Seal of the Commonwealth of Massachusetts
Massachusetts Audit Explorer - what the State Auditor found

← all audits

Audit of the Bridgewater State University

June 14, 2022 · Bridgewater State University · Read the full official report on mass.gov ↗ · official site ↗

Published June 14, 2022 Audit covers March 1, 2020 – March 31, 2021 Under Suzanne M. Bump · 2011–2023

In plain English
The audit found Bridgewater State University generally handled COVID-19 education relief money properly, but it failed to make sure every employee completed required cybersecurity training.
source
“BSU did not ensure that all employees completed required cybersecurity awareness training.”
Read the plain-English breakdown
What is this?

This is a state performance audit of Bridgewater State University covering March 1, 2020 through March 31, 2021.

“In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of Bridgewater State University (BSU) for the period March 1, 2020 through March 31, 2021.”
Why was it audited?

Auditors checked whether BSU properly used federal COVID-19 education relief funds and followed state guidance on internal controls and cybersecurity training.

“The purpose of our audit was to determine whether BSU administered the federal assistance it received in accordance with the criteria established by US DOE and MDHE.”
Why it matters

Cybersecurity training matters because untrained employees can increase the risk of cyberattacks and financial or reputational harm.

“Without educating all employees on their responsibility of protecting information assets by requiring training, BSU is exposed to a higher risk of cybersecurity attacks and financial and/or reputation losses.”
What's in it for me?

If you are a student, employee, taxpayer, or community member, the audit says COVID-19 relief money was reviewed and the main problem found was a cybersecurity training gap that could affect protection of university systems and information.

“Below is a summary of our findings and recommendations, with links to each page listed.”
The bottom line

BSU passed the audit questions about COVID-19 relief fund administration and pandemic internal controls, but failed the question about required cybersecurity awareness training.

“Did BSU adhere to Sections 6.2.3 and 6.2.4 of the Executive Office of Technology Services and Security’s (EOTSS’s) Information Security Risk Management Standard IS.010 with regard to cybersecurity awareness training?”
What happens next

The auditor recommended that BSU create and enforce cybersecurity training policies for all employees and work with unions so union employees are included.

“BSU officials should negotiate with union officials to establish initial and annual cybersecurity awareness training requirements for all employees who are union members.”
Why it's significant

The significant finding was not misuse of COVID-19 relief funding; it was that BSU lacked a complete system to require, monitor, and document cybersecurity training for all workers.

“However, the policy does not include requirements for initial and annual cybersecurity awareness training or internal controls to monitor and document completion of such training.”
Jargon, unpacked

The report uses many acronyms; one key term is HEERF, which means the Higher Education Emergency Relief Fund, a federal COVID-19 aid program for colleges and universities.

“HEERF consists of three separate grants related to the 2019 coronavirus pandemic emergency that were directly funded from US DOE under the CARES Act (HEERF I), CRRSAA (HEERF II), and American Rescue Plan Act (HEERF III).”

What the Auditor checked

What the Auditor found

Bridgewater State University did not ensure that all employees completed required cybersecurity awareness training.
cybersecurityinternal controls

Why it matters: Without required cybersecurity awareness training for all employees, BSU faces increased risk of cybersecurity attacks and financial or reputational losses.

Standard: Executive Office of Technology Services and Security’s Information Security Risk Management Standard IS.010, Sections 6.2.3 and 6.2.4 ( Executive Office of Technology Services and Security’s Information Security Risk Management Standard IS.010, Sections 6.2.3 and 6.2.4 )

2 recommendations
  • BSU should document and implement policies and procedures that require all employees to complete initial and annual cybersecurity awareness training. The policies and procedures should include internal controls to monitor and document completion of the training.agency: already implemented
  • BSU officials should negotiate with union officials to establish initial and annual cybersecurity awareness training requirements for all employees who are union members.agency: agreed
Agency response & Auditor reply
Agency: "Bridgewater State University acknowledges the finding and notes that both new hire security awareness training as well as annual security awareness training is provided, tracked, and documented through the KnowBe4 [software] platform, and required of all employees, except unit members of the Massachusetts State College Association / Massachusetts Teachers Association (MSCA)."
Auditor: "We commend BSU for taking measures to address our concerns on this matter."

More audits of this entity

Other Office of the State Auditor reports on Bridgewater State University .

See this entity's page with all 3 audits →