Northridge fraternity pledge who collapsed and eventually died after a hike in the Angeles National Forest is blaming the student's death on hazing. (link)

July 1, 2014: Public safety officers armed with semi-automatic pistols will patrol Idaho State University for the first time on Tuesday to safeguard students and staff, in response to a new state law allowing concealed weapons on college campuses. Arming eight officers and two supervisors with guns is among the security measures the school in the southeastern Idaho city of Pocatello has adopted in light of the new law, school officials said. Another Idaho university was considering a similar move. (link)

Other News & Events

July 29, 2014: The government's official statistic for college-tuition inflation has become somewhat infamous. It appears frequently in the news media, and policy makers lament what it shows. No wonder: College tuition and fees have risen an astounding 107 percent since 1992, even after adjusting for economywide inflation, according to the measure. No other major household budget item has increased in price nearly as much. But it turns out the government's measure is deeply misleading. (link)

July 7, 2014: Total enrollment in the nation's journalism schools has dropped, research by a team at the University of Georgia shows, triggering a variety of responses from the schools and raising questions about the future of journalism education. (link)

July 1, 2014: The University of Arizona has abruptly fired a prominent marijuana researcher who only months ago received rare approval from federal drug officials to study the effects of pot on patients suffering from post traumatic stress disorder. The firing of Suzanne A. Sisley, a clinical assistant professor of psychiatry, puts her research in jeopardy and has sparked indignation from medical marijuana advocates. Sisley charges she was fired after her research -- and her personal political crusading -- created unwanted attention for the university from legislative Republicans who control its purse strings. (link)

July 1, 2014: Aaron Hernandez, a former tight end for the New England Patriots who has been indicted on three murder charges, is featured in a University of Florida football-themed calendar, according to several reports. The calendar was not produced or distributed by the university, according to the program's Twitter account, which noted that approval of the calendar probably occurred in the spring of 2013. (link)

If you have any suggestions, questions or feedback, please e-mail me at robinmk@auburn.edu. We hope you find this information useful and would appreciate hearing your thoughts. Feel free to forward this email to your direct reports, colleagues, employees or others who might find it of value. Back issues of this newsletter are available on our web site at https://www.auburn.edu/administration/oacp.

If you have any suggestions for items to include in future newsletters, please e-mail Robert Gottesman at gotterw@auburn.edu.


Department of Internal Auditing
Auburn University
304 Samford Hall
M. Kevin Robinson, Exec. Director

© Redistribution of this newsletter, with or without modification, is permitted provided Auburn University Internal Auditing is listed as the source.