Office of the Chancellor / Public Affairs
Monday, May 3, 2004
Chronicle of Higher Education/5-7-04
Insecure and Unaware
By ANDREA L. FOSTER

When auditors evaluated the security of computer networks on the Kingsville campus of Texas A&M University at the state's request last summer, they found gaping holes. No employees were assigned to protect critical data and shield campus networks from hackers and viruses. The university had failed to inform students and faculty and staff members of its security policies, and had not updated them since 1996. And it was not periodically reviewing weaknesses in its computer systems, as required by state and federal regulations.

The auditors said that unless the university took major steps, like hiring a chief information officer, confidential information was at risk of being exposed, data could be wiped out, and crucial systems could fall victim to viruses and hackers. Kingsville did not have "information technology represented at the executive-management level when core-mission-critical decisions [were] being made," says one auditor, who declined to be identified.

The university, which took the auditors' findings to heart, is now busy improving the security of its networks. But an analysis by The Chronicle of the Kingsville audit, as well as audits of other public-university systems, in Florida, Texas, and New York, suggests that such security lapses are common at colleges. It is a conclusion shared by experts on campus-computer security, some of whom worry that colleges could eventually be sued for operating their information systems negligently.

"What I've seen is a top-to-bottom lack of awareness of issues related to security," says Eugene H. Spafford, a computer-science professor who is executive director of the Center for Education and Research in Information Assurance and Security, at Purdue University at West Lafayette. Too many students, he says, don't know that they need to fix computer holes and use antivirus software, and that some of their activities -- particularly downloading copyrighted music without paying for it -- are illegal.
"You have faculty who believe that because it's their machine and because of academic freedom they should be able to do whatever they want," he says. "And you have administrators who don't understand the risk or the need to invest in appropriate technology and set policy appropriately."

Indeed, E. Eugene Schultz, a principal engineer at the Lawrence Berkeley National Laboratory who is editor in chief of the journal Computers & Security, says universities are "among the least secure places in the universe, as far as computing goes."

Among the more prevalent problems identified in the audit reports obtained by The Chronicle through university Web sites or state open-records laws:

- Colleges are not doing enough to encourage students and other campus users to protect their campus accounts. Passwords are not changed periodically, are too short, or are not always required for employees to gain access to confidential information.
- Some institutions undergo information-systems audits as part of broad operational reviews. In such cases, the colleges often rely on auditors without much technical expertise, who may fail to root out computer-security issues.
- Some colleges don't respond completely to auditors' findings, because of constraints on budgets or other resources.

"Most institutions can't help but focus their resources on existing problems and cross their fingers," says Martin H. Ringle, chief technology officer at Reed College, who also advises other colleges on computer-security issues. "If you happen to be fortunate and nothing bad happens, you win. If you're unfortunate, senior officers, the board, faculty, and others will say, 'Now, we better make sure this never happens again.'"

Under the Auditors' Eyes

The Chronicle focused its analysis on public colleges in California, Florida, New York, and Texas because of those states' large public higher-education systems, and the availability of the audit information through state government-in-the-sunshine laws. Most of the audits were initiated by state authorities and were released in 2003 and 2004. Some college officials were reluctant to make the audits public for fear they would assist hackers.

Audits of several public colleges in Florida were conducted by the state auditor general's office; Texas A&M University's branches were audited by the system's internal audit department; the University of Texas' branches and the University of North Texas were evaluated by internal auditors on each campus; and the State University of New York at Buffalo was reviewed by internal auditors. In most cases, auditors noted information-technology weaknesses during larger evaluations of the universities' operations. The audits at Kingsville, Buffalo, and the Universities of Texas and North Texas were done specifically on information systems. At Florida State University, only the system that collects and disburses money was audited.
The City University of New York has not audited computer operations at any of its institutions in at least five years, says Dave Fields, special counsel to the chancellor. At the request of faculty-union leaders, auditors evaluated the California State University System's new administrative computing system two years ago; and the San Marcos and Bakersfield campuses were evaluated last year for their disaster plans. The University of California system, citing security concerns, provided heavily redacted computer audits.

