Audit of the Bristol County District Attorney’s Office (September 30, 2024)
September 30, 2024 · Bristol County District Attorney's Office · Read the full official report on mass.gov ↗
source
“BCDA did not provide cybersecurity awareness training to its employees.”
Read the plain-English breakdown
This is a state performance audit of selected activities at the Bristol County District Attorney’s Office for July 1, 2020 through June 30, 2022.
“In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of certain activities of the Bristol County District Attorney’s Office (BCDA) for the period July 1, 2020 through June 30, 2022.”
Auditors checked whether the office properly spent forfeiture funds, handled forfeited assets from closed cases, and made sure employees completed cybersecurity training.
“The purpose of our audit was to determine the following:”
Without cybersecurity training, the office is more exposed to cyberattacks and possible financial or reputational damage.
“If BCDA does not educate its employees on their responsibility to protect the security of information assets, then BCDA exposes itself to a higher-than-acceptable risk of cybersecurity attacks and financial and/or reputational losses.”
For residents, this matters because the office prosecutes crimes in Bristol County and handles public-facing law enforcement funds and information systems.
“BCDA serves the 20 cities and towns within Bristol County.”
The audit found no problems with forfeiture spending or asset handling, but did find a cybersecurity training gap.
“No; see Finding 1”
The auditor said the office had taken steps to address the issue and that the auditor’s office would check back in about six months.
“As part of our post-audit review process, we will follow up on this matter in approximately six months.”
This was a narrow audit with one finding: the office needed a documented training requirement and cybersecurity awareness training for staff.
“BCDA should develop, document, and implement policies and procedures that require employees to complete cybersecurity awareness training within 30 days of their orientation and annually thereafter.”
Asset forfeiture means law enforcement can seize money or property tied to illegal drug activity, and cybersecurity awareness training means teaching employees how to help protect government information.
“To prevent individuals from profiting from illegal drug activity, Section 47 of Chapter 94C of the General Laws authorizes law enforcement agencies to seize assets such as any profits of drug distribution or any property that is used, or was intended to be used, for illegal drug activity.”
What the Auditor checked
- Complied Did BCDA make forfeiture trust fund expenditures in accordance with Section 47(d) of Chapter 94C of the General Laws?
- Complied Did BCDA ensure that forfeited assets from closed cases were collected, deposited, and distributed in accordance with Section 47(d) of Chapter 94C of the General Laws?
- Did not comply Did BCDA ensure that its employees completed cybersecurity awareness training in accordance with Sections 6.2.3 and 6.2.4 of the Executive Office of Technology Services and Security’s Information Security Risk Management Standard IS.010?
What the Auditor found
Why it matters: BCDA exposed itself to higher cybersecurity, financial, and reputational risks.
Standard: Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010 ( Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010; Section 12 of Chapter 11 of the Massachusetts General Laws )
2 recommendations
- BCDA should provide cybersecurity awareness training to its employees.agency: already implemented
- BCDA should develop, document, and implement policies and procedures that require employees to complete cybersecurity awareness training within 30 days of their orientation and annually thereafter.
Agency response & Auditor reply
Agency: "The [BCDA], nonetheless, has implemented an online cybersecurity awareness training program for all staff beginning in June of 2023."
Auditor: "Based on its response, BCDA has taken measures to address our concerns regarding this matter."
More audits of this entity
Other Office of the State Auditor reports on Bristol County District Attorney's Office .
- Audit of the Bristol County District Attorney’s OfficeDistrict Attorney · October 1, 2018
- Norfolk County District Attorney's OfficeDistrict Attorney · January 3, 2013
- Bristol County District Attorney's OfficeDistrict Attorney · February 15, 2013
- Suffolk County District Attorney's OfficeDistrict Attorney · December 28, 2012
- Suffolk County District Attorney's OfficeDistrict Attorney · April 12, 2016