Audit of Cybersecurity Awareness Training Compliance Across Multiple State Agencies - Registry of Motor Vehicles
November 8, 2024 · Registry of Motor Vehicles · Read the full official report on mass.gov ↗
source
“EOTSS did not ensure that all of its employees completed cybersecurity awareness training.”
Read the plain-English breakdown
This is a state audit reviewing whether selected Massachusetts public entities made sure their employees completed cybersecurity awareness training.
“In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of the Executive Office of Technology Services and Security (EOTSS), as well as 22 other executive branch agencies, state colleges and universities, and regional transit authorities.”
The auditor checked whether employees got the required initial and yearly cybersecurity training during the audit period.
“The purpose of our audit was to determine whether EOTSS and the above executive branch agencies, state colleges and universities, and regional transit authorities ensured that their employees completed cybersecurity awareness training in accordance with Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010.”
Missed cybersecurity training can leave public agencies more vulnerable to cyberattacks, money losses, and damage to public trust.
“If executive branch agencies do not ensure that all of their employees complete cybersecurity awareness training, then they may expose themselves to an increased risk of cybersecurity attacks and financial and/or reputational losses.”
These systems affect everyday residents because state technology supports services used by taxpayers, drivers, businesses, families, and visitors.
“EOTSS provides responsive digital and security services that enable taxpayers, motorists, businesses, visitors, families, and other citizens to do business with the Commonwealth.”
The auditor concluded that the reviewed entities did not fully meet the cybersecurity training standard.
“Did EOTSS and other executive branch agencies, state colleges and universities, and regional transit authorities ensure that their employees completed cybersecurity awareness training in accordance with Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010?”
The auditor recommended stronger monitoring, better records, and making sure employees complete training on time; the auditor also plans a follow-up review.
“We will follow up on this during our post-audit review process in approximately six months.”
The report treats cybersecurity training as a basic safeguard for protecting government information and reducing cyber risk across public agencies.
“The objective of the Commonwealth information security training is to educate users on their responsibility to help protect the confidentiality, availability and integrity of the Commonwealth’s information assets.”
EOTSS is the state technology and cybersecurity office; IS.010 is its information security standard that says employees need cybersecurity training.
“The Executive Office of Technology Services and Security (EOTSS), located at 1 Ashburton Place in Boston, was established in 2017 in accordance with Section 2 of Chapter 7D of the Massachusetts General Laws.”
What the Auditor checked
- Did not comply Did EOTSS and other executive branch agencies, state colleges and universities, and regional transit authorities ensure that their employees completed cybersecurity awareness training in accordance with Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010?
What the Auditor found
Why it matters: EOTSS may face increased cybersecurity attack risk and financial or reputational losses.
Standard: Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 ( EOTSS’s Information Security Risk Management Standard IS.010, Section 6.2.3; EOTSS’s Information Security Risk Management Standard IS.010, Section 6.2.4 )
4 recommendations
- EOTSS should strengthen its policy to improve oversight of executive branch state agencies, including timely completion of cybersecurity awareness trainings.
- EOTSS should ensure that all employee training transcripts are maintained and include cybersecurity awareness training completion records.
- EOTSS should ensure that all employees complete cybersecurity awareness training within 30 days of orientation and annually thereafter.
- EOTSS should monitor employee cybersecurity awareness training completion rates during the training cycle and use HRD historical data to ensure deadlines are met.
Agency response & Auditor reply
Agency: "Moving forward, EOTSS will evaluate its internal processes to identify areas for improvement related to new hire orientation and contractor onboarding."
Auditor: "Based on its response, EOTSS has indicated that it will take steps to address our concerns on this matter."
Why it matters: The agencies may face increased cybersecurity attack risk and financial or reputational losses.
Standard: Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 ( EOTSS’s Information Security Risk Management Standard IS.010, Section 6.2.3; EOTSS’s Information Security Risk Management Standard IS.010, Section 6.2.4 )
3 recommendations
- The nine executive branch agencies should provide initial and annual refresher cybersecurity awareness training to all full-time employees, contractors, and interns.
- The agencies should monitor employee cybersecurity awareness training completion rates and use HRD historical data to ensure employees meet training deadlines.
- The agencies should add controls to ensure new hire onboarding includes all required cybersecurity awareness training coursework.
Agency response & Auditor reply
Agency: "MPB concurs with [the Office of the State Auditor’s] recommendations to (1) provide cybersecurity awareness training (both an initial training within 30 days of orientation and an annual refresher training thereafter) to all full-time employees, contractors, and interns; and (2) establish procedures to monitor employee completion throughout the training cycle to ensure that staff are meeting the training deadlines."
Auditor: "Based on their response, MassDOT and RMV have taken measures to address our concerns regarding this matter."
Why it matters: The colleges and universities may face increased cybersecurity attack risk and financial or reputational losses.
Standard: Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 ( EOTSS’s Information Security Risk Management Standard IS.010, Section 6.2.3; EOTSS’s Information Security Risk Management Standard IS.010, Section 6.2.4 )
2 recommendations
- The seven state colleges and universities should require cybersecurity awareness training for all employees.
- The seven state colleges and universities should establish consequences for non-completion, such as restricting access until training is completed.
Agency response & Auditor reply
Agency: "We are in agreement with the merits of the [EOTSS] Standard and the University is now aligned with the goals of the cybersecurity awareness training."
Auditor: "As noted above within the auditees’ responses, many colleges and universities have already started addressing our concerns in this area."
Why it matters: The transit authorities may face increased cybersecurity attack risk and financial or reputational losses.
Standard: Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 ( EOTSS’s Information Security Risk Management Standard IS.010, Section 6.2.3; EOTSS’s Information Security Risk Management Standard IS.010, Section 6.2.4 )
2 recommendations
- The three regional transit authorities should require cybersecurity awareness training for all employees.
- The three regional transit authorities should establish consequences for non-completion, such as restricting access until training is completed.
Agency response & Auditor reply
Agency: "The Cape Ann Transportation Authority agrees with the recommendations."
Auditor: "As noted above within the auditees’ responses, many RTAs have already started addressing our concerns in this area."
More audits of this entity
Other Office of the State Auditor reports on Registry of Motor Vehicles .
- Audit of the Registry of Motor VehiclesState Agency / Office · September 6, 2018