Internal Auditing

Case in Point:
Lessons for the pro-active manager

February 2015
Vol. 7 No. 2
''Wisdom consists in being able to distinguish among dangers and make a choice of the least harmful.''

-- Niccolo Machiavelli, The Prince

As we noted in last month's Case-in-Point, we linked 580 stories during 2014 dealing with diverse issues and sometimes even entertaining events that occurred within higher education. This month we begin analyzing those 580 stories to see what we can learn and hopefully prevent in our areas of responsibility.

Within the Information Security and Technology category, we had 118 stories linked during 2014.

The breakdown within this category for 2014 is:

  • Hack/Data Breach 58%
  • Accidental Data Disclosure 23%
  • Social Media Issues 8%
  • Other 8%
  • Cyber Insurance 3%

As a point of comparison the 2013 results are:
  • Hack/Data Breach 44%
  • Accidental Data Disclosure 25%
  • Social Media Use 13%
  • IT Resources/Use 10%
  • Other 8%

The clear leader over the past two years among the stories we linked was ''Hack/Data Breach,'' where someone outside of the institution (or without legitimate internal access) attempted to obtain some protected data.

The second most common event we observed in this category involved accidental data disclosure by an employee. Most frequently noted was the situation where an employee thought they were storing electronic files in a secure place, but in reality they were open for anyone to view. We also included device loss or theft in this category. Laptops, smartphones, and thumb drives are all easily lost/stolen and can have major implications if not adequately protected.

Social media continues to be a fairly substantial topic as well, with the items we noted during the past year ranging from institutional policy issues to specific social media posts by students or employees.

Due to the importance of this topic we will look at some best practices in the data security and IT realm to help manage these events. We did this last year and think the topic is worth a reminder. In future months we will delve into the other categories in more depth.

As always we invite you to review the events from this month and consider ways you can help proactively manage risks.

M. Kevin Robinson, CIA, CFE, CCEP
Executive Director, Internal Auditing

Information Security & Technology Events

Feb. 27, 2015: Nearly 3,000 students -- some of whom did not even apply -- got acceptance emails from Kean University this week that were followed up with a big never mind. The congratulatory emails sent Tuesday were taken back within a half-hour by a decidedly less enthusiastic message saying the first email had been ''sent in error.'' (link)

Feb. 26, 2015: Thousands of former Pitt Community College students could have their personal information at risk after the college says a computer thumb drive was lost. PCC says some 5,300 full names, social security numbers, and addresses of the former students were on the drive that was lost January 21st. (link)

Feb. 17, 2015: Applicants to Carnegie Mellon University's Master of Science in Computer Science program are pursuing higher education. This week, about 800 of them learned a tough lesson: You can't believe everything you read. It's something they learned the hard way after they received emailed letters of acceptance that were mistakenly sent by CMU's computer science department. (link)

Feb. 6, 2015: A Utah State University staff member accidentally sent an email message Thursday containing 347 individual names and Social Security numbers to a group of USU student veterans, the university revealed Friday. According to a news release posted to the university's website, the email included Social Security numbers and names, but no other personal information, and went out to 1,033 people. (link)

Fraud & Ethics Related Events

Feb. 25, 2015: A former Iowa State University scientist admitted in court Wednesday that he faked results in a multimillion-dollar AIDS vaccine study. He expressed readiness to accept his punishment, including possible prison time. As part of his plea agreement, Dong-Pyou Han admitted that his subterfuge cost the federal government $7 million to $20 million. In return for his guilty pleas to two felony charges of making false statements, prosecutors dropped two other charges. He could face up to 10 years in prison, which would be a rare punishment for academic fraud. (link)

Feb. 10, 2015: A college student is accused of bilking the University of Washington out of tens of thousands of dollars. Campus police say it was a simple scheme that meant a big and illegal payoff. They say Said Ahmed was a cashier at the University Instructional Center. Court records claim when students returned course packets, Ahmed admitted that he gave himself unauthorized refunds on his UW Husky Card. (link)

