Audit questions Minnesota Education Department computer security

State computers that direct billions of dollars in state and federal funds to schools and contain private information on students need better security measures to protect that data and the network's integrity, Minnesota's legislative auditor has found.

The report released this week found no breaches or stolen data from the mammoth computer systems of the Minnesota Department of Education, but found that the department lacked "adequate internal controls" and comprehensive security plans and had failed to document where private data was held or the internal controls needed to secure it.

"The findings are very concerning to us," said Josh Collins, communications director for the Education Department. "The security of student data is very important to us." The department agreed with the audit's findings and vowed to work with the office of MN.IT Services, the state's information technology experts, to address them.

The report said the department employs more than 100 separate computer applications to track distribution of state aid to schools, teacher licensure, lunch programs and special education. A total of 60 MN.IT employees are assigned to the department, managing more than 1,000 department computers, servers, mobile devices and printers. Just two of the department's applications, the audit stated, processed $7.3 billion in state and federal payments to schools in 2012.

The audit concluded, among other things, that internal controls were not adequately protecting hardware and software. One important application used to parcel out billions of dollars in state funding "allowed simple passwords" and "permitted insecure methods to administer the system," the audit stated.

The legislative auditor found potential security weaknesses for the 21 servers that control the department's major applications. Some servers were not being regularly scanned for vulnerabilities, and problems that were found were not being addressed quickly, the audit said. Another finding: The department's systems lacked enough controls to prevent unauthorized access to its databases.

Unlike high-profile cases in which state driver's license data has been viewed inappropriately, this audit dealt with prevention, rather than response to an existing data problem. Cecile Ferkul, deputy legislative auditor, said one concern is that an unauthorized person could get into the system and make changes to the data or to an underlying program without being caught.

"These are important systems that process large amounts of state financial activity," Ferkul said. "Some of these systems have data about students."

Education Commissioner Brenda Cassellius and MN.IT Commissioner Carolyn Parnell agreed with the findings and outlined plans to address them.

Their letter to the legislative auditor pointed out that some of the potential vulnerabilities involve older "legacy systems" that eventually will be updated, including the application used to process state spending for schools. The two commissioners said they would create a team to work on "vulnerability management" that would regularly search for problems and respond to them.

"We're working on all of those," said Cathy de Moll, assistant commissioner at MN.IT. "We do security checks on 30,000 computers a day. We're watching all the time for attacks and breaches, protecting our systems from being brought down."

Jim Ragsdale • 651-925-5042