Seal of the Commonwealth of Massachusetts
Massachusetts Audit Explorer - what the State Auditor found

← all audits

Audit of Cybersecurity Awareness Training Compliance Across Multiple State Agencies - Department of Revenue (includes 62F Tax Review) (November 8, 2024)

November 8, 2024 · Department of Revenue (includes 62F Tax Review) · Read the full official report on mass.gov ↗

Published November 8, 2024 Audit covers July 1, 2021 – April 30, 2023 Under Diana DiZoglio · 2023–present

In plain English
The auditor found that many Massachusetts state agencies, colleges, universities, and transit authorities did not make sure every employee completed required cybersecurity training.
source
“The purpose of our audit was to determine whether EOTSS and the above executive branch agencies, state colleges and universities, and regional transit authorities ensured that their employees completed cybersecurity awareness training in accordance with Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010.”
Read the plain-English breakdown
What is this?

This is a state performance audit checking whether public employees got cybersecurity awareness training during the audit period.

“This audit covers the period July 1, 2021 through April 30, 2023 and includes the following agencies:”
Why was it audited?

The State Auditor reviewed whether agencies followed EOTSS cybersecurity training standards.

“Pursuant to our governing statute, Section 12 of Chapter 11 of the General Laws, our audit covers multiple entities’ compliance with EOTSS’s cybersecurity training standards.”
Why it matters

If employees miss cybersecurity training, agencies may be more vulnerable to cyberattacks and financial or reputational harm.

“If executive branch agencies do not ensure that all of their employees complete cybersecurity awareness training, then they may expose themselves to an increased risk of cybersecurity attacks and financial and/or reputational losses.”
What's in it for me?

This matters to ordinary residents because state technology systems support services used by taxpayers, motorists, businesses, visitors, families, and citizens.

“EOTSS provides responsive digital and security services that enable taxpayers, motorists, businesses, visitors, families, and other citizens to do business with the Commonwealth.”
The bottom line

The audit’s overall answer was no: the audited organizations did not fully ensure employees completed the required training.

“Did EOTSS and other executive branch agencies, state colleges and universities, and regional transit authorities ensure that their employees completed cybersecurity awareness training in accordance with Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010?”
What happens next

EOTSS said it would look for improvements, and the auditor said the office would check back after the audit.

“We will follow up on this during our post-audit review process in approximately six months.”
Why it's significant

The report treats cybersecurity training as a basic safeguard for public agencies, not a minor paperwork issue.

“Cybersecurity awareness policies are not just guidelines; they are essential safeguards in today’s digital landscape.”
Jargon, unpacked

EOTSS is the state technology office; cybersecurity awareness training teaches workers how to protect state information systems and data.

“The objective of the Commonwealth information security training is to educate users on their responsibility to help protect the confidentiality, availability and integrity of the Commonwealth’s information assets.”

1 figure(s) pending source verification - not shown

What the Auditor checked

What the Auditor found

Nine executive branch agencies did not ensure that all employees completed required cybersecurity awareness training.
cybersecurityinternal controlsrecordkeeping/documentation

Why it matters: The agencies may face increased risk of cybersecurity attacks and financial and/or reputational losses.

Standard: Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 ( Section 6.2.3 of EOTSS’s Information Security Risk Management Standard IS.010; Section 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 )

3 recommendations
  • The nine executive branch agencies should provide initial cybersecurity awareness training within 30 days of orientation and annual refresher training thereafter to all full-time employees, contractors, and interns.agency: partially agreed
  • The nine executive branch agencies should establish procedures to monitor completion rates throughout the training cycle and use historical HRD data to ensure employees meet deadlines.agency: partially agreed
  • The nine executive branch agencies should implement additional controls to ensure that new hire onboarding includes all required cybersecurity awareness training coursework.agency: partially agreed
Agency response & Auditor reply
Agency: "DLS] management agrees with the finding."
Auditor: "Based on its response, DLS will take measures to address our concerns regarding this matter."
Seven state colleges and universities did not ensure that all employees completed required cybersecurity awareness training.
cybersecurityinternal controlsrecordkeeping/documentation

Why it matters: The colleges and universities may face increased risk of cybersecurity attacks and financial and/or reputational losses.

Standard: Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 ( Section 6.2.3 of EOTSS’s Information Security Risk Management Standard IS.010; Section 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 )

2 recommendations
  • The seven state colleges and universities should update their cybersecurity awareness training policies to require this training for all employees.agency: agreed
  • The seven state colleges and universities should update their cybersecurity awareness training policies to include consequences for non-completion, such as access restriction until training is completed.agency: agreed
Agency response & Auditor reply
Agency: "We are in agreement with the merits of the [EOTSS] Standard and the University is now aligned with the goals of the cybersecurity awareness training."
Auditor: "As noted above within the auditees’ responses, many colleges and universities have already started addressing our concerns in this area."
Three regional transit authorities did not ensure that all employees completed required cybersecurity awareness training.
cybersecurityinternal controls

Why it matters: The regional transit authorities may face increased risk of cybersecurity attacks and financial and/or reputational losses.

Standard: Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 ( Section 6.2.3 of EOTSS’s Information Security Risk Management Standard IS.010; Section 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 )

2 recommendations
  • The three regional transit authorities should update their cybersecurity awareness training policies to require this training for all employees.agency: partially agreed
  • The three regional transit authorities should update their cybersecurity training policies to include consequences for non-completion, such as restricting access until training is completed.agency: partially agreed
Agency response & Auditor reply
Agency: "The Cape Ann Transportation Authority agrees with the recommendations."
Auditor: "We appreciate the responses provided by the regional transit authorities we audited."

More audits of this entity

Other Office of the State Auditor reports on Department of Revenue (includes 62F Tax Review) .

See this entity's page with all 2 audits →