NSW universities have poor information security practices that could expose the institutions to security attacks and result in data integrity issues, fraud and identity theft, according to the state's Auditor-General.
In an otherwise positive report card on the financial affairs of the 10 NSW universities, the Auditor-General said it was "disappointing" that problems with information security reported in 2014 had still not been addressed.
It comes just two months after the University of Sydney was forced to apologise to students for a major privacy breach, when a contractor lost a laptop containing sensitive information about thousands of students using disability services, stored in a form that an internal review later revealed was unencrypted and unsecured.
The Auditor-General's report, released on Thursday, said user access vulnerabilities were the most significant problem with information management.
"The main areas of audit concern are the weak processes at some universities over user access reviews and the timely termination of user access to systems. It is disappointing that over a third of the issues identified in the 2015 audits had been reported to management in 2014 and not addressed," the report said.
It recommended management of user administration processes should be strengthened to prevent inappropriate access to financial information.
IT security expert Troy Grant said this would go to account management issues like how accounts are created, password settings, how long users can stay logged in and when users' access rights should be revoked, such as after graduation.
"Organisations tend to put a lower priority on this stuff," he said. "What's more interesting is if there's been a finding and recommendation and they haven't fixed it."
The University of Sydney's internal review found the software developer responsible for the lost laptop had not followed the university's policies on secure information storage.
The Auditor-General otherwise gave the 10 NSW universities a good report card on their financial reporting and research quality, with 91 per cent of discrete fields of research performed judged to be at or above world standard.
But questions were again raised over the sector's financial sustainability, given total operating expenditure increased more than total revenue, and uncertainty over levels of federal government funding in the future.