|Public Release Date: September 18, 1998||No. 98-52|
The Department of Administration's Intertechnologies Group (Intertech) operates the state's primary data center. Intertech also maintains the software that is used to control access to its mainframe computers and manage scheduled batch processing. Ms. Elaine Hansen serves as the commissioner of the department.
The Department of Finance maintains the state's accounting system, commonly referred to as the Minnesota Accounting and Procurement System (MAPS). The MAPS software runs on a mainframe computer at Intertech. However, information system professionals in the Department of Finance design and test most of the MAPS computer programs. Mr. Wayne Simoneau serves as the commissioner of the department.
Scheduled batch processing is a special type of computing environment that requires little or no user interaction. Most of the state's major computer systems rely on a large overnight batch stream to perform critical business functions. For example, the nightly batch stream for MAPS contains hundreds of jobs that run from approximately 4 PM to 3 AM.
During this audit, we analyzed scheduled batch processing procedures at both Intertech and the Department of Finance. We designed our work to determine if Intertech was providing state agencies with a secure environment for their scheduled batch processing. We also analyzed the MAPS job stream to determine if there were controls to prevent unauthorized changes to computer programs.
We feel that Intertech provides state agencies with a secure environment for their scheduled batch processing. However, many state agencies, including the Department of Finance, run their scheduled batch jobs from an unsecured environment. This creates a serious security exposure that could result in disruptions to critical government services or the widespread destruction of data. We also found significant weaknesses in the MAPS program change control procedures. Specifically, most information system professionals in the Department of Finance have complete and unfettered access to nearly all MAPS data and computer programs. We do not feel that this level of security clearance is appropriate or necessary. Finally, we found one documentation shortcoming that Intertech needs to address to avoid making unauthorized changes to agency batch streams.
The Department of Finance and the Department of Administration agree with the findings in this report. The agencies' written responses to this report detail their corrective action plans.