Minnesota Office of the Legislative Auditor
Financial Audit Division

Menu

Minnesota Office of the Legislative Auditor Menu

Report Summary
Department of Education
Information Technology Security Controls Audit

 

Financial Audit Division Report 10-17 Released May 5, 2010

Conclusion

The Department of Education did not have adequate security controls to protect the confidentiality, integrity, and availability of its data and computer systems from threats originating outside its internal network.

Key Findings

  • The Department of Education did not develop a comprehensive security management program nor did it allocate sufficient resources or personnel to adequately manage security.
  • The Department of Education had some firewall rules that were too permissive or unnecessary.
  • The Department of Education did not assess its monitoring needs nor did it proactively review security events.
  • The Department of Education had not adequately assessed, prioritized, reported, and remediated vulnerabilities.

Audit Objective and Scope

The audit objective was to answer the following question:

  • Did the Department of Education have adequate security controls to protect the department’s computer systems and data from threats originating outside the internal network?

We assessed controls as of February 2010.

More Information

Office of the Legislative Auditor ♦ Room 140, 658 Cedar St., St. Paul, MN 55155