Audit of Cybersecurity Awareness Training Compliance Across Multiple State Agencies - Martha's Vineyard Regional Transit Authority
November 8, 2024 · Martha's Vineyard Regional Transit Authority · Read the full official report on mass.gov ↗
Read the plain-English breakdown
This is a State Auditor performance audit checking whether selected state agencies, public colleges, and regional transit authorities followed cybersecurity training standards from July 1, 2021 through April 30, 2023.
“This audit covers the period July 1, 2021 through April 30, 2023 and includes the following agencies:”
Auditors wanted to know whether employees at these public entities completed required cybersecurity training, including new-hire and annual refresher training.
“The purpose of our audit was to determine whether EOTSS and the above executive branch agencies, state colleges and universities, and regional transit authorities ensured that their employees completed cybersecurity awareness training in accordance with Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010.”
When employees miss cybersecurity training, agencies may be more vulnerable to cyberattacks and the costs or public trust damage that can follow.
“If executive branch agencies do not ensure that all of their employees complete cybersecurity awareness training, then they may expose themselves to an increased risk of cybersecurity attacks and financial and/or reputational losses.”
These agencies handle public services and government systems that residents rely on, so better cybersecurity training helps reduce risks to state services and information.
“EOTSS provides responsive digital and security services that enable taxpayers, motorists, businesses, visitors, families, and other citizens to do business with the Commonwealth.”
The audit found gaps across EOTSS, nine executive branch agencies, seven state colleges and universities, and three regional transit authorities.
“Below is our audit objective, indicating the question we intended our audit to answer; the conclusion we reached regarding our objective; and, if applicable, where our objective is discussed in the audit findings.”
The Auditor recommended that agencies require training, track completion, keep records, and add consequences or controls so employees finish on time.
“EOTSS should establish procedures to monitor employee cybersecurity awareness training completion rates throughout the training cycle and use historical data retained by HRD to ensure that employees meet training deadlines.”
The report treats cybersecurity training as a basic government safeguard, not just an internal paperwork requirement.
“Security awareness training is a critical component of the Commonwealth’s security compliance strategy.”
“Cybersecurity awareness training” means basic training that teaches workers their role in protecting government information systems and data.
“The objective of the Commonwealth information security training is to educate users on their responsibility to help protect the confidentiality, availability and integrity of the Commonwealth’s information assets.”
What the Auditor checked
- Did not comply Did EOTSS and other executive branch agencies, state colleges and universities, and regional transit authorities ensure that their employees completed cybersecurity awareness training in accordance with Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010?
What the Auditor found
Why it matters: EOTSS faced increased risk of cybersecurity attacks and financial or reputational losses.
Standard: Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 ( Section 6.2.3 of EOTSS’s Information Security Risk Management Standard IS.010; Section 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 )
4 recommendations
- EOTSS should strengthen its policy to improve oversight of executive branch state agencies, including timely completion of cybersecurity awareness trainings.
- EOTSS should maintain employee training transcripts for all employees, including cybersecurity awareness training completion records.
- EOTSS should ensure that all employees complete cybersecurity awareness training within 30 days of orientation and annually thereafter.
- EOTSS should establish procedures to monitor completion rates and use HRD historical data to ensure employees meet deadlines.
Agency response & Auditor reply
Agency: "Moving forward, EOTSS will evaluate its internal processes to identify areas for improvement related to new hire orientation and contractor onboarding."
Auditor: "Based on its response, EOTSS has indicated that it will take steps to address our concerns on this matter."
Why it matters: The agencies faced increased risk of cybersecurity attacks and financial or reputational losses.
Standard: Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 ( Section 6.2.3 of EOTSS’s Information Security Risk Management Standard IS.010; Section 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 )
3 recommendations
- The nine executive branch agencies should provide initial and annual cybersecurity awareness training to all full-time employees, contractors, and interns.
- The nine executive branch agencies should monitor completion rates and use HRD historical data to ensure employees meet deadlines.
- The nine executive branch agencies should add controls to ensure new hire onboarding includes required cybersecurity awareness coursework.
Agency response & Auditor reply
Agency: "DOR agrees with the results of the audit."
Auditor: "Based on its response, DOR has taken, and will continue to take, measures to address our concerns regarding this matter."
Why it matters: The colleges and universities faced increased risk of cybersecurity attacks and financial or reputational losses.
Standard: Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 ( Section 6.2.3 of EOTSS’s Information Security Risk Management Standard IS.010; Section 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 )
2 recommendations
- The seven state colleges and universities should update policies to require cybersecurity awareness training for all employees.
- The seven state colleges and universities should update policies to include consequences for not completing training.
Agency response & Auditor reply
Agency: "The college fully acknowledges the need for, and importance of, cybersecurity training for all employees."
Auditor: "As noted above within the auditees’ responses, many colleges and universities have already started addressing our concerns in this area."
Why it matters: The regional transit authorities faced increased risk of cybersecurity attacks and financial or reputational losses.
Standard: Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 ( Section 6.2.3 of EOTSS’s Information Security Risk Management Standard IS.010; Section 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 )
2 recommendations
- The three regional transit authorities should update cybersecurity awareness training policies to require training for all employees.
- The three regional transit authorities should update cybersecurity training policies to include consequences for not completing training.
Agency response & Auditor reply
Agency: "The Cape Ann Transportation Authority agrees with the recommendations."
Auditor: "As noted above within the auditees’ responses, many RTAs have already started addressing our concerns in this area."
More audits of this entity
Other Office of the State Auditor reports on Martha's Vineyard Regional Transit Authority .
- Audit of the Martha’s Vineyard Regional Transit AuthorityTransit Authority · October 10, 2018
- Martha's Vineyard Regional Transit AuthorityTransit Authority · March 28, 2013