[ISN] STATE REVENUE DEPARTMENT: Agency's computer security too lax

From: InfoSec News (isn@private)
Date: Mon Mar 22 2004 - 00:27:03 PST

    http://www.twincities.com/mld/pioneerpress/news/politics/8222341.htm
    
    BY PATRICK SWEENEY
    Pioneer Press
    Mar. 19, 2004
    
    The Minnesota Revenue Department's computer system that processes $5.5 
    billion a year in income taxes has multiple shortcomings that could 
    allow employees improper access to tax returns, a new audit concludes.
    
    "Our overall conclusion was we just didn't think the Department of 
    Revenue had the level of security controls that we expected to find," 
    said Christopher Buse, who led a four-person legislative audit team 
    that examined the computer system.
    
    An 18-page report released Thursday recommends the Revenue Department 
    do far more to limit access to the computer system by employees who do 
    not have a current need to use it in their jobs, and to quickly patch 
    security flaws in software.
    
    Department officials said, and Buse agreed, that the auditors found no 
    significant problems with security measures the Revenue Department has 
    in place to prevent outside hackers from obtaining confidential 
    taxpayer information. "The firewall, itself, was pretty darn good," 
    Buse said of the external security.
    
    Buse said the auditors found no evidence that any hackers had gained 
    access to the tax data, nor any evidence that employees used the 
    computer system improperly. But he also said that auditors did not 
    probe for such evidence.
    
    The most serious internal security problems are not listed in the 
    auditors' public report. Instead, those problems were detailed in five 
    confidential memos to the department.
    
    "We outlined a litany of detailed security weaknesses that we think 
    the department needs to address," Buse said.
    
    Dennis Erno, a deputy revenue commissioner, did not dispute the audit 
    team's findings and said many of the fixes the auditors recommended 
    already have been made. "We can say emphatically that we have the 
    strongest protection from outside sources that modern technology 
    permits," Erno said.
    
    Erno said an 11 percent budget cut at the Revenue Department during 
    the last budget period led to significantly less monitoring of 
    security policies. "We have purposely scaled back some of our internal 
    procedures," he said.
    
    The audit report's findings included:
    
    The department needs to do more regular security reviews.
    
    Many employees continued to have security clearances after they 
    changed jobs within the department or left state employment.
    
    Too many information technology workers had too much access to 
    sensitive tax data.
    
    The department allowed too much access to its system by employees 
    working from home, and sometimes allowed employees to share a 
    password.
    
    Employees sometimes failed to change readily available default 
    passwords on new software, and sometimes were slow to install software 
    "patches" to frustrate hackers.
    
    
    