Another Way to Share Your Financial, Compliance, and Ethical Concerns – the RIT Ethics Hotline
Contributed by: Steven Morse, Assistant Vice President, Institute Audit Compliance & Advisement
In the complex and fast moving work environments we find ourselves in these days, we may observe situations or activities that just don’t seem right. In the Taking Responsibility document which may be found at www.rit.edu/fa/iaca/sites/rit.edu.fa.iaca/files/forms/ethicsbrochure.pdf, Dr. Destler states that “The University’s reputation depends on the personal integrity and commitment of every person. Each employee shares in the responsibility to promote a safe and ethical environment, to conduct their business and employment activities in a highly principled fashion, and to report violations of the Institute’s ethical standards.” When we observe these situations or activities and when discussion with a supervisor may be challenging or may make us feel uneasy about bringing the issue forward, RIT employees have another way to alert management that something may be amiss – the RIT Ethics Hotline.
The RIT Ethics Hotline (the Hotline) was established in November 2005. The Hotline is an ideal way for RIT employees to report financial, compliance, and ethical (including conflicts of interest) concerns they have observed whilemaintaining anonymity. The Hotline is hosted by EthicsPoint, a Navex Global company. It is important to note that the Hotline is NOT intended to supersede existing processes for reporting concerns or emergencies(such as speaking to a supervisor or contacting the Human Resources or the Public Safety Department),but rather to be an option for employees who are uncomfortable reporting a situation in person.
To report a concern, an employee may do so electronically at www.ethicspoint.com, by telephone at 866-294-9358, or by TTY at 866-294-9572. The reporter will first be asked to categorize the report into one of five general categories: financial, research, employee benefits, confidentiality, or information security/privacy. The reporter may choose to remain anonymous or to identify themselves. Of the reports received to date, approximately 82% of the reporters have chosen to remain anonymous. There are a number of RIT websites (i.e., Controller’s Office, Global Risk Management Services, and IACA) that have a link to the Hotline to click on which will take you to the RIT EthicsPoint File a Report webpage. Also, Dr. James Watters’ (Senior Vice President for Finance & Administration) webpage www.rit.edu/fa/svp/(Ethics and Compliance sidebar) has information about the Hotline and a link to make a report.
After a report is made, a small group of senior RIT managers (report recipients) receive the report and promptly dispatch the report to the appropriate RIT department(s) for investigation (i.e., Human Resources, IACA, Controller’s Office). It is important to note that all investigations are performed in a careful and methodical manner thereby maintaining confidentiality at all points along the way. Soon after the report is received, a general receipt acknowledgement is posted in the system. An investigating department, via the report recipient, may choose to communicate with the reporter and ask additional questions by utilizing the Hotline system. Once a reporter files a report, he/she is provided with a code so that they may log back into their report (or call back) to see if “RIT” has any questions for them. This anonymous back and forth discussion is a useful function of the EthicsPoint system. The reporter is under no obligation to provide additional information; however, receiving such information can often facilitate the investigation.
At the conclusion of an investigation, the appropriate report recipient will post a concluding comment similar to “the investigation has been completed; thank you for using the RIT Ethics Hotline to report your concern.”
The RIT Ethics Hotline is a great option for employees to utilize when they are uncomfortable about bringing a concern forward in person. Every report is taken seriously and is appropriately investigated. If you have any questions about the Hotline, please contact me at firstname.lastname@example.org.
Contributed by Ben Woelk, Program Manager, Information Security Office
Inform RIT is a recurring column provided by the RIT Information Security Office. The column highlights current issues and initiatives that impact the RIT community. In this issue, we’ll talk about secure use of mobile devices. Our thanks to Professor Rick Mislan and the Department of Computing Security for providing core information for the article below.
Mobile devices (smartphones, tablets, iOS devices, etc.) pose difficult security risks. They’re often personally-owned and may not have the security controls you would expect on a laptop or desktop computer. Organized crime is funding development of malware to attack mobile devices. It’s important to understand what types of security controls you should use to protect both yourself and RIT.
There are a number of ways in which information on a mobile device may be breached: theft of the device, attacks on your service provider, wireless hijacking or "sniffing," and unauthorized access. Because mobile devices may be more easily stolen or compromised, users of these devices must take precautions when using them to store or access Private or Confidential Information.
