Seal of the Commonwealth of Massachusetts
Massachusetts Audit Explorer - what the State Auditor found

← all audits

Audit of the Attorney General’s Office - Review of Cybersecurity Awareness Training

October 29, 2021 · Attorney General · Read the full official report on mass.gov ↗

Published October 29, 2021 Audit covers July 1, 2018 – July 31, 2020 Under Suzanne M. Bump · 2011–2023

In plain English
The audit found that the Attorney General’s Office had a gap in cybersecurity training: some employees were not offered required training for part of the audit period, and the office was told to keep training available during vendor changes.
source
“AGO did not offer cybersecurity awareness training during a portion of the audit period.”
Read the plain-English breakdown
What is this?

This is a performance audit by the Massachusetts State Auditor reviewing whether the Attorney General’s Office handled cybersecurity awareness training properly from July 1, 2018 through July 31, 2020.

“This report details the audit objective, scope, methodology, finding, and recommendations for the audit period, July 1, 2018 through July 31, 2020.”
Why was it audited?

Auditors wanted to know whether Attorney General’s Office employees completed cybersecurity training and acknowledged information technology policies.

“In this performance audit, we reviewed AGO’s cybersecurity awareness training and practices to determine whether all employees had completed cybersecurity awareness training and signed information technology policies.”
Why it matters

If employees are not trained on cybersecurity, they may be more likely to fall for attacks, which can put the agency’s systems and information at risk.

“Lack of training for new employees and lack of refresher training for existing employees create a greater risk that employees and the agency may be vulnerable to a cyberattack.”
What's in it for me?

For residents, this matters because the Attorney General’s Office serves the public and handles work involving consumers, fraud, crime, workers, civil rights, and the environment, so strong cybersecurity helps protect public services and information.

“The Massachusetts Attorney General’s Office is an advocate and resource for the people of Massachusetts in many ways, including protecting consumers, combating fraud and corruption, investigating and prosecuting crime, and protecting the environment, workers, and civil rights.”
The bottom line

The office had cybersecurity training in place at some points, but there was a long break between its old training system and the new one, and some categories of users were not required to take the earlier training.

“Consequently, the transition from SANS to KnowBe4 resulted in a period when there was no cybersecurity awareness training in place at AGO.”
What happens next

The auditor recommended that the office make sure cybersecurity training is always available for new hires and annually for current employees, including during transitions to a new vendor or program.

“AGO should ensure that initial cybersecurity awareness training for new hires and annual training thereafter for existing employees are always available.”
Why it's significant

The finding was limited but important: the Attorney General’s Office only partially met the audit objective, and the auditor said the office later took steps to address the concern.

“Based on its response and the information provided to the Office of the State Auditor during the audit regarding AGO’s new cybersecurity awareness training policy, AGO has taken measures to address our concerns on this matter.”
Jargon, unpacked

Cybersecurity awareness training means training staff to recognize and avoid digital risks, such as phishing or unsafe computer practices; the audit used state and federal security standards as its yardstick.

“All personnel will be required to complete Annual Security Awareness Training.”

What the Auditor checked

What the Auditor found

The Attorney General’s Office did not offer cybersecurity awareness training during part of the audit period.
cybersecurityinternal controls

Why it matters: Employees and the agency faced a greater risk of vulnerability to cyberattack because new employees lacked training and existing employees lacked refresher training.

Standard: Section 6.2 of the Executive Office of Technology Services and Security’s Information Security Risk Management Standard IS.010 requires new-hire and annual security awareness training. ( Section 6.2 of the Executive Office of Technology Services and Security’s Information Security Risk Management Standard IS.010 )

2 recommendations
  • AGO should ensure that initial cybersecurity awareness training for new hires and annual training thereafter for existing employees are always available.agency: already implemented
  • If a new vendor or training program is selected, an interim training plan should always be in place to ensure continuity in cybersecurity awareness training during the transition to the new vendor or program.agency: already implemented
Agency response & Auditor reply
Agency: "Consequently, the AGO has satisfied the . . . recommendations . . . of the Draft Audit Report."
Auditor: "Based on its response and the information provided to the Office of the State Auditor during the audit regarding AGO’s new cybersecurity awareness training policy, AGO has taken measures to address our concerns on this matter."

More audits of this entity

Other Office of the State Auditor reports on Attorney General .

See this entity's page with all 2 audits →