Northern Arizona University already had begun taking steps to secure its web systems when a state audit was released last week pointing to security flaws at Arizona’s universities.
“We have taken the auditors’ findings very seriously and have worked with them over the last nine months to identify and correct system vulnerabilities as soon as they were identified,” said ITS Director Harper Johnson. “In doing so, we feel that our university’s information is more secure, but we realize that there will always be more to do.”
The Arizona Auditor General’s Office released a report Friday pointing out university security weaknesses that allowed auditors to take over large numbers of user accounts and change information. They also were able to access more than 10,000 confidential records containing names and Social Security numbers.
The confidential records were not from NAU accounts.
The audit recommended that NAU, Arizona State University and University of Arizona develop comprehensive security programs, provide better training for web developers and conduct regular security tests.
“We welcome the recent audit and view it as an opportunity to get an independent view to help improve our information security practices,” Johnson said.
President John Haeger already has approved an Information Security Program to meet—and in some areas exceed—the findings of the audit.
The program will include security awareness programs for faculty, staff and students. ITS will work with Human Resources to develop training for new hires as well as ongoing training for current staff and faculty.
With funding provided by the Arizona Board of Regents, ITS will purchase tools to increase web security. The department also will expand its review process for developing secure web applications across campus.
“Web systems security is a continually changing environment, and we will address new situations along the way,” Johnson said. “Making NAU’s systems as safe as possible will continue to be a priority.”
NAU will make a progress report to ABOR in September and to the Arizona Auditor General’s Office in six months.