Having trouble viewing this email? View it in your browser.

Internal Auditing

Case in Point:
Lessons for the pro-active manager

March 2015
Vol. 7 No. 3
''Security is always excessive until it's not enough.''

-- Robbie Sinclair

Last month we looked into the details of 2014's Information Technology stories linked in Case-In-Point. As has been true for multiple years, data breaches continue to be the most frequent story we link about in this category. Protecting data requires substantial effort as one weak link in the chain of protection can cause difficulty for the entire organization. As we indicated last month we wanted to discuss some ways that these risks can be reduced.

In last year's February issue, Robert Gottesman, AU's IT Auditor, made suggestions on actions you can take to prevent these issues. Due to the importance of this topic, we again present his list of suggestions for your consideration. Some of the items below apply to you as an individual and others would be handled by IT departments but all are important protection measures.

  • Patch: New vulnerabilities are discovered all the time. A process for updating software with vendor security patches must be a part of regular process.
  • Know where sensitive/confidential data is stored: In order to make sure you are securing your systems appropriately, you must know where this sensitive/confidential information is stored. Different systems should have levels of access commensurate with the type of information stored on the system.
  • Personally Identifiable Information (PII): PII that is no longer needed should be redacted or destroyed: Years ago, the SSN was the key identifier for students and employees. Faculty grade books, both paper and spreadsheet based, from this time period may still have these identifiers on them.
  • Vulnerability Scanning: IT Providers should regularly conduct vulnerability scans on system they are responsible for. These scans can be run by the IT provider or by OIT personnel and can help with the discovery of unpatched and misconfigured systems.
  • Virus Scanning: A centrally provided virus scanner should be installed, configured to get regular virus definition updates, on every computer.
  • Back-up: Regular backups of system data protects the University in the event of a system failure.
  • Proactive Access Management: Know who has access to your systems: Regularly review users and groups (including group members) granted permission to access your resources. Do all these people still need access to the resource, are they still affiliated with the University?
  • Passwords: Don't use the same user id/password combination on University systems as you do for external websites/systems. Using the same password means a compromise will be much more difficult to contain if it did occur. Best practice is to use different credentials for the University systems and for each of the external services you use.
  • Encrypting: Are you encrypting portable devices (flash drives, laptops, etc.) that contain personal, sensitive or confidential data?
  • Personal Data Device Security: How are you securing your personal device which is connecting to the University Network? If you get your University email on your smartphone, are you properly protecting that device? Does the device require a PIN or password to use?

Routinely communicating the importance of data and technology best practices is very important. These risks involve more than simply the IT department but rather requires all faculty, administrators, staff, students, and departments being diligent and vigilant in protecting data and systems. While IT related risks are probably near the top in importance, there are multiple areas we must stay on top of within higher education. We again invite you to review the issues occurring at institutions the past month. As always, we welcome your feedback.

M. Kevin Robinson, CIA, CFE, CCEP
Executive Director, Internal Auditing

Information Security & Technology Events

Mar. 31, 2015: Bradley University officials say the security of the school's computers have been breached, possibly compromising social security and other identity information of employees, former employees and retirees. (link)

Mar. 30, 2015: The FBI is investigating a cyberattack at Rutgers University that led to a weekend computer slowdown. The school's system suffered a 'denial of service' attack on Friday. That means a user redirected computers to contact one specific server, which caused a slowdown. (link)

Mar. 19, 2015: Racist comments on social media by purported American University students have provoked a strong reaction from students and university officials. The controversy stems from comments on the social media app Yik Yak. The app lets users within a 10 mile radius post comments and replies anonymously, similar to an online bulletin board for people in a certain area. (link)

Mar. 13, 2015: Texas A&M may have inadvertently compromised personal data belonging to fewer than 5,000 university faculty members and graduate students, according to an email sent to possible victims earlier this week. (link)

Mar. 9, 2015: The University of Chicago has been hacked, exposing the Social Security numbers of students and employees in the Department of Medicine.

