By Mark Brunswick
November 01, 2007
Minnesota's chief law enforcement agency failed to adequately safeguard
non-public information in its computers and did not keep an accurate
inventory of some of its most critical property, such as its laptops and
cell phones, an audit found on Thursday.
The Department of Public Safety deals with sensitive issues such as
homeland security and statewide criminal investigations.
A report from the Legislative Auditor released Thursday showed that as
late as May of this year, nearly 950 of the department's laptops were
not encrypted, despite specific state policy requiring it. In addition,
about 300 of the department's laptops had no physical security, such as
The audit also found that the department did not adequately review
employee security profiles for excessive or unnecessary use of the
department's computer system. As of April of this year, five employees
had access to the department's system even though they no longer worked
for Public Safety.
Without proper controls over the laptops, confidential non-public
information could be compromised, the audit warns.
Audit manager David Poliseno said he considered the Public Safety
findings "quite significant." The department, he said, lacked the proper
supervisory review and had left itself open to exploitation and possible
"We don't believe any of that has happened," Poliseno said, "but we
found serious weaknesses in the system."
When auditors asked why hundreds of laptops with sensitive non-public
data were not encrypted, Poliseno said, "we were told it was because
they hadn't gotten around to it yet." That coupled with the department's
inability to track its physical inventory, he said, leaves the state
open to inadvertent disclosure of data.
Public Safety officials said there were no instances where confidential
or secure data was compromised because of any issues in the audit's
The department said it is conducting mandatory inventory training and
all divisions will be required to complete a physical inventory by June
of next year. In addition, the department said that it has attempted to
implement encryption for its laptops but that it has required extensive
planning, testing and financial investment.
The department asked for about $6 million for the next two budget years
for disaster recovery and to upgrade its security system, but the
Legislature provided less than half of what was asked for.
"We have absolutely no indication that there was any private or
sensitive data that was compromised. It's an issue of the schedule of
getting everything encrypted so that if something was lost it wouldn't
be compromised," Deputy Commissioner Mary Ellison said.
The audit said the department did not adequately protect some of its
most important assets, including equipment costing over $5,000 and
sensitive property defined as such things as portable computers, cell
phones and other items that can be easily stolen. There was no
indication that dangerous inventory such as firearms and other weapons
were not adequately protected, department officials said.
CSI 2007 is the only conference that delivers a business-focused
overview of enterprise security. It will convene 1,500+ delegates,
80 exhibitors and features 100+ sessions/seminars providing a
roadmap for integrating policies and procedures with new tools
and techniques. Register now for savings on conference fees
and/or free exhibits admission. - www.csiannual.com