An Audit Report on the Protection of Confidential Information and Critical Systems at the University of Houston
November 2004
Report Number 05-010
Overall Conclusion
Although the University of Houston (University) has implemented certain controls, it needs to implement additional controls to ensure that it adequately protects confidential information and critical systems. The University collects and stores a significant amount of confidential information in automated systems. We did not identify any breaches of security or disclosure of confidential electronic data, but we did identify weaknesses that the University needs to address to ensure that its information and systems are adequately protected. Specifically:
- The University does not always ensure that high-level user accounts, which allow access to and control of a broad range of systems and information, are used appropriately. It also does not always monitor activity conducted through high-level user accounts.
- The University exchanges information through methods that are not secure, and weaknesses in wireless access increase the risk of unauthorized access. Although the security of the University systems we audited is generally adequate, network monitoring could be enhanced.
- The University does not always remove or change user access as needed, which increases the risk of unauthorized access. Weaknesses in passwords also increase this risk.
- Weaknesses in disaster recovery and business continuity planning increase the risk that the University would be unable to promptly and fully recover from a disaster. In addition, specific weaknesses in physical security increase the risk that network equipment is not adequately protected. Also, the University's information security program does not meet certain requirements of the Texas Administrative Code.
Contact the SAO about this report.