Financial Audit Division Report 14-14 | Released May 1, 2014
The Office of MN.IT Services (MN.IT) generally had adequate internal controls to ensure that it appropriately limited access to its data and protected the mainframe’s operating system. MN.IT established expectations for the security controls operating on the mainframe and developed a formal process to evaluate and implement changes. However, MN.IT had some inconsistencies with its internal policies, as noted in the findings in this report.
The audit objective was to determine whether, as of September 2013, the Office of MN.IT Services had adequate internal controls to: 1) limit the ability to see or modify sensitive mainframe operating system settings and data to appropriate personnel, and 2) ensure that all modifications to the mainframe operating system were authorized.