|Financial Audit Division Report 09-16||Released April 9, 2009|
Small agencies in Minnesota state government generally do not have adequate security controls over their computer systems, which creates an unacceptable risk of unauthorized access to not public data and disruption to state functions. Effectively resolving these weaknesses is unlikely without the ongoing oversight and support of the Office of Enterprise Technology. This report contains six findings concerning control weaknesses in small agencies’ computer systems.
The primary objective of our audit was to answer the following question:
To answer this question, we assessed security controls at 12 small state agencies as of January 2009.
We identified 45 small state agencies, which we defined as any office, bureau, board, commission, or agency with 50 or fewer employees. All of these agencies perform some service or function specified in state law. These agencies need to have secure computer systems to protect the state from financial losses and unauthorized disclosure of not public data; they need to have effective internal controls to address their information technology risks.