An Audit Report on Protection of Research Data at Higher Education Institutions
June 2004
Report Number 04-035
Overall Conclusion
Higher education institutions should do more to protect research data. Security of research data at the institutions we audited -- The University of Texas at Austin, The University of Texas Southwestern Medical Center at Dallas, and The University of Texas Health Science Center at San Antonio -- was inconsistent and sometimes inadequate. Although we identified instances in which research data was very well protected, we identified inconsistent security measures at each of the three institutions we audited that expose research data to the risk of loss or misuse. This could significantly impede researchers progress or, ultimately, result in the loss of research funding. Inadequate security can lead to the loss or misuse of research data, which could jeopardize institutions reputations and their ability to achieve their missions.
The institutions have ultimate responsibility for research data because they are the owners of this data and receive benefits from research such as patents, royalties, and associated funding for indirect costs. However, while institutions generally provide some degree of security to all users through perimeter firewalls or other types of network protection, they rely on decentralized departments and individual researchers to further protect research data.
Inadequate security can lead to the loss or misuse of research data, which could jeopardize institutions reputations and their ability to achieve their missions. Although the following examples did not occur at institutions we audited, they demonstrate the importance of protecting research data:
- Not properly backing up research data has the potential to impede the progress of research. For example, Tropical Storm Allison caused the Baylor College of Medicine and the Medical School at The University of Texas Health Science Center at Houston to lose 10 years worth of data on spinal cord injuries.
- Not securing workstations with antivirus software can leave workstations
vulnerable to potential attacks, and inadequate security associated with a
single workstation has the potential to have an impact on the institutions
entire network. For example, in May 2004 the Sasser computer virus reportedly
infected nearly one-third of the computers at The University of Texas M.D.
Anderson Cancer Center and delayed some patient treatment. It is suspected
that the virus entered the institution through a notebook computer.
- Because of their need for free exchange of information and open computing environments, higher education institutions in particular face a significant risk that intruders will be motivated to hack into their systems and use their extensive computing resources for unauthorized purposes. For example, hackers recently targeted and compromised TeraGrid, a network that institutions use to conduct and share research. Because of this attack, institutions that use TeraGrid took certain computers off line, which disrupted research for several days.
Contact the SAO about this report.
Download the Acrobat version of this report. (.pdf) (Generate HTML Equivalent)*
*HTML equivalents for PDF documents are generated utilizing Adobe's PDF Conversion by Simple Form.