Audit of Cybersecurity Awareness Training Compliance Across Multiple State Agencies - Department of Mental Health (November 8, 2024)
November 8, 2024 · Department of Mental Health · Read the full official report on mass.gov ↗
source
“The purpose of our audit was to determine whether EOTSS and the above executive branch agencies, state colleges and universities, and regional transit authorities ensured that their employees completed cybersecurity awareness training in accordance with Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010.”
Read the plain-English breakdown
This is a Massachusetts State Auditor performance audit of cybersecurity awareness training compliance across EOTSS and 22 other public entities for July 1, 2021 through April 30, 2023.
“This audit covers the period July 1, 2021 through April 30, 2023 and includes the following agencies:”
The Auditor reviewed whether these public entities followed EOTSS rules requiring new employees to take initial cybersecurity training and existing employees to take annual refresher training.
“Did EOTSS and other executive branch agencies, state colleges and universities, and regional transit authorities ensure that their employees completed cybersecurity awareness training in accordance with Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010?”
Cybersecurity training helps employees avoid mistakes that can lead to cyberattacks, financial losses, and damage to public trust.
“If executive branch agencies do not ensure that all of their employees complete cybersecurity awareness training, then they may expose themselves to an increased risk of cybersecurity attacks and financial and/or reputational losses.”
For ordinary residents, this matters because these agencies serve taxpayers, drivers, families, businesses, students, transit riders, and other members of the public.
“EOTSS provides responsive digital and security services that enable taxpayers, motorists, businesses, visitors, families, and other citizens to do business with the Commonwealth.”
The Auditor’s answer was no: the audited entities did not consistently ensure employees completed cybersecurity awareness training.
“No; see Findings 1, 2, 3, and 4”
The Auditor recommended that agencies tighten policies, monitor training completion, keep better records, and use consequences such as limiting system access when employees do not complete training.
“EOTSS should establish procedures to monitor employee cybersecurity awareness training completion rates throughout the training cycle and use historical data retained by HRD to ensure that employees meet training deadlines.”
The report is significant because it found gaps across multiple parts of state government, including the central technology office, other executive branch agencies, public colleges and universities, and regional transit authorities.
“This report covers 22 additional agencies’ compliance with EOTSS’s cybersecurity awareness training standard.”
“Cybersecurity awareness training” means training employees on their responsibility to help protect government information systems and data from security threats.
“The objective of the Commonwealth information security training is to educate users on their responsibility to help protect the confidentiality, availability and integrity of the Commonwealth’s information assets.”
What the Auditor checked
- Did not comply Did EOTSS and other executive branch agencies, state colleges and universities, and regional transit authorities ensure that their employees completed cybersecurity awareness training in accordance with Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010?
What the Auditor found
Why it matters: EOTSS may expose itself to an increased risk of cybersecurity attacks and financial and/or reputational losses.
Standard: Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 ( EOTSS’s Information Security Risk Management Standard IS.010, Section 6.2.3; EOTSS’s Information Security Risk Management Standard IS.010, Section 6.2.4 )
4 recommendations
- EOTSS should strengthen their policy to improve oversight of executive branch state agencies, including their timely completion of cybersecurity awareness trainings.
- EOTSS should ensure that all employee training transcripts for all employees are maintained and include records regarding cybersecurity awareness training completion.
- EOTSS should ensure that all of its employees complete cybersecurity awareness training within 30 days of orientation and annually thereafter.
- EOTSS should establish procedures to monitor employee cybersecurity awareness training completion rates throughout the training cycle and use historical data retained by HRD to ensure that employees meet training deadlines.
Agency response & Auditor reply
Agency: "Moving forward, EOTSS will evaluate its internal processes to identify areas for improvement related to new hire orientation and contractor onboarding."
Auditor: "Based on its response, EOTSS has indicated that it will take steps to address our concerns on this matter."
Why it matters: The agencies may expose themselves to an increased risk of cybersecurity attacks and financial and/or reputational losses.
Standard: Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 ( EOTSS’s Information Security Risk Management Standard IS.010, Section 6.2.3; EOTSS’s Information Security Risk Management Standard IS.010, Section 6.2.4 )
3 recommendations
- The agencies should provide cybersecurity awareness training to all full-time employees, contractors, and interns.
- The agencies should establish procedures to monitor employee cybersecurity awareness training completion rates throughout the training cycle and use historical data retained by HRD to ensure employees meet training deadlines.
- The agencies should implement additional controls to ensure that the new hire onboarding process includes all required coursework regarding cybersecurity awareness training.
Agency response & Auditor reply
Agency: "MPB concurs with [the Office of the State Auditor’s] recommendations to (1) provide cybersecurity awareness training (both an initial training within 30 days of orientation and an annual refresher training thereafter) to all full-time employees, contractors, and interns; and (2) establish procedures to monitor employee completion throughout the training cycle to ensure that staff are meeting the training deadlines."
Auditor: "Based on its response, MPB will take measures to address our concerns regarding this matter."
Why it matters: The colleges and universities may expose themselves to an increased risk of cybersecurity attacks and financial and/or reputational losses.
Standard: Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 ( EOTSS’s Information Security Risk Management Standard IS.010, Section 6.2.3; EOTSS’s Information Security Risk Management Standard IS.010, Section 6.2.4 )
2 recommendations
- The colleges and universities should update their cybersecurity awareness training policies to require this training for all employees.
- The colleges and universities should update their cybersecurity awareness training policies to include consequences for non-completion.
Agency response & Auditor reply
Agency: "We are in agreement with the merits of the [EOTSS] Standard and the University is now aligned with the goals of the cybersecurity awareness training."
Auditor: "As noted above within the auditees’ responses, many colleges and universities have already started addressing our concerns in this area."
Why it matters: The regional transit authorities may expose themselves to an increased risk of cybersecurity attacks and financial and/or reputational losses.
Standard: Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 ( EOTSS’s Information Security Risk Management Standard IS.010, Section 6.2.3; EOTSS’s Information Security Risk Management Standard IS.010, Section 6.2.4 )
2 recommendations
- The regional transit authorities should update their cybersecurity awareness training policies to require this training for all employees.agency: partially agreed
- The regional transit authorities should update their cybersecurity training policies to include consequences for non-completion.agency: partially agreed
Agency response & Auditor reply
Agency: "The Cape Ann Transportation Authority agrees with the recommendations."
Auditor: "We appreciate the responses provided by the regional transit authorities we audited."
More audits of this entity
Other Office of the State Auditor reports on Department of Mental Health .
-
Audit of Settlement Agreements and Confidentiality Clauses Across Multiple State Agencies - Department of Mental Health (January 28, 2025)State Agency / Office · January 28, 2025 - Audit of the Department of Mental HealthState Agency / Office · August 1, 2019