Audit of Cybersecurity Awareness Training Compliance Across Multiple State Agencies - Framingham State University
November 8, 2024 · Framingham State University · Read the full official report on mass.gov ↗ · official site ↗
source
“EOTSS did not ensure that all of its employees completed cybersecurity awareness training.”
Read the plain-English breakdown
This is a State Auditor performance audit checking whether EOTSS and 22 other public entities followed cybersecurity training rules during the audit period.
“In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of the Executive Office of Technology Services and Security (EOTSS), as well as 22 other executive branch agencies, state colleges and universities, and regional transit authorities.”
Auditors wanted to know whether employees at the covered agencies completed cybersecurity awareness training required by EOTSS standards.
“The purpose of our audit was to determine whether EOTSS and the above executive branch agencies, state colleges and universities, and regional transit authorities ensured that their employees completed cybersecurity awareness training in accordance with Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010.”
When public employees miss cybersecurity training, agencies may be more vulnerable to cyberattacks and the costs or reputational damage that can follow.
“If executive branch agencies do not ensure that all of their employees complete cybersecurity awareness training, then they may expose themselves to an increased risk of cybersecurity attacks and financial and/or reputational losses.”
This matters to residents because EOTSS supports digital services used by taxpayers, motorists, businesses, families, visitors, and other people dealing with state government.
“EOTSS provides responsive digital and security services that enable taxpayers, motorists, businesses, visitors, families, and other citizens to do business with the Commonwealth.”
The auditor found problems across executive branch agencies, state colleges and universities, and regional transit authorities: not everyone completed the required training.
“CSC, DLS, DMH, DPH, DOR, MassDOT, GIC, MPB, and RMV did not ensure that all of their employees completed cybersecurity awareness training.”
The auditor recommended stronger policies, better tracking, required training for all employees, and consequences for not completing training; the office also said it would check back later.
“We will follow up on this during our post-audit review process in approximately six months.”
The report treats cybersecurity training as a basic safeguard for public agencies, not a minor paperwork issue.
“Cybersecurity awareness policies are not just guidelines; they are essential safeguards in today’s digital landscape.”
Cybersecurity awareness training means teaching government workers their role in protecting state information so it stays private, available, and accurate.
“The objective of the Commonwealth information security training is to educate users on their responsibility to help protect the confidentiality, availability and integrity of the Commonwealth’s information assets.”
What the Auditor checked
- Did not comply Did EOTSS and other executive branch agencies, state colleges and universities, and regional transit authorities ensure that their employees completed cybersecurity awareness training in accordance with Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010?
What the Auditor found
Why it matters: EOTSS may expose itself to an increased risk of cybersecurity attacks and financial and/or reputational losses.
Standard: EOTSS’s Information Security Risk Management Standard IS.010, Sections 6.2.3 and 6.2.4. ( Section 6.2.3 of EOTSS’s Information Security Risk Management Standard IS.010; Section 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 )
4 recommendations
- EOTSS should strengthen their policy to improve oversight of executive branch state agencies, including their timely completion of cybersecurity awareness trainings.
- EOTSS should ensure that all employee training transcripts for all employees are maintained and include records regarding cybersecurity awareness training completion.
- EOTSS should ensure that all of its employees complete cybersecurity awareness training within 30 days of orientation and annually thereafter.
- EOTSS should establish procedures to monitor employee cybersecurity awareness training completion rates throughout the training cycle and use historical data retained by HRD to ensure that employees meet training deadlines.
Agency response & Auditor reply
Agency: "Moving forward, EOTSS will evaluate its internal processes to identify areas for improvement related to new hire orientation and contractor onboarding."
Auditor: "Based on its response, EOTSS has indicated that it will take steps to address our concerns on this matter."
Why it matters: The agencies may expose themselves to an increased risk of cybersecurity attacks and financial and/or reputational losses.
Standard: EOTSS’s Information Security Risk Management Standard IS.010, Sections 6.2.3 and 6.2.4. ( Section 6.2.3 of EOTSS’s Information Security Risk Management Standard IS.010; Section 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 )
3 recommendations
- Provide initial cybersecurity awareness training within 30 days of orientation and annual refresher training thereafter to all full-time employees, contractors, and interns.agency: partially agreed
- Establish procedures to monitor completion rates throughout the training cycle and use HRD historical data to ensure employees meet deadlines.agency: partially agreed
- Implement additional controls to ensure new hire onboarding includes all required cybersecurity awareness training coursework.agency: partially agreed
Agency response & Auditor reply
Agency: "GIC was given the opportunity to respond to a draft version of this audit report and did not provide a written response."
Auditor: "We urge DMH to implement an alternative method for employees without system access to complete their training, such as offering a paper-based training option."
Why it matters: The colleges and universities may expose themselves to an increased risk of cybersecurity attacks and financial and/or reputational losses.
Standard: EOTSS’s Information Security Risk Management Standard IS.010, Sections 6.2.3 and 6.2.4. ( Section 6.2.3 of EOTSS’s Information Security Risk Management Standard IS.010; Section 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 )
2 recommendations
- The seven state colleges and universities should update cybersecurity awareness training policies to require training for all employees.agency: agreed
- The seven state colleges and universities should update cybersecurity awareness training policies to include consequences for non-completion.agency: agreed
Agency response & Auditor reply
Agency: "We are in agreement with the merits of the [EOTSS] Standard and the University is now aligned with the goals of the cybersecurity awareness training."
Auditor: "As noted above within the auditees’ responses, many colleges and universities have already started addressing our concerns in this area."
Why it matters: The regional transit authorities may expose themselves to an increased risk of cybersecurity attacks and financial and/or reputational losses.
Standard: EOTSS’s Information Security Risk Management Standard IS.010, Sections 6.2.3 and 6.2.4. ( Section 6.2.3 of EOTSS’s Information Security Risk Management Standard IS.010; Section 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 )
2 recommendations
- The three regional transit authorities should update cybersecurity awareness training policies to require training for all employees.agency: partially agreed
- The three regional transit authorities should update cybersecurity training policies to include consequences for non-completion.agency: partially agreed
Agency response & Auditor reply
Agency: "The Cape Ann Transportation Authority agrees with the recommendations."
Auditor: "We urge the regional transit authorities to implement an alternative method to complete training for employees without system access, such as offering a paper-based training option."
More audits of this entity
Other Office of the State Auditor reports on Framingham State University .
-
Audit of the Framingham State University (FSU)College / University · November 23, 2020 - Framingham State University's Use of American Recovery and Reinvestment Act FundsCollege / University · May 26, 2011
-
Framingham State UniversityCollege / University · December 20, 2012