Report Rips Security In Michigan's Treasury Department

A report by the state auditor general says the department isn't doing a good job protecting access to mainframe information systems, potentially compromising access to taxpayers' records.

information Staff, Contributor

June 18, 2003


Michigan's Treasury Department isn't doing a good job protecting access to its mainframe information systems, potentially compromising the privacy of taxpayer records, according to a report issued by the state auditor general.

"The department's general controls over access to its mainframe information systems weren't effective," the report says. "As a result, there was a significant risk that the department's system of internal control couldn't prevent or detect unauthorized access to or use of confidential taxpayer information or the execution of fraudulent financial transactions."

The auditor general's office says the Treasury and IT departments have acknowledged the problems and are fixing them. Both departments have made improvements in the internal control over information systems; however, action was still required to fully correct the conditions cited in the report. Full compliance is expected by the end of September, the auditor general says.

What problems did the system face? According to the audit report, Treasury failed to establish:

A comprehensive IS security program. Without a comprehensive security program, the auditor says, management can't ensure that its internal control is operating as intended and that sensitive information will remain confidential.

Effective organizational controls to support critical IT. Auditors discovered that many of their findings were related, in part, to incompatible job assignments, critical functions not being assigned, or insufficient expertise in control standards and techniques and information security.

Controls over access to its critical production system account. Access to the production system account can be used to gain unauthorized access to critical Treasury information resources that may go undetected, the audit says.

Effective access controls to mainframe IT files. Treasury stores thousands of files on the state's mainframe computer system. These files support the department's major tax systems as well as financial and other information systems. "We reviewed the access controls for these files and identified material-control conditions that prevent the department from maintaining the integrity and confidentiality of its information systems," the audit says.

Effectual access controls to its production, tax, and other information systems. Without effective access control to production application systems, the audit says, Treasury can't maintain the integrity of confidential taxpayer records and critical financial records.

Useful program and data-change controls. "This environment," the audit concludes, "doesn't provide department management with sufficient control to reduce the risk of unauthorized data changes to a reasonable level."
