Arizona State University, Northern Arizona University (NAU), and the University of Arizona (UA) have implemented several information technology (IT) security practices consistent with IT standards and best practices, but these practices can be improved. Specifically, relatively few university employees were susceptible to auditors’ simulated social engineering attacks, but some employees took actions that could have provided an attacker with access to sensitive data, indicating a need to improve security awareness training. In addition, although the universities’ security controls limited auditors’ attempts to gain unauthorized access to their IT systems, auditors were able to exploit some vulnerabilities to access sensitive data. The universities should enhance their existing policies and procedures in five key areas to further reduce these potential vulnerabilities. Further, each university has established components of an IT security governance framework, but NAU and UA should continue to develop and implement their frameworks. The Arizona Board of Regents should also expand its oversight of the universities’ IT security efforts. Finally, each university can improve its data classification processes, and NAU and UA should improve their IT risk assessment and incident response processes.