The Quaestor - Volume 9, Issue 2

This  article  focuses  on  the  bedrock  of  a  well-controlled  operation,  the  control environment.    Also  referred  to  as  the  internal  environment,  the  control environment is the foundation for a solid internal control structure in any entity and establishes the business risk culture.  Every layer of an entity – a division, a  department,  or  an  operating  unit  within  a  department,  has  its  own  control environment.  You have likely heard of it referred to as the “tone at the top.”   Keep  in  mind  the  tone  at  the  top  is  not  just  senior  management’s responsibility,  but  that  of  all  leaders.    It  could  be  said  that  all  employees, regardless  of  job  title,  function  as  leaders  if  they  embody  the  key  values  of stewardship, trustworthiness, insight, humility and enthusiasm.

The control environment sets the basis of how risk and control are viewed by an entity’s people.  You will agree that the core of any business is its people – their attributes, integrity, ethical values, competence - influence the environment in which they operate.  Other control environment factors include management's  philosophy  and  operating  style,  the  way  management  assigns authority and responsibility, and organizes and develops its people.

Other signs of a solid control environment include:

Leading by Example:

Managers should demonstrate through their  own actions  their  commitment  to honesty, ethical strength, reliability, and fairness.

Communicating and Promoting Ethics and Values:

Management should clearly communicate its ethics and values throughout their area  of  responsibility.    These  values  could  be  communicated  through  formal methods  (written  codes  of  conduct, policies,  staff  meetings,  memos, etc.),  or informally, during day-to-day interaction and operations.

Reporting:

RIT  has  a  method  for  employees  who  are  witnessing  unethical  behavior  to  report  such behavior  anonymously  (the  RIT  Ethics  Hotline).    Employees  are  responsible  to  report  such activity  and  should  feel  safe  from  retaliation.   Managers  should be  familiar  with,  and make their employees aware of, the RIT Ethics Hotline and RIT Policy C0.0, which contains within it Standards of Ethical Conduct including Whistleblower Protection Against Retaliation.

Rewarding Integrity:

Management should acknowledge employees who demonstrate honesty and integrity. Doing so will help communicate management’s commitment to this behavior and will encourage others to act likewise.  This will promote integrity within the university and have a positive influence on others.

To summarize, while every employee in the RIT community has a personal and professional obligation  to  be  a  good  steward  of  university  assets  and  resources,  a  manager  has  a particular responsibility to ensure that the control environment in their area of responsibility is  aligned  with  the  expectations  of  senior  management  and  the  Board  of  Trustees  and promotes ethical behavior.

How strong is the control environment in your area?

The RIT Ethics Hotline is a great option for employees to utilize when they are uncomfortable about  bringing  a  concern  forward  in  person.    Every  report  is  taken  seriously  and  is appropriately  investigated.    If  you  have  any  questions  about  the  Hotline,  please  contact Steve Morse at smmiaca@rit.edu.

Information is classified by its degree of confidentiality by the Information Access and Protection Standard. Here are the four classification levels and related handling information:

Private Information

Private  information  is  information  that  is  confidential  and  which  could  be  used  for identity  theft.  Private  information  also  has  additional  requirements  associated  with  its protection (e.g., state and federal mandates). Examples include:

• Social Security Numbers (SSNs) or other national identification numbers
• Driver’s license numbers
• Financial  account  information  (bank  account  numbers,  checks,  credit  or debit card numbers), etc

Use  alternatives  to  Private  information  whenever  possible.  Unless  required  by  RIT business processes, files should not contain Private information. Sanitize all unnecessary Private  information  by  redacting  (removing)  the  Private  information.  Redaction  should be done in such a manner that the Private information is completely removed from the files—masking  of  Private  information  is  insufficient.  Approved  sanitization,  redaction, and disposal practices may be found at https://www.rit.edu/security/content/information-access-protection-stan….

Stored Private information should be protected with documented technical and process controls that limit access in both physical and electronic environments. Private information  in  electronic  form  should  be  stored  in  secure  ISO-approved  servers  or another  ISO-authorized,   encrypted  form.  Transfer  or  sharing  of  Private  information  is prohibited unless it is essential to RIT business practices, and should be done using an ISO-approved  transfer  method  such  as  the  Tiger  File  exchanger,  encrypted  e-mail,  or file-based  encryption.  Avoid  printing   Private  information  unless  necessary  for  business operations, and implement the ISO-recommended printer best practices where possible.

