Nobles and Buse warned legislators Wednesday that they will have to be prepared to pay more, particularly in salaries for information security experts, to safeguard computerized data.
State Sen. Claire Robling, R-Jordan, one of the legislators who received Nobles' report, said the problems detailed in the audit are serious, even though there have been no proven examples of data theft.
"Our systems are not very secure," Robling said. The report issued Wednesday â€” available at www.auditor.leg.state.mn.us â€” says some recommendations for security improvements made in 2000 and 2002 have not been acted on by state officials.
The report offers a general description of security problems that the audit staff reported in much greater detail in private documents delivered to state information technology officials. Auditors kept the information private so it would not provide a roadmap to hackers on how to compromise the state computers.
Problems cited in the most recent audit report include:
â€¢ Too many state employees have security clearances that give them wide access across multiple state computer systems.
â€¢ Too many employees are allowed physical access to mainframe computers.
â€¢ Some computer accounts allow users access to data without passwords, and software programs that require passwords to be changed regularly are sometimes bypassed.
â€¢ State employees working from home receive unencrypted data, making it easier for hackers to steal.
In at least one case, did not change the default password supplied with a software product wasn't changed, leaving the software accessible to hackers.
Buse said it is not possible for state officials to shut down most of the computer systems at risk, as they had with the online license tab renewal system.
"The guts of government run on these machines," he said of the mainframe computers, " and there are not alternative manual processes to fall back on."