The Quaestor - Volume 11, Issue 3

Rolling with the Changes

Contributed by: Aldwin B. Maloto,  Jeffrey W. Butler, Ginger Howe

We  wanted  to  take  this  opportunity  to  allow  a few new RIT employees to introduce themselves...

From Global Risk Management Services Information Security Office

Aldwin Maloto

Chief Information Security Officer


Aldwin B. Maloto recently joined RIT as the Information Security Officer (ISO) on  July  1,  2016.  He  is  a  graduate  of  the  Management  Information  Systems (MIS) program and the Executive Masters of Business Administration (EMBA) program  at  the  E.  Philip  Saunders  College  of  Business.  Aldwin  is  also  a Certified  Information  Security  Manager  (CISM)  and  a  Certified  Information Systems Auditor (CISA). He brings  over 18 years of experience in Information Security  and  Information  Technology.  He  has  a  high  level  of  technical  and security expertise with  expert level knowledge of current data protection best practices, standards and applicable legislation, and is well versed with principles and  techniques of security risk analysis, disaster recovery planning, and business continuity processes. Aldwin has a comprehensive understanding  of  industry  frameworks,  approaches,  and  standards  such  as COBIT, ITIL, NIST 800, ISO 27000, European Union Safe Harbor Framework, Payment Card Industry Data Security Standards (PCI-DSS), and SSAE 16. He also has regulatory expertise in the Health Insurance Portability and  Accountability  Act (HIPAA), Health Information Technology  for  Economic and Clinical Health (HITECH) Act, 42CFR, Gramm Leach-Bliley Act  (GLBA), Sarbanes-Oxley (SOX), US Patriot Act, and EU Privacy Directive.

Aldwin is excited to be part of RIT’s ISO. The ISO partners with the university community to achieve the university's mission by maintaining an  appropriate level  of  information  security  risk  that  is  in  alignment  with  our  academic portfolio,  research  agenda  and  educational  model.  As  a  community,  we strongly endeavor to appropriately preserve the confidentiality, integrity and availability of university information assets through the innovative use of the committee. Aldwin will chair the Information Security Council. The council is comprised of technical and  senior  management  representatives  from  each  College,  Division  and  operating units across campus. The Information Security Council is the body responsible  for the creation of Information Security Standards at RIT.

“I am thrilled to be back at my Alma mater, doing work that I am really passionate about.  I  am  deeply  honored  to  be  working  amongst  some  of  the  best  minds  in  the industry  and  academia.  The  level  of  talent  and  diversity  that  you  see  on  campus  is really second to none, and I am very proud to be part of the RIT team.”

From Institute Audit, Compliance & Advisement

Jeffrey Butler

Senior Internal Auditor


My name is Jeffrey Butler, and I’m the new Associate Inernal Auditor in IACA. I attended St. Bonaventure University, where I received my BBA and MBA, both with a focus in Accounting. Since graduating, I’ve worked at both a Big 4 and a regional accounting firm, PwC and Insero & Co. CPAs, respectively. I’ve worked in consulting; audited for-profits, not-for-profits, and universities; and now I’ve found my way into internal audit and I couldn’t be happier to call myself a Tiger!

Inform RIT

Contributed by: Ben Woelk, Program Manager, RIT Information Security Office,

Inform  RIT  is  a  recurring  column  provided  by  the  RIT  Information  Security  Office.  The column highlights current issues and  initiatives  that impact  the  RIT community. In this issue, we’ll talk about the benefits of using a password manager. A special thank you to Eilysh  Haeger,  Information  Security  Communications  Associate  for  drafting  the  original article.

Why Use a Password Manager?

Using a password manager is the easiest way to keep your personal and private information safe. A password vault stores your passwords securely, allowing you to save the information in the cloud or on your personal computer. This allows you to use truly random combinations in all of your passwords, making them much harder for malicious users or bots to crack. Password managers also protect you from giving away private information inadvertently. In fact, there are multiple reasons you should be using a password manager right now.

Remember Only One Password

A password manager stores all of your passwords in a single account. The master password to your safe is the only password you’ll ever need to remember. Generate Random Passwords Password managers can generate random passwords for each of your accounts. Password cracking programs are designed to guess the most common passwords first so completely random passwords are far stronger than those you come up with off the top of your head.

Login to Accounts Simply

You can login to accounts the easy way. Once you sign up for a password manager, you can install a browser extension that will autofill logins for you while still storing them securely.

