Audit of the Bridgewater State University
June 14, 2022 · Bridgewater State University · Read the full official report on mass.gov ↗ · official site ↗
source
“BSU did not ensure that all employees completed required cybersecurity awareness training.”
Read the plain-English breakdown
This is a state performance audit of Bridgewater State University covering March 1, 2020 through March 31, 2021.
“In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of Bridgewater State University (BSU) for the period March 1, 2020 through March 31, 2021.”
Auditors checked whether BSU properly used federal COVID-19 education relief funds and followed state guidance on internal controls and cybersecurity training.
“The purpose of our audit was to determine whether BSU administered the federal assistance it received in accordance with the criteria established by US DOE and MDHE.”
Cybersecurity training matters because untrained employees can increase the risk of cyberattacks and financial or reputational harm.
“Without educating all employees on their responsibility of protecting information assets by requiring training, BSU is exposed to a higher risk of cybersecurity attacks and financial and/or reputation losses.”
If you are a student, employee, taxpayer, or community member, the audit says COVID-19 relief money was reviewed and the main problem found was a cybersecurity training gap that could affect protection of university systems and information.
“Below is a summary of our findings and recommendations, with links to each page listed.”
BSU passed the audit questions about COVID-19 relief fund administration and pandemic internal controls, but failed the question about required cybersecurity awareness training.
“Did BSU adhere to Sections 6.2.3 and 6.2.4 of the Executive Office of Technology Services and Security’s (EOTSS’s) Information Security Risk Management Standard IS.010 with regard to cybersecurity awareness training?”
The auditor recommended that BSU create and enforce cybersecurity training policies for all employees and work with unions so union employees are included.
“BSU officials should negotiate with union officials to establish initial and annual cybersecurity awareness training requirements for all employees who are union members.”
The significant finding was not misuse of COVID-19 relief funding; it was that BSU lacked a complete system to require, monitor, and document cybersecurity training for all workers.
“However, the policy does not include requirements for initial and annual cybersecurity awareness training or internal controls to monitor and document completion of such training.”
The report uses many acronyms; one key term is HEERF, which means the Higher Education Emergency Relief Fund, a federal COVID-19 aid program for colleges and universities.
“HEERF consists of three separate grants related to the 2019 coronavirus pandemic emergency that were directly funded from US DOE under the CARES Act (HEERF I), CRRSAA (HEERF II), and American Rescue Plan Act (HEERF III).”
What the Auditor checked
- Complied Did BSU administer the student portion of funding under Section 18004(a)(1) of the Coronavirus Aid, Relief, and Economic Security (CARES) Act in accordance with Question 13 of Section C; Question 18 of Section D; and Questions 19, 20, 23, 25, and 26 of Section E within the United States Department of Education’s (US DOE’s) Higher Education Emergency Relief Fund (HEERF) Frequently Asked Questions (FAQ) Rollup Document?
- Complied Did BSU administer the institutional portion of funding under Sections 18004(a)(1) and 18004(a)(2) of the CARES Act in accordance with Questions 30, 31, 33, 41, and 44 of Section F within US DOE’s Higher Education Emergency Relief Fund (HEERF) Frequently Asked Questions (FAQ) Rollup Document?
- Complied Did BSU administer the student portion of funding under Section 314(a)(1) of the Coronavirus Response and Relief Supplemental Appropriations Act (CRRSAA) in accordance with Questions 7, 8, 11, 15, 24, and 27 within US DOE’s Higher Education Emergency Relief Fund (HEERF) II Public and Private Nonprofit Institution (a)(1) Programs ([Catalog of Federal Domestic Assistance, or CFDA] 84.425E and 84.425F) Frequently Asked Questions?
- Complied Did BSU administer the institutional portion of funding under Sections 314(a)(1) and 314(a)(2) of the CRRSAA in accordance with Questions 10, 15, 18, 19, and 24 within US DOE’s Higher Education Emergency Relief Fund (HEERF) II Public and Private Nonprofit Institution (a)(1) Programs (CFDA 84.425E and 84.425F) Frequently Asked Questions?
- Complied Did BSU administer Governor’s Emergency Education Relief (GEER) funding in accordance with Questions A16, A17, and A18 of US DOE’s Frequently Asked Questions about the Governor’s Emergency Education Relief Fund (GEER Fund) and/or “Attachment A—Terms of Performance and Justifications” within its interdepartmental service agreement (ISA) with the Massachusetts Department of Higher Education (MDHE)?
- Did not comply Did BSU adhere to Sections 6.2.3 and 6.2.4 of the Executive Office of Technology Services and Security’s (EOTSS’s) Information Security Risk Management Standard IS.010 with regard to cybersecurity awareness training?
- Complied Did BSU update its internal control plan (ICP) to address the 2019 coronavirus (COVID-19) pandemic, in accordance with the Office of the Comptroller of the Commonwealth’s (CTR’s) “COVID-19 Pandemic Response Internal Controls Guidance,” dated September 30, 2020?
What the Auditor found
Why it matters: Without required cybersecurity awareness training for all employees, BSU faces increased risk of cybersecurity attacks and financial or reputational losses.
Standard: Executive Office of Technology Services and Security’s Information Security Risk Management Standard IS.010, Sections 6.2.3 and 6.2.4 ( Executive Office of Technology Services and Security’s Information Security Risk Management Standard IS.010, Sections 6.2.3 and 6.2.4 )
2 recommendations
- BSU should document and implement policies and procedures that require all employees to complete initial and annual cybersecurity awareness training. The policies and procedures should include internal controls to monitor and document completion of the training.agency: already implemented
- BSU officials should negotiate with union officials to establish initial and annual cybersecurity awareness training requirements for all employees who are union members.agency: agreed
Agency response & Auditor reply
Agency: "Bridgewater State University acknowledges the finding and notes that both new hire security awareness training as well as annual security awareness training is provided, tracked, and documented through the KnowBe4 [software] platform, and required of all employees, except unit members of the Massachusetts State College Association / Massachusetts Teachers Association (MSCA)."
Auditor: "We commend BSU for taking measures to address our concerns on this matter."
More audits of this entity
Other Office of the State Auditor reports on Bridgewater State University .
-
Bridgewater State UniversityCollege / University · June 10, 2014 -
Bridgewater State UniversityCollege / University · January 31, 2011