Audit of Cybersecurity Awareness Training Compliance Across Multiple State Agencies - Department of Labor Standards - Division of Apprentice Standards (November 8, 2024)
November 8, 2024 · Department of Labor Standards—Division of Apprentice Standards · Read the full official report on mass.gov ↗
source
“EOTSS did not ensure that all of its employees completed cybersecurity awareness training.”
Read the plain-English breakdown
This is a State Auditor performance audit of cybersecurity training compliance at EOTSS and other state-related entities.
“In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of the Executive Office of Technology Services and Security (EOTSS), as well as 22 other executive branch agencies, state colleges and universities, and regional transit authorities.”
Auditors wanted to see whether employees at the covered agencies actually completed cybersecurity awareness training required by EOTSS standards.
“The purpose of our audit was to determine whether EOTSS and the above executive branch agencies, state colleges and universities, and regional transit authorities ensured that their employees completed cybersecurity awareness training in accordance with Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010.”
When employees miss cybersecurity training, agencies may be more vulnerable to cyberattacks and the public costs that can follow.
“If executive branch agencies do not ensure that all of their employees complete cybersecurity awareness training, then they may expose themselves to an increased risk of cybersecurity attacks and financial and/or reputational losses.”
These agencies support public services that residents, drivers, taxpayers, businesses, and families use, so better cybersecurity training helps protect systems behind everyday government services.
“EOTSS provides responsive digital and security services that enable taxpayers, motorists, businesses, visitors, families, and other citizens to do business with the Commonwealth.”
The Auditor says the training standard is a basic cybersecurity practice and should be treated as the minimum expectation across the audited public entities.
“We regard EOTSS’s Information Security Risk Management Standard IS.010 as the baseline for best practices in cybersecurity awareness training across the Commonwealth’s agencies, and therefore, we used this as our audit criteria.”
EOTSS said it would review its processes and look for ways to improve tracking of former employees’ training records.
“Moving forward, EOTSS will evaluate its internal processes to identify areas for improvement related to new hire orientation and contractor onboarding.”
The report found the same basic problem across executive agencies, colleges and universities, and regional transit authorities: not everyone completed cybersecurity training.
“No; see Findings 1, 2, 3, and 4”
MassAchieve is the state training system used by executive branch agencies for cybersecurity awareness training.
“MassAchieve is a training platform used by executive branch agencies to administer cybersecurity awareness training.”
What the Auditor checked
- Did not comply Did EOTSS and other executive branch agencies, state colleges and universities, and regional transit authorities ensure that their employees completed cybersecurity awareness training in accordance with Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010?
What the Auditor found
Why it matters: EOTSS may expose itself to increased cybersecurity attack risk and financial or reputational losses.
Standard: Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 require initial cybersecurity awareness training for new personnel within 30 days of orientation and annual training for all personnel. ( Section 12 of Chapter 11 of the Massachusetts General Laws; EOTSS’s Information Security Risk Management Standard IS.010, Sections 6.2.3 and 6.2.4 )
4 recommendations
- EOTSS should strengthen its policy to improve oversight of executive branch state agencies, including their timely completion of cybersecurity awareness trainings.
- EOTSS should ensure all employee training transcripts are maintained and include cybersecurity awareness training completion records.
- EOTSS should ensure all employees complete cybersecurity awareness training within 30 days of orientation and annually thereafter.
- EOTSS should establish procedures to monitor training completion rates and use historical HRD data to ensure employees meet deadlines.
Agency response & Auditor reply
Agency: "Moving forward, EOTSS will evaluate its internal processes to identify areas for improvement related to new hire orientation and contractor onboarding."
Auditor: "Based on its response, EOTSS has indicated that it will take steps to address our concerns on this matter."
Why it matters: The agencies may expose themselves to increased cybersecurity attack risk and financial or reputational losses.
Standard: Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010. ( EOTSS’s Information Security Risk Management Standard IS.010, Sections 6.2.3 and 6.2.4 )
3 recommendations
- The nine executive branch agencies should provide initial and annual cybersecurity awareness training to all full-time employees, contractors, and interns.agency: partially agreed
- The agencies should monitor training completion rates and use HRD historical data to ensure employees meet training deadlines.agency: partially agreed
- The agencies should add controls to ensure onboarding includes all required cybersecurity awareness coursework.agency: partially agreed
Agency response & Auditor reply
Agency: "MPB concurs with [the Office of the State Auditor’s] recommendations to (1) provide cybersecurity awareness training (both an initial training within 30 days of orientation and an annual refresher training thereafter) to all full-time employees, contractors, and interns; and (2) establish procedures to monitor employee completion throughout the training cycle to ensure that staff are meeting the training deadlines."
Auditor: "Based on its response, MPB will take measures to address our concerns regarding this matter."
Why it matters: The colleges and universities may expose themselves to increased cybersecurity attack risk and financial or reputational losses.
Standard: Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010. ( EOTSS’s Information Security Risk Management Standard IS.010, Sections 6.2.3 and 6.2.4; US Government Accountability Office’s Generally Accepted Government Auditing Standards, Section 8.18 )
2 recommendations
- The seven state colleges and universities should update cybersecurity awareness training policies to require training for all employees.agency: partially agreed
- The seven state colleges and universities should update policies to include consequences for non-completion.agency: partially agreed
Agency response & Auditor reply
Agency: "We are in agreement with the merits of the [EOTSS] Standard and the University is now aligned with the goals of the cybersecurity awareness training."
Auditor: "As noted above within the auditees’ responses, many colleges and universities have already started addressing our concerns in this area."
Why it matters: The regional transit authorities may expose themselves to increased cybersecurity attack risk and financial or reputational losses.
Standard: Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010. ( EOTSS’s Information Security Risk Management Standard IS.010, Sections 6.2.3 and 6.2.4; Generally Accepted Government Auditing Standards 8.18 )
2 recommendations
- The three regional transit authorities should update cybersecurity awareness training policies to require training for all employees.agency: partially agreed
- The three regional transit authorities should update cybersecurity training policies to include consequences for non-completion.agency: partially agreed
Agency response & Auditor reply
Agency: "The Cape Ann Transportation Authority agrees with the recommendations."
Auditor: "We appreciate the responses provided by the regional transit authorities we audited."
More audits of this entity
Other Office of the State Auditor reports on Department of Labor Standards—Division of Apprentice Standards .
-
- Audit of the Department of Labor Standards - Division of Apprentice StandardsState Agency / Office · August 15, 2019