Trustworthy Information Systems Handbook: Section 11
Bibliography
Minnesota Legislative Auditor Reports, 1996 to Present.
Office of the Legislative Auditor.
Complete summaries of the following reports are offered at: http://www.auditor.leg.state.mn.us/
Department of Public Safety Security Audit: Web-based Motor Vehicle Registration Renewal System. April 2005. Report No. 05-23.
{need for comprehensive security program; formal systems development standards and systems security tests; security standards for wireless technologies; periodic scans for unauthorized wireless access points; documentation of access control standards; access in line with employee duties; no sharing of accounts and passwords; use of complex passwords; procedures for promptly installing security-related patches; need to define security events to log; regular review of security logs; periodic system scans for known security weaknesses}
Minnesota Board of Podiatric Medicine, July 1, 2000 through June 30, 2003. February 2005. Report No. 05-10.
{need to restrict access to systems; separation of incompatible duties and security clearances; access in line with employee duties}
Minnesota Board of Marriage and Family Therapy, July 1, 2000 through June 30, 2003. February 2005. Report No. 05-08.
{need to restrict access to systems; separation of incompatible duties and security clearances; access in line with employee duties}
Minnesota Board of Dietetics and Nutrition Practice, July 1, 2000 through June 30, 2003. February 2005. Report No. 05-07.
{need to restrict access to systems; separation of incompatible duties and security clearances; access in line with employee duties}
Minnesota Board of Dentistry, July 1, 2000 through June 30, 2003. February 2005. Report No. 05-06.
{need to restrict access to systems; separation of incompatible duties and security clearances; access in line with employee duties}
Minnesota Board of Chiropractic Examiners, July 1, 2000 through June 30, 2003. February 2005. Report No. 05-05.
{need to restrict access to systems; separation of incompatible duties and security clearances; access in line with employee duties}
Minnesota Board of Veterinary Medicine, July 1, 2000 through June 30, 2003. January 2005. Report No. 05-04.
{need to restrict access to systems; separation of incompatible duties and security clearances; access in line with employee duties}
Minnesota Board of Nursing, July 1, 2000 through June 30, 2003. January 2005. Report No. 05-03.
{need for review of access to systems; need to restrict access to systems}
Department of Human Services, State Operated Services, July 1, 2002 through December 31, 2003. September 2004. Report No. 04-40.
{separation of incompatible duties and security clearances; access in line with employee duties}
Minnesota State Colleges and Universities: Information Technology Security Follow-Up. September 2004. Report No. 04-39.
{need for comprehensive security program}
Financial Audit Division Report: Minnesota State Colleges and Universities. September 2004. Report No. 04-37.
{access in line with employee duties; separation of incompatible duties and security clearances}
Financial Audit Division Report: Departments of Employee Relations, Finance, and Administration, SEMA4 Information Technology Audit. August 2004. Report No. 04-36.
{password management; access in line with employee duties; audit trails for individuals}
Financial Audit Division Report: Minnesota State Court System, Fourth Judicial District, Seventh Judicial District. August 2004. Report No. 04-35.
{separation of incompatible duties and security clearances; access in line with employee duties; restriction of access to private data}
Financial Audit Division Report: Department of Transportation, Fiscal Years 2001 through 2003. August 2004. Report No. 04-34.
{separation of incompatible duties and security clearances}
Financial Audit Division Report: Minnesota State Colleges and Universities Data Warehouse Controls Information Technology Audit. July 2004. Report No. 04-29.
{development and documentation of formal data extraction standards and procedures; periodic information technology risk assessments; development of detailed system security baselines; independent assessment of security controls; separation of incompatible duties and security clearances}
Financial Audit Division Report: Minnesota State Colleges and Universities, Degree Audit Reporting and Course Applicability Systems Information Technology Audit. July 2004. Report No. 04-28.
{need for comprehensive security infrastructure; active management of systems; periodic testing and validation of controls; separation of incompatible duties and security clearances; access to data from uncontrolled environments and interfaces; access in line with employee duties; password management; audit trails for individuals}
Financial Audit Division Report: Department of Health, Fiscal Years 2001 through 2003. June 2004. Report No. 04-26.
{separation of incompatible duties and security clearances}
Financial Audit Division Report: Department of Agriculture, Fiscal Years 2001 through 2003. June 2004. Report No. 04-24.
{periodic review of appropriateness of security clearances}
Financial Audit Division Report: Perpich Center for Arts Education, Fiscal Years 2001 through 2003. June 2004. Report No. 04-23.
{need for records retention schedule}
Financial Audit Division Report: State Agricultural Society, Year Ended October 21, 2003. May 2004. Report No. 04-20.
{need for comprehensive security infrastructure addressing current information technology risks}
Information Technology Audit: Department of Revenue, Selected Individual Income Tax Processing Controls. March 2004. Report No. 04-16.
