Minnesota Office of the Legislative Auditor
Financial Audit Division

Report Summary
Department of Management and Budget and the Office of Enterprise Technology

State Personnel and Payroll System Security Controls

Information Technology Audit

 

Financial Audit Division Report 10-02 Released February 11, 2010

Conclusion

The Department of Management and Budget and the Office of Enterprise Technology generally had adequate security controls for the state’s personnel and payroll system and its data. However, the agencies lacked some important security controls.

The Department of Management and Budget resolved the prior eight audit findings applicable to the scope of this audit.

Key Findings

  • The Department of Management and Budget did not conduct formal risk assessments or develop adequate written information security policies, standards, and procedures.
  • The Department of Management and Budget did not have adequate controls to ensure some computer users’ access was appropriate on an ongoing basis.
  • The Department of Management and Budget had not formalized how it would detect, monitor, and resolve computer vulnerabilities and did not promptly install updates and patches on some of its computers.
  • The Department of Management and Budget did not have effective monitoring procedures to detect and promptly respond to security-related events.

Audit Scope

The audit objective was to answer the following questions:

  • Did the Department of Management and Budget and the Office of Enterprise Technology have adequate security controls to protect the confidentiality, integrity, and availability of the state’s personnel and payroll system and its business data?
  • Did the Department of Management and Budget resolve prior audit findings?

We assessed controls as of October 2009.

Office of the Legislative Auditor ♦ Room 140, 658 Cedar St., St. Paul, MN 55155