Mar. 7, 2015: Three of seven Information Technology employees who were placed on paid administrative leave in late January after Victor Valley College's computer network was hit by a security breach have been invited back to work, officials said. (link)

Mar. 4, 2015: Kalamazoo College officials are meeting with students and stepping up security patrols after an anonymous, ''anti-Semitic'' online posting that included a threat to shoot faculty. (link)

Mar. 2, 2015: Employees at Pittsburgh's Carnegie Mellon University were recently the target of a sophisticated hacking attempt. On Saturday, about 200 faculty and staff at CMU received an e-mail claiming to contain information about a raise. The real content of the e-mail, however, was found to be a phishing scheme. (link)

Fraud & Ethics Related Events

Mar. 27, 2015: Stanford University is investigating allegations of academic cheating by students during the recent winter quarter, according to University Provost John Etchemendy. A letter Etchemendy sent to faculty and teaching staff on Tuesday pointed to ''an unusually high number of troubling allegations of academic dishonesty'' reported to the school's Office of Community Standards at the end of the quarter. (link)

Mar. 19, 2015: A former Greenville Technical College employee and two other Upstate women are facing charges in connection with what authorities called embezzlement of federal work-study funds at the school. (link)

Mar. 19, 2015: Responding to a second critical report in weeks over research involving vulnerable humans, University of Minnesota President Eric Kaler said Thursday he intends to put some research activities on hold pending a more-thorough review. Kaler will ask the Board of Regents next week to suspend enrollment in new and ongoing drug studies in the Department of Psychiatry until they are reviewed by an independent Institutional Review Board. The U's own review board, which is charged with approving research on humans, was found to be lacking expertise and too trusting of U researchers. (link)

Mar. 18, 2015: Robert Miller, a former maintenance manager at West Chester University, was arrested for allegedly stealing more than $112,000 from the university, according to Pennsylvania Attorney General Kathleen G. Kane, who announced the arrest Tuesday afternoon. According to the criminal complaint, Miller used the university's credit card hundreds of times without the authorization of the university to purchase thousands of dollars' worth of gift cards, clothing, food and miscellaneous personal items. (link)

Mar. 16, 2015: Sandi Marie Hollifield, 49, worked as a bookkeeper at Galen College, a now-defunct vocational college in Fresno. Beginning in 2008, Hollifield embezzled money from the school by creating fake invoices for supplies and charging Galen College. The school issued checks to Hollifield's fictitious business, ''Total Business Forms.'' Between September 2008 and April 2010, Hollifield deposited over $85,000 in Galen College checks made payable to ''Total Business Forms.'' (link)

Mar. 13, 2015: The former executive director of marketing at Southwestern Michigan College will spend almost two years in federal prison for stealing more than $200,000 from the Dowagiac school. Gregory DeRue, 48, of Granger, Ind., was sentenced Thursday to 21 months in federal prison for mail fraud during a hearing before U.S. District Judge Paul L. Maloney, according to court documents. His defrauding of the college was discovered after his release from employment. During his time at the college, federal investigators said the college used DMG Media as its advertising agency and was billed for more than $487,000. The school dealt exclusively through e-mail with the company's purported agent, ''Jack,'' and DeRue never disclosed to his supervisors that he was the president and sole employee of DMG Media. (link)

Mar. 9, 2015: In 2005, following a season of poor academic performance from his players, Syracuse University's head basketball coach, Jim Boeheim, hired a new director of basketball operations and gave him an imperative: ''fix'' the academic problems of his athletes. The director's solution, according to the National Collegiate Athletic Association, was for athletics staff members to access and monitor the e-mail accounts of several players, communicate directly with faculty members as if they were the athletes, and then complete coursework for them. (link)

Mar. 6, 2015: The University of Tennessee athletics department inappropriately pressured officials in charge of campus discipline and exerted undue influence that placed students and institutional integrity in ''peril,'' according to a former vice chancellor. (link)

Compliance/Regulatory & Legal Events

Mar. 31, 2015: Phi Theta Kappa Honor Society is investigating allegations by two female students that the community college honors group's longtime leader sexually harassed them. The allegations against Rod Risley, the group's executive director and C.E.O., have provoked letters of concern from presidents of the two community colleges the students attended, as well as court filings and Equal Employment Opportunity Commission complaints (link)

Mar. 31, 2015: A failure to provide a breakfast of McDonald's biscuits and hash browns for 30 fraternity brothers may have played a role in the death of a Clemson University student who was found dead in a lake after an early-morning run with other fraternity pledges, according to legal complaints filed by the student's family, The State and other newspapers in South Carolina report. (link)

Mar. 30, 2015: The U.S. Justice Department filed a lawsuit on Monday against Southeastern Oklahoma State University, alleging the school discriminated against a transgender assistant professor. The DOJ said it also sued the Regional University System of Oklahoma. The department said Rachel Tudor was denied a promotion because of her gender identity and retaliated against after she complained. (link)

