Seal of the Commonwealth of Massachusetts
Massachusetts Audit Explorer - what the State Auditor found

← all audits

Audit of Cybersecurity Awareness Training Compliance Across Multiple State Agencies - Cape Ann Regional Transit Authority

November 8, 2024 · Cape Ann Regional Transit Authority · Read the full official report on mass.gov ↗

Published November 8, 2024 Audit covers July 1, 2021 – April 30, 2023 Under Diana DiZoglio · 2023–present

In plain English
A state audit found that many Massachusetts agencies, public colleges, and regional transit authorities did not make sure all employees completed required cybersecurity awareness training on time, or at all.
source
“EOTSS did not ensure that all of its employees completed cybersecurity awareness training.”
Read the plain-English breakdown
What is this?

This is an official Massachusetts State Auditor performance audit about whether government employees completed cybersecurity awareness training during the audit period.

“The purpose of our audit was to determine whether EOTSS and the above executive branch agencies, state colleges and universities, and regional transit authorities ensured that their employees completed cybersecurity awareness training in accordance with Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010.”
Why was it audited?

The Auditor checked compliance because state technology rules require new employees to get cybersecurity training soon after orientation and require yearly refresher training after that.

“To ensure that employees in all Commonwealth agencies within the executive branch are clear on their responsibilities, EOTSS’s policies and procedures require that all newly hired employees3 must complete an initial cybersecurity awareness training course within 30 days of their orientation, and that all existing employees4 complete an annual refresher cybersecurity awareness course.”
Why it matters

If workers are not trained, agencies may be more vulnerable to cyberattacks, money losses, and damage to public trust.

“If executive branch agencies do not ensure that all of their employees complete cybersecurity awareness training, then they may expose themselves to an increased risk of cybersecurity attacks and financial and/or reputational losses.”
What's in it for me?

For residents, this matters because these agencies handle public services and information; better training helps protect government systems that people rely on.

“The objective of the Commonwealth information security training is to educate users on their responsibility to help protect the confidentiality, availability and integrity of the Commonwealth’s information assets.”
The bottom line

The audit’s answer was no: the audited organizations did not consistently ensure that employees completed cybersecurity awareness training as required or expected.

“No; see Findings 1, 2, 3, and 4”
What happens next

The Auditor recommended stronger policies, better tracking, required training for all employees, and consequences such as limiting access until training is completed.

“The aforementioned three regional transit authorities should do the following:”
Why it's significant

This is significant because the audit covered EOTSS plus 22 other agencies and found problems across executive branch agencies, state colleges and universities, and regional transit authorities.

“Pursuant to our governing statute, Section 12 of Chapter 11 of the General Laws, our audit covers multiple entities’ compliance with EOTSS’s cybersecurity training standards.”
Jargon, unpacked

“Cybersecurity awareness training” means basic training that teaches employees how to help protect government information and systems from cyber risks.

“Commonwealth Offices and Agencies must ensure that all personnel are trained on all relevant rules and regulations for cybersecurity.”

What the Auditor checked

What the Auditor found

EOTSS did not ensure that all employees completed required cybersecurity awareness training.
cybersecurityinternal controlsrecordkeeping/documentation

Why it matters: This increased EOTSS’s risk of cybersecurity attacks and financial or reputational losses.

Standard: Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 ( Section 6.2.3 of EOTSS’s Information Security Risk Management Standard IS.010; Section 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 )

4 recommendations
  • EOTSS should strengthen their policy to improve oversight of executive branch state agencies, including their timely completion of cybersecurity awareness trainings.
  • EOTSS should ensure that all employee training transcripts for all employees are maintained and include records regarding cybersecurity awareness training completion.
  • EOTSS should ensure that all of its employees complete cybersecurity awareness training within 30 days of orientation and annually thereafter.
  • EOTSS should establish procedures to monitor employee cybersecurity awareness training completion rates throughout the training cycle and use historical data retained by HRD to ensure that employees meet training deadlines.
Agency response & Auditor reply
Agency: "Moving forward, EOTSS will evaluate its internal processes to identify areas for improvement related to new hire orientation and contractor onboarding."
Auditor: "Based on its response, EOTSS has indicated that it will take steps to address our concerns on this matter."
Nine executive branch agencies did not ensure that all employees completed required cybersecurity awareness training.
cybersecurityinternal controlsrecordkeeping/documentation

Why it matters: The agencies faced increased risk of cybersecurity attacks and financial or reputational losses.

Standard: Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 ( Section 6.2.3 of EOTSS’s Information Security Risk Management Standard IS.010; Section 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 )

3 recommendations
  • The nine executive branch agencies should provide cybersecurity awareness training to all full-time employees, contractors, and interns.
  • The nine executive branch agencies should monitor cybersecurity awareness training completion rates and use HRD historical data to ensure deadlines are met.
  • The nine executive branch agencies should add controls to ensure onboarding includes all required cybersecurity awareness coursework.
Agency response & Auditor reply
Agency: "DOR agrees with the results of the audit."
Auditor: "Based on its response, DOR has taken, and will continue to take, measures to address our concerns regarding this matter."
Seven state colleges and universities did not ensure that all employees completed cybersecurity awareness training.
cybersecurityinternal controlsrecordkeeping/documentation

Why it matters: The colleges and universities faced increased risk of cybersecurity attacks and financial or reputational losses.

Standard: Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 ( Section 6.2.3 of EOTSS’s Information Security Risk Management Standard IS.010; Section 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 )

2 recommendations
  • The seven state colleges and universities should update their cybersecurity awareness training policies to require training for all employees.
  • The seven state colleges and universities should update their cybersecurity awareness training policies to include consequences for non-completion.
Agency response & Auditor reply
Agency: "We are in agreement with the merits of the [EOTSS] Standard and the University is now aligned with the goals of the cybersecurity awareness training."
Auditor: "As noted above within the auditees’ responses, many colleges and universities have already started addressing our concerns in this area."
Three regional transit authorities did not ensure that all employees completed cybersecurity awareness training.
cybersecurityinternal controlsrecordkeeping/documentation

Why it matters: The regional transit authorities faced increased risk of cybersecurity attacks and financial or reputational losses.

Standard: Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 ( Section 6.2.3 of EOTSS’s Information Security Risk Management Standard IS.010; Section 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 )

2 recommendations
  • The three regional transit authorities should update cybersecurity awareness training policies to require training for all employees.
  • The three regional transit authorities should update cybersecurity training policies to include consequences for non-completion.
Agency response & Auditor reply
Agency: "The Cape Ann Transportation Authority agrees with the recommendations."
Auditor: "We appreciate the responses provided by the regional transit authorities we audited."