Report Summary
Department of Management and Budget and the
Office of Enterprise Technology
State Personnel and Payroll System
Security Controls
Information Technology Audit
|
Financial Audit Division Report 10-02 |
Released February 11, 2010 |
Conclusion
The Department of Management and Budget and the Office of Enterprise Technology generally had adequate security controls for the state’s personnel and payroll system and its data. However, the agencies lacked some important security controls.
The Department of Management and Budget resolved the prior eight audit findings applicable to the scope of this audit.
Key Findings
- The Department of Management and Budget did not conduct formal risk assessments nor develop adequate written information security policies, standards, and procedures.
- The Department of Management and Budget did not have adequate controls to ensure some computer users’ access was appropriate on an ongoing basis.
- The Department of Management and Budget had not formalized how it would detect, monitor, and resolve computer vulnerabilities and did not promptly install updates and patches on some of its computers.
- The Department of Management and Budget did not have effective monitoring procedures to detect and promptly respond to security-related events.
Audit Scope
The audit objective was to answer the following questions:
- Did the Department of Management and Budget and the Office of Enterprise Technology have adequate security controls to protect the confidentiality, integrity, and availability of the state’s personnel and payroll system and its business data?
- Did the Department of Management and Budget resolve prior audit findings?
We assessed controls as of October 2009.
