Pioneer Press
Mar. 19, 2004

The Minnesota Revenue Department's computer system that processes $5.5 
billion a year in income taxes has multiple shortcomings that could 
allow employees improper access to tax returns, a new audit concludes.

"Our overall conclusion was we just didn't think the Department of 
Revenue had the level of security controls that we expected to find," 
said Christopher Buse, who led a four-person legislative audit team 
that examined the computer system.

An 18-page report released Thursday recommends the Revenue Department 
do far more to limit access to the computer system by employees who do 
not have a current need to use it in their jobs, and to quickly patch 
security flaws in software.

Department officials said, and Buse agreed, that the auditors found no 
significant problems with security measures the Revenue Department has 
in place to prevent outside hackers from obtaining confidential 
taxpayer information. "The firewall, itself, was pretty darn good," 
Buse said of the external security.

Buse said the auditors found no evidence that any hackers had gained 
access to the tax data, nor any evidence that employees used the 
computer system improperly. But he also said that auditors did not 
probe for such evidence.

The most serious internal security problems are not listed in the 
auditors' public report. Instead, those problems were detailed in five 
confidential memos to the department.

"We outlined a litany of detailed security weaknesses that we think 
the department needs to address," Buse said.

Dennis Erno, a deputy revenue commissioner, did not dispute the audit 
team's findings and said many of the fixes the auditors recommended 
already have been made. "We can say emphatically that we have the 
strongest protection from outside sources that modern technology 
permits," Erno said.

Erno said an 11 percent budget cut at the Revenue Department during 
the last budget period led to significantly less monitoring of 
security policies. "We have purposely scaled back some of our internal 
procedures," he said.

The audit report's findings included:

The department needs to do more regular security reviews.

Many employees continued to have security clearances after they 
changed jobs within the department or left state employment.

Too many information technology workers had too much access to 
sensitive tax data.

The department allowed too much access to its system by employees 
working from home, and sometimes allowed employees to share a 

Employees sometimes failed to change readily available default 
passwords on new software, and sometimes were slow to install software 
"patches" to frustrate hackers.

ISN is currently hosted by

To unsubscribe email [EMAIL PROTECTED] with 'unsubscribe isn'
in the BODY of the mail.

Reply via email to