Financial Audit Division | October 2024
Minnesota Management and Budget (MMB) and Minnesota Information Technology Services (MNIT) had adequate controls for their Enterprise Performance Management (EPM) data warehouse to help ensure that data in the warehouse mirrored data found in the Statewide Integrated Financial Tools (SWIFT) and the Statewide Employee Management System (SEMA4) business systems.
We found that the processes used by MMB and MNIT to load data into the warehouse included sufficient data validation and integrity controls. Furthermore, MMB and MNIT had sufficient change management controls to ensure that data maintenance performed on SWIFT and SEMA4 would be synchronized with its data warehouse. Finally, MMB and MNIT generally implemented appropriate security controls to prevent unauthorized changes to data stored within the warehouse.
Nevertheless, during our audit, we identified some information security control weaknesses. The list of findings below and the full report provide more information about these concerns.
MMB and MNIT have not completed current risk or security control assessments of the data warehouse. (p. 14)
Recommendation
MMB and MNIT should complete required risk and security control assessments of the data warehouse.
MMB and MNIT did not regularly review and validate that user access to the data warehouse administrative tools was appropriate for an employee’s job duties, as required by MNIT security standards. (p. 16)
Recommendation
MMB and MNIT should regularly review and validate that permissions granted to user accounts remain necessary, as required by MNIT security standards.
MMB and MNIT did not scan for vulnerabilities or misconfigurations on critical computer devices that support the Statewide Integrated Financial Tools (SWIFT), the Statewide Employee Management System (SEMA4), or the data warehouse. (p. 17)
Recommendations