Minnesota Office of the Legislative Auditor
Financial Audit Division

Menu

Minnesota Office of the Legislative Auditor Menu

Report Summary
Department of Employment and Economic Development
Unemployment Insurance Program
Information Technology Audit

 

Financial Audit Division Report 09-36 Released December 3, 2009

Conclusion

The Department of Employment and Economic Development did not have adequate security controls for the information technology system used to administer the state’s Unemployment Insurance Program.

Findings

  • The Department of Employment and Economic Development did not have a comprehensive security management program for its information technology systems.
  • The Department of Employment and Economic Development had not formalized how it would correct vulnerabilities in computers accessible through the Internet, and it had not routinely scanned computers connected to its internal network for vulnerabilities.
  • The Department of Employment and Economic Development did not have monitoring procedures to detect and promptly respond to security-related events.
  • The Department of Employment and Economic Development did not adequately restrict some information technology staff from direct access to the Unemployment Insurance Program’s database, implement data encryption to mitigate inappropriate access, and monitor activities users performed in the database.
  • The Department of Employment and Economic Development did not have adequate procedures for managing its firewall and did not sufficiently restrict computer traffic in its internal private network.
  • The Department of Employment and Economic Development did not enforce strong password controls.
  • The Department of Employment and Economic Development’s change management and software development procedures were not security focused.
  • The Department of Employment and Economic Development had not established an offsite location to relocate the Unemployment Insurance Program’s computer system in the event of a disruption and had not documented a continuity of operations plan.

Audit Objectives and Scope

The audit objective was to answer the following question:

  • Did the Department of Employment and Economic Development have adequate security controls for the information technology used to administer the state’s Unemployment Insurance Program?

We assessed controls as of August 2009.

More Information

Office of the Legislative Auditor ♦ Room 140, 658 Cedar St., St. Paul, MN 55155