Audit of Cybersecurity Awareness Training Compliance Across Multiple State Agencies - Massasoit Community College
November 8, 2024 · Massasoit Community College · Read the full official report on mass.gov ↗ · official site ↗
source
“EOTSS did not ensure that all of its employees completed cybersecurity awareness training.”
Read the plain-English breakdown
This is a state performance audit about whether public agencies followed cybersecurity training rules during the period from July 1, 2021 through April 30, 2023.
“This audit covers the period July 1, 2021 through April 30, 2023 and includes the following agencies:”
The audit checked whether EOTSS and other public entities made sure employees completed cybersecurity awareness training required by EOTSS standards.
“The purpose of our audit was to determine whether EOTSS and the above executive branch agencies, state colleges and universities, and regional transit authorities ensured that their employees completed cybersecurity awareness training in accordance with Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010.”
Cybersecurity training matters because untrained employees can increase the risk of cyberattacks and financial or reputational harm to public agencies.
“If executive branch agencies do not ensure that all of their employees complete cybersecurity awareness training, then they may expose themselves to an increased risk of cybersecurity attacks and financial and/or reputational losses.”
For residents, this matters because these agencies provide public services and handle government systems, data, and digital services people rely on.
“EOTSS provides responsive digital and security services that enable taxpayers, motorists, businesses, visitors, families, and other citizens to do business with the Commonwealth.”
The audit’s answer was no: the audited agencies did not consistently ensure employees completed the required cybersecurity training.
“No; see Findings 1, 2, 3, and 4”
The auditor recommended stronger policies, better tracking, required training for all employees, and consequences when training is not completed.
“EOTSS should establish procedures to monitor employee cybersecurity awareness training completion rates throughout the training cycle and use historical data retained by HRD to ensure that employees meet training deadlines.”
This report is significant because it covers 23 entities across state agencies, public colleges, and regional transit authorities, not just one office.
“This report covers 22 additional agencies’ compliance with EOTSS’s cybersecurity awareness training standard.”
Cybersecurity awareness training means basic training that teaches employees their role in protecting government information systems and data.
“The objective of the Commonwealth information security training is to educate users on their responsibility to help protect the confidentiality, availability and integrity of the Commonwealth’s information assets.”
What the Auditor checked
- Did not comply Did EOTSS and other executive branch agencies, state colleges and universities, and regional transit authorities ensure that their employees completed cybersecurity awareness training in accordance with Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010?
What the Auditor found
Why it matters: EOTSS may face increased risk of cybersecurity attacks and financial or reputational losses.
Standard: Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 ( Section 6.2.3 of EOTSS’s Information Security Risk Management Standard IS.010; Section 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 )
4 recommendations
- EOTSS should strengthen its policy to improve oversight of executive branch state agencies, including timely completion of cybersecurity awareness training.
- EOTSS should maintain employee training transcripts for all employees, including cybersecurity awareness training completion records.
- EOTSS should ensure that all employees complete cybersecurity awareness training within 30 days of orientation and annually thereafter.
- EOTSS should monitor training completion rates throughout the training cycle and use HRD historical data to ensure employees meet deadlines.
Agency response & Auditor reply
Agency: "Moving forward, EOTSS will evaluate its internal processes to identify areas for improvement related to new hire orientation and contractor onboarding."
Auditor: "Based on its response, EOTSS has indicated that it will take steps to address our concerns on this matter."
Why it matters: The agencies may face increased risk of cybersecurity attacks and financial or reputational losses.
Standard: Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 ( Section 6.2.3 of EOTSS’s Information Security Risk Management Standard IS.010; Section 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 )
3 recommendations
- The nine agencies should provide initial and annual cybersecurity awareness training to all full-time employees, contractors, and interns.agency: partially agreed
- The nine agencies should monitor training completion rates and use HRD historical data to ensure employees meet deadlines.agency: partially agreed
- The nine agencies should add controls so new hire onboarding includes all required cybersecurity awareness coursework.agency: partially agreed
Agency response & Auditor reply
Agency: "DOR agrees with the results of the audit."
Auditor: "Based on its response, DOR has taken, and will continue to take, measures to address our concerns regarding this matter."
Why it matters: The colleges and universities may face increased risk of cybersecurity attacks and financial or reputational losses.
Standard: Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 ( Section 6.2.3 of EOTSS’s Information Security Risk Management Standard IS.010; Section 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 )
2 recommendations
- The seven state colleges and universities should update cybersecurity awareness training policies to require training for all employees.agency: partially agreed
- The seven state colleges and universities should update policies to include consequences for noncompletion.agency: partially agreed
Agency response & Auditor reply
Agency: "The College agrees that cybersecurity training is critical and important."
Auditor: "As noted above within the auditees’ responses, many colleges and universities have already started addressing our concerns in this area."
Why it matters: The transit authorities may face increased risk of cybersecurity attacks and financial or reputational losses.
Standard: Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 ( Section 6.2.3 of EOTSS’s Information Security Risk Management Standard IS.010; Section 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 )
2 recommendations
- The three regional transit authorities should update cybersecurity awareness training policies to require training for all employees.agency: partially agreed
- The three regional transit authorities should update cybersecurity training policies to include consequences for noncompletion.agency: partially agreed
Agency response & Auditor reply
Agency: "The Cape Ann Transportation Authority agrees with the recommendations."
Auditor: "We appreciate the responses provided by the regional transit authorities we audited."
More audits of this entity
Other Office of the State Auditor reports on Massasoit Community College .
-
Massasoit Community CollegeCollege / University · May 12, 2011 -
Massasoit Community CollegeCollege / University · AUGUST 28, 2000 -
Massasoit Community CollegeCollege / University · August 10, 2016 -
Audit of Massasoit Community College (MCC)College / University · April 20, 2021