Minnesota Office of the Legislative Auditor
Financial Audit Division

Report Summary
Department of Commerce
Information Technology Security Controls

Financial Audit Division Report 11-08 Released April 15, 2011

Conclusion

The Department of Commerce did not have adequate security controls to protect the confidentiality, integrity, and availability of its data and computer systems from threats originating outside its internal network. We identified five weaknesses in internal controls.

Findings

  • The Department of Commerce did not develop a comprehensive security management program.
  • The Department of Commerce had many firewall rules that were too permissive or unnecessary.
  • The Department of Commerce did not sufficiently restrict or filter computer traffic, nor did it encrypt some sensitive computer traffic in its private internal network.
  • The Department of Commerce had not implemented formal change management processes to ensure that it adequately documented, assessed, tested, and approved proposed changes before implementing those changes in the technology environment.
  • The Department of Commerce lacked a periodic review of some users with remote access privileges.

Audit Objective and Scope

The audit objective was to answer the following question:

  • Did the Department of Commerce have adequate security controls to protect the department’s computer systems and data from threats originating outside the internal network?

We assessed controls as of January 2011.

More Information

Office of the Legislative Auditor ♦ Room 140, 658 Cedar St., St. Paul, MN 55155