{need for periodic information technology risk assessments; need to develop detailed system security baselines; independent assessment of security controls; need to develop standard access request protocols; timely review of security clearances; password management; audit trails for individuals; access in line with employee duties; control of network access points; review systems for unnecessary and insecure services; prompt installation of security-related patches; ongoing monitoring of systems for security-related events}
Management Letter: Department of Administration, Fiscal Year Ended June 30, 2003. March 2004. Report No. 04-14.
{access controls for computer program libraries}
Management Letter: Department of Human Services, Fiscal Year Ended June 30, 2003. March 2004. Report No. 04-11.
{password and account management; access controls for computer program libraries}
Information Technology Audit: Department of Finance, Information Warehouse Data Integrity Audit. February 2004. Report No. 04-07.
{No major weaknesses were identified.}
Financial-Related Audit: Minnesota State Colleges and Universities, SCUPPS Information Technology Audit. June 2003. Report No. 03-33.
{timely review of security clearances; access in line with employee duties; formal standards and procedures for access; access controls for mission-critical systems; password management, monitoring of security-related events; encryption during file transmission}
Financial-Related Audit: Saint Paul College, July 1, 1999 - June 30, 2002. June 2003. Report No. 03-31.
{timely review of security clearances; access in line with employee duties; unique user accounts}
Financial-Related Audit: Anoka Ramsey Community College, July 1, 2000 - June 30, 2002. June 2003. Report No. 03-28.
{timely review of security clearances; access in line with employee duties}
Financial-Related Audit: Anoka-Hennepin Technical College, July 1, 2000 - June 30, 2002. May 2003. Report No. 03-24.
{timely review of security clearances; access in line with employee duties; unique user accounts}
Management Letter: Department of Finance, Fiscal Year Ended June 30, 2002. March 2003. Report No. 03-17.
{timely review of security clearances; access in line with employee duties; unique user accounts; password control}
Management Letter: Department of Children, Families & Learning, Fiscal Year Ended June 30, 2002. March 2003. Report No. 03-15.
{documentation of system design; cross-training of computer staff}
Financial-Related Audit: Department of Finance, MAPS Interface Controls. November 2002. Report No. 02-68.
{timely review of security clearances, access in line with employee duties; password control and encryption, encryption of data over public networks; data quality checks}
Financial-Related Audit: Department of Natural Resources, July 1, 1999, through June 30, 2002. October 2002. Report No. 02-65.
{timely review of security clearances, access in line with employee duties; procedures; written documentation}
Financial-Related Audit: Public Employees Retirement Association. September 2002. Report No. 02-62.
{lack of comprehensive security program leading to numerous weaknesses}
Financial-Related Audit: Minnesota Veterans Homes Board, July 1, 1997, through June 30, 2002. September 2002. Report No. 02-61.
{access in line with employee duties}
Financial-Related Audit: Minnesota Housing Finance Agency, July 1, 1997, through June 30, 2002. September 2002. Report No. 02-59.
{timely review of security clearances, access in line with employee duties}
Financial-Related Audit: Metropolitan State University, July 1, 1999, through June 30, 2001. September 2002. Report No. 02-58.
{timely review of security clearances, access in line with employee duties; procedures; written documentation}
Financial-Related Audit: Department of Employee Relations, Department of Finance SEMA4 Information Technology Audit. August 2002. Report No. 02-57.
{access in line with employee duties; encryption during file transmission}
Financial-Related Audit: Department of Human Services MAXIS Data Integrity Audit. August 2002. Report No. 02-53.
{access in line with employee duties; access controls to mission-critical programs; information technology risk assessment}
Financial-Related Audit: Hennepin Technical College, July 1, 1998, through June 30, 2001. July 2002. Report No. 02-46.
{access in line with employee duties}
Financial-Related Audit: Minnesota West Community and Technical College, July 1, 1998, through June 30, 2001. June 2002. Report No. 02-43.
{access in line with employee duties}
Financial-Related Audit: Minnesota State Colleges and Universities, Office of the Chancellor, July 1, 1998, through June 30, 2001. June 2002. Report No. 02-42.
{timely review of security clearances, access in line with employee duties}
Financial-Related Audit: Vermillion Community College, July 1, 1998, through June 30, 2001. June 2002. Report No. 02-37.
{timely review of security clearances, access in line with employee duties; procedures; written documentation}
Financial-Related Audit: Mesabi Range Community and Technical College, July 1, 1998, through June 30, 2001. June 2002. Report No. 02-36.
{timely review of security clearances, access in line with employee duties; procedures; written documentation}
Financial-Related Audit: Department of Administration InterTechnologies Group, System-Wide Access to Mainframe Data Follow-up. May 2002. Report No. 02-26.