Mar. 26, 2015: An Ohio-based association of campus retail stores wants more detail about a business deal struck last year between Purdue University and online retail powerhouse Amazon, which opened its first brick-and-mortar store earlier this semester on the West Lafayette campus. Located in Krach Leadership Center, Amazon's on-campus store serves as a pickup and drop-off spot for textbooks and other merchandise students order online. (link)

Mar. 24, 2015: College fraternities and sororities, concerned that students accused of sexual assault are treated unfairly, are pushing Congress to make it harder for universities to investigate rape allegations. (link)

Mar. 17, 2015: The University of North Carolina will pay a $335,000 settlement to Mary Willingham, the former learning specialist who was the whistleblower in the school's academic fraud case. Willingham filed suit against the school with claims she was retaliated against and demoted for drawing attention to the nearly two-decade fraud. (link)

Mar. 16, 2015: Today, students at college radio station WRAS-FM at Georgia State University (GSU) announced that they have filed an appeal (PDF) against the University System of Georgia (USG) Board of Regents, protesting the university's decision last year to allow Georgia Public Broadcasting (GPB) to broadcast over WRAS-FM during daytime hours. The appeal argues that the school misused student organization funds, specifically mandatory student activity fees, which were used for WRAS expenditures that are now benefiting a local public broadcaster. (link)

Mar. 13, 2015: Sacramento State has agreed to pay an employee $123,000 to settle a lawsuit alleging he was sexually harassed by the university president's son. The employee, Jeffrey Sharp, agreed to resign from his position and never apply again for a job in the California State University system. Sharp filed a lawsuit in March 2013 alleging that Alexander Gonzalez Jr. touched him and made suggestive actions and offensive comments when they worked together in the Office of University Advancement, which raises funds for the university. (link)

Mar. 11, 2015: The University of Michigan Senate Advisory Committee on University Affairs issued a report detailing what it sees as several major flaws with how the University's Office for Institutional Equity treats faculty members who are subjects of harassment and discrimination investigations. (link)

Mar. 6, 2015: Northeastern State University never should have let two faculty members that it had reprimanded for discriminating against a Native American colleague take part in a subsequent vote to deny him promotion and tenure, a federal judge has ruled. (link)

Mar. 5, 2015: A former UCLA researcher who filed an unlawful dismissal lawsuit in 2012 will be paid $140,000 and have his termination rescinded as part of a settlement reached with the University of California Board of Regents on Wednesday. Dr. James Enstrom's lawsuit claimed UCLA officials wrongfully dismissed him from his position because of political motivations in response to his controversial research about certain air pollutants. UCLA has previously denied the allegations and said it is committed to protecting academic freedom. (link)

Mar. 4, 2015: Thousands of veterans and active-duty members of the armed services have filed complaints against colleges through an online system created just over a year ago, officials in the Departments of Defense and Veterans Affairs said on Tuesday. Speaking at a meeting of the Association of Private Sector Colleges and Universities, the officials said the VA had received 2,711 complaints as of February 22 and the Pentagon had received 223 as of September 30, 2014. (link)

Mar. 2, 2015: Security procedures at Wheaton College-owned apartment buildings will not change after the recent arrest of a student charged with secretly taping a female student in her shower, school officials said. An investigation was launched the evening of Feb. 22 after a woman noticed a watch facing her as she showered, DuPage County prosecutors said. After seeing what appeared to be a video lens in the watch's face, the woman contacted police. (link)

Feb 27, 2015: The University of Minnesota needs stronger measures to protect people participating in its scientific research, according to an outside review that found ''inconsistent and inadequate'' practices to prevent vulnerable patients from being coerced into clinical studies. The review, released Friday, strikes at the same issues critics raised about the recruitment of Dan Markingson, a man with schizophrenia who died by suicide in 2004 while participating in a U drug study. Markingson was enrolled by a psychiatrist who had been treating him and advising a judge whether the young man needed to be committed to an institution. (link)

Campus Life & Safety Events

Mar. 28, 2015: Hazing has cost the St. Olaf College baseball team the rest of its 2015 season. A formal investigation by the Northfield college and its independent counsel found that team members violated St. Olaf's hazing policy in actions that took place both on and off campus the weekend of Feb. 28. The college also said that team members attempted a cover-up. St. Olaf released a statement Friday that described the events only in general terms, saying they involved ''ridicule, harassment and public displays of servitude,'' as well as underage students drinking alcohol. (link)