Password Protection

The audits examined for this article determined that the key lapses in campus computer security involved passwords, employees' access to computers, analysis of risks, and the recovery of lost data. One of the most important issues for campus security is the protection and use of passwords.

Auditors at Kingsville said administrators did not require network users in the College of Business, the College of Engineering, the distance-education program, or the campus debit-card system to change their assigned passwords. The audit recommended that passwords be changed every two to six months. Departmental computers contain very little confidential data and are not vital to the mission of the university, but people could use the systems to break into centrally maintained "mission-critical systems," auditors noted.

An audit of 423 information systems at the University of Texas Southwestern Medical Center at Dallas, most of which are managed by individual departments, showed that computer users on some systems were not asked for ID's and passwords before viewing "sensitive data." Philip Schoch, a spokesman for the center, responded in a written statement, "We have corrected or are in the process of correcting those security concerns."

Failure to address that issue opens the door to trouble. Using stolen user names and passwords, hackers broke into supercomputers at several universities and the U.S. Department of Energy last month and tried to capture more such information. No systems or data were destroyed, but researchers were for varying periods unable to connect with the supercomputers (The Chronicle, April 23).

Security experts say employees and students should change passwords every few months, or choose long passwords to make it more difficult for people to break into systems. Ideally, passwords should consist of a combination of letters and numbers and should not be words, so they cannot easily be guessed, says Robert N. Clark Jr., director of internal auditing at the Georgia Institute of Technology, who also is immediate past president of the Association of College and University Auditors.

As for responding to audits, Stanley J. Yuraitis, director of computer-information systems at Kingsville, says it is hard for him to dictate to the College of Engineering, which does its own information-technology support. "We are going to have to somehow strongly encourage them to comply with the same standards, and to the same degree that the rest of the campus does," he says.

Limiting Access

Another area of concern for colleges: a failure to close off network access to departing employees. In reviewing the records of 12 employees who had left Florida Atlantic University, auditors found in 2002 that 5 of them could still get into the university's computer network from two weeks to a year after their departure.

Computer-security experts say department heads often fail to communicate with one another when an employee leaves. Students frequently leave and return, and administrators are often more focused on having students, professors, and staff members settle outstanding debts, like parking fines or tuition, than on whether they can still log on to the network. Florida Atlantic installed new human-resources software in January that makes it easier to cut off the computer access of departed employees, says Denise Campbell, acting director for personnel services.
But the system is effective, she notes, only when managers let her know that an employee has left the university.

A good test of whether administrators are paying attention to network security is whether they can feel confident that their systems and data cannot be destroyed if the college decides to fire the chief information officer, says D. Frank Vinik, a risk manager at United Educators, a member-owned insurance company for colleges. "The greatest threat to computer systems is not from outside hackers," he says. "It's from insiders who, for whatever reason, are disgruntled or unhappy with an institution." Colleges need to be particularly vigilant about threats from terminated information-technology employees because they are capable of installing hidden "backdoors" that enable them to circumvent passwords, says Mr. Vinik. Mr. Vinik and Mr. Schultz, of the Lawrence Berkeley lab, say they have not heard of fired college employees' exacting revenge on former employers by sabotaging computer systems or stealing research data. But such incidents have occurred at companies.

Administrators also sometimes fail to restrict employees' ability to view and tinker with sensitive data. Auditors at SUNY Buffalo, for example, discovered last year that 11 people could change information in the registration system even though their job responsibilities did not warrant such access. "People shouldn't just be able to go in and change information on a whim," says Gary J. Walters, director of the university's internal-audit department. At Texas A&M's College of Veterinary Medicine, auditors noticed last year that four information-technology workers could change data in the system that collects and reports information on the animals under care there. This problem is not unique to public institutions. After an audit last year, Carnegie Mellon University's outside auditors, from the accounting firm Deloitte & Touche, recommended that the university limit the number of employees who can enter the university machine room, which houses multiple systems and sensitive data.