Feb. 10, 2015: A former University of Alabama contract instructor faces a felony ethics charge after he allegedly made more than $375,000 by encouraging students to buy textbooks from a company he owned. 44-year-old Charles Christopher Horton allegedly profited $378,022.99 by requiring students in his computer sciences classes to purchase their textbooks through a company he owned, according to a grand jury indictment filed in the Tuscaloosa County Circuit Court in October 2014. (link)

Feb. 6, 2015: A former University of Kentucky mining engineering professor who prosecutors say defrauded the university out of tens of thousands of dollars in items and services has pleaded guilty. The U.S. attorney's office said 54-year-old Dongping "Daniel" Tao pleaded guilty to one count of wire fraud Thursday before U.S. District Judge Karen Caldwell. (link)

Feb. 2, 2015: The University of Missouri at Kansas City gave the Princeton Review false information designed to inflate the rankings of its business school, which was under pressure from its major donor to keep the ratings up, according to an outside audit released Friday. (link)

Compliance/Regulatory & Legal Events

Feb. 26, 2015: Chapman University has agreed to settle a lawsuit brought by a 98-year-old philanthropist who had charged that the university took advantage of his age to get him to donate $12 million for a technology building. University officials said donations from James and Catherine Emmi now will be used to create a scholarship fund. The agreement will resolve the suit, according to a brief statement issued Wednesday. (link)

Feb. 25, 2015: A University of Massachusetts student filed a civil rights lawsuit Wednesday against Amherst police alleging he was wrongly arrested last year during rowdy, pre-St. Patrick's Day parties known as the "Blarney Blowout." (link)

Feb. 25, 2015: A former top administrator at the University of Louisville has filed suit against the school's board of trustees, alleging he was fired because he spoke out about health insurance bidding issues and racial discrimination of employees. According to a complaint filed Tuesday in Jefferson County Circuit Court, Sam Connally, former vice president for human resources, claims the university violated Kentucky's whistleblower statute and the state's civil rights act. (link)

Feb. 24, 2015: Mary Willingham and UNC-Chapel Hill have reached a tentative settlement over a lawsuit she filed last summer that contended the university retaliated against her for blowing the whistle on a long-standing academic fraud involving classes that never met. Willingham said the settlement would provide her monetary compensation, but does not allow her to return to the university as she originally sought. She would not specify the amount of the compensation. (link)

Feb. 23, 2015: She's had nightmares, flashbacks and panic attacks since being sexually assaulted last year at Stony Brook University. Yet when Sarah Tubbs sought the university's help to proceed with disciplinary charges against her alleged attacker, officials required her to personally prosecute him, she said. Tubbs has no legal training. Yet she had to question and be cross-examined by the man she claims sexually assaulted her in his dorm room. (link)

Feb. 20, 2015: The University of Colorado has agreed to pay a suspended male student $15,000 and will not disclose without a waiver the details of his disciplinary record -- which includes convictions under the campus judicial process in a 2013 sexual assault case. The agreement was made with the CU junior known only as "John Doe," as he identified himself -- with a judge's permission -- when he sued the university last year under Title IX, the federal gender-equity law. (link)

Feb. 18, 2015: Federal and state officials are investigating Boston College for possible violations of accessibility laws, amid complaints from some current and former students with disabilities who describe navigating sections of the campus as a nightmare. Problem spots, including numerous routes and ramps that are steep and others that lead only to stairs, force people with disabilities to travel longer routes or navigate ''shortcuts'' through a maze of building hallways and elevators to get across campus, the students said. (link)

Feb. 16, 2015: More than 1,000 supporters of S.C. State University gathered at the State House Monday to rally against a legislative proposal to close the school for two years. Lawmakers, ministers and activists promised to keep open South Carolina's only historically black public college, decrying what they said is a lack of state funding for the Orangeburg school. ''The state of South Carolina has a sad and sorry history of only giving S.C. State enough to get by,'' the Rev. Joseph Darby, elder of the AME Church's Beaufort District and an S.C. State alum, told the crowd. ''We need to say -- loud and clear -- that we're tired of just getting by.'' (link)

