The Quaestor - Volume 10, Issue 2

What’s New in IACA?

Contributed by: Patrick M. Didas, Assistant Vice President, Institute Audit, Compliance & Advisement

It appears we have finally shaken the cold winter and can welcome spring. The past several months have been a time of change at IACA as well. We have been busy adjusting to new roles and responsibilities while continuing to provide the same level of high quality professional internal auditing services to the RIT community.

This past November, I was named Assistant Vice President of IACA. However, as most of you likely know, I’m not new to IACA; I have been the Associate Director of IACA for the past nine years. In my current role, I have a dual reporting relationship reporting both to Dr. Watters, RIT’s Senior Vice President for Finance and Administration, as well as the Chairperson of the Audit Committee of the Board of Trustees. That reporting relationship provides IACA the independence required of an internal audit function.

The two former Senior Internal Auditors for IACA, Nancy Nasca and Wendy Roy, were recently promoted to Manager, a title change that reflects the responsibilities they carry for IACA in addition to their audit engagement work. Nancy is also our departmental compliance coordinator, making sure IACA is aligned with the professional standards we must abide by as members of the internal audit profession. Additionally, Nancy is developing a training session that will be offered through RIT’s Center for Professional Development (CPD) on the topic of Risk Assessment. As internal auditors, we often talk about internal controls; this class will help attendees identify business risks that may require internal controls to be implemented or strengthened in order to meet business objectives. In other words, identifying “the things that keep you up at night.”

Wendy is our professional development coordinator, responsible for tracking the licensing and training that is required by our professional licenses and certifications. Wendy and I present our CPD offering of Internal Controls and Fraud in the Workplace as well as the Basic Business Essentials sessions for academic department heads. Wendy also hosts the popular IACA Monday Minute video series found here https://www.rit.edu/fa/iaca/content/iaca-monday-minute.

Chris VanHemel, our Staff and Audit Assistant, has learned new audit skills to expand her ability to assist with various types of audits.

The newest member of the IACA team is our Associate Internal Auditor, Alissa Jatsenti.  She is a CPA and was most recently with the accounting firm KPMG.  Alissa is new to the Rochester area and is very excited to be here at RIT.

Although our Senior IT Auditor position is currently vacant, we have begun to recruit for that position.

This past October, the IACA staff earned Six Sigma Yellow Belt certifications through RIT’s Center for Quality and Applied Statistics. For our in-class assignment (which extended beyond the class as well) we worked primarily on improving the format and distribution of our audit reports. Since our report is the final “product” of our services, it is a very important document for us as well as our clients. The goal was to simplify our reports, ensure the appropriate level of management is aware of the opportunities for improvement, and acknowledge areas that have effective and efficient internal controls – something most audit reports (including our previous report style) typically don’t include.

We are all excited and energized by the many changes that have occurred over the past months at IACA, and we remind you that we are here to serve the university community with professional services. We include time for advisory requests in our annual audit plan; so if you have a process/area that you would like reviewed, or just have an internal controls related question, please give any of us a call. We are here to serve the RIT Community.

Inform RIT

Contributed by: Ben Woelk, Program Manager, RIT Information Security Office, infosec@rit.edu

Inform RIT is a recurring column provided by the RIT Information Security Office. The column highlights current issues and initiatives that impact the RIT community. In this issue, we’ll talk about reliance on anti-virus for protection and the concept of layering.

Anti-virus isn’t enough!

For years, PC users have relied on anti-virus to provide them with 100% protection from attacks by malicious software, whether the attack occurs when visiting a website or opening an infected attachment. Mac users have sometimes assumed that they needed no malware protection whatsoever. What percentage of malware (malicious software, including viruses, worms, Trojans, etc.) do you think is detected by anti-virus software? 95%? 90%? 80%?

How does anti-virus work?

AV-Comparatives (https://av-comparatives.org) states that they are an independent organization offering systematic testing of PC/Mac-based antivirus products. Reading their most recent report is encouraging. Depending on the anti-virus product you choose, malware detection may be more effective now than ever. However, other studies (http://www.imperva.com/docs/HII_Assessing_the_Effectiveness_of_Antiviru…) have shown that anti-virus detection rates, although very good for some of the industry-leading products, are sorely lacking for some products, with detection rates of less than 50%. (McAfee, the anti-virus protection offered by RIT, scores well on both tests.)

OK. So you’ve chosen an anti-virus product with very high detection rates. Your worries are over, right? Unfortunately, it’s not that simple. 

Most anti-virus products score well against known samples. However, new malware variants are created hourly, and your anti-virus may or may not be good at detecting unknown malware. Anti-virus relies on two types of detection, signatures (also known as DAT files) of known malware and heuristic detection (behavioral analysis) of unknown malware. Not surprisingly, anti-virus doesn’t do as well against unknown malware threats as it does against known threats.

