Audit of Cybersecurity Awareness Training Compliance Across Multiple State Agencies - Massachusetts Department of Transportation
November 8, 2024 · Massachusetts Department of Transportation · Read the full official report on mass.gov ↗ · official site ↗
source
“EOTSS did not ensure that all of its employees completed cybersecurity awareness training.”
Read the plain-English breakdown
This is a Massachusetts State Auditor performance audit about whether state-related organizations followed cybersecurity training rules.
“I am pleased to provide to you the results of the enclosed performance audit.”
Auditors checked whether employees finished required cybersecurity awareness training on time.
“The purpose of our audit was to determine whether EOTSS and the above executive branch agencies, state colleges and universities, and regional transit authorities ensured that their employees completed cybersecurity awareness training in accordance with Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010.”
When employees miss cybersecurity training, agencies may be more vulnerable to cyberattacks and costly damage to their reputation or finances.
“If executive branch agencies do not ensure that all of their employees complete cybersecurity awareness training, then they may expose themselves to an increased risk of cybersecurity attacks and financial and/or reputational losses.”
This matters to residents because these systems support public services used by taxpayers, drivers, businesses, families, visitors, and others.
“EOTSS provides responsive digital and security services that enable taxpayers, motorists, businesses, visitors, families, and other citizens to do business with the Commonwealth.”
The auditor concluded that the audited organizations did not fully make sure employees completed the required cybersecurity training.
“No; see Findings 1, 2, 3, and 4”
The auditor recommended stronger tracking, better onboarding controls, and making sure employees complete training within required timeframes.
“EOTSS should establish procedures to monitor employee cybersecurity awareness training completion rates throughout the training cycle and use historical data retained by HRD to ensure that employees meet training deadlines.”
The report is significant because EOTSS manages technology and digital services for many state agencies and tens of thousands of state employees.
“EOTSS also oversees and manages the enterprise technology and digital infrastructure and services for over 125 state agencies and over 43,000 state employees.”
Cybersecurity awareness training means teaching workers how to help protect government information from being exposed, unavailable, or tampered with.
“The objective of the Commonwealth information security training is to educate users on their responsibility to help protect the confidentiality, availability and integrity of the Commonwealth’s information assets.”
What the Auditor checked
- Did not comply Did EOTSS and other executive branch agencies, state colleges and universities, and regional transit authorities ensure that their employees completed cybersecurity awareness training in accordance with Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010?
What the Auditor found
Why it matters: EOTSS faced increased risk of cybersecurity attacks and financial or reputational losses.
Standard: Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 require initial cybersecurity awareness training within 30 days of new hire orientation and annual refresher training for all personnel. ( Section 12 of Chapter 11 of the Massachusetts General Laws; EOTSS’s Information Security Risk Management Standard IS.010, Sections 6.2.3 and 6.2.4 )
4 recommendations
- EOTSS should strengthen its policy to improve oversight of executive branch state agencies, including their timely completion of cybersecurity awareness trainings.
- EOTSS should ensure that all employee training transcripts are maintained and include cybersecurity awareness training completion records.
- EOTSS should ensure all employees complete cybersecurity awareness training within 30 days of orientation and annually thereafter.
- EOTSS should establish procedures to monitor completion rates and use HRD historical data to ensure employees meet training deadlines.
Agency response & Auditor reply
Agency: "Moving forward, EOTSS will evaluate its internal processes to identify areas for improvement related to new hire orientation and contractor onboarding."
Auditor: "Based on its response, EOTSS has indicated that it will take steps to address our concerns on this matter."
Why it matters: The agencies faced increased risk of cybersecurity attacks and financial or reputational losses.
Standard: Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 require initial cybersecurity awareness training within 30 days of new hire orientation and annual refresher training for all personnel. ( EOTSS’s Information Security Risk Management Standard IS.010, Sections 6.2.3 and 6.2.4; Section 2 of Chapter 7D of the Massachusetts General Laws )
3 recommendations
- The nine agencies should provide initial and annual refresher cybersecurity awareness training to all full-time employees, contractors, and interns.
- The nine agencies should monitor completion rates throughout the training cycle and use HRD historical data to ensure deadlines are met.
- The nine agencies should add controls so new hire onboarding includes all required cybersecurity awareness coursework.
Agency response & Auditor reply
Auditor: "Based on its response, DLS will take measures to address our concerns regarding this matter."
Why it matters: The institutions faced increased risk of cybersecurity attacks and financial or reputational losses.
Standard: Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 require initial cybersecurity awareness training within 30 days of new hire orientation and annual refresher training for all personnel. ( EOTSS’s Information Security Risk Management Standard IS.010, Sections 6.2.3 and 6.2.4; Generally Accepted Government Auditing Standards, Section 8.18 )
2 recommendations
- The seven state colleges and universities should update their cybersecurity awareness training policies to require training for all employees.
- The seven state colleges and universities should update cybersecurity awareness training policies to include consequences for non-completion.
Agency response & Auditor reply
Agency: "We are in agreement with the merits of the [EOTSS] Standard and the University is now aligned with the goals of the cybersecurity awareness training."
Auditor: "As noted above within the auditees’ responses, many colleges and universities have already started addressing our concerns in this area."
Why it matters: The regional transit authorities faced increased risk of cybersecurity attacks and financial or reputational losses.
Standard: Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 require initial cybersecurity awareness training within 30 days of new hire orientation and annual refresher training for all personnel. ( EOTSS’s Information Security Risk Management Standard IS.010, Sections 6.2.3 and 6.2.4; Chapter 161B, Section 2 of the Massachusetts General Laws )
2 recommendations
- The three regional transit authorities should update cybersecurity awareness training policies to require training for all employees.agency: partially agreed
- The three regional transit authorities should update cybersecurity training policies to include consequences for non-completion.agency: partially agreed
Agency response & Auditor reply
Agency: "The Cape Ann Transportation Authority agrees with the recommendations."
Auditor: "As noted above within the auditees’ responses, many RTAs have already started addressing our concerns in this area."
More audits of this entity
Other Office of the State Auditor reports on Massachusetts Department of Transportation .
-
Audit of the Massachusetts Department of Transportation - Millbury Roadway Reconstruction and Related Work (Contract 86774)State Agency / Office · October 19, 2021 -
Close-out of Agencies and Authorities combined into the Massachusetts Department of TransportationState Agency / Office · October 18, 2012 -
Audit of the Massachusetts Department of Transportation Aeronautics DivisionState Agency / Office · June 30, 2022 -
The Department of Transportation's Office of Information Technology's Activities Relating to the Registry of Motor VehiclesState Agency / Office · July 20, 2011 -
Massachusetts Department of Transportation Use of Consultants and Contract EmployeesState Agency / Office · January 9, 2014 -
Massachusetts Department of Transportation Aeronautics DivisionState Agency / Office · August 18, 2017