BY PATRICK SWEENEY
Mar. 19, 2004
The Minnesota Revenue Department's computer system that processes $5.5
billion a year in income taxes has multiple shortcomings that could
allow employees improper access to tax returns, a new audit concludes.
"Our overall conclusion was we just didn't think the Department of
Revenue had the level of security controls that we expected to find,"
said Christopher Buse, who led a four-person legislative audit team
that examined the computer system.
An 18-page report released Thursday recommends the Revenue Department
do far more to limit access to the computer system by employees who do
not have a current need to use it in their jobs, and to quickly patch
security flaws in software.
Department officials said, and Buse agreed, that the auditors found no
significant problems with security measures the Revenue Department has
in place to prevent outside hackers from obtaining confidential
taxpayer information. "The firewall, itself, was pretty darn good,"
Buse said of the external security.
Buse said the auditors found no evidence that any hackers had gained
access to the tax data, nor any evidence that employees used the
computer system improperly. But he also said that auditors did not
probe for such evidence.
The most serious internal security problems are not listed in the
auditors' public report. Instead, those problems were detailed in five
confidential memos to the department.
"We outlined a litany of detailed security weaknesses that we think
the department needs to address," Buse said.
Dennis Erno, a deputy revenue commissioner, did not dispute the audit
team's findings and said many of the fixes the auditors recommended
already have been made. "We can say emphatically that we have the
strongest protection from outside sources that modern technology
permits," Erno said.
Erno said an 11 percent budget cut at the Revenue Department during
the last budget period led to significantly less monitoring of
security policies. "We have purposely scaled back some of our internal
procedures," he said.
The audit report's findings included:
The department needs to do more regular security reviews.
Many employees continued to have security clearances after they
changed jobs within the department or left state employment.
Too many information technology workers had too much access to
sensitive tax data.
The department allowed too much access to its system by employees
working from home, and sometimes allowed employees to share a
Employees sometimes failed to change readily available default
passwords on new software, and sometimes were slow to install software
"patches" to frustrate hackers.
ISN is currently hosted by Attrition.org
To unsubscribe email [EMAIL PROTECTED] with 'unsubscribe isn'
in the BODY of the mail.