Private Information and Mobile Device Use
We recommend that Private Information NOT be accessed from or stored on mobile devices. If Private Information must be accessed from or stored on a mobile device, then the information on the mobile device must be encrypted. Password protection alone is NOT sufficient.
To ensure that RIT information will remain secure, you should use only devices that provide encryption while information is in transit and at rest.
Security requirements for handling RIT Private, Confidential, and other information may be found in the Information Access and Protection Standard < www.rit.edu/security/content/information-access-protection-standard>.
General Guidelines for Mobile Device Use at RIT
Understand Your Device
Configure mobile devices securely.Depending on the specific device, you may be able to:
Enable auto-lock.(This may correspond to your screen timeout setting).
Enable password protection.
Use a reasonably complex password where possible.
Avoid using auto-complete features that remember user names or passwords. You may want to use a password safe application where available.
Ensure that browser security settings are configured appropriately.
Enable remote wipe options(third party applications may also provide the ability to remotely wipe the device; if you're connecting to mymail.rit.edu with ActiveSync for email and calendaring, you may wipe all data and applications from your device remotely from mymail.rit.edu).
Disable Bluetooth(if not needed). This will help prolong battery life and provide better security.
Ensure that sensitive websites use HTTPS in your browser URL on both your computer and mobile device.
Know your mobile vendor's policieson lost or stolen devices. Know the steps you need to take if you lose your device. Report the loss to your carrier ASAP so they can deactivate the device.
Use appropriate sanitation and disposalprocedures for mobile devices.
Use Added Features
Keep your mobile device andapplications on the device up to date.Use automatic update options if available.
Install an antivirus/security program(if available) and configure automatic updates if possible. Like computers, mobile devices have operating systems with weaknesses that attackers may exploit.
Use an encryption solutionto keep portable data secure in transit and at rest. WPA2 is encrypted. 3G encryption has been cracked. Use an SSL (HTTPS) connection where available.
Never leave your mobile device unattended.
Report lost or stolen devicesand change any passwords(such as RIT WPA2) immediately.
Include contact information with the device:On the lock screen (if possible). For example, "If found, please call RIT Public Safety at 585-475-2853. "Engraved on the device or inserted into the case.
For improved performance and security,register your deviceand connect to the RIT WPA2network where available.
Visit the RIT Information Security website <www.rit.edu/security> to read the security standards, access security tools and software, or find out more ways to protect yourself.
Committee of Sponsoring Organizations of the Treadway Commission (COSO) Corner
Contributed by: Nancy A. Nasca, Manager, Institute Audit, Compliance & Advisement, email@example.com
As explained in previous editions of the Quaestor Quarterly, the COSO Framework (an internationally recognized standard with which the adequacy and effectiveness of an organization’s internal controls are evaluated) was updated in May 2013 to further define the principles underlying the five components of internal control (Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring). According to the Framework, these principles are fundamental concepts that must be present and functioning in order to achieve an effective system of internal control.
In addition, the Framework includes points of focus or characteristics that are examples of behaviors or processes that one would expect to be in place in order to conclude that the related principle is in fact present and functioning. This edition of the COSO Corner will summarize the first principle relating to the Control Environment component of the Framework, as well as the related points of focus (or expected controls).
Principle 1 – The university (including its board, management, and all faculty and staff members) demonstrates a commitment to integrity and ethical values. Key characteristics (points of focus) relating to this principle include:
The Board of Trustees and management at all levels of the entity demonstrate through their directives, actions and behavior the importance of integrity and ethical values to support the functioning of the system of internal control.
The expectations of the Board of Trustees and senior management concerning integrity and ethical values are defined in the entity’s standards of conduct and understood at all levels of the organization.
Processes are in place to evaluate the performance of individuals and teams against the expected standards of conduct.
Deviations from the university’s expected standards of conduct are identified and remedied in a timely and consistent manner.
Our video series focuses on opportunities for improving internal controls and increasing awareness of various university processes, policies, and protocols. If you have questions, feel free to contact anyone in the IACA office using information on our webpage.
Just to name a few, past topics include: Travel Policy changes, FERPA Regulations, RIT’s Ethics & Compliance Hotline, Records Management Policy, Risk Assessment, and many others.