Easily Change Your Passwords

Password managers make it easy to change or reset passwords. If a website you have an account with has been hacked, you can stay secure by using a built-in password generator to create a new password. Some password managers can even reset your passwords with the click of a button. You can also choose to change all of your passwords periodically for optimal security.

Use the Convenient Autofill Feature
You can still use the form autofill feature when you have a password safe. Instead of letting your web browser save your form information, entrust your password manager to store your personal information safely.
Share Passwords Securely

You can share passwords to joint accounts with family or coworkers. Of course, it’s generally not recommended you give away your personal passwords, but for shared accounts, a password manager gives you the option to control who has access to passwords.

Store More Than Just Passwords

Answers to security questions, shopping profiles, memberships, and medical prescriptions are just a few examples of additional information that can be stored securely in a password safe.

Use the Same Password Manager Across Multiple Devices

Many password managers provide access across multiple devices. As we use our mobile devices more often (and as more websites provide optimized mobile experiences), this is increasingly important. Many of the password managers also provide support for passwords for apps.

Right now, several popular password managers are: LastPass, 1Password, KeePass, Dashlane, and RoboForm. If using a password manager at RIT, we recommend LastPass or KeePass.

Keep your personal information and accounts safe by switching to a password manager today!

Sign up for our DSD101 course, Introduction to Digital Self Defense, through CPD. Contact Ben if you’d like us to present DSD101 or provide information on other security topics to your department.

Like RIT Information Security at

Follow us on Twitter: @rit_infosec

This article was previously posted in May 2016 on the RIT Information Security website.

Committee of Sponsoring Organizations of the Treadway Commission (COSO) Corner

Contributed by: Nancy A. Nasca, Manager, Institute Audit, Compliance & Advisement,

As explained in previous editions of the Quaestor Quarterly, the COSO Framework (an internationally recognized standard with which the adequacy and effectiveness of an organization’s internal controls are evaluated) was updated in May 2013 to further define the principles underlying the five components of internal control (Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring). According to the Framework, these principles are fundamental concepts that must be present and functioning in order to achieve an effective system of internal control.

In addition, the Framework includes points of focus or characteristics that are examples of behaviors or processes that would be expected to be in place to demonstrate that the related principle is in fact present and functioning. This edition of the COSO Corner will summarize the ninth COSO principle which is the fourth  and  final  principle  related  to  the  Risk  Assessment  component  of  the  COSO Framework, as well as the related points of focus.

Principle 9 –   The  university  identifies  and  assesses  changes  that  could  significantly impact the system of internal control.  The three key areas where the university should consider changes include:

  • The  External  Environment  –  As  economic,  industry,  and  regulatory  environments change, the university should consider the need to adapt and evolve.  For example, as  a  result  of  recent  revisions  to  the  U.S.  Department  of  Labor  regulations governing  exemptions  to  the  Fair  Labor  Standards  Act,  Human  Resources  is working  with  senior  leadership  of  the  university  to  determine  what  actions  are required in order for RIT to remain in compliance with the new regulations. 
  • The  Business Model  –  The  university should consider the potential impact of new business  models  on  the  system  of  internal  control,  changing  reliance  on  foreign geographies,  and  new  technologies.  As  opportunities  arise  to  enter  into  new  joint ventures or affiliation agreements to advance RIT’s Strategic Plan (e.g., to facilitate the expansion of global engagement), senior leaders should evaluate if revisions to current  university  policies  and  procedures  will  be  necessary  to  support  these  new ventures.
  • Leadership  –  The  university  community  should  consider  changes  in  management and respective attitudes and philosophies on the system of internal control.  This is particularly relevant for RIT with some of the recent changes in College leadership, and as we begin the search for a new president.

In the next Quaestor Quarterly, we will review Principle 10, the first principal related to the  Control  Activities  component  of  the  COSO  Framework.      Control  activities  are  the actions  established  through  policies  and  procedures  to  assist  with  the  mitigation  of risks which threaten the achievement of the university’s key objectives.

Committee of Sponsoring Organizations of the Treadway Commission (May 2013). “Internal Control – Integrated Framework – Framework and Appendices”

Additional Information by IACA

Watch IACA’s Monday Minute video series here!
Our video series focuses on opportunities for improving internal controls and increasing awareness of various university processes, policies, and protocols. If you have questions, feel free to contact anyone in the IACA office using information on our webpage.
Just to name a few, past topics include: Travel Policy changes, FERPA Regulations, RIT’s Ethics & Compliance Hotline, Records Management Policy, Risk Assessment, and many others.

What about ethics in the workplace?
Learn about the RIT Ethics and Compliance Hotline

Learn more about your IACA team.