The Quaestor - Volume 11, Issue 3

Rolling with the Changes

Contributed by: Aldwin B. Maloto,  Jeffrey W. Butler, Ginger Howe

We  wanted  to  take  this  opportunity  to  allow  a few new RIT employees to introduce themselves...

From Global Risk Management Services Information Security Office

Aldwin Maloto

Chief Information Security Officer

585-475-6972

Aldwin B. Maloto recently joined RIT as the Information Security Officer (ISO) on July 1, 2016. He is a graduate of the Management Information Systems (MIS) program and the Executive Masters of Business Administration (EMBA) program at the E. Philip Saunders College of Business. Aldwin is also a Certified Information Security Manager (CISM) and a Certified Information Systems Auditor (CISA). He brings over 18 years of experience in Information Security and Information Technology. He has a high level of technical and security expertise with expert level knowledge of current data protection best practices, standards and applicable legislation, and is well versed with principles and techniques of security risk analysis, disaster recovery planning, and business continuity processes. Aldwin has a comprehensive understanding of industry frameworks, approaches, and standards such as COBIT, ITIL, NIST 800, ISO 27000, European Union Safe Harbor Framework, Payment Card Industry Data Security Standards (PCI-DSS), and SSAE 16. He also has regulatory expertise in the Health Insurance Portability and Accountability Act (HIPAA), Health Information Technology for Economic and Clinical Health (HITECH) Act, 42CFR, Gramm Leach-Bliley Act (GLBA), Sarbanes-Oxley (SOX), US Patriot Act, and EU Privacy Directive.

Aldwin is excited to be part of RIT’s ISO. The ISO partners with the university community to achieve the university's mission by maintaining an appropriate level of information security risk that is in alignment with our academic portfolio, research agenda and educational model. As a community, we strongly endeavor to appropriately preserve the confidentiality, integrity and availability of university information assets through the innovative use of the committee. Aldwin will chair the Information Security Council. The council is comprised of technical and senior management representatives from each College, Division and operating units across campus. The Information Security Council is the body responsible for the creation of Information Security Standards at RIT.

“I am thrilled to be back at my Alma mater, doing work that I am really passionate about. I am deeply honored to be working amongst some of the best minds in the industry and academia. The level of talent and diversity that you see on campus is really second to none, and I am very proud to be part of the RIT team.”

From Institute Audit, Compliance & Advisement

Jeffrey Butler

Senior Internal Auditor

585-475-7849

My name is Jeffrey Butler, and I’m the new Associate Internal Auditor in IACA. I attended St. Bonaventure University, where I received my BBA and MBA, both with a focus in Accounting. Since graduating, I’ve worked at both a Big 4 and a regional accounting firm, PwC and Insero & Co. CPAs, respectively. I’ve worked in consulting; audited for-profits, not-for-profits, and universities; and now I’ve found my way into internal audit and I couldn’t be happier to call myself a Tiger!

Inform RIT

Contributed by: Ben Woelk, Program Manager, RIT Information Security Office, infosec@rit.edu

Inform RIT is a recurring column provided by the RIT Information Security Office. The column highlights current issues and initiatives that impact the RIT community. In this issue, we’ll talk about the benefits of using a password manager. A special thank you to Eilysh Haeger, Information Security Communications Associate, for drafting the original article.

Why Use a Password Manager?

Using a password manager is the easiest way to keep your personal and private information safe. A password vault stores your passwords securely, allowing you to save the information in the cloud or on your personal computer. This allows you to use truly random combinations in all of your passwords, making them much harder for malicious users or bots to crack. Password managers also protect you from giving away private information inadvertently. In fact, there are multiple reasons you should be using a password manager right now.

Remember Only One Password

A password manager stores all of your passwords in a single account. The master password to your safe is the only password you’ll ever need to remember.

Generate Random Passwords

Password managers can generate random passwords for each of your accounts. Password cracking programs are designed to guess the most common passwords first, so completely random passwords are far stronger than those you come up with off the top of your head.
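To make the point above concrete, here is a small added illustration (it is not code from the original column or from any of the password managers named later). It generates a password from a cryptographically secure random source the way a password manager would, measures its entropy, and shows that a human-chosen password is found after a handful of wordlist guesses while a generated one is not in the list at all. The six-entry "common passwords" list is constructed for the example; real cracking wordlists hold millions of entries.

```python
import math
import secrets
import string

# Constructed sample of the passwords a cracking tool tries first.
# Illustrative only; real wordlists are vastly larger.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "Tiger2016", "rit2016!"]

# Upper, lower, digits and punctuation: 94 symbols in total.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Build a password from the OS CSPRNG, one independent symbol at a time.

    secrets.choice is suitable for security-sensitive use, unlike random.choice.
    """
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size).

    A 20-character password over 94 symbols has about 131 bits; an 8-character
    one has about 52 bits. This is only meaningful for generated passwords;
    a human-chosen string of the same length has far less real entropy.
    """
    return length * math.log2(alphabet_size)


def dictionary_guess(password: str, wordlist=COMMON_PASSWORDS):
    """Return how many wordlist-first guesses are needed to hit the password,
    or None if the password is not in the list (the attack would have to fall
    back to brute force)."""
    for attempt, candidate in enumerate(wordlist, start=1):
        if candidate == password:
            return attempt
    return None


if __name__ == "__main__":
    generated = generate_password(20)
    print("generated:", generated)
    print("entropy (bits):", round(entropy_bits(20, len(ALPHABET)), 1))
    print("guesses to crack 'Tiger2016':", dictionary_guess("Tiger2016"))
    print("guesses to crack generated:", dictionary_guess(generated))
```

The comparison is the point: "Tiger2016" is nine characters long, yet a wordlist-first cracker finds it on the fifth guess, while a 20-character generated password never appears in the list and would need on the order of 2^131 brute-force guesses.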

Log In to Accounts Simply

You can log in to accounts the easy way. Once you sign up for a password manager, you can install a browser extension that will autofill logins for you while still storing them securely.

Easily Change Your Passwords

Password managers make it easy to change or reset passwords. If a website you have an account with has been hacked, you can stay secure by using a built-in password generator to create a new password. Some password managers can even reset your passwords with the click of a button. You can also choose to change all of your passwords periodically for optimal security.

Use the Convenient Autofill Feature

You can still use the form autofill feature when you have a password safe. Instead of letting your web browser save your form information, entrust your password manager to store your personal information safely.

Share Passwords Securely

You can share passwords to joint accounts with family or coworkers. Of course, it’s generally not recommended you give away your personal passwords, but for shared accounts, a password manager gives you the option to control who has access to passwords.

Store More Than Just Passwords

Answers to security questions, shopping profiles, memberships, and medical prescriptions are just a few examples of additional information that can be stored securely in a password safe.

Use the Same Password Manager Across Multiple Devices

Many password managers provide access across multiple devices. As we use our mobile devices more often (and as more websites provide optimized mobile experiences), this is increasingly important. Many of the password managers also provide support for passwords for apps.

Right now, several popular password managers are: LastPass, 1Password, KeePass, Dashlane, and RoboForm. If using a password manager at RIT, we recommend LastPass or KeePass.

Keep your personal information and accounts safe by switching to a password manager today!

Sign up for our DSD101 course, Introduction to Digital Self Defense, through CPD. Contact Ben if you’d like us to present DSD101 or provide information on other security topics to your department. http://www.rit.edu/security/

Like RIT Information Security at www.facebook.com/RITInfosec

Follow us on Twitter: @rit_infosec

This article was previously posted in May 2016 on the RIT Information Security website.

Committee of Sponsoring Organizations of the Treadway Commission (COSO) Corner

Contributed by: Nancy A. Nasca, Manager, Institute Audit, Compliance & Advisement, naniaca@rit.edu

As explained in previous editions of the Quaestor Quarterly, the COSO Framework (an internationally recognized standard with which the adequacy and effectiveness of an organization’s internal controls are evaluated) was updated in May 2013 to further define the principles underlying the five components of internal control (Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring). According to the Framework, these principles are fundamental concepts that must be present and functioning in order to achieve an effective system of internal control.

In addition, the Framework includes points of focus or characteristics that are examples of behaviors or processes that would be expected to be in place to demonstrate that the related principle is in fact present and functioning. This edition of the COSO Corner will summarize the ninth COSO principle, which is the fourth and final principle related to the Risk Assessment component of the COSO Framework, as well as the related points of focus.

Principle 9 – The university identifies and assesses changes that could significantly impact the system of internal control. The three key areas where the university should consider changes include:

  • The External Environment – As economic, industry, and regulatory environments change, the university should consider the need to adapt and evolve. For example, as a result of recent revisions to the U.S. Department of Labor regulations governing exemptions to the Fair Labor Standards Act, Human Resources is working with senior leadership of the university to determine what actions are required in order for RIT to remain in compliance with the new regulations.
  • The Business Model – The university should consider the potential impact of new business models on the system of internal control, changing reliance on foreign geographies, and new technologies. As opportunities arise to enter into new joint ventures or affiliation agreements to advance RIT’s Strategic Plan (e.g., to facilitate the expansion of global engagement), senior leaders should evaluate if revisions to current university policies and procedures will be necessary to support these new ventures.
  • Leadership – The university community should consider changes in management and respective attitudes and philosophies on the system of internal control. This is particularly relevant for RIT with some of the recent changes in College leadership, and as we begin the search for a new president.

In the next Quaestor Quarterly, we will review Principle 10, the first principle related to the Control Activities component of the COSO Framework. Control activities are the actions established through policies and procedures to assist with the mitigation of risks which threaten the achievement of the university’s key objectives.

Reference
Committee of Sponsoring Organizations of the Treadway Commission (May 2013). “Internal Control – Integrated Framework – Framework and Appendices.”

Additional Information by IACA

Watch IACA’s Monday Minute video series here!
Our video series focuses on opportunities for improving internal controls and increasing awareness of various university processes, policies, and protocols. If you have questions, feel free to contact anyone in the IACA office using information on our webpage.
Just to name a few, past topics include: Travel Policy changes, FERPA Regulations, RIT’s Ethics & Compliance Hotline, Records Management Policy, Risk Assessment, and many others.

What about ethics in the workplace?
Learn about the RIT Ethics and Compliance Hotline

IACA Team
Learn more about your IACA team.