Seal of the Commonwealth of Massachusetts
Massachusetts Audit Explorer - what the State Auditor found

← all audits

Audit of Cybersecurity Awareness Training Compliance Across Multiple State Agencies - Nantucket Regional Transit Authority

November 8, 2024 · Nantucket Regional Transit Authority · Read the full official report on mass.gov ↗

Published November 8, 2024 Audit covers July 1, 2021 – April 30, 2023 Under Diana DiZoglio · 2023–present

In plain English
The auditor found that many Massachusetts state agencies, public colleges, universities, and regional transit authorities did not make sure all employees finished required cybersecurity awareness training.
source
“EOTSS did not ensure that all of its employees completed cybersecurity awareness training.”
Read the plain-English breakdown
What is this?

This is a State Auditor performance audit looking at whether 23 public entities followed cybersecurity training standards during the period from July 1, 2021 through April 30, 2023.

“This audit covers the period July 1, 2021 through April 30, 2023 and includes the following agencies:”
Why was it audited?

The audit was done to check whether employees at these public agencies completed cybersecurity awareness training required under EOTSS security standards.

“The purpose of our audit was to determine whether EOTSS and the above executive branch agencies, state colleges and universities, and regional transit authorities ensured that their employees completed cybersecurity awareness training in accordance with Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010.”
Why it matters

If public employees miss cybersecurity training, agencies may be more vulnerable to cyberattacks and could suffer money losses or damage to their reputation.

“If executive branch agencies do not ensure that all of their employees complete cybersecurity awareness training, then they may expose themselves to an increased risk of cybersecurity attacks and financial and/or reputational losses.”
What's in it for me?

For an ordinary resident, this matters because these agencies provide public services and handle government systems; weak training can increase the risk that public services or information systems are harmed by cyberattacks.

“EOTSS provides responsive digital and security services that enable taxpayers, motorists, businesses, visitors, families, and other citizens to do business with the Commonwealth.”
The bottom line

The bottom line is that cybersecurity training was supposed to happen for all personnel, but the audit found missed, late, or incomplete training across several groups of agencies.

“Did EOTSS and other executive branch agencies, state colleges and universities, and regional transit authorities ensure that their employees completed cybersecurity awareness training in accordance with Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010?”
What happens next

The auditor recommended stronger policies, better tracking, and consequences when employees do not complete training; EOTSS said it would look for improvements and the auditor said it would follow up later.

“We will follow up on this during our post-audit review process in approximately six months.”
Why it's significant

The report is significant because it found a system-wide compliance problem, not just one missed training at one office: executive agencies, colleges, universities, and transit authorities were all included in the findings.

“No; see Findings 1, 2, 3, and 4”
Jargon, unpacked

Cybersecurity awareness training means basic training that teaches employees how to help protect state information systems and data.

“The objective of the Commonwealth information security training is to educate users on their responsibility to help protect the confidentiality, availability and integrity of the Commonwealth’s information assets.”

What the Auditor checked

What the Auditor found

EOTSS did not ensure that all employees completed required cybersecurity awareness training.
cybersecurityinternal controlsrecordkeeping/documentation

Why it matters: EOTSS may face increased risk of cybersecurity attacks and financial or reputational losses.

Standard: Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 ( Section 12 of Chapter 11 of the Massachusetts General Laws; EOTSS’s Information Security Risk Management Standard IS.010, Sections 6.2.3 and 6.2.4 )

4 recommendations
  • EOTSS should strengthen its policy to improve oversight of executive branch state agencies, including timely completion of cybersecurity awareness trainings.
  • EOTSS should maintain employee training transcripts for all employees, including cybersecurity awareness training completion records.
  • EOTSS should ensure all employees complete cybersecurity awareness training within 30 days of orientation and annually thereafter.
  • EOTSS should monitor training completion rates throughout the cycle and use HRD historical data to ensure employees meet deadlines.
Agency response & Auditor reply
Agency: "Moving forward, EOTSS will evaluate its internal processes to identify areas for improvement related to new hire orientation and contractor onboarding."
Auditor: "Based on its response, EOTSS has indicated that it will take steps to address our concerns on this matter."
Nine executive branch agencies did not ensure all employees completed required cybersecurity awareness training.
cybersecurityinternal controlsrecordkeeping/documentation

Why it matters: The agencies may face increased risk of cybersecurity attacks and financial or reputational losses.

Standard: Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 ( EOTSS’s Information Security Risk Management Standard IS.010, Sections 6.2.3 and 6.2.4; Section 2 of Chapter 7D of the Massachusetts General Laws )

3 recommendations
  • The nine agencies should provide initial and annual refresher cybersecurity awareness training to all full-time employees, contractors, and interns.agency: partially agreed
  • The nine agencies should monitor cybersecurity training completion rates throughout the training cycle and use HRD historical data to ensure employees meet deadlines.agency: partially agreed
  • The nine agencies should implement additional controls so new hire onboarding includes all required cybersecurity awareness coursework.agency: partially agreed
Agency response & Auditor reply
Auditor: "Based on its response, DLS will take measures to address our concerns regarding this matter."
Seven state colleges and universities did not ensure all employees completed cybersecurity awareness training.
cybersecurityinternal controlsrecordkeeping/documentation

Why it matters: The colleges and universities may face increased risk of cybersecurity attacks and financial or reputational losses.

Standard: Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 ( EOTSS’s Information Security Risk Management Standard IS.010, Sections 6.2.3 and 6.2.4; Generally Accepted Government Auditing Standards, Section 8.18 )

2 recommendations
  • The seven state colleges and universities should update cybersecurity awareness training policies to require training for all employees.agency: agreed
  • The seven state colleges and universities should update cybersecurity awareness training policies to include consequences for non-completion.agency: agreed
Agency response & Auditor reply
Agency: "We are in agreement with the merits of the [EOTSS] Standard and the University is now aligned with the goals of the cybersecurity awareness training."
Auditor: "As noted above within the auditees’ responses, many colleges and universities have already started addressing our concerns in this area."
Three regional transit authorities did not ensure all employees completed cybersecurity awareness training.
cybersecurityinternal controlsrecordkeeping/documentation

Why it matters: The regional transit authorities may face increased risk of cybersecurity attacks and financial or reputational losses.

Standard: Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 ( EOTSS’s Information Security Risk Management Standard IS.010, Sections 6.2.3 and 6.2.4; Generally Accepted Government Auditing Standards 8.18 )

2 recommendations
  • The three regional transit authorities should update cybersecurity awareness training policies to require training for all employees.agency: partially agreed
  • The three regional transit authorities should update cybersecurity training policies to include consequences for non-completion.agency: partially agreed
Agency response & Auditor reply
Agency: "The Cape Ann Transportation Authority agrees with the recommendations."
Auditor: "We appreciate the responses provided by the regional transit authorities we audited."

More audits of this entity

Other Office of the State Auditor reports on Nantucket Regional Transit Authority .

See this entity's page with all 2 audits →