Minnesota Office of the Legislative Auditor
Financial Audit Division

Report Summary
Vulnerability Management
Information Technology Audit

Financial Audit Division Report 12-11 Released May 22, 2012

Conclusion

The Office of Enterprise Technology established internal controls that were generally adequate to identify and resolve security vulnerabilities; however, the office had not adequately communicated some parts of its vulnerability management standard, and training materials did not address all requirements of the standard.

The state did not comply with the Enterprise Vulnerability Management Security Standard. Agencies had generally not classified the criticality of devices (computers, systems, and networks) based on the confidentiality, integrity, and availability requirements of their data, as required by the standard. Also, agencies did not consistently report certain events to the Office of Enterprise Technology, and some agencies did not effectively conduct scans and prioritize the remediation of their vulnerabilities. The Office of Enterprise Technology also did not provide state agencies with certain metrics related to agencies’ device criticality, as required by the standard.

Findings

  • Agencies have not assigned vulnerability ratings to devices based on the requirements of the data and systems they support.
  • Some agencies did not have complete, effective, or efficient internal scanning practices and did not report scanning policy exceptions to the Office of Enterprise Technology.
  • Agencies had not adequately resolved vulnerabilities identified by system scans.
  • While the Office of Enterprise Technology provided various training sessions to agency information technology staff about specific aspects of the vulnerability management program, the office did not develop a comprehensive and role-based training curriculum.

Audit Objective and Scope

The audit objective was to answer the following questions for the period from July 1, 2010, through July 31, 2011:

  • Did the Office of Enterprise Technology’s Vulnerability Management Security Standard establish adequate internal controls to manage vulnerabilities of the state’s computers, systems, and networks?
  • Did the Office of Enterprise Technology and the state agencies comply with the Enterprise Vulnerability Management Security Standard?

We assessed controls between July 2010 and July 2011.

Office of the Legislative Auditor ♦ Room 140, 658 Cedar St., St. Paul, MN 55155