Audit of Cybersecurity Awareness Training Compliance Across Multiple State Agencies - Parole Board
November 8, 2024 · Massachusetts Parole Board · Read the full official report on mass.gov ↗
source
“EOTSS did not ensure that all of its employees completed cybersecurity awareness training.”
Read the plain-English breakdown
Auditors checked whether the agencies followed EOTSS rules requiring cybersecurity training for employees.
“The purpose of our audit was to determine whether EOTSS and the above executive branch agencies, state colleges and universities, and regional transit authorities ensured that their employees completed cybersecurity awareness training in accordance with Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010.”
When employees miss cybersecurity training, agencies may be more vulnerable to cyberattacks, money losses, and damage to public trust.
“If executive branch agencies do not ensure that all of their employees complete cybersecurity awareness training, then they may expose themselves to an increased risk of cybersecurity attacks and financial and/or reputational losses.”
This matters to residents because state technology systems support everyday services for taxpayers, drivers, businesses, families, and other people using state government.
“EOTSS provides responsive digital and security services that enable taxpayers, motorists, businesses, visitors, families, and other citizens to do business with the Commonwealth.”
The audit’s main conclusion was that several public entities had gaps: some employees finished training late, and some did not finish it at all.
“Regarding the completion rates for the initial cybersecurity awareness training, we observed that 445 newly hired employees completed training late, while 601 did not complete training at all.”
The Auditor recommended stronger tracking, required training for all employees, and consequences when employees do not complete it.
“EOTSS should establish procedures to monitor employee cybersecurity awareness training completion rates throughout the training cycle and use historical data retained by HRD to ensure that employees meet training deadlines.”
The report is significant because it says cybersecurity training should be treated as a basic safeguard across state government, not as an optional task.
“We regard EOTSS’s Information Security Risk Management Standard IS.010 as the baseline for best practices in cybersecurity awareness training across the Commonwealth’s agencies, and therefore, we used this as our audit criteria.”
“Cybersecurity awareness training” means basic training that teaches employees how to help protect state information systems and data.
“The objective of the Commonwealth information security training is to educate users on their responsibility to help protect the confidentiality, availability and integrity of the Commonwealth’s information assets.”
What the Auditor checked
- Did not comply Did EOTSS and other executive branch agencies, state colleges and universities, and regional transit authorities ensure that their employees completed cybersecurity awareness training in accordance with Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010?
What the Auditor found
Why it matters: EOTSS may face increased risk of cybersecurity attacks and financial or reputational losses.
Standard: Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 ( Section 6.2.3 of EOTSS’s Information Security Risk Management Standard IS.010; Section 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 )
4 recommendations
- EOTSS should strengthen its policy to improve oversight of executive branch state agencies, including timely completion of cybersecurity awareness trainings.
- EOTSS should maintain all employee training transcripts and include records of cybersecurity awareness training completion.
- EOTSS should ensure all employees complete cybersecurity awareness training within 30 days of orientation and annually thereafter.
- EOTSS should monitor training completion rates and use HRD historical data to ensure employees meet deadlines.
Agency response & Auditor reply
Agency: "Moving forward, EOTSS will evaluate its internal processes to identify areas for improvement related to new hire orientation and contractor onboarding."
Auditor: "Based on its response, EOTSS has indicated that it will take steps to address our concerns on this matter."
Why it matters: The agencies may face increased risk of cybersecurity attacks and financial or reputational losses.
Standard: Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 ( Section 6.2.3 of EOTSS’s Information Security Risk Management Standard IS.010; Section 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 )
3 recommendations
- The agencies should provide initial and annual cybersecurity awareness training to all full-time employees, contractors, and interns.agency: partially agreed
- The agencies should monitor training completion rates and use HRD historical data to ensure deadlines are met.agency: partially agreed
- The agencies should add controls so onboarding includes all required cybersecurity awareness coursework.agency: partially agreed
Agency response & Auditor reply
Auditor: "Based on its response, DLS will take measures to address our concerns regarding this matter."
Why it matters: The colleges and universities may face increased risk of cybersecurity attacks and financial or reputational losses.
Standard: Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 ( Section 6.2.3 of EOTSS’s Information Security Risk Management Standard IS.010; Section 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 )
2 recommendations
- The seven colleges and universities should require cybersecurity awareness training for all employees.agency: agreed
- The seven colleges and universities should include consequences for failing to complete cybersecurity awareness training.agency: agreed
Agency response & Auditor reply
Agency: "The College agrees that cybersecurity training is critical and important."
Auditor: "As noted above within the auditees’ responses, many colleges and universities have already started addressing our concerns in this area."
Why it matters: The regional transit authorities may face increased risk of cybersecurity attacks and financial or reputational losses.
Standard: Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 ( Section 6.2.3 of EOTSS’s Information Security Risk Management Standard IS.010; Section 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 )
2 recommendations
- The three regional transit authorities should require cybersecurity awareness training for all employees.agency: partially agreed
- The three regional transit authorities should include consequences for failing to complete cybersecurity training.agency: partially agreed
Agency response & Auditor reply
Agency: "The Cape Ann Transportation Authority agrees with the recommendations."
Auditor: "As noted above within the auditees’ responses, many RTAs have already started addressing our concerns in this area."
More audits of this entity
Other Office of the State Auditor reports on Massachusetts Parole Board .
- Massachusetts Parole BoardAuthority / Commission · October 19, 2016
- Audit of the Massachusetts Parole BoardAuthority / Commission · March 24, 2021