Carnegie Mellon, Buffalo, and Texas A&M's veterinary hospital have all taken action in response to their auditors' recommendations. Carnegie Mellon now only permits about 20 people to have access to the machine room, down from about 80, says Joel M. Smith, chief information officer and vice provost for computing. Susan A. Huston, director of administrative computing services at Buffalo, says her office now periodically reminds supervisors to update their roster of employees, so that those who no longer need to use certain databases have their access terminated. And Texas A&M has made sure that the information-technology workers in the veterinary hospital no longer have access to data on the animals under treatment, says H. Richard Adams, dean of the veterinary college.

Risk Assessment

To safeguard systems and data, colleges also must identify threats and allocate resources effectively. But many are not performing even those basic steps. Auditors for the cashier system at Florida State University, which collects and disburses money, noted "deficiencies" in risk-management practices between September 2002 and January 2003. Their audit did not elaborate, in order "to avoid the possibility of compromising university information," according to the report. "A risk assessment is a good starting point before designing information-technology controls, so you can get the most out of your funding," says Jon E. Ingram, who supervised the audit. The information-technology audit team will follow up to see if the university has adopted the audit's recommendations, he says.

Mr. Yuraitis, of Kingsville, says one of the most time-consuming and complicated tasks on the campus will be conducting the risk-management assessment that the auditors have recommended. Among other things, it requires faculty members to answer a survey about the type and amount of sensitive data they have stored on their computers, so that administrators can determine how best to safeguard valuable information. "Collecting the information is like pulling teeth out of chickens," says Mr. Yuraitis. "Our faculty tend to not like to respond to any kind of inquiry that's given to them, especially from the administrative side."

Only 30 percent of colleges do risk assessments, according to a 2003 study by the Educause Center for Applied Research, which examines technology issues for colleges.

Securing Data

Because campuswide disasters happen infrequently, many institutions do not properly maintain and test their strategies for recovering lost data and making sure that information systems run smoothly in the event of catastrophe. Auditors at Florida Atlantic, which is located on the state's hurricane-prone coastline, noted that the institution's agreement with another college to handle its information systems if necessary expired in May 2002. A year went by before Florida Atlantic had a written agreement with the University of South Florida to serve as a backup site for its computer operations.

In addition, auditors recommended that Florida Atlantic's backup operation be regularly tested. But Jeffrey Schilit, associate provost and chief information officer, told them that the university would not shut down its information systems to simulate a real emergency. It takes four hours to turn off all the computers on campus, and another four hours to turn them back on, he notes. "I don't have the time, energy, or resources to do that," says Mr. Schilit.

Planning for Disaster

At Texas A&M University at College Station, auditors examining the College of Science between September 1, 2002, and May 3, 2003, observed that six of its units lacked disaster-recovery plans, and that five did not store backup tapes away from the campus. H. Joseph Newton, dean of the College of Science, says the disaster-recovery plans, among other weaknesses noted in the audit -- including password protection and physical security -- were addressed by March 31.

Mark S. Bruhn, chief of information-technology security and policy at Indiana University at Bloomington, says many colleges don't make disaster-recovery plans, readying an alternative space to run crucial applications and databases, because doing so would cost hundreds of thousands of dollars. At Bloomington, the dance studio at the School of Health, Physical Education, and Recreation would serve as a backup space if emergency conditions were to leave the university's data center inoperable. The studio is wired to run a network, and Indiana's information-technology units have contracts with vendors to install computer servers there. University employees are prepared to install cooling units and a generator and to bring in data and programs. The plan has cost Bloomington about $200,000, says Mr. Bruhn. The studio is about five miles away from the university's computing facilities. Ideally, the recovery site should be at least 50 miles away, he says. Bloomington has plans for a new recovery site, at Indiana University-Purdue University at Indianapolis, which is 55 miles away.

Apart from natural disasters, colleges also have to worry about more-mundane occurrences, like a sudden loss of power because of campus construction, says Georgia Tech's Mr. Clark. Many colleges lack a strategy for making sure that their information systems can continue to operate if telecommunications lines are severed, he says.
Such a plan "requires a lot of different people to be all on the same page, and to be collaborating and working closely together," he says. That is easier to accomplish at a business than at a college.

