The Quaestor - Volume 9, Issue 1

The RIT Ethics Hotline (the Hotline) was established in November 2005. The Hotline is an ideal way for RIT employees to report financial, compliance, and ethical (including conflicts of interest) concerns they have observed while maintaining anonymity. The Hotline is hosted by EthicsPoint, a Navex Global company. It is important to note that the Hotline is NOT intended to supersede existing processes for reporting concerns or emergencies (such as speaking to a supervisor or contacting the Human Resources or the Public Safety Department), but rather to be an option for employees who are uncomfortable reporting a situation in person.

To report a concern, an employee may do so electronically at www.ethicspoint.com, by telephone at 866-294-9358, or by TTY at 866-294-9572. The reporter will first be asked to categorize the report into one of five general categories: financial, research, employee benefits, confidentiality, or information security/privacy. The reporter may choose to remain anonymous or to identify themselves. Of the reports received to date, approximately 82% of the reporters have chosen to remain anonymous. There are a number of RIT websites (i.e., Controller’s Office, Global Risk Management Services, and IACA) that have a link to the Hotline to click on which will take you to the RIT EthicsPoint File a Report webpage. Also, Dr. James Watters’ (Senior Vice President for Finance & Administration) webpage www.rit.edu/fa/svp/ (Ethics and Compliance sidebar) has information about the Hotline and a link to make a report.

After a report is made, a small group of senior RIT managers (report recipients) receive the report and promptly dispatch the report to the appropriate RIT department(s) for investigation (i.e., Human Resources, IACA, Controller’s Office). It is important to note that all investigations are performed in a careful and methodical manner thereby maintaining confidentiality at all points along the way. Soon after the report is received, a general receipt acknowledgement is posted in the system. An investigating department, via the report recipient, may choose to communicate with the reporter and ask additional questions by utilizing the Hotline system. Once a reporter files a report, he/she is provided with a code so that they may log back into their report (or call back) to see if “RIT” has any questions for them. This anonymous back and forth discussion is a useful function of the EthicsPoint system. The reporter is under no obligation to provide additional information; however, receiving such information can often facilitate the investigation.

At the conclusion of an investigation, the appropriate report recipient will post a concluding comment similar to “the investigation has been completed; thank you for using the RIT Ethics Hotline to report your concern.”

The RIT Ethics Hotline is a great option for employees to utilize when they are uncomfortable about bringing a concern forward in person. Every report is taken seriously and is appropriately investigated. If you have any questions about the Hotline, please contact me at smmiaca@rit.edu.

Using your Mobile Device Safely

Mobile devices (smartphones, tablets, iOS devices, etc.) pose difficult security risks. They’re often personally-owned and may not have the security controls you would expect on a laptop or desktop computer. Organized crime is funding development of malware to attack mobile devices. It’s important to understand what types of security controls you should use to protect both yourself and RIT.

There are a number of ways in which information on a mobile device may be breached: theft of the device, attacks on your service provider, wireless hijacking or "sniffing," and unauthorized access. Because mobile devices may be more easily stolen or compromised, users of these devices must take precautions when using them to store or access Private or Confidential Information.

Private Information and Mobile Device Use

We recommend that Private Information NOT be accessed from or stored on mobile devices. If Private Information must be accessed from or stored on a mobile device, then the information on the mobile device must be encrypted. Password protection alone is NOT sufficient.

To ensure that RIT information will remain secure, you should use only devices that provide encryption while information is in transit and at rest.

Security requirements for handling RIT Private, Confidential, and other information may be found in the Information Access and Protection Standard < www.rit.edu/security/content/information-access-protection-standard>.

General Guidelines for Mobile Device Use at RIT

Understand Your Device

Configure mobile devices securely. Depending on the specific device, you may be able to:

• Enable auto-lock. (This may correspond to your screen timeout setting).
• Enable password protection.
  • Use a reasonably complex password where possible.
  • Avoid using auto-complete features that remember user names or passwords. You may want to use a password safe application where available.
• Ensure that browser security settings are configured appropriately.
• Enable remote wipe options (third party applications may also provide the ability to remotely wipe the device; if you're connecting to mymail.rit.edu with ActiveSync for email and calendaring, you may wipe all data and applications from your device remotely from mymail.rit.edu).

Disable Bluetooth (if not needed). This will help prolong battery life and provide better security.

Ensure that sensitive websites use HTTPS in your browser URL on both your computer and mobile device.

Know your mobile vendor's policies on lost or stolen devices. Know the steps you need to take if you lose your device. Report the loss to your carrier ASAP so they can deactivate the device.

Use appropriate sanitation and disposal procedures for mobile devices.

Use Added Features

Keep your mobile device and applications on the device up to date. Use automatic update options if available.

Install an antivirus/security program (if available) and configure automatic updates if possible. Like computers, mobile devices have operating systems with weaknesses that attackers may exploit.

Use an encryption solution to keep portable data secure in transit and at rest. WPA2 is encrypted. 3G encryption has been cracked. Use an SSL (HTTPS) connection where available.

General Tips

Never leave your mobile device unattended.

Report lost or stolen devices and change any passwords (such as RIT WPA2) immediately.

Include contact information with the device: On the lock screen (if possible). For example, "If found, please call RIT Public Safety at 585-475-2853. "Engraved on the device or inserted into the case.

For improved performance and security, register your device and connect to the RIT WPA2 network where available.

Get informed

Visit the RIT Information Security website <www.rit.edu/security&gt; to read the security standards, access security tools and software, or find out more ways to protect yourself.

In addition, the Framework includes points of focus or characteristics that are examples of behaviors or processes that one would expect to be in place in order to conclude that the related principle is in fact present and functioning.  This edition of the COSO Corner will summarize the first principle relating to the Control Environment component of the Framework, as well as the related points of focus (or expected controls).

Principle 1 –  The university (including its board, management, and all faculty and staff members) demonstrates a commitment to integrity and ethical values.  Key characteristics (points of focus) relating to this principle include:

• The Board of Trustees and management at all levels of the entity demonstrate through their directives, actions and behavior the importance of integrity and ethical values to support the functioning of the system of internal control.
• The expectations of the Board of Trustees and senior management concerning integrity and ethical values are defined in the entity’s standards of conduct and understood at all levels of the organization.
• Processes are in place to evaluate the performance of individuals and teams against the expected standards of conduct.
• Deviations from the university’s expected standards of conduct are identified and remedied in a timely and consistent manner.

Are you familiar with the RIT Compliance Policy and Code of Ethical Conduct? http://www.rit.edu/academicaffairs/policiesmanual/sectionC/C0.html

Reference
Committee of Sponsoring Organizations of the Treadway Commission (May 2013). “Internal Control – Integrated Framework – Framework and Appendices”