Feb. 13, 2015: Beginning Feb. 1, the University of Massachusetts stopped admitting Iranian national students to specific programs in the College of Engineering and College of Natural Sciences because of a law Congress enacted in 2012. (link) (update)

Feb. 12, 2015: The National Association of the Deaf (NAD) and four deaf and hard of hearing individuals filed two federal class action lawsuits today against Harvard University and the Massachusetts Institute of Technology (MIT), charging that the schools discriminate against deaf and hard of hearing people by failing to caption the vast and varied array of online content they make available to the general public, including massive open online courses (MOOCs). (link)

Feb. 5, 2015: Harvard University banned professors from having ''sexual or romantic relationships'' with undergraduates, joining a list of campuses that have taken similar steps. Many colleges discourage but don't ban sex between professors and students. While a national professors' group doesn't favor such a prohibition, recent moves by Harvard, Yale University and the University of Connecticut suggest the tide may be turning. (link)

Feb. 5, 2015: The developers of a failed $1.3 billion plan to build a data center and power plant at the University of Delaware's STAR campus have sued the university, alleging the institution knuckled under to community opposition and then deliberately sabotaged a project that it had actively pursued. (link)

Campus Life & Safety Events

Feb. 23, 2015: Ten Wesleyan students and two visitors have been hospitalized, with at least two in critical condition, after overdosing over the weekend on the synthetic party drug MDMA, known as ecstasy or Molly, police and Wesleyan officials said. (link)

Feb. 20, 2015: In a week when two University of Tennessee football players were charged with aggravated rape, a report in the Tennessean about yet another rape allegation against a football player got a lot of attention. The school has now provided its internal investigation into the latter case to The Washington Post, and, like many alleged campus sexual assault cases, the report illustrates how difficult it can be for university officials to take on the roles of prosecution, defense, and jury for its own students, all the while aware that the end result will reflect on the institution, as well. School officials concluded that the two students in the case had agreed to have sex, a finding that the Tennessean described as ''devastating'' to the woman involved. (link)

Feb. 10, 2015: The boyfriend of a college freshman found dead in her dorm room was charged Monday with homicide after an autopsy found signs she had been severely beaten and strangled. Authorities responding to a 911 call early Sunday at Millersville University said 19-year-old Gregorio Orrostieta had blood smeared on his face and a dried cut on his forehead and was trying to administer CPR to student Karlie Hall, police said. His shirt was ripped, exposing scratch marks on his chest, and he had blood on his hands and jeans, the police affidavit said. (link)

Feb. 10, 2015: College of Charleston President Glenn McConnell called the alert system mistakes made in Tuesday's bomb threat ''unacceptable'' and said he will immediately work to correct them. Five days after police swarmed onto the University of South Carolina campus after a double shooting in a classroom, officers with rifles burst into some classrooms at the college to deal with the threat. (link)

Feb. 9, 2015: Texas Fiji hosted a party guests said had a ''border patrol'' theme Saturday night, where attendees wore construction gear, ponchos and sombreros. Other guests wore army camouflage outfits. According to Fiji fraternity president Andrew Campbell, the party was this year's annual Fiji Marshals event, a ''western-themed party which focuses on the traditional old west.'' Multiple attendees said the party's theme was communicated as ''border patrol.'' (link)

Feb. 8, 2015: A second case of meningococcal meningitis was confirmed in a Providence College student Sunday as the school unrolled its effort to vaccinate the entire student body. Beginning at 9 a.m., students began receiving the serogroup B meningococcal vaccine -- the first of three doses they will take over the next six months, according to Dr. Michael Fine, director of the Rhode Island Department of Health. The school is not mandating that its 3,800-plus students receive the vaccine, but health officials are urging students to do so in an effort to prevent an outbreak. (link)