{timely review of security clearances; access in line with employee duties; written documentation}
Management Letter: State Agricultural Society for the Year Ended October 31, 2001. April 2002. Report No. 02-23.
{lack of comprehensive security program; written documentation}
Management Letter: Department of Children, Families and Learning Fiscal Year Ended June 30, 2001. April 2002. Report No. 02-16.
{lack of training}
Management Letter: Department of Administration, Fiscal Year Ended June 30, 2001. January 2002. Report No. 02-05.
{access in line with employee duties}
Financial-Related Audit: Anoka-Hennepin Technical College, July 1, 1997, through June 30, 2000. October 2001. Report No. 01-50.
{access in line with employee duties; password control}
Financial-Related Audit: Inver Hills Community College, July 1, 1997, through June 30, 2000. October 2001. Report No. 01-49.
{timely review of security clearances; access in line with employee duties}
Financial-Related Audit: Department of Public Safety, Web-Based Motor Vehicle Registration Renewal System as of April 2001. August 2001. Report No. 01-43.
{system-development planning; formal risk assessment; timely review of security clearances; access in line with employee duties; password control; physical environment; security incident detection and response; written documentation of system, standards, policies, and procedures}
Financial-Related Audit: Perpich Center for Arts Education, July 1, 1997, through June 30, 2000. August 2001. Report No. 01-40.
{accuracy of records}
Financial-Related Audit: Rochester Community and Technical College, July 1, 1997, through June 30, 2000. July 2001. Report No. 01-37.
{periodic review of system security; timely review of security clearances; access in line with employee duties}
Financial-Related Audit: Minnesota State College - Southeast Technical, Three Years Ended June 30, 2000. July 2001. Report No. 01-36.
{access in line with employee duties; written documentation}
Financial-Related Audit: Office of the Ombudsman for Mental Health and Mental Retardation, July 1, 1997, through June 30, 2000. June 2001. Report No. 01-32.
{access in line with employee duties; written documentation}
Financial-Related Audit: Riverland Community College, July 1, 1997, through June 30, 2000. June 2001. Report No. 01-30.
{timely review of security clearances; access in line with employee duties}
Financial-Related Audit: Hibbing Community College, Three Fiscal Years Ended June 30, 2000. May 2001. Report No. 01-28.
{access in line with employee duties}
Financial-Related Audit: Board of Barber Examiners, July 1, 1995, through June 30, 2000. May 2001. Report No. 01-21.
{access controls; disaster recovery plans, system backups}
Management Letter: State Agricultural Society For the Year Ended October 31, 2000. April 2001. Report No. 01-19.
{written system documentation}
Financial-Related Audit: North Hennepin Community College, July 1, 1997, through June 30, 2000. March 2001. Report No. 01-16.
{timely review of security clearances; access in line with employee duties}
Financial Audit: Minnesota Council on Disability, July 1, 1997, through June 30, 2000. February 2001. Report No. 01-03.
{access in line with employee duties}
Financial-Related Audit: Minnesota State Colleges and Universities System Access to MnSCU Data. November 2000. Report No. 00-53.
{formal risk assessment; timely review of security clearances; access in line with employee duties; security policies and procedures}
Financial-Related Audit: Ombudsman for Corrections, Three Fiscal Years Ending June 30, 2000. October 2000. Report No. 00-50.
{timely review of security clearances}
Financial-Related Audit: Department of Administration Intertechnologies Group, System-wide Access to Mainframe Data. October 2000. Report No. 00-49.
{timely review of security clearances; access in line with employee duties; written documentation}
Financial-Related Audit: Department of Finance, Information Warehouse Data Integrity as of May 2000. September 2000. Report No. 00-45.
{access in line with employee duties; password controls}
Financial-Related Audit: Minneapolis Community and Technical College, July 1, 1996, through December 31, 1999. September 2000. Report No. 00-44.
{access in line with employee duties; unique user IDs and passwords}
Financial-Related Audit: Alexandria Technical College, July 1, 1996, through December 31, 1999. September 2000. Report No. 00-43.
{access in line with employee duties; records retention policies, documentation, and training}
Financial-Related Audit: Lake Superior College, July 1, 1996, through December 31, 1999. September 2000. Report No. 00-42.
{timely review of security clearances; access in line with employee duties}
Financial-Related Audit: Pine Technical College, July 1, 1996, through December 31, 1999. August 2000. Report No. 00-41.
{timely review of security clearances; access in line with employee duties}
Financial-Related Audit: Departments of Commerce and Public Service, July 1, 1996, through December 31, 1999. August 2000. Report No. 00-40.
{system audit trails}
Financial-Related Audit: Minnesota State University Moorhead, July 1, 1996, through December 31, 1999. August 2000. Report No. 00-37.
{timely review of security clearances; access in line with employee duties}
Financial-Related Audit: Dakota County Technical College, July 1, 1996, through December 31, 1999. August 2000. Report No. 00-36.
