This is our second security-related audit of MnSCU's information systems. The first audit, performed in June 1997, concluded, "Every institution's critical business data is at risk because MnSCU data centers have serious security weaknesses."
Our current audit focused on employees with extremely powerful security clearances to the Minnesota State Colleges and Universities (MnSCU) computing environment. In an appropriately controlled environment, extremely powerful security clearances are typically limited to certain information technology professionals who manage the computerized infrastructure.
Key Audit Conclusions:
MnSCU's critical business data continues to be at risk because it has not formally defined its security infrastructure. More specifically:
Though MnSCU made progress resolving some of the weaknesses identified in the prior audit, it cannot effectively manage its information security risks until it formally defines its security infrastructure. Without policies, MnSCU cannot effectively deploy security administration tools. Challenging the appropriateness of employee security clearances is also difficult without written policies. Many employees whom we identified as having excessive security clearances were not challenged by MnSCU's Office of Security.
We also question the sufficiency of MnSCU's security resources. For example, the Office of Security employs only two staff, one of whom also oversees all software development for MnSCU.
This financial-related audit report focused on security privileges held by information technology professionals in MnSCU's computing environment.