Mar. 28, 2015: An investigation ordered by university President David Boren reveals that the videotaped racist chant by brothers of the Sigma Alpha Epsilon fraternity had been taught at a leadership event organized by SAE's national organization four years ago. (link)

Mar. 22, 2015: A fraternity chapter at Elon University has been shut down until at least 2017. ''The decision to remove Pi Kappa Phi follows a pattern over several years of discipline for violations of the Elon Honor Code,'' Elon officials said in a statement. (link)

Mar. 21, 2015: The secret Facebook page where members of Kappa Delta Rho at Penn State University allegedly posted and commented on pictures of naked, unconscious women is just the latest in a spate of publicized incidents that have cast a shadow over fraternities nationwide.(link)

Mar. 13, 2015: A University of Maryland student and member of the Kappa Sigma fraternity is under investigation after an email he sent filled with racist and sexist language was shared with school authorities. (link)

Mar. 11, 2015: A Louisiana Tech University professor says he's ''not surprised'' at an allegation the school's Sigma Alpha Epsilon members sang a racist song during a pledge in 2010. ''We live in the South and we still have a lot of open wounds and a lot of misunderstanding about different groups. I haven't experienced or seen that personally (on campus), but I am not surprised that it happened,'' said Reginald Owens, head of Louisiana Tech's journalism program and adviser to its Black Student Union. (link)

Mar. 8, 2015: A five-member executive cabinet overseeing UC Irvine's student government on Saturday vetoed a decision to ban the display of all flags, including the American flag. ''We fundamentally disagree with the actions taken by ASUCI Legislative Council and their passage of [the ban] as counter to the ideals that allow us to operate as an autonomous student government organization with the freedoms of speech and expression associated with it,'' the cabinet said in a prepared statement. (link)

Other News & Events

Mar. 18, 2015: All copies of University of Canterbury's student magazine have been recalled after backlash over a ''poor taste'' article about virtual rape. The story in Canta magazine, written by a student under the alias Queen B, was published in its Monday edition, and discussed the issue of simulated rape in forums such as video games. (link)

Mar. 16, 2015: The United Arab Emirates, where New York University opened a new campus last year, has barred an N.Y.U. professor from traveling to the monarchy after his criticism of the exploitation of migrant construction workers there. The professor, Andrew Ross, who teaches at the university's New York campus and specializes in labor issues, said on Monday that he learned over the weekend that he had been barred from the country, ostensibly because of unspecified security concerns. (link)

Mar. 16, 2015: Kansas University officials told state legislators Monday that the university's ownership and use of jets gives taxpayers and students a strong return on the investment. The jet expenditures of $1.5 million a year are more than offset by revenue the planes help bring in from donor relations and athletics, said Tim Caboni, vice chancellor for public affairs. (link)

Mar. 13, 2015: College administrators across the country --- in Kansas, Florida, and Massachusetts --- are now fighting ISIS on their campuses. The acronym, that is. (link)

Mar. 4, 2015: A leading neuroscience journal has barred a pair of prominent University of Pennsylvania scientists from publishing in its pages for two years, citing mistakes in a paper on Alzheimer's disease that they helped write four years ago. The husband-and-wife team, John Q. Trojanowski and Virginia M.-Y. Lee, acknowledged errors in two images of mouse brain cells printed in the May 2011 Journal of Neuroscience but said they were unintentional, blaming them on carelessness by a former postdoctoral researcher. (link)

Mar. 2, 2015: Nearly three out of four colleges ask applicants a variation of the question most dreaded by those who have been on the wrong side of the law: Have you ever been convicted of a crime? Some colleges are only concerned with violent felonies, others with misdemeanors or even high-school suspensions. And what they do with that information, ostensibly gathered only to keep their campuses safe, varies widely. (link)

If you have any suggestions, questions or feedback, please e-mail me at robinmk@auburn.edu. We hope you find this information useful and would appreciate hearing your thoughts. Feel free to forward this email to your direct reports, colleagues, employees or others who might find it of value. Back issues of this newsletter are available on our web site at https://www.auburn.edu/administration/oacp.

If you have any suggestions for items to include in future newsletters, please e-mail Robert Gottesman at gotterw@auburn.edu.

Back to top

Department of Internal Auditing
Auburn University
304 Samford Hall
M. Kevin Robinson, Exec. Director

© Redistribution of this newsletter, with or without modification, is permitted provided Auburn University Internal Auditing is listed as the source.