Arizona's Universities - Information Technology Security (June 2008)

SUMMARY

The Office of the Auditor General has conducted a performance audit of information technology security at Arizona State University (ASU), the University of Arizona (UA), and Northern Arizona University (NAU) pursuant to Arizona Revised Statutes (A.R.S.) §41-2958. This audit was conducted under the authority vested in the Auditor General by A.R.S. §41-1279.03 and is the third in a series of three performance audits of the universities. The other two audits focus on technology transfer programs and capital project financing.

Information technology (IT) security practices are important for Arizona's universities to protect large amounts of sensitive and confidential information that are stored on their computer systems, including information for more than 122,000 students and nearly 25,000 faculty and staff. Universities in general are attractive targets for computer hackers because universities traditionally have a strong culture of academic freedom that values open access to information and a free exchange of ideas. By providing numerous computers and high-capacity Internet access that allows for a large exchange of information at high speeds, universities not only accommodate their many users, but also create an attractive target for computer hacking. University IT security problems are occurring more often through weaknesses in computer programs called Web-based applications. Web-based applications are popular because users can view or update information over a Web browser, such as Internet Explorer, rather than having to download the programs onto their personal computers. The Arizona universities combined use at least 205 significant Web-based applications for educational and administrative purposes, such as curriculum and course management, documenting personal information for admissions and financial aid, and processing financial, payroll, and other transactions, such as purchasing parking permits.

Universities need to improve Web-based application security (see pages 9 through 15)

ASU's, UA's, and NAU's Web-based applications are vulnerable. Auditors were able to gain unauthorized access to sensitive information, such as social security numbers, and could have modified or deleted important university information. Auditors were able to gain this access by exploiting some critical and commonly found weaknesses that exist in many of the universities' Web-based applications. For example:

  • Security weaknesses in one Web-based application allowed auditors to access a database and obtain more than 10,000 records with names and social security numbers. Auditors also obtained other records that contained student identification numbers, addresses, phone numbers, and e-mail addresses. Auditors also had the ability to modify and delete this information.

  • In two other applications, auditors were able to exploit a security weakness that would have allowed them to take over a large number of user accounts, including accounts with high-level access.

  • In many applications, auditors discovered a security flaw that would allow an attacker to take over user accounts and install malicious software.

Such vulnerabilities are likely to exist in many more of the universities' Web-based applications. Auditors did not attempt to identify every flaw that may exist because the testing was designed to determine what the impact could be if certain identified vulnerabilities were successfully exploited. However, based on the results, auditors concluded that the security flaws they identified are likely to exist in other university Web-based applications.

To better protect the information processed through their Web-based applications, ASU, UA, and NAU need to:

  • Conduct regular security assessments of Web-based applications. The universities first need to determine how many Web-based applications they have and then make provisions to regularly update their lists of applications. They then need to develop and implement procedures for regularly conducting security reviews of their critical Web-based applications.

  • Develop a university-wide policy and associated procedures for updating Web servers, which are computers that host Web-based applications. Software vulnerabilities are constantly being discovered and publicized, and the universities need to develop or enhance: (1) procedures for identifying vulnerabilities relevant to their Web servers, (2) a timeline for reacting to notifications of newly discovered Web server vulnerabilities, and (3) a process for determining whether to apply a software update, establish another control to address the Web server vulnerability, or accept the risk of not updating the software.

  • Ensure that security is built into the process for developing Web-based applications. According to ASU, UA, and NAU officials, none of them have university-wide security standards for developing applications. According to an IT best practice, building security into the development process is more cost-effective and secure than applying it afterwards.[1]

  • Provide training to application developers so that they are aware of common Web-based application vulnerabilities and methodologies that can be used to avoid them. None of the universities have a training program that is mandatory for all users and geared toward an individual's role within the university.
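The Web-server update process in the second recommendation above (identify the vulnerabilities relevant to the servers actually run, react within a set timeline, then patch, add another control, or accept the risk), modelled as an added Python example that is not part of the audit report. The advisory ids, software versions, severity-based timeline and server inventory are constructed assumptions, not data from the universities.

```python
"""Web-server vulnerability triage following the three-part update policy
recommended above: (1) find advisories relevant to servers actually run,
(2) apply a response timeline, (3) record a disposition. All data is made up."""
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Advisory:
    advisory_id: str      # placeholder id, not a real identifier
    software: str
    affected_versions: set
    published: date
    severity: str         # critical | high | medium | low

# Step 2: assumed response timeline in days after publication, by severity
TIMELINE_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
# Step 3: the three dispositions the recommended policy allows
DISPOSITIONS = {"patch", "compensating_control", "accept_risk"}

def relevant_advisories(servers, advisories):
    """Step 1: keep advisories matching a (host, software, version) we run."""
    out = []
    for adv in advisories:
        hosts = [h for h, sw, ver in servers
                 if sw == adv.software and ver in adv.affected_versions]
        if hosts:
            out.append((adv, hosts))
    return out

def triage(servers, advisories, decisions, today=None):
    """Per relevant advisory: hosts, deadline, recorded disposition
    (decisions maps advisory_id -> DISPOSITIONS entry) and an overdue flag."""
    today = today or date.today()
    report = []
    for adv, hosts in relevant_advisories(servers, advisories):
        due = adv.published + timedelta(days=TIMELINE_DAYS[adv.severity])
        action = decisions.get(adv.advisory_id, "undecided")
        if action != "undecided" and action not in DISPOSITIONS:
            raise ValueError(f"unknown disposition {action!r}")
        report.append({"advisory": adv.advisory_id, "hosts": hosts, "due": due,
                       "decision": action,
                       "overdue": action == "undecided" and today > due})
    return report

# Constructed sample inventory and advisories (versions are made up)
SERVERS = [("www1", "httpd", "2.2.8"), ("portal", "tomcat", "6.0.16"),
           ("legacy", "httpd", "2.0.63")]
ADVISORIES = [Advisory("ADV-0001", "httpd", {"2.2.8"}, date(2008, 6, 1), "critical"),
              Advisory("ADV-0002", "tomcat", {"5.5.26"}, date(2008, 6, 3), "high"),
              Advisory("ADV-0003", "httpd", {"2.0.63"}, date(2008, 2, 1), "medium")]
DECISIONS = {"ADV-0001": "patch"}  # ADV-0003 has no recorded decision yet
```

Running `triage(SERVERS, ADVISORIES, DECISIONS)` drops the tomcat advisory (no matching version in the inventory) and flags ADV-0003 as overdue because its 90-day window passed with no disposition recorded.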

Universities need to develop comprehensive IT security programs (see pages 17 through 28)

All three Arizona universities have taken some key steps toward developing an overall IT security approach; however, additional work is needed.

  • Creating information security staffs—Over the past few years, ASU, UA, and NAU have established and filled information security officer (ISO) positions and made these ISOs responsible for information security efforts university-wide. Until the ISOs were hired, the universities had not had any staff whose sole responsibility included directing and coordinating all aspects of information security across the university.

  • Developing information security programs—The universities are at varying stages in developing formal programs to guide their information security efforts, but none have yet developed all the standards or procedures needed to support a complete information security program. The universities are in the beginning stages of implementing their information security programs, in part because the ISO positions are relatively new. All three universities' programs will consist of an overall information security policy and supplemental standards that will provide guidance on how to implement key information security features. According to IT standards and best practices, an effective information security program consists of at least four key security features: (1) classifying and protecting data according to its sensitivity, (2) conducting risk assessments, (3) providing users with security awareness education and training, and (4) responding to information security threats or incidents. The universities' programs lack many of the policies, standards, or procedures needed to effectively address these features.

    ASU, UA, and NAU also need to identify the necessary resources for implementing their information security programs, including determining whether they have adequate resources internally or need to request additional funding. Then, after their programs are put in place, the universities need to monitor university-wide program compliance.

[1] Information Security Forum. "The Standard of Good Practice for Information Security." 2007. Information Security Forum. November 6, 2007.

Copyright 2005 State of Arizona Office of the Auditor General, All Rights Reserved.