Seal of the Commonwealth of Massachusetts
Massachusetts Audit Explorer - what the State Auditor found

← all audits

Audit of Cybersecurity Awareness Training Compliance Across Multiple State Agencies - Executive Office of Technology Services Security (November 8, 2024)

November 8, 2024 · Executive Office of Technology Services Security · Read the full official report on mass.gov ↗

Published November 8, 2024 Audit covers July 1, 2021 – April 30, 2023 Under Diana DiZoglio · 2023–present

In plain English
The audit found that EOTSS and many other Massachusetts public agencies did not consistently make sure employees completed required cybersecurity awareness training.
source
“EOTSS did not ensure that all of its employees completed cybersecurity awareness training.”
Read the plain-English breakdown
What is this?

This is a Massachusetts State Auditor performance audit about whether state agencies, public colleges, universities, and regional transit authorities followed cybersecurity training rules.

“This audit covers the period July 1, 2021 through April 30, 2023 and includes the following agencies:”
Why was it audited?

The auditor checked whether these public entities made employees take cybersecurity awareness training required by EOTSS standards.

“The purpose of our audit was to determine whether EOTSS and the above executive branch agencies, state colleges and universities, and regional transit authorities ensured that their employees completed cybersecurity awareness training in accordance with Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010.”
Why it matters

When employees miss cybersecurity training, agencies may be more vulnerable to attacks, financial damage, and harm to public trust.

“If EOTSS does not ensure that all of its employees complete cybersecurity awareness training, then EOTSS may expose itself to an increased risk of cybersecurity attacks and financial and/or reputational losses.”
What's in it for me?

These agencies run digital services that residents use, so better cybersecurity training can help protect public systems people rely on.

“EOTSS provides responsive digital and security services that enable taxpayers, motorists, businesses, visitors, families, and other citizens to do business with the Commonwealth. . . .”
The bottom line

The auditor’s answer was no: the audited entities did not all ensure employees completed the required training.

“The Executive Office of Technology Services and Security (EOTSS) did not ensure that all of its employees who were active during the audit period completed initial and annual refresher cybersecurity awareness training.”
What happens next

The report recommends tighter policies, better tracking, training for all workers, and consequences when training is not completed.

“We will follow up on this during our post-audit review process in approximately six months.”
Why it's significant

The issue was broad: the report covered EOTSS plus 22 other public entities, not just one office.

“This report covers 22 additional agencies’ compliance with EOTSS’s cybersecurity awareness training standard.”
Jargon, unpacked

Cybersecurity awareness training means basic instruction for employees about how to help protect government information and systems from security risks.

“The objective of the Commonwealth information security training is to educate users on their responsibility to help protect the confidentiality, availability and integrity of the Commonwealth’s information assets.”

What the Auditor checked

What the Auditor found

EOTSS did not ensure that all employees completed cybersecurity awareness training.
cybersecurityinternal controlsrecordkeeping/documentation

Why it matters: EOTSS may face increased risk of cybersecurity attacks and financial or reputational losses.

Standard: Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 ( Section 6.2.3 of EOTSS’s Information Security Risk Management Standard IS.010; Section 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 )

4 recommendations
  • EOTSS should strengthen its policy to improve oversight of executive branch state agencies, including timely cybersecurity awareness training completion.
  • EOTSS should ensure that employee training transcripts are maintained and include cybersecurity awareness training completion records.
  • EOTSS should ensure that employees complete cybersecurity awareness training within 30 days of orientation and annually thereafter.
  • EOTSS should monitor training completion rates and use HRD historical data to ensure employees meet training deadlines.
Agency response & Auditor reply
Agency: "Moving forward, EOTSS will evaluate its internal processes to identify areas for improvement related to new hire orientation and contractor onboarding."
Auditor: "Based on its response, EOTSS has indicated that it will take steps to address our concerns on this matter."
Nine executive branch agencies did not ensure that all employees completed cybersecurity awareness training.
cybersecurityinternal controlsrecordkeeping/documentation

Why it matters: The agencies may expose themselves to increased risk of cybersecurity attacks and financial or reputational losses.

Standard: Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 ( Section 6.2.3 of EOTSS’s Information Security Risk Management Standard IS.010; Section 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 )

3 recommendations
  • Provide initial and annual refresher cybersecurity awareness training to all full-time employees, contractors, and interns.agency: partially agreed
  • Monitor completion rates throughout the training cycle and use HRD historical data to ensure deadlines are met.agency: partially agreed
  • Add controls to ensure new hire onboarding includes all required cybersecurity awareness training coursework.agency: partially agreed
Agency response & Auditor reply
Agency: "CSC appreciates receiving clarification from the Office of the State Auditor that seasonal interns and contract employees are required to complete the cybersecurity awareness training."
Auditor: "Based on its response, CSC has taken measures to address our concerns regarding this matter."
Seven state colleges and universities did not ensure that all employees completed cybersecurity awareness training.
cybersecurityinternal controlsrecordkeeping/documentation

Why it matters: The colleges and universities may expose themselves to increased risk of cybersecurity attacks and financial or reputational losses.

Standard: Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 ( Section 6.2.3 of EOTSS’s Information Security Risk Management Standard IS.010; Section 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 )

2 recommendations
  • Update cybersecurity awareness training policies to require training for all employees.agency: partially agreed
  • Update cybersecurity awareness training policies to include consequences for non-completion.agency: partially agreed
Agency response & Auditor reply
Agency: "We are in agreement with the merits of the [EOTSS] Standard and the University is now aligned with the goals of the cybersecurity awareness training."
Auditor: "As noted above within the auditees’ responses, many colleges and universities have already started addressing our concerns in this area."
Three regional transit authorities did not ensure that all employees completed cybersecurity awareness training.
cybersecurityinternal controlsrecordkeeping/documentation

Why it matters: The regional transit authorities may expose themselves to increased risk of cybersecurity attacks and financial or reputational losses.

Standard: Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 ( Section 6.2.3 of EOTSS’s Information Security Risk Management Standard IS.010; Section 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 )

2 recommendations
  • Update cybersecurity awareness training policies to require training for all employees.agency: partially agreed
  • Update cybersecurity training policies to include consequences for non-completion.agency: partially agreed
Agency response & Auditor reply
Agency: "The Cape Ann Transportation Authority agrees with the recommendations."
Auditor: "We appreciate the responses provided by the regional transit authorities we audited."