Audits turn up shortcomings in computer security at UT

By Ralph K.M. Haurwitz
AMERICAN-STATESMAN STAFF
Sunday, April 6, 2003

Nearly two dozen audits of the University of Texas computer system in the past five years found no gaping holes in security but numerous shortcomings and policy violations that could place sensitive information at risk.

Reports by UT's Office of Internal Audits, which conducted the 23 reviews, said problems generally were corrected while the audits were under way or were scheduled to be corrected promptly.

The auditors examined computer operations ranging from payroll systems to student records. An employee training database that was breached in late February and early March, resulting in the downloading of 55,200 names and Social Security numbers from another database linked to the training records, did not rank high enough to warrant auditing, however.

Federal prosecutors have charged Christopher Andrew Phillips, 20, a junior at UT, with unauthorized access to the university's computer system and improper use of a Social Security number. Authorities say no nefarious use apparently was made of the downloaded information.

Among the problems cited in the audit reports:

* Authorizations to view and update data concerning student aid, student billing, donors and alumni were sometimes not revoked promptly when people left university employment or changed jobs.

* Backup systems needed to be improved so crucial services could continue in the event of a power outage, tornado, bombing or other disaster.

* Password requirements and storage practices for students and employees needed to be strengthened to reduce the risk of use by impostors.

* Security awareness training was needed for employees, along with stepped-up efforts to ensure that all students and employees sign a statement acknowledging acceptance of policies and procedures.

A May 1998 audit report that looked broadly at the university's many-layered and decentralized computer system said ongoing scrutiny not only makes sense but is required. State law directs agencies, including state universities, to take measures to protect against unauthorized or accidental disclosure, modification or destruction of electronic information.

"The university's information resources are accessible from around the world at any time. This expansion of connectivity and accessibility creates an infinite number of exposure points that can place critical university information resources at risk," the auditors warned in that report.

No audit of the training database has been conducted in the past five years, and university officials could not recall any before that. However, a July 2000 audit report on the university's VIP system, which tracks donor and alumni gifts touched on the training database.

The report said access to donor and alumni information was routinely granted to people who had participated in a training class on the VIP system; such participation is recorded in the training database. The audit report recommended that access should instead be determined by VIP office managers.

The report noted that 15 people had highly privileged full security administration access, even though most of them should not have had such responsibility. These included staff members from the Ex-Students Association and a former VIP development team member with access under two user identifications.

Also, many computer analysts no longer responsible for maintenance of the VIP system still had access to program libraries.

The problems were corrected during the audit.

UT's audit plan for the current fiscal year shows why the training database, known as TxClass, has not been audited: It wasn't considered a high priority.

Auditors decide which information technology areas to review based largely on risk scores, with zero the lowest risk and 50 the highest. Factors they consider include extent of use, technical complexity and public interest.

The training database got a 16.75 in the latest review, far below that of the areas chosen for audits this year, including the "Bevo Bucks" and "dining dollars" debit card systems (39.25), general network security (42.75) and online ticketing (39.25). In fact, the training database was among 287 areas scoring less than 25 and therefore not considered for auditing. A score of 25 was chosen for the cutoff "because the audit universe in this category is large and resources assigned to (information technology) audit projects is relatively small," the audit plan said.

An audit of the training database would have uncovered its vulnerabilities, said Lon Heuer, UT's director of internal audits. Information technology specialists at UT have revamped the database to tighten its security.

"I would imagine as we develop our audit plan for next year, we will be re-evaluating the use of Social Security numbers," Heuer said.

rhaurwitz@statesman.com; 445-3604