288   Chapter 10 • Global, Ethics, and Security Management


BOX 10-2    UC Berkeley—Privacy and Security Violations

Over the past few years, colleges and universities have been implementing ERP systems to integrate all student information into one main database. Students enroll in classes, drop classes, pay bills, receive grades, and update personal information all in one central location. This is a great idea because in the past, if a student moved, they would have to change their address at the registrar's office, the financial aid office, and the admissions office; it was a redundant and frustrating process. With the implementation of these systems, however, came violations of security. Most of the integrated systems are themselves secure, but individuals with certain access rights are able to download information to their laptops or PCs, and that is when the information becomes insecure and passes out of the control of the CIO who oversees the centrally located systems. There was a major incident at Berkeley in 2005:

"As chancellor of the Berkeley campus, I was stunned to learn of the theft of a laptop computer in the graduate division, which contained personal information for approximately 98,000 current and former graduate students as well as persons who applied to our graduate programs. Our students, staff, and alumni expect us to protect the information they have given us confidentially, and we have not maintained that trust. This incident revealed serious gaps in our management of this kind of data. The campus has been instituting new policies to address these issues for several months, and we will do much more. Accountability for this effort ultimately lies with me." 34


records (Colorado Analytical Research & Development). 35 Exhibits 1-1 and 1-2 present a more comprehensive list of requirements, but the main ones are that all data must be accurate and that a record is available of when the data were entered or changed and by whom. SOX has more requirements regarding auditing data and access to the data. Digital data are now more common than data recorded on paper. Signatures on paper are being replaced with digital signatures backed by some sort of biometrics or, as is more common, an ID and password. But the most telling issue is that managers must now understand how their computer systems process data.
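The audit-trail requirement just described (who entered or changed a record, and when) can be met with an append-only change log whose entries are chained by hash, so that a later edit to any entry is detectable. This is an added example, not code from the textbook; the user names, record IDs and field values are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed example: a hash-chained audit trail for changes to ERP
# student records. Each entry stores who changed which field, the old and
# new values, and when; its hash covers the previous entry's hash, so
# altering or removing an earlier entry breaks every later link.

def _entry_hash(prev_hash, entry):
    """Hash of an entry body together with the hash of the entry before it."""
    payload = json.dumps(entry, sort_keys=True).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()

class AuditTrail:
    GENESIS = "0" * 64  # link value used before the first entry

    def __init__(self):
        self.entries = []

    def record_change(self, user, record_id, field, old, new, when=None):
        """Append one change; returns the new entry's chain hash."""
        when = when or datetime.now(timezone.utc).isoformat()
        entry = {"user": user, "record_id": record_id, "field": field,
                 "old": old, "new": new, "when": when}
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry["hash"] = _entry_hash(prev, entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Return the index of the first entry whose chain link is broken,
        or -1 if the whole trail is intact."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if _entry_hash(prev, body) != e["hash"]:
                return i
            prev = e["hash"]
        return -1

    def history(self, record_id):
        """All recorded changes to one record, oldest first."""
        return [e for e in self.entries if e["record_id"] == record_id]
```

An auditor can answer "who changed this and when" from history(), and verify() shows whether the log itself has been altered since the entries were written.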
"If you can't explain how things going into the sausage machine come out the other end, then you will be in trouble," said a compliance officer with a London investment bank. For example, upcoming international capital adequacy rules, known as Basel II, will require firms to consider operational risk, such as the risk of a trade not being settled, when calculating capital levels. Without a clear view of how a firm's systems process trades, it will be very difficult to calculate operational risk, he noted. SOX, meanwhile, requires that firms audit and understand their own software. "Before it was like getting a driver's license; as long as you could drive the software you were fine," said Kusionowicz. "But now they are saying you have to show you know what IT systems are doing, so to get your driver's license you have to be able to strip down and rebuild an engine" (Compliance Reporter).
ERP systems are time-savers and money-savers, but the very complexity that makes them so advantageous also means that they have many potential areas of weakness. Security of the data is of utmost importance if a company wishes to satisfy an auditor that it is in compliance with all the regulations mentioned in SOX. In 2005, a study showed that a large company can expect to spend 70,000 man-hours and $7.8 million reporting and correcting material weaknesses in its financial controls (Dave McClure).


34 www.educause.edu/apps/er/erm05/erm05613.asp?bhcp=1 (accessed February 2001).
35 Keatley, K. L. (April–June 1999). A review of US EPA and FDA requirements for electronic records, electronic signatures, and electronic submissions. Quality Assurance, 7(2), 77–89. Colorado Analytical Research & Development, an Operating Unit of Pyxant Labs, Inc., Colorado Springs 80907, USA.