Skip to main content Skip to office menu Skip to footer
3 golden objects Minnesota Legislature

Office of the Legislative Auditor - Financial Audit Division

Report Summary


Financial-Related Audit


Minnesota State Colleges and Universities

Systemwide Access to MnSCU Data


This is our second security-related audit of MnSCU's information systems. The first audit, performed in June 1997, concluded, "Every institution's critical business data is at risk because MnSCU data centers have serious security weaknesses."

Our current audit focused on employees with extremely powerful security clearances to the Minnesota State Colleges and Universities (MnSCU) computing environment. In an appropriately controlled environment, extremely powerful security clearances are typically limited to certain information technology professionals who manage the computerized infrastructure.

Key Audit Conclusions:

MnSCU's critical business data continues to be at risk because it has not formally defined its security infrastructure. More specifically:

  • MnSCU has not conducted a formal risk assessment to identify vulnerabilities in its business systems. In addition, MnSCU does not have written security policies and procedures to control and monitor people with extremely powerful security clearances.

Though MnSCU made progress resolving some of the weaknesses identified in the prior audit, it cannot effectively manage its information security risks until it formally defines its security infrastructure. Without policies, MnSCU cannot effectively deploy security administration tools. Challenging the appropriateness of employee security clearances is also difficult without written policies. Many employees who we identified with excessive security clearances were not challenged by MnSCU's Office of Security.

We also question the sufficiency of MnSCU's security resources. For example, the Office of Security employs only two staff, one of whom also oversees all software development for MnSCU.

This financial-related audit report focused on security privileges held by information technology professionals in MnSCU's computing environment.

Office of the Legislative Auditor, Room 140, 658 Cedar St., St. Paul, MN 55155 : legislative.auditor@state.mn.us or 651‑296‑4708