Seal of the Commonwealth of Massachusetts
Massachusetts Audit Explorer - what the State Auditor found

← all audits

Audit of the Executive Office of Housing and Economic Development - Review of Cybersecurity Awareness Training

November 24, 2020 · Executive Office of Housing and Economic Development · Read the full official report on mass.gov ↗

Published November 24, 2020 Audit covers May 14, 2018 – June 30, 2019 Under Suzanne M. Bump · 2011–2023

In plain English
The audit found that EOHED did not make sure everyone with access to its HR system completed required cybersecurity training.
source
“EOHED did not ensure that all information system users in HR/CMS completed the required cybersecurity awareness training.”
Read the plain-English breakdown
What is this?

This is a Massachusetts State Auditor performance audit of the Executive Office of Housing and Economic Development, focused on cybersecurity awareness training.

“I am pleased to provide this performance audit of the Executive Office of Housing and Economic Development.”
Why was it audited?

Auditors checked whether EOHED made sure its HR/CMS users completed required cybersecurity awareness training during the audit period.

“The purpose of this audit was to determine whether, during our audit period, EOHED ensured that all its information system users1 in the Human Resources Compensation Management System (HR/CMS) managed by the state Human Resources Division completed the required cybersecurity awareness training.”
Why it matters

Cybersecurity training matters because untrained users can increase the chance of cyberattacks and harm to public agencies.

“By not ensuring that all users completed the required training, EOHED exposed itself to an increased risk of cybersecurity attacks and financial and/or reputation losses.”
What's in it for me?

For residents, this matters because state agencies handle public systems and information, and weak cybersecurity practices can create risks for services and public trust.

“All system users should receive this training to effectively reduce the risk of such an attack.”
The bottom line

At least 45 EOHED users did not complete the required cybersecurity awareness training, and documentation was missing for some interns.

“Of the 1,101 information system users listed in the Human Resources Compensation Management System as employed by agencies within the Executive Office of Housing and Economic Development (EOHED) during our audit period, at least 452 did not complete the required cybersecurity awareness training.”
What happens next

The auditor recommended stronger tracking so EOHED can confirm training is completed and keep proof of completion.

“EOHED should establish effective monitoring controls over its cybersecurity awareness training to ensure that all information system users complete it in accordance with EOTSS standards and that EOHED maintains documentation of the completion of this training.”
Why it's significant

The report is significant because the auditor found a real control weakness: EOHED’s monitoring did not consistently ensure required training was completed.

“In addition, although EOHED agencies conducted some periodic reviews of training records, the reviews were not consistently performed by each agency; therefore, this monitoring control was ineffective at ensuring compliance with the training requirements.”
Jargon, unpacked

HR/CMS is the state human resources and payroll system; PACE is the state training system EOHED used to administer training.

“EOHED uses the state’s Performance and Career Enhancement (PACE) Learning Management System to administer training and the state’s Human Resources Compensation Management System (HR/CMS) to administer payroll and other human resources functions.”

What the Auditor checked

What the Auditor found

EOHED did not ensure that all HR/CMS information system users completed required cybersecurity awareness training.
cybersecurityrecordkeeping/documentationinternal controls

Why it matters: EOHED faced an increased risk of cybersecurity attacks and financial or reputational losses.

Standard: NIST Special Publication 800-53 Section AT-2, EOTSS Information Security Standard IS.010 Sections 6.2.3 and 6.2.4, and Massachusetts Statewide Records Retention Schedule 06-18 Section E04-09. ( Section 6.2 of the Executive Office of Technology Services and Security Information Security Standard IS.010, “Information Security Risk Management”; Section E04-09, “Intern and Volunteer Records,” of the Massachusetts Statewide Records Retention Schedule 06-18 )

1 recommendation
  • EOHED should establish effective monitoring controls over its cybersecurity awareness training to ensure that all information system users complete it in accordance with EOTSS standards and that EOHED maintains documentation of the completion of this training.
Agency response & Auditor reply
Agency: "Agency records provided to your staff do show that a relatively small number of employees and volunteer board members did not complete a cybersecurity training during the audit period."
Auditor: "As noted above, at least 45 of the information system users employed by agencies within EOHED during our audit period did not complete the required cybersecurity awareness training."