Public Safety data not secure, audit finds

Public Safety data not secure, audit finds
Public Safety data not secure, audit finds 

By Mark Brunswick
Star Tribune
November 01, 2007

Minnesota's chief law enforcement agency failed to adequately safeguard 
non-public information in its computers and did not keep an accurate 
inventory of some of its most critical property, such as its laptops and 
cell phones, an audit found on Thursday.

The Department of Public Safety deals with sensitive issues such as 
homeland security and statewide criminal investigations.

A report from the Legislative Auditor released Thursday showed that as 
late as May of this year, nearly 950 of the department's laptops were 
not encrypted, despite specific state policy requiring it. In addition, 
about 300 of the department's laptops had no physical security, such as 
cable locks.

The audit also found that the department did not adequately review 
employee security profiles for excessive or unnecessary use of the 
department's computer system. As of April of this year, five employees 
had access to the department's system even though they no longer worked 
for Public Safety.

Without proper controls over the laptops, confidential non-public 
information could be compromised, the audit warns.

Audit manager David Poliseno said he considered the Public Safety 
findings "quite significant." The department, he said, lacked the proper 
supervisory review and had left itself open to exploitation and possible 

"We don't believe any of that has happened," Poliseno said, "but we 
found serious weaknesses in the system."

When auditors asked why hundreds of laptops with sensitive non-public 
data were not encrypted, Poliseno said, "we were told it was because 
they hadn't gotten around to it yet." That coupled with the department's 
inability to track its physical inventory, he said, leaves the state 
open to inadvertent disclosure of data.

Public Safety officials said there were no instances where confidential 
or secure data was compromised because of any issues in the audit's 

The department said it is conducting mandatory inventory training and 
all divisions will be required to complete a physical inventory by June 
of next year. In addition, the department said that it has attempted to 
implement encryption for its laptops but that it has required extensive 
planning, testing and financial investment.

The department asked for about $6 million for the next two budget years 
for disaster recovery and to upgrade its security system, but the 
Legislature provided less than half of what was asked for.

"We have absolutely no indication that there was any private or 
sensitive data that was compromised. It's an issue of the schedule of 
getting everything encrypted so that if something was lost it wouldn't 
be compromised," Deputy Commissioner Mary Ellison said.

The audit said the department did not adequately protect some of its 
most important assets, including equipment costing over $5,000 and 
sensitive property defined as such things as portable computers, cell 
phones and other items that can be easily stolen. There was no 
indication that dangerous inventory such as firearms and other weapons 
were not adequately protected, department officials said.

CSI 2007 is the only conference that delivers a business-focused
overview of enterprise security. It will convene 1,500+ delegates,
80 exhibitors and features 100+ sessions/seminars providing a
roadmap for integrating policies and procedures with new tools
and techniques.  Register now for savings on conference fees   
and/or free exhibits admission. - 

Site design & layout copyright © 1986-2015 CodeGods