http://www.twincities.com/mld/pioneerpress/news/politics/8222341.htm BY PATRICK SWEENEY Pioneer Press Mar. 19, 2004 The Minnesota Revenue Department's computer system that processes $5.5 billion a year in income taxes has multiple shortcomings that could allow employees improper access to tax returns, a new audit concludes. "Our overall conclusion was we just didn't think the Department of Revenue had the level of security controls that we expected to find," said Christopher Buse, who led a four-person legislative audit team that examined the computer system. An 18-page report released Thursday recommends the Revenue Department do far more to limit access to the computer system by employees who do not have a current need to use it in their jobs, and to quickly patch security flaws in software. Department officials said, and Buse agreed, that the auditors found no significant problems with security measures the Revenue Department has in place to prevent outside hackers from obtaining confidential taxpayer information. "The firewall, itself, was pretty darn good," Buse said of the external security. Buse said the auditors found no evidence that any hackers had gained access to the tax data, nor any evidence that employees used the computer system improperly. But he also said that auditors did not probe for such evidence. The most serious internal security problems are not listed in the auditors' public report. Instead, those problems were detailed in five confidential memos to the department. "We outlined a litany of detailed security weaknesses that we think the department needs to address," Buse said. Dennis Erno, a deputy revenue commissioner, did not dispute the audit team's findings and said many of the fixes the auditors recommended already have been made. "We can say emphatically that we have the strongest protection from outside sources that modern technology permits," Erno said. Erno said an 11 percent budget cut at the Revenue Department during the last budget period led to significantly less monitoring of security policies. "We have purposely scaled back some of our internal procedures," he said. The audit report's findings included: The department needs to do more regular security reviews. Many employees continued to have security clearances after they changed jobs within the department or left state employment. Too many information technology workers had too much access to sensitive tax data. The department allowed too much access to its system by employees working from home, and sometimes allowed employees to share a password. Employees sometimes failed to change readily available default passwords on new software, and sometimes were slow to install software "patches" to frustrate hackers. - ISN is currently hosted by Attrition.org To unsubscribe email majordomo@private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Mon Mar 22 2004 - 03:20:54 PST