Financial Audit Division | May 2024
The Department of Employment and Economic Development (DEED) and Minnesota Information Technology Services (MNIT) complied with many of MNIT’s information security requirements, and had adequate internal controls related to Unemployment Insurance (UI). However, DEED and MNIT did not comply with a variety of MNIT’s information security controls related to risk management, identity and access management, security logging and monitoring, vulnerability management, disaster recovery, and secure system configurations. The more significant instances of noncompliance and internal control weakness were in the areas of identity and access management. The list of findings below and the full report provide more information about these and other weaknesses.
DEED and MNIT inaccurately concluded that the Unemployment Insurance system complied with all information security control requirements and did not report known issues within MNIT’s centralized risk and compliance tool. (p. 12)
Recommendations
DEED and MNIT do not have a process for identifying and securely deleting data records within the Unemployment Insurance system that exceed defined retention periods. (p. 15)
Recommendations
DEED and MNIT have not fully implemented one-quarter of the identity and access management requirements designed to help protect the Unemployment Insurance system. (p. 18)[1]
Recommendations
For the Unemployment Insurance system, DEED and MNIT should:
[1] In accordance with Minnesota Statutes 2023, 13.37, subd. 2, we have removed from the public version of our report language from Finding 3 that we deemed likely to substantially jeopardize the security of information in the UI system. We discussed the specific details with DEED and MNIT.
DEED and MNIT do not comply with all provisions of MNIT’s Security Logging and Monitoring Standard for the Unemployment Insurance system. (p. 23)
Recommendation
DEED and MNIT should ensure that the Unemployment Insurance system’s logging and monitoring controls are implemented as required by MNIT’s Security Logging and Monitoring Standard.
DEED and MNIT do not adequately maintain scanning agents on essential technical devices that support the Unemployment Insurance system. (p. 25)
Recommendations
DEED and MNIT did not document their review, updates, or testing of the Unemployment Insurance system’s disaster recovery plan. (p. 27)
Recommendation
DEED and MNIT should ensure that disaster recovery plans for the Unemployment Insurance system are reviewed, updated, and tested annually.
DEED and MNIT did not fully document some key processes necessary to ensure full recovery of the Unemployment Insurance system in case of a disaster. (p. 28)
Recommendation
DEED and MNIT should ensure that their disaster recovery plan for the Unemployment Insurance system contains documentation of all key processes and procedures necessary to successfully recover and validate the system.
In some cases, DEED and MNIT did not implement recommended security configurations for the Unemployment Insurance system, nor did they document, within MNIT’s centralized risk and compliance tool, the rationale for deviating from the recommended configurations. (p. 29)
Recommendations
DEED uses various external and manual processes to identify suspicious transactions and potentially ineligible individuals, rather than automating these processes within the Unemployment Insurance system. (p. 31)
Recommendations
DEED and MNIT do not report on all Unemployment Insurance system project-related costs. (p. 38)
Recommendations
DEED and MNIT continue to custom build identity and access management functionality into the Unemployment Insurance system, rather than modernizing to an off-the-shelf solution. (p. 39)
Recommendation
DEED and MNIT should consult with the Technology Advisory Council and reaffirm their decision to custom build identity and access management functionality.