Audit of Cybersecurity Awareness Training Compliance Across Multiple State Agencies - Northern Essex Community College
November 8, 2024 · Northern Essex Community College · Read the full official report on mass.gov ↗ · official site ↗
source
“The purpose of our audit was to determine whether EOTSS and the above executive branch agencies, state colleges and universities, and regional transit authorities ensured that their employees completed cybersecurity awareness training in accordance with Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010.”
Read the plain-English breakdown
This is a State Auditor performance audit about whether public employees completed cybersecurity training during the period July 1, 2021 through April 30, 2023.
“This audit covers the period July 1, 2021 through April 30, 2023 and includes the following agencies:”
The Auditor checked whether agencies followed the state’s cybersecurity training rules for new employees and annual refresher training.
“Did EOTSS and other executive branch agencies, state colleges and universities, and regional transit authorities ensure that their employees completed cybersecurity awareness training in accordance with Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010?”
Missed cybersecurity training can make public agencies more vulnerable to cyberattacks and costly damage.
“If executive branch agencies do not ensure that all of their employees complete cybersecurity awareness training, then they may expose themselves to an increased risk of cybersecurity attacks and financial and/or reputational losses.”
This matters to residents because EOTSS supports digital services used by taxpayers, motorists, businesses, visitors, families, and others dealing with state government.
“EOTSS provides responsive digital and security services that enable taxpayers, motorists, businesses, visitors, families, and other citizens to do business with the Commonwealth.”
The Auditor’s answer was no: the reviewed organizations did not consistently make sure employees completed cybersecurity awareness training.
“No; see Findings 1, 2, 3, and 4”
The report recommends tighter policies, better tracking, training for all workers, and follow-up to see whether agencies fix the problems.
“We will follow up on this during our post-audit review process in approximately six months.”
The report treats cybersecurity training as a basic public-sector safeguard, not a paperwork exercise.
“Cybersecurity awareness policies are not just guidelines; they are essential safeguards in today’s digital landscape.”
Cybersecurity awareness training means teaching employees how their actions help protect government information from being exposed, lost, or disrupted.
“The objective of the Commonwealth information security training is to educate users on their responsibility to help protect the confidentiality, availability and integrity of the Commonwealth’s information assets.”
What the Auditor checked
- Did not comply Did EOTSS and other executive branch agencies, state colleges and universities, and regional transit authorities ensure that their employees completed cybersecurity awareness training in accordance with Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010?
What the Auditor found
Why it matters: EOTSS may face increased risk of cybersecurity attacks and financial or reputational losses.
Standard: Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 ( Section 6.2.3 of EOTSS’s Information Security Risk Management Standard IS.010; Section 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 )
4 recommendations
- EOTSS should strengthen its policy to improve oversight of executive branch state agencies, including timely completion of cybersecurity awareness trainings.
- EOTSS should maintain all employee training transcripts, including cybersecurity awareness training completion records.
- EOTSS should ensure all employees complete cybersecurity awareness training within 30 days of orientation and annually thereafter.
- EOTSS should monitor completion rates throughout the training cycle and use HRD historical data to ensure employees meet deadlines.
Agency response & Auditor reply
Agency: "Moving forward, EOTSS will evaluate its internal processes to identify areas for improvement related to new hire orientation and contractor onboarding."
Auditor: "Based on its response, EOTSS has indicated that it will take steps to address our concerns on this matter."
Why it matters: The agencies may face increased risk of cybersecurity attacks and financial or reputational losses.
Standard: Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 ( Section 6.2.3 of EOTSS’s Information Security Risk Management Standard IS.010; Section 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 )
3 recommendations
- Provide initial cybersecurity awareness training within 30 days of orientation and annual refresher training thereafter to all full-time employees, contractors, and interns.agency: partially agreed
- Establish procedures to monitor training completion rates throughout the cycle and use HRD historical data to ensure deadlines are met.agency: partially agreed
- Implement additional controls to ensure new hire onboarding includes all required cybersecurity awareness coursework.agency: partially agreed
Agency response & Auditor reply
Agency: "DMH recognizes that the [Office of the State Auditor] assesses compliance with the policy or standard as written, and that it reads Section 6.2 of EOTSS’s Information Security Risk Management Standards as requiring cybersecurity training for “all personnel.”"
Auditor: "DMH must ensure that contractors are trained in compliance with EOTSS’s Information Security Risk Management Standard IS.010."
Why it matters: The colleges and universities may face increased risk of cybersecurity attacks and financial or reputational losses.
Standard: Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 ( Section 6.2.3 of EOTSS’s Information Security Risk Management Standard IS.010; Section 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 )
2 recommendations
- Update cybersecurity awareness training policies to require training for all employees.agency: partially agreed
- Update cybersecurity awareness training policies to include consequences for non-completion, such as restricting access until training is completed.agency: partially agreed
Agency response & Auditor reply
Auditor: "As noted above within the auditees’ responses, many colleges and universities have already started addressing our concerns in this area."
Why it matters: The regional transit authorities may face increased risk of cybersecurity attacks and financial or reputational losses.
Standard: Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 ( Section 6.2.3 of EOTSS’s Information Security Risk Management Standard IS.010; Section 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 )
2 recommendations
- Update cybersecurity awareness training policies to require training for all employees.agency: partially agreed
- Update cybersecurity training policies to include consequences for non-completion, such as restricting access until training is completed.agency: partially agreed
Agency response & Auditor reply
Agency: "The Cape Ann Transportation Authority agrees with the recommendations."
Auditor: "We appreciate the responses provided by the regional transit authorities we audited."
More audits of this entity
Other Office of the State Auditor reports on Northern Essex Community College .
-
Northern Essex Community CollegeCollege / University · November 30, 2016 -
Audit of Northern Essex Community College (NECC)College / University · June 30, 2021 -
Northern Essex Community CollegeCollege / University · January 26, 2012