Seal of the Commonwealth of Massachusetts
Massachusetts Audit Explorer - what the State Auditor found

← all audits

Audit of Cybersecurity Awareness Training Compliance Across Multiple State Agencies - Massachusetts Bay Community College

November 8, 2024 · Massachusetts Bay Community College · Read the full official report on mass.gov ↗ · official site ↗

Published November 8, 2024 Audit covers July 1, 2021 – April 30, 2023 Under Diana DiZoglio · 2023–present

In plain English
The auditor found that many Massachusetts state agencies, colleges, universities, and transit authorities did not make sure all workers completed required cybersecurity training.
source
“EOTSS did not ensure that all of its employees completed cybersecurity awareness training.”
Read the plain-English breakdown
What is this?

This is a state audit checking whether public employees completed cybersecurity awareness training during the audit period.

“This audit covers the period July 1, 2021 through April 30, 2023 and includes the following agencies:”
Why was it audited?

The auditor wanted to know whether the covered public entities followed EOTSS cybersecurity training rules.

“The purpose of our audit was to determine whether EOTSS and the above executive branch agencies, state colleges and universities, and regional transit authorities ensured that their employees completed cybersecurity awareness training in accordance with Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010.”
Why it matters

When employees miss cybersecurity training, public agencies may be more vulnerable to cyberattacks, money losses, and damage to public trust.

“If executive branch agencies do not ensure that all of their employees complete cybersecurity awareness training, then they may expose themselves to an increased risk of cybersecurity attacks and financial and/or reputational losses.”
What's in it for me?

These agencies support services people use, including transportation, public health, taxes, motor vehicles, and other state services, so better cybersecurity training helps protect public systems and information.

“EOTSS provides responsive digital and security services that enable taxpayers, motorists, businesses, visitors, families, and other citizens to do business with the Commonwealth.”
The bottom line

The audit’s answer was no: the reviewed entities did not consistently ensure employees completed the required cybersecurity training.

“No; see Findings 1, 2, 3, and 4”
What happens next

The auditor recommended stronger policies, better tracking, required training for all employees, and consequences when training is not completed; the office also plans follow-up review.

“We will follow up on this during our post-audit review process in approximately six months.”
Why it's significant

The report treats cybersecurity training as a basic statewide safeguard, not a paperwork exercise, because trained employees help reduce cyber risk.

“Comprehensive employee training and shared responsibility are critical to mitigating potential cyber threats.”
Jargon, unpacked

EOTSS is the state technology and security office; IS.010 is the cybersecurity risk-management standard used as the benchmark for training requirements.

“EOTSS’s Information Security Risk Management Standard IS.010 states, “All new personnel must complete an Initial Security Awareness Training course,” and that EOTSS does not provide an exemption to this policy for employees who lack access to computers.”

What the Auditor checked

What the Auditor found

EOTSS did not ensure that all employees completed required cybersecurity awareness training.
cybersecurityinternal controlsrecordkeeping/documentation

Why it matters: EOTSS may expose itself to increased cybersecurity attack risk and financial or reputational losses.

Standard: Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 ( EOTSS’s Information Security Risk Management Standard IS.010, Sections 6.2.3 and 6.2.4 )

4 recommendations
  • EOTSS should strengthen their policy to improve oversight of executive branch state agencies, including their timely completion of cybersecurity awareness trainings.
  • EOTSS should ensure that all employee training transcripts for all employees are maintained and include records regarding cybersecurity awareness training completion.
  • EOTSS should ensure that all employees complete cybersecurity awareness training within 30 days of orientation and annually thereafter.
  • EOTSS should establish procedures to monitor cybersecurity awareness training completion rates and use HRD historical data to ensure deadlines are met.
Agency response & Auditor reply
Agency: "Moving forward, EOTSS will evaluate its internal processes to identify areas for improvement related to new hire orientation and contractor onboarding."
Auditor: "Based on its response, EOTSS has indicated that it will take steps to address our concerns on this matter."
Nine executive branch agencies did not ensure all employees completed cybersecurity awareness training.
cybersecurityinternal controlsrecordkeeping/documentation

Why it matters: The agencies may expose themselves to increased cybersecurity attack risk and financial or reputational losses.

Standard: Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 ( EOTSS’s Information Security Risk Management Standard IS.010, Sections 6.2.3 and 6.2.4 )

3 recommendations
  • Provide initial and annual refresher cybersecurity awareness training to all full-time employees, contractors, and interns.agency: partially agreed
  • Establish procedures to monitor completion throughout the training cycle and use HRD historical data to ensure deadlines are met.agency: partially agreed
  • Implement additional controls to ensure new hire onboarding includes all required cybersecurity awareness coursework.agency: partially agreed
Agency response & Auditor reply
Agency: "DOR agrees with the results of the audit."
Auditor: "Based on their response, MassDOT and RMV have taken measures to address our concerns regarding this matter."
Seven state colleges and universities did not ensure all employees completed cybersecurity awareness training.
cybersecurityinternal controls

Why it matters: The colleges and universities may expose themselves to increased cybersecurity attack risk and financial or reputational losses.

Standard: Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 ( EOTSS’s Information Security Risk Management Standard IS.010, Sections 6.2.3 and 6.2.4 )

2 recommendations
  • Update cybersecurity awareness training policies to require this training for all employees.agency: agreed
  • Update cybersecurity awareness training policies to include consequences for non-completion, such as restricting access until training is completed.agency: agreed
Agency response & Auditor reply
Agency: "We are in agreement with the merits of the [EOTSS] Standard and the University is now aligned with the goals of the cybersecurity awareness training."
Auditor: "As noted above within the auditees’ responses, many colleges and universities have already started addressing our concerns in this area."
Three regional transit authorities did not ensure all employees completed cybersecurity awareness training.
cybersecurityinternal controls

Why it matters: The regional transit authorities may expose themselves to increased cybersecurity attack risk and financial or reputational losses.

Standard: Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 ( EOTSS’s Information Security Risk Management Standard IS.010, Sections 6.2.3 and 6.2.4 )

2 recommendations
  • Update cybersecurity awareness training policies to require this training for all employees.agency: partially agreed
  • Update cybersecurity training policies to include consequences for non-completion, such as restricting access until training is completed.agency: partially agreed
Agency response & Auditor reply
Agency: "The Cape Ann Transportation Authority agrees with the recommendations."
Auditor: "We appreciate the responses provided by the regional transit authorities we audited."

More audits of this entity

Other Office of the State Auditor reports on Massachusetts Bay Community College .

See this entity's page with all 5 audits →