Auditors Questioned

While the various audits reviewed for this article had administrators scrambling to respond to auditors' recommendations, some expressed frustration with the process itself. Mr. Newton, of Texas A&M's College of Science, complained that the information-technology audit of his campus was done by auditors who "don't know anything about information technology." "The things we all sit around worrying about are preserving the confidentiality of information ... and, like everybody else, we're worried about hackers," says Mr. Newton, a computational statistician. But the auditors, he recalls, seemed obsessed with such basics as having passwords changed. The university should bring in auditors who are "true experts in the issues associated with information technology," he says.

None of the auditors who reviewed the College of Science are certified as information-systems auditors, a designation conferred by the Information Systems Audit and Control Association. An auditor for the university system, who requested anonymity, says the report's information-technology recommendations were "rudimentary" and based on Texas law. "A couple of individuals don't like changing passwords," he says in response to Mr. Newton's complaint.

Mr. Clark agrees that audits ought to be conducted by people knowledgeable about computers. He and his auditing team at Georgia Tech evaluate information systems in at least a dozen areas, including how well the operators set strategy, train employees, refresh passwords, secure data, document procedures, maintain equipment, and back up information. He has tried to raise college auditors' awareness of information systems, he says, because too many of them do not know how to evaluate computer networks. "Typically people gravitate toward the audit profession because of a strong background in accounting and finance," he says.

Many colleges choose outside auditors with expertise in information systems for help in evaluating their computer systems. Virginia E. Rezmierski, a privacy expert who is an adjunct associate professor teaching information-technology-policy issues at the University of Michigan at Ann Arbor, says a study she is leading of how colleges respond to computer-security failures shows that administrators are increasingly likely to consult with a variety of experts, including risk managers, auditors, and college lawyers -- as well as information-technology specialists -- when responding to computer mishaps. In the past, colleges seemed to rely only on information-technology employees, who often are unfamiliar with the legal and privacy issues associated with information systems, she says. In its audit last year, for instance, Carnegie Mellon did use internal auditors, but it also hired Deloitte & Touche.

An Ounce of Prevention

At institutions less prominent than Carnegie Mellon, administrators often fail to deal with audit findings simply because of feeling overwhelmed by the number of problems uncovered, says Purdue's Mr. Spafford. "They look at the output and go, 'Oh, my God, there's 20,000 things on our machines that are out of date, broken, or badly configured. We've only got one full-time person to handle it all. We can't do it,'" he says. "Or they give that poor person the list of 20,000 things and say, 'Here, fix these.'"

Even more troubling to security experts is that many institutions remain ignorant of their networks' weaknesses because the systems aren't audited at all. "It indicates a broken process," says Mr. Schultz, of the Lawrence Berkeley laboratory. "It's like finding one mouse in your house. If there's one, there's probably a dozen."

The consequences of colleges' failure to pay attention to network security can be severe.
One college was at risk of having its ability to accept Visa credit-card payments cut off -- jeopardizing its receipt of tuition funds, alumni donations, and other revenue sources -- after it accidentally exposed credit-card numbers stored on a server, says an administrator who asked that his institution not be named. He says Visa reversed its decision only after top college administrators frantically intervened.

Mr. Spafford suggests that administrators be required to disclose all network-security failures to a central campus authority, whether systems are damaged by viruses, break-ins by hackers, or thefts of proprietary information. "It is important that campus authorities know something about the extent of the security problems they have," he says.

Because of the prevalence of security mishaps, it may be just a matter of time before colleges are hit with multimillion-dollar lawsuits accusing them of negligently operating their networks, says Mr. Vinik, of United Educators. Student users, for instance, might sue a college that accidentally released their financial information online if the information was later used by identity thieves. Or a biotechnology company might sue if hackers broke into a campus network and stole valuable research that the company and the university had jointly developed.

"Prevention and risk management is absolutely key," says Mr. Vinik, "because if you were to be sued and somebody says that you did not have adequate security, you want to be able to show that you engaged in significant audit-type measures and tried to correct problems."
These news clips are provided by the Public Affairs Department of The California State University. They are intended for the internal use of The California State University system and should not be redistributed. Questions and submissions may be sent to publicaffairs@calstate.edu.