Seal of the Commonwealth of Massachusetts
Massachusetts Audit Explorer - what the State Auditor found

← all audits

Audit of Cybersecurity Awareness Training Compliance Across Multiple State Agencies - Holyoke Community College

November 8, 2024 · Holyoke Community College · Read the full official report on mass.gov ↗ · official site ↗

Published November 8, 2024 Audit covers July 1, 2021 – April 30, 2023 Under Diana DiZoglio · 2023–present

In plain English
The audit found that many Massachusetts state agencies, public colleges, and regional transit authorities did not make sure all employees completed required cybersecurity awareness training on time or at all.
source
“The purpose of our audit was to determine whether EOTSS and the above executive branch agencies, state colleges and universities, and regional transit authorities ensured that their employees completed cybersecurity awareness training in accordance with Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010.”
Read the plain-English breakdown
What is this?

This is a performance audit by the Massachusetts State Auditor reviewing cybersecurity training compliance across EOTSS and 22 other public entities from July 1, 2021 through April 30, 2023.

“This audit covers the period July 1, 2021 through April 30, 2023 and includes the following agencies:”
Why was it audited?

The Auditor checked whether employees were getting the cybersecurity training that state standards require, including new-hire training and yearly refresher training.

“Did EOTSS and other executive branch agencies, state colleges and universities, and regional transit authorities ensure that their employees completed cybersecurity awareness training in accordance with Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010?”
Why it matters

When employees miss cybersecurity training, agencies may be more vulnerable to cyberattacks, money losses, and damage to public trust.

“If executive branch agencies do not ensure that all of their employees complete cybersecurity awareness training, then they may expose themselves to an increased risk of cybersecurity attacks and financial and/or reputational losses.”
What's in it for me?

This matters to residents because state technology systems serve taxpayers, drivers, businesses, visitors, families, and other people who interact with Massachusetts government.

“EOTSS provides responsive digital and security services that enable taxpayers, motorists, businesses, visitors, families, and other citizens to do business with the Commonwealth.”
The bottom line

The Auditor concluded the reviewed agencies did not fully meet the cybersecurity training standard.

“No; see Findings 1, 2, 3, and 4”
What happens next

The report recommends tighter policies, better tracking, training for all workers, and consequences such as restricting access until training is completed.

“The aforementioned three regional transit authorities should do the following:”
Why it's significant

The report treats cybersecurity training as an important statewide safeguard, not just an internal paperwork requirement.

“Security awareness training is a critical component of the Commonwealth’s security compliance strategy.”
Jargon, unpacked

Cybersecurity awareness training means teaching workers their role in protecting state information systems and data from security risks.

“The objective of the Commonwealth information security training is to educate users on their responsibility to help protect the confidentiality, availability and integrity of the Commonwealth’s information assets.”

What the Auditor checked

What the Auditor found

EOTSS did not ensure that all of its employees completed cybersecurity awareness training.
cybersecurityinternal controlsrecordkeeping/documentation

Why it matters: EOTSS may face increased risk of cybersecurity attacks and financial or reputational losses.

Standard: EOTSS’s Information Security Risk Management Standard IS.010 requires new personnel to complete initial security awareness training within 30 days of orientation and all personnel to complete annual security awareness training. ( Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 )

4 recommendations
  • EOTSS should strengthen their policy to improve oversight of executive branch state agencies, including their timely completion of cybersecurity awareness trainings.
  • EOTSS should ensure that all employee training transcripts for all employees are maintained and include records regarding cybersecurity awareness training completion.
  • EOTSS should ensure that all of its employees complete cybersecurity awareness training within 30 days of orientation and annually thereafter.
  • EOTSS should establish procedures to monitor employee cybersecurity awareness training completion rates throughout the training cycle and use historical data retained by HRD to ensure that employees meet training deadlines.
Agency response & Auditor reply
Agency: "Moving forward, EOTSS will evaluate its internal processes to identify areas for improvement related to new hire orientation and contractor onboarding."
Auditor: "We agree with EOTSS’s statement that “security awareness training is a critical component of the Commonwealth’s security compliance strategy,” and for this reason, we believe that all employees, regardless of classification, should complete their initial training within 30 days."
Nine executive branch agencies did not ensure that all employees completed cybersecurity awareness training.
cybersecurityinternal controlsrecordkeeping/documentation

Why it matters: The agencies may face increased risk of cybersecurity attacks and financial or reputational losses.

Standard: EOTSS’s Information Security Risk Management Standard IS.010 requires initial and annual cybersecurity awareness training for personnel. ( Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 )

3 recommendations
  • Provide cybersecurity awareness training, both initial training within 30 days of orientation and annual refresher training thereafter, to all full-time employees, contractors, and interns.
  • Establish procedures to monitor employee cybersecurity awareness training completion rates throughout the training cycle and use historical data retained by HRD to ensure employees meet training deadlines.
  • Implement additional controls to ensure that the new hire onboarding process includes all required cybersecurity awareness training coursework.
Agency response & Auditor reply
Agency: "MPB concurs with [the Office of the State Auditor’s] recommendations to (1) provide cybersecurity awareness training (both an initial training within 30 days of orientation and an annual refresher training thereafter) to all full-time employees, contractors, and interns; and (2) establish procedures to monitor employee completion throughout the training cycle to ensure that staff are meeting the training deadlines."
Auditor: "Based on its response, MPB will take measures to address our concerns regarding this matter."
Seven state colleges and universities did not ensure that all employees completed cybersecurity awareness training.
cybersecurityinternal controls

Why it matters: The institutions may face increased risk of cybersecurity attacks and financial or reputational losses.

Standard: EOTSS’s Information Security Risk Management Standard IS.010 was used as the audit criterion and requires initial and annual cybersecurity awareness training for personnel. ( Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 )

2 recommendations
  • The seven state colleges and universities should update their cybersecurity awareness training policies to require this training for all employees.
  • The seven state colleges and universities should update their cybersecurity awareness training policies to include consequences for non-completion.
Agency response & Auditor reply
Agency: "We are in agreement with the merits of the [EOTSS] Standard and the University is now aligned with the goals of the cybersecurity awareness training."
Auditor: "As noted above within the auditees’ responses, many colleges and universities have already started addressing our concerns in this area."
Three regional transit authorities did not ensure that all employees completed cybersecurity awareness training.
cybersecurityinternal controls

Why it matters: The authorities may face increased risk of cybersecurity attacks and financial or reputational losses.

Standard: EOTSS’s Information Security Risk Management Standard IS.010 was used as the baseline criterion for cybersecurity awareness training. ( EOTSS’s Information Security Risk Management Standard IS.010 )

2 recommendations
  • The three regional transit authorities should update their cybersecurity awareness training policies to require this training for all employees.
  • The three regional transit authorities should update their cybersecurity training policies to include consequences for non-completion.
Agency response & Auditor reply
Agency: "The Cape Ann Transportation Authority agrees with the recommendations."
Auditor: "We appreciate the responses provided by the regional transit authorities we audited."

More audits of this entity

Other Office of the State Auditor reports on Holyoke Community College .

See this entity's page with all 4 audits →