Minnesota Office of the Legislative Auditor
Financial Audit Division

Report Summary
Department of Administration
Information Technology Security Controls

 

Financial Audit Division Report 10-35 Released November 4, 2010

Conclusion

The Department of Administration generally had adequate security controls to protect the confidentiality, integrity, and availability of its data and computer systems from threats originating outside its internal network. However, we identified five weaknesses in internal controls.

Findings

  • The Department of Administration had not adequately managed its information security risks and lacked some written agreements with the Office of Enterprise Technology.
  • The Department of Administration had not adequately assessed, prioritized, reported, and remediated vulnerabilities.
  • The Department of Administration had not assessed its monitoring needs nor did it proactively review security events.
  • The Department of Administration lacked change control procedures for its firewall rules.
  • The Department of Administration had not periodically recertified some access privileges, and some information technology staff shared passwords.

Audit Objective and Scope

The audit objective was to answer the following question:

  • Did the Department of Administration have adequate security controls to protect the department’s computer systems and data from external threats?

We assessed controls as of September 2010.

Office of the Legislative Auditor ♦ Room 140, 658 Cedar St., St. Paul, MN 55155