Office of the Legislative Auditor - Financial Audit Division

Key Conclusion:

The Minnesota State Colleges and Universities (MnSCU) did not adequately plan and secure its wireless computer networks. Many wireless networks had security weaknesses, some of which were significant. We recommend that MnSCU disable all wireless networks that lack strong authentication and encryption controls.

Findings:

• MnSCU did not adequately plan and secure many of its wireless networks.
• Controls to authenticate users and encrypt wireless data transmissions were weak or nonexistent at several colleges.
• Most colleges did not functionally segment their wired and wireless networks to better protect computer systems and data.
• Several colleges do not have controls to protect their networks from insecure computers that connect to them.
• Several colleges did not adequately monitor their systems and wireless networks.

Audit Scope:

Wireless network security controls as of June 2005

Wireless networks used by MnSCU universities, colleges, and the Office of the Chancellor

Almost all of MnSCU’s colleges and universities have deployed wireless networks. Wireless networks extend the range of traditional wired networks by using radio waves to transmit data through the air to wireless-enabled devices, such as laptop computers or personal digital assistants (PDAs). While wireless networks offer many potential benefits, including flexibility and mobility, they also introduce significant security risks, such as unauthorized access to computer systems and data. Appropriate controls are needed to mitigate risks and protect the integrity, confidentiality, and availability of MnSCU’s computer systems and data.