Another factor in determining anti-virus effectiveness is how long it takes an anti-virus firm to update their detections. The longer the gap between malware appearing and it being added as a signature, the longer you may be exposed to that malware threat.

OK. You’ve told me anti-virus isn’t enough and I may be starting to believe you. What do I need to do to protect myself?

The classic model of protection in information security is the concept of layering. Layering means that you don’t rely on any one level of protection (such as anti-virus) to provide all of your protection. For you, that means employing a combination of technical protections, practices, and a dose of common sense. The RIT Desktop and Portable Computer Standard (https://www.rit.edu/security/content/desktop-and-portable-computer-secu…) provides minimum requirements for protecting desktop computers.

Those requirements include ensuring that your firewall is active, that you’re up to date on security patches, that your computer is set to log you out automatically after a set time period (15 minutes is a good choice for most users), that your computer is encrypted when accessing private information, and a few other requirements.

The Password Standard (https://www.rit.edu/security/content/password) provides minimum password requirements, and we provide a brochure that explains how to create an easy-to-remember passphrase. Although there’s been a lot of talk about the usefulness of passwords, a good password provides an additional layer of protection.

Practices include the proper access, storage, and transfer of Private and Confidential information (IAP Standard), use of an appropriate RIT signature on official communication, and proper use of portable media. The Best Practices section of our website (https://www.rit.edu/security/content/keeping-safe) provides a great deal of information that will help you protect yourself (at home and at RIT), other members of the RIT community, and RIT resources.

Wait! That’s a lot I need to do!

Yes, in some ways that’s true. However, cyber criminals target you, not just computers and systems. Because we are each targeted, we need to not only take advantage of the protection provided by RIT, but also take an active role ourselves in providing protection. We’re not asking you to become a cyber warrior. We do want you to realize you have active adversaries and that the best technical protection can’t stop human error. Much of what we need to do is to slow down and think before we click. Our adversaries try to hurry us into making poor decisions.

We are refreshing the DSD101 course, Introduction to Digital Self Defense, and plan to begin offering it again later this summer. Let me know what you’d like us to cover in that class.

For more information about protecting yourself and RIT, visit the RIT Information Security Webpage (http://www.rit.edu/security), contact us at infosec@rit.edu, or call us at 585-475-4123.

Did you know that the RIT Information Security Office has more than 6800 likes on its Facebook Page (http://www.facebook.com/RITInfosec) and more than 1100 Twitter followers (@RIT_Infosec)? Like us or follow us today!

Committee of Sponsoring Organizations of the Treadway Commission (COSO) Corner

Contributed by: Nancy A. Nasca, Manager, Institute Audit, Compliance & Advisement, naniaca@rit.edu

As explained in previous editions of the Quaestor Quarterly, the COSO Framework (an internationally recognized standard with which the adequacy and effectiveness of an organization’s internal controls are evaluated) was updated in May 2013 to further define the principles underlying the five components of internal control (Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring). According to the Framework, these principles are fundamental concepts that must be present and functioning in order to achieve an effective system of internal control.

In addition, the Framework includes points of focus, or characteristics that are examples of behaviors or processes that would be expected to be in place to demonstrate that the related principle is in fact present and functioning. This edition of the COSO Corner will summarize the fifth and final principle relating to the Control Environment component of the COSO Framework, as well as the related points of focus.

Principle 5 – The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives:

  • Management and the Board of Trustees enforce accountability for performance of internal control responsibilities across the university and implement corrective action as necessary. At RIT, IACA provides the Audit Committee of the Board of Trustees a summary of audit results and periodic status updates on management’s implementation of corrective actions.
  • Performance measures, incentives and rewards are developed at all levels of the university to encourage the achievement of organizational objectives. These measures should be reviewed periodically for on-going relevance and adequacy. RIT’s current initiatives to review its staff performance appraisal system and update its tenure and promotion policies are consistent with this point of focus.
  • Employee performance is periodically measured against established measures, and rewards are allocated or disciplinary action is exercised as appropriate. RIT’s annual performance appraisal processes illustrate the application of this principle.
  • Pressures created by the establishment of goals and targets toward the achievement of objectives are balanced with appropriate messaging, incentives and rewards. RIT’s commitment to acknowledging staff and faculty member achievements in its numerous award and recognition programs demonstrates the presence of this principle.

Reference
Committee of Sponsoring Organizations of the Treadway Commission (May 2013). “Internal Control – Integrated Framework: Framework and Appendices.”

Additional Information by IACA

Watch IACA’s Monday Minute video series here!
Our video series focuses on opportunities for improving internal controls and increasing awareness of various university processes, policies, and protocols. If you have questions, feel free to contact anyone in the IACA office using information on our webpage.
Just to name a few, past topics include: Travel Policy changes, FERPA Regulations, RIT’s Ethics & Compliance Hotline, Records Management Policy, Risk Assessment, and many others.

What about ethics in the workplace?
Learn about the RIT Ethics and Compliance Hotline

IACA Team
Learn more about your IACA team.