Contributed by: Patrick M. Didas, Assistant Vice President, Institute Audit, Compliance & Advisement
It appears we have finally shaken the cold winter and can welcome spring. The past several months have been a time of change at IACA as well. We have been busy adjusting to new roles and responsibilities while continuing to provide the same level of high quality professional internal auditing services to the RIT community.
This past November, I was named Assistant Vice President of IACA. However, as most of you likely know, I’m not new to IACA; I have been the Associate Director of IACA for the past nine years. In my current role, I have a dual reporting relationship reporting both to Dr. Watters, RIT’s Senior Vice President for Finance and Administration, as well as the Chairperson of the Audit Committee of the Board of Trustees. That reporting relationship provides IACA the independence required of an internal audit function.
The two former Senior Internal Auditors for IACA, Nancy Nasca and Wendy Roy, were recently promoted to Managers, a title change that reflects the responsibilities they carry for IACA in addition to their audit engagement work. Nancy is also our departmental compliance coordinator, making sure IACA is aligned with the professional standards we must abide by as members of the internal audit profession. Additionally, Nancy is developing a training session on the topic of Risk Assessment that will be offered through RIT’s Center for Professional Development (CPD). As internal auditors, we often talk about internal controls; this class will help attendees identify the business risks that may require internal controls to be implemented or strengthened in order to meet business objectives. In other words, identifying “the things that keep you up at night.”
Wendy is our professional development coordinator, responsible for tracking the licensing and training that is required by our professional licenses and certifications. Wendy and I present our CPD offering of Internal Controls and Fraud in the Workplace as well as the Basic Business Essentials sessions for academic department heads. Wendy also hosts the popular IACA Monday Minute video series found here https://www.rit.edu/fa/iaca/content/iaca-monday-minute.
Chris VanHemel, our Staff and Audit Assistant, has learned new audit skills to expand her ability to assist with various types of audits.
The newest member of the IACA team is our Associate Internal Auditor, Alissa Jatsenti. She is a CPA and was most recently with the accounting firm KPMG. Alissa is new to the Rochester area and is very excited to be here at RIT.
Although our Senior IT Auditor position is currently vacant, we have begun to recruit for that position.
This past October, the IACA staff earned Six Sigma Yellow Belt certifications through RIT’s Center for Quality and Applied Statistics. For our in-class assignment (which continued beyond the classroom as well) we worked primarily on improving the format and distribution of our audit reports. Since our report is the final “product” of our services, it is a very important document for us as well as our clients. The goal was to simplify our reports, ensure the appropriate level of management is aware of the opportunities for improvement, and acknowledge areas that have effective and efficient internal controls – something most audit reports (including our previous report style) typically don’t include.
We are all excited and energized by the many changes that have occurred over the past months at IACA and we remind you that we are here to serve the university community with professional services. We include time for advisory requests in our annual audit plan; so if you have a process/area that you would like reviewed, or just have an internal controls related question, please give any of us a call. We are here to serve the RIT Community.
Contributed by: Ben Woelk, Program Manager, RIT Information Security Office, firstname.lastname@example.org
Inform RIT is a recurring column provided by the RIT Information Security Office. The column highlights current issues and initiatives that impact the RIT community. In this issue, we’ll talk about reliance on anti-virus for protection and the concept of layering.
For years, PC users have relied on anti-virus to provide them with 100% protection from attacks by malicious software, whether the attack occurs when visiting a website or opening an infected attachment. Mac users have sometimes assumed that they needed no malware protection whatsoever. What percentage of malware (malicious software, including viruses, worms, Trojans, etc.) do you think is detected by anti-virus software? 95%? 90%? 80%?
How does anti-virus work?
AV-Comparatives (https://av-comparatives.org) states that they are an independent organization offering systematic testing of PC/Mac-based antivirus products. Reading their most recent report is encouraging. Depending on the anti-virus product you choose, malware detection may be more effective now than ever. However, other studies (http://www.imperva.com/docs/HII_Assessing_the_Effectiveness_of_Antiviru…) have shown that anti-virus detection rates, although very good for some of the industry-leading products, are sorely lacking for some products, with detection rates of less than 50%. (McAfee, the anti-virus protection offered by RIT, scores well on both tests.)
OK. So you’ve chosen an anti-virus product with very high detection rates. Your worries are over, right? Unfortunately, it’s not that simple.
Most anti-virus products score well against known samples. However, new malware variants are created hourly, and your anti-virus may or may not be good at detecting unknown malware. Anti-virus relies on two types of detection, signatures (also known as DAT files) of known malware and heuristic detection (behavioral analysis) of unknown malware. Not surprisingly, anti-virus doesn’t do as well against unknown malware threats as it does against known threats.
Another factor in determining anti-virus effectiveness is how long it takes an anti-virus firm to update their detections. The longer the gap between malware appearing and it being added as a signature, the longer you may be exposed to that malware threat.
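As an added illustration (not from this column or from any real anti-virus product), the toy scanner below combines an exact-hash signature set with weighted behavioural heuristics over constructed sample strings. It shows a re-versioned variant slipping past the signature list but tripping the heuristics, a more obfuscated variant evading both, and the gap closing only once a signature for the variant is added.

```python
import hashlib
import re

# Constructed "known malware" corpus: a stand-in for a file a vendor has already analysed.
# This is a plain string, not real malware; its hash is derived from it right here.
KNOWN_DROPPER = b"DROPPER v1: download http://example.invalid/p.exe; run; persist"
SIGNATURES = {hashlib.sha256(KNOWN_DROPPER).hexdigest()}

# Behavioural indicators with weights (constructed). A real heuristic engine watches
# actions rather than strings, but the scoring idea is the same.
HEURISTICS = [
    (re.compile(rb"download https?://\S+"), 2),
    (re.compile(rb"\brun\b"), 1),
    (re.compile(rb"\bpersist\b"), 2),
]
THRESHOLD = 3

def signature_match(sample: bytes) -> bool:
    """Exact-hash lookup: catches only samples already in the signature set."""
    return hashlib.sha256(sample).hexdigest() in SIGNATURES

def heuristic_score(sample: bytes) -> int:
    """Sum the weights of the indicators present in the sample."""
    return sum(weight for pattern, weight in HEURISTICS if pattern.search(sample))

def classify(sample: bytes) -> str:
    if signature_match(sample):
        return "known (signature)"
    if heuristic_score(sample) >= THRESHOLD:
        return "suspicious (heuristic)"
    return "clean"

def add_signature(sample: bytes) -> None:
    """The vendor's update step: once a sample is analysed, its hash joins the set."""
    SIGNATURES.add(hashlib.sha256(sample).hexdigest())

# Constructed samples: a trivially re-versioned variant, one with mangled keywords, and a benign file.
VARIANT = KNOWN_DROPPER.replace(b"v1", b"v2")
EVASIVE = b"DROPPER v3: d0wnload hxxp://example.invalid/p.exe; r_un; per-sist"
BENIGN = b"UPDATER: check version; notify user"

if __name__ == "__main__":
    for name, sample in [("known", KNOWN_DROPPER), ("variant", VARIANT),
                         ("evasive", EVASIVE), ("benign", BENIGN)]:
        print(f"{name:8s} -> {classify(sample)}")
    add_signature(VARIANT)  # the exposure window lasts until this update ships
    print(f"variant after signature update -> {classify(VARIANT)}")
```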
OK. You’ve told me anti-virus isn’t enough and I may be starting to believe you. What do I need to do to protect myself?
The classic model of protection in information security is the concept of layering. Layering means that you don’t rely on any one level of protection (such as anti-virus) to provide all of your protection. For you, that means employing a combination of technical protections, practices, and a dose of common sense. The RIT Desktop and Portable Computer Standard https://www.rit.edu/security/content/desktop-and-portable-computer-secu… provides minimum requirements for protecting desktop computers.
Those requirements include ensuring that your firewall is active, that you’re up to date on security patches, that your computer is set to log you out automatically after a set time period (15 minutes is a good choice for most users), that your computer is encrypted when accessing private information, and a few other requirements.
The Password Standard (https://www.rit.edu/security/content/password) provides minimum password requirements; and we provide a brochure that explains how to create an easy-to-remember passphrase. Although there’s been a lot of talk about the usefulness of passwords, a good password provides an additional layer of protection.
Practices include the proper access, storage, and transfer of Private and Confidential information (IAP Standard), use of an appropriate RIT signature on official communication, and proper use of portable media. The Best Practices section of our website (https://www.rit.edu/security/content/keeping-safe) provides a great deal of information that will help you protect yourself (at home and at RIT), other members of the RIT community, and RIT resources.
Wait! That’s a lot I need to do!
Yes, in some ways that’s true. However, cyber criminals target you, not just computers and systems. Because we are each targeted, we need to not only take advantage of the protection provided by RIT, but to take an active role ourselves in providing protection. We’re not asking you to become a cyber warrior. We do want you to realize you have active adversaries and that the best technical protection can’t stop human error. Much of what we need to do is to slow down and think before we click. Our adversaries try to hurry us into making poor decisions.
We are refreshing the DSD101 course, Introduction to Digital Self Defense, and plan to begin offering it again later this summer. Let me know what you’d like us to cover in that class.
Did you know that the RIT Information Security Office has more than 6800 likes of its Facebook Page (http://www.facebook.com/RITInfosec) and more than 1100 Twitter followers (@RIT_Infosec)? Like us or follow us today!
Committee of Sponsoring Organizations of the Treadway Commission (COSO) Corner
Contributed by: Nancy A. Nasca, Manager, Institute Audit, Compliance & Advisement, email@example.com
As explained in previous editions of the Quaestor Quarterly, the COSO Framework (an internationally recognized standard with which the adequacy and effectiveness of an organization’s internal controls are evaluated) was updated in May 2013 to further define the principles underlying the five components of internal control (Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring). According to the Framework, these principles are fundamental concepts that must be present and functioning in order to achieve an effective system of internal control.
In addition, the Framework includes points of focus or characteristics that are examples of behaviors or processes that would be expected to be in place to demonstrate that the related principle is in fact present and functioning. This edition of the COSO Corner will summarize the fifth and final principle relating to the Control Environment component of the COSO Framework, as well as the related points of focus.
Principle 5 – The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives:
Management and the Board of Trustees enforce accountability for performance of internal control responsibilities across the university and implement corrective action as necessary. At RIT, IACA provides the Audit Committee of the Board of Trustees a summary of audit results and periodic status updates on management’s implementation of corrective actions.
Performance measures, incentives and rewards are developed at all levels of the university to encourage the achievement of organizational objectives. These measures should be reviewed periodically for on-going relevance and adequacy. RIT’s current initiatives to review its staff performance appraisal system and update its tenure and promotion policies are consistent with this point of focus.
Employee performance is periodically measured against established measures, and rewards are allocated or disciplinary action is exercised as appropriate. RIT’s annual performance appraisal processes illustrate the application of this principle.
Pressures created by the establishment of goals and targets toward the achievement of objectives are balanced with appropriate messaging, incentives and rewards. RIT’s commitment to acknowledging staff and faculty member achievements in its numerous award and recognition programs demonstrates the presence of this principle.
Committee of Sponsoring Organizations of the Treadway Commission (May 2013). “Internal Control – Integrated Framework – Framework and Appendices”
Additional Information by IACA
Watch IACA’s Monday Minute video series here!
Our video series focuses on opportunities for improving internal controls and increasing awareness of various university processes, policies, and protocols. If you have questions, feel free to contact anyone in the IACA office using information on our webpage.
Just to name a few, past topics include: Travel Policy changes, FERPA Regulations, RIT’s Ethics & Compliance Hotline, Records Management Policy, Risk Assessment, and many others.