Seal of the Commonwealth of Massachusetts
Massachusetts Audit Explorer - what the State Auditor found

← all audits

Audit of Cybersecurity Awareness Training Compliance Across Multiple State Agencies (November 8, 2024)

November 8, 2024 · Cybersecurity Awareness Training Compliance Across Multiple State Agencies · Read the full official report on mass.gov ↗

Published November 8, 2024 Audit covers July 1, 2021 – April 30, 2023 Under Diana DiZoglio · 2023–present

In plain English
The Auditor found that many reviewed Massachusetts public agencies did not make sure all workers finished required cybersecurity training, which can raise cyber, financial, and reputation risks.
source
“If executive branch agencies do not ensure that all of their employees complete cybersecurity awareness training, then they may expose themselves to an increased risk of cybersecurity attacks and financial and/or reputational losses.”
Read the plain-English breakdown
What is this?

This is a Massachusetts State Auditor performance audit about whether state agencies, colleges, universities, and regional transit authorities followed cybersecurity training rules.

“In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of the Executive Office of Technology Services and Security (EOTSS), as well as 22 other executive branch agencies, state colleges and universities, and regional transit authorities.”
Why was it audited?

Auditors checked whether employees completed required cybersecurity awareness training during the audit period.

“The purpose of our audit was to determine whether EOTSS and the above executive branch agencies, state colleges and universities, and regional transit authorities ensured that their employees completed cybersecurity awareness training in accordance with Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010.”
Why it matters

Cybersecurity training is meant to help workers protect government information and systems that residents rely on.

“The objective of the Commonwealth information security training is to educate users on their responsibility to help protect the confidentiality, availability and integrity of the Commonwealth’s information assets.”
What's in it for me?

For an ordinary resident, this matters because state systems serve taxpayers, drivers, businesses, families, visitors, and other people who interact with Massachusetts government.

“EOTSS provides responsive digital and security services that enable taxpayers, motorists, businesses, visitors, families, and other citizens to do business with the Commonwealth.”
The bottom line

The audit’s answer was no: the reviewed entities did not fully ensure that employees completed cybersecurity awareness training.

“Did EOTSS and other executive branch agencies, state colleges and universities, and regional transit authorities ensure that their employees completed cybersecurity awareness training in accordance with Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010?”
What happens next

The Auditor recommended stronger policies, better tracking, and consequences for missed training, and said the office would follow up later.

“We will follow up on this during our post-audit review process in approximately six months.”
Why it's significant

The report treats training as a basic safeguard: without it, agencies, colleges, and transit authorities may be more exposed to cyberattacks and related losses.

“Cybersecurity awareness policies are not just guidelines; they are essential safeguards in today’s digital landscape.”
Jargon, unpacked

“Cybersecurity awareness training” means basic instruction for employees about their role in protecting government information from security threats.

“Commonwealth Offices and Agencies must ensure that all personnel are trained on all relevant rules and regulations for cybersecurity.”

What the Auditor checked

What the Auditor found

EOTSS did not ensure all employees completed required cybersecurity awareness training.
cybersecurityinternal controlsrecordkeeping/documentation

Why it matters: EOTSS increased its risk of cybersecurity attacks and financial or reputational losses.

Standard: Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 require new hire and annual security awareness training. ( Section 6.2.3 of EOTSS’s Information Security Risk Management Standard IS.010; Section 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 )

4 recommendations
  • EOTSS should strengthen their policy to improve oversight of executive branch state agencies, including their timely completion of cybersecurity awareness trainings.
  • EOTSS should ensure that all employee training transcript for all employees are maintained and include records regarding cybersecurity awareness training completion.
  • EOTSS should ensure that all of its employees complete cybersecurity awareness training within 30 days of orientation and annually thereafter.
  • EOTSS should establish procedures to monitor employee cybersecurity awareness training completion rates throughout the training cycle and use historical data retained by HRD to ensure that employees meet training deadlines.
Agency response & Auditor reply
Agency: "Moving forward, EOTSS will evaluate its internal processes to identify areas for improvement related to new hire orientation and contractor onboarding."
Auditor: "Based on its response, EOTSS has indicated that it will take steps to address our concerns on this matter."
Nine executive branch agencies did not ensure all employees completed required cybersecurity awareness training.
cybersecurityinternal controls

Why it matters: The agencies increased their risk of cybersecurity attacks and financial or reputational losses.

Standard: Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 require new hire and annual security awareness training. ( Section 6.2.3 of EOTSS’s Information Security Risk Management Standard IS.010; Section 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 )

3 recommendations
  • Provide cybersecurity awareness training to all full-time employees, contractors, and interns.
  • Establish procedures to monitor cybersecurity awareness training completion rates and use HRD historical data to ensure employees meet deadlines.
  • Implement additional controls to ensure new hire onboarding includes all required cybersecurity awareness training coursework.
Agency response & Auditor reply
Agency: "DOR agrees with the results of the audit."
Auditor: "Based on its response, DOR has taken, and will continue to take, measures to address our concerns regarding this matter."
Seven state colleges and universities did not ensure all employees completed cybersecurity awareness training.
cybersecurityinternal controls

Why it matters: The colleges and universities increased their risk of cybersecurity attacks and financial or reputational losses.

Standard: Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 require new hire and annual security awareness training. ( Section 6.2.3 of EOTSS’s Information Security Risk Management Standard IS.010; Section 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 )

2 recommendations
  • The seven state colleges and universities should update cybersecurity awareness training policies to require training for all employees.
  • The seven state colleges and universities should update cybersecurity awareness training policies to include consequences for non-completion.
Agency response & Auditor reply
Agency: "The College agrees that cybersecurity training is critical and important."
Auditor: "As noted above within the auditees’ responses, many colleges and universities have already started addressing our concerns in this area."
Three regional transit authorities did not ensure all employees completed cybersecurity awareness training.
cybersecurityinternal controls

Why it matters: The regional transit authorities increased their risk of cybersecurity attacks and financial or reputational losses.

Standard: Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 require new hire and annual security awareness training. ( Section 6.2.3 of EOTSS’s Information Security Risk Management Standard IS.010; Section 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 )

2 recommendations
  • The three regional transit authorities should update cybersecurity awareness training policies to require training for all employees.agency: agreed
  • The three regional transit authorities should update cybersecurity training policies to include consequences for non-completion.agency: agreed
Agency response & Auditor reply
Agency: "The Cape Ann Transportation Authority agrees with the recommendations."
Auditor: "As noted above within the auditees’ responses, many RTAs have already started addressing our concerns in this area."