Seal of the Commonwealth of Massachusetts
Massachusetts Audit Explorer - what the State Auditor found

← all audits

Audit of Holyoke Community College (HCC)

August 11, 2020 · Holyoke Community College · Read the full official report on mass.gov ↗ · official site ↗

Published August 11, 2020 Audit covers July 1, 2017 – March 31, 2019 Under Suzanne M. Bump · 2011–2023

In plain English
The audit found that Holyoke Community College did not make sure all computer system users completed required cybersecurity training, and it did not keep all required signed computer-use agreements on file.
source
“HCC did not ensure that required information security training was completed or retain copies of signed acceptable use policies.”
Read the plain-English breakdown
What is this?

This is a state performance audit of Holyoke Community College covering July 1, 2017 through March 31, 2019.

“In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of Holyoke Community College (HCC) for the period July 1, 2017 through March 31, 2019.”
Why was it audited?

Auditors checked whether people with access to HCC computer systems had taken information security training and signed acceptable-use rules.

“In this performance audit, we reviewed HCC’s information security training and awareness practices to determine whether system users had completed information security training and signed acceptable use policies.”
Why it matters

If users are not trained and do not formally agree to safe computer-use rules, the college faces more risk from cyberattacks and possible financial or reputation damage.

“Without educating all system users on their responsibility of helping protect the security of information assets by requiring training and formal user acknowledgment of acceptable use policies, HCC is exposed to a higher risk of cybersecurity attacks and financial and/or reputation losses.”
What's in it for me?

For students, staff, and taxpayers, this matters because better cybersecurity practices help protect college systems and information from avoidable risks.

“HCC is a member of the Massachusetts public higher-education system, which consists of 15 community colleges, nine state universities, and five University of Massachusetts campuses.”
The bottom line

The college started cybersecurity training in 2018, but many sampled users still had not completed it, and the college could not produce all signed acceptable-use agreements.

“From our sample of 60 system users, 1 user was terminated before the training was rolled out, and 8 users (6 employees, 1 work-study student, and 1 contract employee) were not assigned training.”
What happens next

The auditor recommended that HCC create and share a cybersecurity training policy, monitor training completion, keep signed acceptable-use policies for all users, and put training requirements into union agreements.

“HCC should negotiate collective bargaining agreements to include information security training requirements for all system users.”
Why it's significant

The finding points to a basic cybersecurity control gap at a public college: people had access to systems without proof that all required training and signed use agreements were completed.

“For the same sample of 60 users, HCC could produce only 35 (58%) of the required signed acceptable use policies.”
Jargon, unpacked

An acceptable use policy is basically the written rulebook for how employees and other users may use the college’s computer equipment.

“According to the SysAdmin, Audit, Network, and Security Institute, acceptable use policies outline the acceptable use of computer equipment by an organization’s computer system users.”

What the Auditor checked

What the Auditor found

Holyoke Community College did not ensure required information security training was completed and did not retain signed acceptable use policies.
cybersecurityrecordkeeping/documentationinternal controls

Why it matters: This increased the risk of cybersecurity attacks and financial or reputational losses.

Standard: Massachusetts Executive Order 504; EOTSS Information Security Risk Management Standard IS.010; NIST Special Publication 800-53r4. ( Section 12 of Chapter 11 of the Massachusetts General Laws; Massachusetts Executive Order 504; Executive Office of Technology Services and Security’s Information Security Risk Management Standard (IS.010); National Institute of Standards and Technology Special Publication 800-53r4, Security and Privacy Controls for Federal Information Systems and Organizations )

4 recommendations
  • HCC should develop, document, and disseminate to personnel an information security training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.agency: agreed
  • HCC’s Information Technology Department should continuously monitor compliance with the policy to ensure successful completion of information security training for all system users.agency: agreed
  • HCC should have signed acceptable use policies on file for all system users.agency: agreed
  • HCC should negotiate collective bargaining agreements to include information security training requirements for all system users.agency: already implemented
Agency response & Auditor reply
Agency: "We have since bargained with the [Massachusetts Community College Council] and [American Federation of State, County and Municipal Employees] unions to allow us to mandate the training."

More audits of this entity

Other Office of the State Auditor reports on Holyoke Community College .

See this entity's page with all 4 audits →