Public Release Date: August 29, 1997 | No. 97-46
Minnesota State Colleges and Universities (MnSCU) began operations on July 1, 1995. The new MnSCU system combined two state-level higher education systems, state universities and community colleges, that had previously existed as independent systems. It also incorporated a series of technical colleges into state government. In total, MnSCU now consists of 37 different institutions with 54 campus locations.
MnSCU is developing a collection of new computer systems to help institutions manage their business activities. This system development effort, referred to as the Integrated Statewide Records System (ISRS), began in early 1994 and is still underway. The ISRS is a massive system development project. When development is complete, the ISRS will contain at least 15 different modules that will support most campus business functions, including accounting, human resources, student registrations, financial aid, and student housing.
Our audit analyzed how MnSCU controls access to its new business systems and its critical business data. Every campus is now highly reliant on the integrity of the data in its institutional database. Therefore, MnSCU needs strong security controls to ensure the accuracy, consistency, reliability, and availability of this data. MnSCU also needs strong security controls to help protect data that is not available to the public and reduce each campus' exposure to fraud.
We found that every institution's critical business data is at risk because MnSCU data centers have serious security weaknesses. MnSCU needs to address these security weaknesses immediately to prevent a disastrous loss, unauthorized disclosure, or corruption of critical business data. We raise concerns about access to the systems from unauthorized environments, ineffective procedures for managing user accounts, inadequate control over powerful system privileges and security groups, and ineffective security monitoring procedures.