Confidential Information

Confidential information is information that is restricted to a need-to-know basis and due to legal, contractual, ethical, or other constraints may not be accessed or communicated without specific authorization. Examples include:

• University Identification Numbers
• Educational records governed by FERPA that are not defined as directory information (see RIT Educational Records Policy D15.0)
• Employee health information as defined by the Health Insurance Portability and Accountability Act (HIPAA)
• Management information, including communications or records of the Board of Trustees and senior administrators, designated as Confidential
• Faculty research or writing before publication or during the intellectual property period (see RIT Intellectual Property Policy 3.0)
• Third party information that RIT has agreed by contract to handle as confidential

Confidential information should only be used and disclosed to others on a need-to-know basis in order to perform RIT business operations. Any transfer or sharing of Confidential information should include an annotation labeling the document or file as “Confidential” (education records governed by FERPA that are not defined as directory information are excluded from the marking requirement).

Confidential information in paper form should be stored in locked areas; in electronic form, it should be protected using secure information technology resources and access controls. Confidential information should not be stored or posted in blogs, wikis, or other digital locations/repositories that do not use ISO-approved authentication and authorization.

Internal Information

Internal information is restricted to RIT faculty, staff, students, alumni, contractors, volunteers, and business associates for the conduct of university business. Examples include online building floor plans, specific library collections, etc.

Use secure information technology resources and access controls whenever storing, transferring, or sharing Internal information.

Public Information

Public information may be accessed or communicated by anyone without restriction and has no special handling requirements associated with it.

Private Information Management Initiative

The Private Information Management Initiative focuses on helping RIT employees identify and reduce or eliminate Private Information not needed for business processes. Most of you are familiar with the Identity Finder software that runs monthly on your RIT computer. The Identity Finder software searches your system for data patterns that look like Private Information. Identity Finder provides a search results window that enables you to examine the suspected Private Information found and shred (delete) or scrub (redact) the information. It also allows you to choose “Ignore” for information that is a false positive. (A false positive matches the data pattern of Private Information, but is not actually Private Information. We typically see false positives in various statistical packages and in spreadsheets that contain entries that are nine-digit numbers or otherwise appear to be account numbers.)

We appreciate your diligence in handling information properly. It increases the safety of both RIT’s and your information.

Courses Available to Employees Include:

DSD 103 Information Handling

RIT employees handle or are exposed to Private and Confidential information every week. It is important to use appropriate and secure information handling practices to protect these types of information. Inadvertent loss or disclosure of Private information may result in a Notification event under the NYS Information Security Breach and Notification Act.

Course Objectives
Attendees of the Digital Self Defense (DSD) 103—Information Handling course will learn new and improve existing information handling skills. Specifically, the course explains the different classes of information at RIT, how these types of information should be treated, and the correct means of storage, transfer, and destruction to be used. Completion of the course should provide the user with the necessary knowledge to be in compliance with the Information Access & Protection (IAP) Standard.

DSD 103 Online Course

DSD 103 Information Handling is now available as a self-paced online class through the RIT E-Learning Zone.

Access DSD 103 Information Handling Web-based training on the RIT E-Learning Zone Login with your RIT credentials

• Open the course.
• Click the blue triangle to launch the course. (You may want to perform a Browser Check to ensure your computer is configured correctly.)
• Take the course and complete the post-course assessment.

For More Information

https://www.rit.edu/security/content/information-access-protection-standard

https://www.rit.edu/security/sites/rit.edu.security/files/PlainEnglishGuideAccessProtection2009_0.pdf

In addition, the Framework includes points of focus or characteristics that are examples of behaviors or  processes that  would be  expected to  be in  place to demonstrate that the related principle is in fact present and functioning.  This edition of the COSO Corner will summarize the second principle relating to the Control Environment component of the COSO Framework, as well as the related points of focus.

Principle 2 –   The Board of Trustees (BOT) demonstrates independence from management  and  exercises  oversight  of  the  development  and  performance  of  internal control.  Key characteristics (points of focus) relating to this principle include:

• The  BOT  identifies  and  accepts  its  oversight  responsibilities  in  relation  to established  requirements  and  expectations.    The  Board  is  responsible  for providing oversight and constructive feedback to management.
• The  BOT,  maintains,  and  periodically  evaluates  the  skills  and  expertise needed  among  its  members  to  enable  them  to  ask  probing  questions  of senior management and take commensurate actions. 
• The  BOT  has  sufficient  members  who  are  independent  from  management and objective in evaluations and decision making.
• The  BOT  retains  oversight  responsibility  for  management’s  design, implementation, and  conduct of  internal  control.    The  President  and  senior management bear direct responsibility for developing and implementing the internal  control  system.    Board  oversight  is  supported  by   structures  and processes that management establishes at a business-execution level.

Follow this link to learn more about RIT’s BOT:   https://www.rit.edu/president/trustees/trustee-home.

Reference
Committee of Sponsoring Organizations of the Treadway Commission (May 2013). “Internal Control – Integrated Framework – Framework and Appendices”