{timely review of security clearances; access in line with employee duties}
Financial-Related Audit: Normandale Community College, July 1, 1996, through December 31, 1999. August 2000. Report No. 00-35.
{access in line with employee duties; control of user IDs}
Financial-Related Audit: Public Utilities Commission, July 1, 1997, through December 31, 1999. July 2000. Report No. 00-34.
{timely review of security clearances}
Selected-Scope Financial Audit Report: Department of Corrections, Three Fiscal Years Ended June 30, 1999. July 2000. Report No. 00-32.
{timely review of security clearances}
Audit Report: Metropolitan State University, Period from July 1, 1996, through December 31, 1999. July 2000. Report No. 00-29.
{timely review of security clearances; access in line with employee duties; unique passwords}
Financial Audit: Anoka-Metro Regional Treatment Center, Three Fiscal Years Ended June 30, 1999. June 2000. Report No. 00-27.
{access in line with employee duties}
Financial Audit: Board of Architecture, Engineering, Land Surveying, Landscape Architecture, Geoscience, and Interior Design, July 1, 1996, through December 31, 1999. June 2000. Report No. 00-25.
{access control; written system documentation; user training; backup procedures and storage}
Financial Audit: Fergus Falls Community College, July 1, 1996, through December 31, 1999. June 2000. Report No. 00-24.
{timely review of security clearances}
Financial-Related Audit: Department of Economic Security Mainframe Scheduled Batch Processing and MIPS Accounting System for the Period Ending February 2000. May 2000. Report No. 00-21.
{timely review of security clearances; access in line with employee duties; quality controls; unique user accounts; password management}
Financial Audit: Winona State University, Period from July 1, 1996, through December 31, 1999. May 2000. Report No. 00-18.
{timely review of security clearances; access in line with employee duties; unique passwords}
Management Letter: State Agricultural Society for Year Ended October 31, 1999. April 2000. Report No. 00-14.
{written system documentation}
Financial-Related Audit: Board of Electricity for the Period July 1, 1996, through December 31, 1999. April 2000. Report No. 00-13.
{access in line with employee duties}
Department of Economic Security: Statewide Audit—Selected Audit Areas, Fiscal Year Ended June 30, 1998. March 1999. Report No. 99-21.
{security procedures; access controls; written documentation; disaster recovery plan}
Minnesota Department of Employee Relations, Minnesota Department of Finance, SEMA4 Database Security Audit. December 1998. Report No. 98-63.
{formal risk assessment; timely review of security clearances; password control; written documentation of system, policies, and procedures}
South Central Technical College Financial Audit: For the Period July 1, 1995, Through June 30, 1997. October 1998. Report No. 98-59.
{timely review of security clearances; access in line with employee duties; unique user IDs and passwords}
Department of Finance: Information Warehouse Data Integrity Review. June 1998. Report No. 98-36.
{data integrity and security; procedures}
Minnesota Veterans Homes Board: Financial Audit—Two Years Ended June 30, 1997. April 1998. Report No. 98-23.
{timely review of security clearances}
Department of Economic Security: Financial Audit—Fiscal Year Ended June 30, 1997. March 1998. Report No. 98-19.
{timely review of security clearances; access in line with employee duties; security administration; security procedures and documentation; disaster recovery plan}
Department of Children, Families and Learning, Selected Programs: Fiscal Year 1997 Statewide Audit. March 1998. Report No. 98-12.
{quality control; security administration; written documentation; user training; disaster recovery plan}
Department of Public Safety, Selected Programs: Fiscal Year 1997 Statewide Audit. February 1998. Report No. 98-10.
{transaction history files; access in line with employee duties; unique user accounts; disaster recovery plan}
Department of Labor and Industry: Financial Audit—Fiscal Year Ended June 30, 1997. February 1998. Report No. 98-5.
{timely review of security clearances; access in line with employee duties}
Minnesota Accounting and Procurement System / Minnesota Statewide Employee Management System. September 1996. Report No. 96-39.
{security administration; security policies; timely review of security clearances; access in line with employee duties; external systems}
Department of Human Services: Programs Selected for Statewide Audit for the Fiscal Year Ended June 30, 1995. June 1996. Report No. 96-22.
{access control; timely review of security clearances; access in line with employee duties; system documentation}
Department of Public Safety, Selected Programs: Fiscal Year 1995 Statewide Audit. April 1996. Report No. 96-15.
{transaction history files; access in line with employee duties; disaster recovery plan}
Department of Labor and Industry: Programs Selected for Fiscal Year 1995 Statewide Audit. February 1996. Report No. 96-8.
{access control; clearance in line with employee duties}
TIS Handbook last updated July 2002, Version 4.
Bibliography updated 27 April 2005




