Audit of the Executive Office of Housing and Economic Development - Review of Cybersecurity Awareness Training
November 24, 2020 · Executive Office of Housing and Economic Development · Read the full official report on mass.gov ↗
source
“EOHED did not ensure that all information system users in HR/CMS completed the required cybersecurity awareness training.”
Read the plain-English breakdown
This is a Massachusetts State Auditor performance audit of the Executive Office of Housing and Economic Development, focused on cybersecurity awareness training.
“I am pleased to provide this performance audit of the Executive Office of Housing and Economic Development.”
Auditors checked whether EOHED made sure its HR/CMS users completed required cybersecurity awareness training during the audit period.
“The purpose of this audit was to determine whether, during our audit period, EOHED ensured that all its information system users1 in the Human Resources Compensation Management System (HR/CMS) managed by the state Human Resources Division completed the required cybersecurity awareness training.”
Cybersecurity training matters because untrained users can increase the chance of cyberattacks and harm to public agencies.
“By not ensuring that all users completed the required training, EOHED exposed itself to an increased risk of cybersecurity attacks and financial and/or reputation losses.”
For residents, this matters because state agencies handle public systems and information, and weak cybersecurity practices can create risks for services and public trust.
“All system users should receive this training to effectively reduce the risk of such an attack.”
At least 45 EOHED users did not complete the required cybersecurity awareness training, and documentation was missing for some interns.
“Of the 1,101 information system users listed in the Human Resources Compensation Management System as employed by agencies within the Executive Office of Housing and Economic Development (EOHED) during our audit period, at least 452 did not complete the required cybersecurity awareness training.”
The auditor recommended stronger tracking so EOHED can confirm training is completed and keep proof of completion.
“EOHED should establish effective monitoring controls over its cybersecurity awareness training to ensure that all information system users complete it in accordance with EOTSS standards and that EOHED maintains documentation of the completion of this training.”
The report is significant because the auditor found a real control weakness: EOHED’s monitoring did not consistently ensure required training was completed.
“In addition, although EOHED agencies conducted some periodic reviews of training records, the reviews were not consistently performed by each agency; therefore, this monitoring control was ineffective at ensuring compliance with the training requirements.”
HR/CMS is the state human resources and payroll system; PACE is the state training system EOHED used to administer training.
“EOHED uses the state’s Performance and Career Enhancement (PACE) Learning Management System to administer training and the state’s Human Resources Compensation Management System (HR/CMS) to administer payroll and other human resources functions.”
What the Auditor checked
- Did not comply Did EOHED ensure that all its information system users in the Human Resources Compensation Management System (HR/CMS) completed required cybersecurity awareness training that was in accordance with Section AT-2 of Revision 4 of the National Institute of Standards and Technology (NIST) Special Publication 800-53; Sections 6.2.3 and 6.2.4 of the Executive Office of Technology Services and Security (EOTSS) Information Security Standard IS.010, “Information Security Risk Management Standard”; and Section E04-09, “Intern and Volunteer Records,” of the Massachusetts Statewide Records Retention Schedule 06-18?
What the Auditor found
Why it matters: EOHED faced an increased risk of cybersecurity attacks and financial or reputational losses.
Standard: NIST Special Publication 800-53 Section AT-2, EOTSS Information Security Standard IS.010 Sections 6.2.3 and 6.2.4, and Massachusetts Statewide Records Retention Schedule 06-18 Section E04-09. ( Section 6.2 of the Executive Office of Technology Services and Security Information Security Standard IS.010, “Information Security Risk Management”; Section E04-09, “Intern and Volunteer Records,” of the Massachusetts Statewide Records Retention Schedule 06-18 )
1 recommendation
- EOHED should establish effective monitoring controls over its cybersecurity awareness training to ensure that all information system users complete it in accordance with EOTSS standards and that EOHED maintains documentation of the completion of this training.
Agency response & Auditor reply
Agency: "Agency records provided to your staff do show that a relatively small number of employees and volunteer board members did not complete a cybersecurity training during the audit period."
Auditor: "As noted above, at least 45 of the information system users employed by agencies within EOHED during our audit period did not complete the required cybersecurity awareness training."