Feb. 6, 2015: "The University of California will require incoming students to be screened for tuberculosis and vaccinated for measles, mumps, rubella, chicken pox, meningococcus, tetanus and whooping cough, under a plan set to take effect in 2017," the UC said in a statement. "Currently, the UC system only requires students to be vaccinated against hepatitis B, though several campuses have additional requirements." (link)

Feb. 5, 2015: Two people died Thursday in an apparent murder-suicide inside a building on the University of South Carolina's campus in busy downtown Columbia. The shooting happened about 1 p.m. Thursday as students were changing classes. Even as police cars with sirens blaring rushed to the new School of Public Health and the university sent out an alert that everyone should stay inside, people were walking around the sprawling campus. (link)

Feb. 4, 2015: Clemson University officials announced Wednesday a five-year suspension of the university's Sigma Phi Epsilon fraternity chapter for alleged violations of the student organization conduct code. (link)

Feb. 3, 2015: Was it a bomb? A booby trap? Something else designed to cause harm? The answer: D. None of the above. The device duct-taped to the side of the 14th Street Bridge that forced the Downtown Connector to be emptied for more than two hours Monday was actually a college art project, officials said Tuesday. Nothing suspicious about that, but instead one obvious question: Why the heck was it there? (link)

Jan 29, 2015: The student shuffle continues at City College of San Francisco. The Gough Street campus will now close due to seismic safety concerns, school officials told faculty Thursday. This follows the announcement three weeks ago that CCSF's Civic Center campus on Eddy Street would close because it too is seismically unsafe. (link)

Other News & Events

Feb. 25, 2015: Standard & Poor's Rating Services recently issued a negative outlook for nonprofit higher education for 2015. "Upping the Ante: Costs of Luring Top Students Keeps the Outlook Negative on U.S. Not-for-Profit Higher Education Sector" cites that colleges and universities will continue to struggle to balance their rising costs with student affordability. In addition, increased competition within the industry will require even stronger in-house management. (link)

Feb. 17, 2015: Recently, a computer science student at the University of Illinois did some class homework and posted the answers to GitHub, the code-sharing platform widely used by open-source software developers. And the university was peeved. Last week, using a DMCA takedown notice, the standard way to request removal of copyrighted material from the net, the university tried to force GitHub into vanishing the coursework from its service. After criticism from students, the school has rescinded the notice, but the incident goes a long way towards describing how the software world has changed in recent years. (link)

Feb. 16, 2015: The administration of Horry-Georgetown Technical College has issued an apology concerning ''happy pills'' that were handed out to children during a recent event. The apology was made Monday, two days after a faculty member distributed M&Ms in prescription pill bottles to children in attendance at a family event that took place off campus during the Fun Run associated with the Myrtle Beach Marathon. (link)

Feb. 12, 2015: A day after Clemson University's faculty asked the school's leaders to change the name of Tillman Hall, the board's chairman, David Wilkins, said the board does not plan to change the name. "While we respect the many differing opinions of our graduates, our students, our faculty and staff regarding this matter, the Clemson University Board does not intend to change the names of buildings on campus, including Tillman Hall," Wilkins said in a statement to The Greenville News. (link)

Feb. 2, 2015: College sports fans who donate money to their favorite schools and get priority seating at big games in exchange could lose a tax break under a federal budget plan proposed on Monday. (link)

If you have any suggestions, questions or feedback, please e-mail me at robinmk@auburn.edu. We hope you find this information useful and would appreciate hearing your thoughts. Feel free to forward this email to your direct reports, colleagues, employees or others who might find it of value. Back issues of this newsletter are available on our web site at https://www.auburn.edu/administration/oacp.

If you have any suggestions for items to include in future newsletters, please e-mail Robert Gottesman at gotterw@auburn.edu.

Department of Internal Auditing
Auburn University
304 Samford Hall
M. Kevin Robinson, Exec. Director

© Redistribution of this newsletter, with or without modification, is permitted provided Auburn University Internal Auditing is listed as the source.