Seal of the Commonwealth of Massachusetts
Massachusetts Audit Explorer - what the State Auditor found

← all audits

Audit of Cybersecurity Awareness Training Compliance Across Multiple State Agencies - State 911 Department

November 8, 2024 · State 911 Department · Read the full official report on mass.gov ↗

Published November 8, 2024 Audit covers July 1, 2021 – April 30, 2023 Under Diana DiZoglio · 2023–present

In plain English
The audit found that many Massachusetts state agencies, public colleges, universities, and regional transit authorities did not make sure all employees completed required cybersecurity awareness training.
source
“EOTSS did not ensure that all of its employees completed cybersecurity awareness training.”
Read the plain-English breakdown
What is this?

This is a Massachusetts State Auditor performance audit about whether state-related organizations made workers take cybersecurity awareness training.

“The purpose of our audit was to determine whether EOTSS and the above executive branch agencies, state colleges and universities, and regional transit authorities ensured that their employees completed cybersecurity awareness training in accordance with Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010.”
Why was it audited?

The Auditor checked whether employees got initial cybersecurity training after starting work and yearly refresher training afterward, as required by EOTSS standards.

“Did EOTSS and other executive branch agencies, state colleges and universities, and regional transit authorities ensure that their employees completed cybersecurity awareness training in accordance with Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010?”
Why it matters

Cybersecurity training matters because untrained employees can increase the risk of cyberattacks and damage public agencies financially or reputationally.

“If executive branch agencies do not ensure that all of their employees complete cybersecurity awareness training, then they may expose themselves to an increased risk of cybersecurity attacks and financial and/or reputational losses.”
What's in it for me?

For residents, this matters because these agencies serve taxpayers, drivers, families, businesses, students, and transit riders, and weak cybersecurity practices can put public services and information at greater risk.

“EOTSS provides responsive digital and security services that enable taxpayers, motorists, businesses, visitors, families, and other citizens to do business with the Commonwealth.”
The bottom line

The Auditor concluded the audited organizations did not meet the cybersecurity training standard overall.

“No; see Findings 1, 2, 3, and 4”
What happens next

The report recommends that agencies require training, track completion, keep records, and add consequences such as restricting access until training is finished.

“The aforementioned three regional transit authorities should do the following:”
Why it's significant

The report is significant because it covers 23 entities across state government, public higher education, and regional transit, not just one office.

“This report covers 22 additional agencies’ compliance with EOTSS’s cybersecurity awareness training standard.”
Jargon, unpacked

Cybersecurity awareness training is basic training meant to teach employees how to help protect government information and systems.

“The objective of the Commonwealth information security training is to educate users on their responsibility to help protect the confidentiality, availability and integrity of the Commonwealth’s information assets.”

What the Auditor checked

What the Auditor found

EOTSS did not ensure that all active employees completed required cybersecurity awareness training.
cybersecurityinternal controlsrecordkeeping/documentation

Why it matters: EOTSS may face increased risk of cybersecurity attacks and financial or reputational losses.

Standard: Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 ( EOTSS’s Information Security Risk Management Standard IS.010, Section 6.2.3; EOTSS’s Information Security Risk Management Standard IS.010, Section 6.2.4 )

4 recommendations
  • EOTSS should strengthen their policy to improve oversight of executive branch state agencies, including their timely completion of cybersecurity awareness trainings.
  • EOTSS should ensure that all employee training transcripts for all employees are maintained and include records regarding cybersecurity awareness training completion.
  • EOTSS should ensure that all of its employees complete cybersecurity awareness training within 30 days of orientation and annually thereafter.
  • EOTSS should establish monitoring procedures for cybersecurity awareness training completion rates and use HRD historical data to ensure deadlines are met.
Agency response & Auditor reply
Agency: "Moving forward, EOTSS will evaluate its internal processes to identify areas for improvement related to new hire orientation and contractor onboarding."
Auditor: "Based on its response, EOTSS has indicated that it will take steps to address our concerns on this matter."
Nine executive branch agencies did not ensure all employees completed cybersecurity awareness training.
cybersecurityinternal controlsrecordkeeping/documentation

Why it matters: The agencies may face increased risk of cybersecurity attacks and financial or reputational losses.

Standard: Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 ( EOTSS’s Information Security Risk Management Standard IS.010, Section 6.2.3; EOTSS’s Information Security Risk Management Standard IS.010, Section 6.2.4 )

3 recommendations
  • The nine executive branch agencies should provide initial and annual refresher cybersecurity awareness training to all full-time employees, contractors, and interns.
  • The agencies should monitor cybersecurity awareness training completion throughout the training cycle and use HRD historical data to ensure deadlines are met.
  • The agencies should add controls to ensure new hire onboarding includes all required cybersecurity awareness coursework.
Agency response & Auditor reply
Agency: "MPB concurs with [the Office of the State Auditor’s] recommendations to (1) provide cybersecurity awareness training (both an initial training within 30 days of orientation and an annual refresher training thereafter) to all full-time employees, contractors, and interns; and (2) establish procedures to monitor employee completion throughout the training cycle to ensure that staff are meeting the training deadlines."
Auditor: "Based on their response, MassDOT and RMV have taken measures to address our concerns regarding this matter."
Seven state colleges and universities did not ensure all employees completed cybersecurity awareness training.
cybersecurityinternal controlsrecordkeeping/documentation

Why it matters: The colleges and universities may face increased risk of cybersecurity attacks and financial or reputational losses.

Standard: Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 ( EOTSS’s Information Security Risk Management Standard IS.010, Section 6.2.3; EOTSS’s Information Security Risk Management Standard IS.010, Section 6.2.4 )

2 recommendations
  • The seven state colleges and universities should require cybersecurity awareness training for all employees.
  • The seven state colleges and universities should add consequences for non-completion of cybersecurity awareness training.
Agency response & Auditor reply
Agency: "We are in agreement with the merits of the [EOTSS] Standard and the University is now aligned with the goals of the cybersecurity awareness training."
Auditor: "As noted above within the auditees’ responses, many colleges and universities have already started addressing our concerns in this area."
Three regional transit authorities did not ensure all employees completed cybersecurity awareness training.
cybersecurityinternal controlsrecordkeeping/documentation

Why it matters: The regional transit authorities may face increased risk of cybersecurity attacks and financial or reputational losses.

Standard: Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 ( EOTSS’s Information Security Risk Management Standard IS.010, Section 6.2.3; EOTSS’s Information Security Risk Management Standard IS.010, Section 6.2.4 )

2 recommendations
  • The three regional transit authorities should update their policies to require cybersecurity awareness training for all employees.
  • The three regional transit authorities should add consequences for non-completion of cybersecurity training.
Agency response & Auditor reply
Agency: "The Cape Ann Transportation Authority agrees with the recommendations."
Auditor: "As noted above within the auditees’ responses, many RTAs have already started addressing our concerns in this area."

More audits of this entity

Other Office of the State Auditor reports on State 911 Department .

See this entity's page with all 3 audits →