ISA-2000-6080
This report contains an executive summary and audit results which detail the areas where improvements should be made to strengthen the access controls over the Campus Pipeline application and operating environment.

During the course of our audit, certain sensitive security-related findings and recommendations were identified. Those sensitive issues were conveyed in detail to the University Information Technology Services personnel during the audit exit conference. Due to the sensitive nature of these issues, they will be reported more generically in this audit report. University Information Technology Services personnel have reviewed a draft copy of this report, and their written responses to each issue are included herein.

Some of the findings are summarized below.

The Campus Pipeline application does not provide sufficient security features in the areas of user ID management, password management, and security violation and audit trail logging.

The current Campus Pipeline application, as configured by the University, allows access to sensitive and personal user profile information for students, faculty, and University employees anonymously using a standard web browser.

The Campus Pipeline application tracks the application usage activities of each user and transfers this information to Campus Pipeline, Inc., which uses the information in various ways. This tracking activity should be clearly disclosed to users.

The University currently does not run the Campus Pipeline application or the Web for Students application in accordance with the network and hardware architecture recommended by the application vendors.

We found inappropriate user access to numerous files on the UNIX server that hosts the Campus Pipeline application.

Virus protection software is not being used on the UNIX server that hosts the Campus Pipeline application.

ASU does not have security policy and operating guidelines that govern the security of all University application systems.