Minnesota Office of the Legislative Auditor
Financial Audit Division

Menu

Minnesota Office of the Legislative Auditor Menu

Report Summary
Minnesota State Retirement System
Information Technology Audit

 

Financial Audit Division Report 09-23 Released June 23, 2009

Conclusion

The Minnesota State Retirement System (MSRS) did not have adequate controls to protect the integrity, confidentiality, and availability of its computer systems and business data. Serious security weaknesses exposed them to an unacceptable risk of tampering, disclosure, and disruption. The report contains eight findings relating to internal control deficiencies.

Findings

  • MSRS did not have a comprehensive security management program.
  • Poor firewall and wireless security controls exposed MSRS’s private internal network to external threats.
  • MSRS did not sufficiently segment its internal private network to improve security over its computer systems and data.
  • MSRS did not monitor security-related events.
  • MSRS did not have strong account and password controls.
  • MSRS did not adequately restrict employee access to some computer systems and data, and it did not encrypt sensitive data.
  • MSRS did not follow adequate change management procedures.
  • MSRS did not promptly install software updates or security-related software patches on some of its computers, and some were running unnecessary and insecure software.

Audit Objectives and Scope

  • Did MSRS have adequate controls to protect the integrity, confidentiality, and availability of its computer systems and business data?

We assessed controls as of April 2009.

Background

MSRS administers six retirement plans, a supplemental retirement plan for Hennepin County, and health care and deferred compensation plans for state employees and other public employees. Plan membership is comprised of state employees, state law enforcement and correctional officers, constitutional officers, legislators, judges, employees of the University of Minnesota, the Metropolitan Council, and employees of various other designated public agencies. Approximately 700 employers participate in the plans whose membership includes over 250,000 active and inactive employees and their beneficiaries.

More Information

Office of the Legislative Auditor ♦ Room 140, 658 Cedar St., St. Paul, MN 55155