Seal of the Commonwealth of Massachusetts
Massachusetts Audit Explorer - what the State Auditor found

← all audits

Audit of the Massachusetts District Attorneys Association

June 2, 2022 · Massachusetts District Attorneys Association · Read the full official report on mass.gov ↗

Published June 2, 2022 Audit covers July 1, 2019 – June 30, 2021 Under Suzanne M. Bump · 2011–2023

In plain English
The audit found that the Massachusetts District Attorneys Association did not make sure its employees completed required cybersecurity awareness training during the audit period.
source
“MDAA did not ensure that employees received cybersecurity awareness training.”
Read the plain-English breakdown
What is this?

This is a state performance audit of the Massachusetts District Attorneys Association, covering July 1, 2019 through June 30, 2021.

“This report details the audit objectives, scope, methodology, findings, and recommendations for the audit period, July 1, 2019 through June 30, 2021.”
Why was it audited?

Auditors checked whether the association followed state technology security rules for employee cybersecurity training and acceptable use policy signoffs.

“In this performance audit, we examined whether MDAA ensured that its employees completed initial and annual cybersecurity awareness training and signed an acceptable use policy as required by the state’s Executive Office of Technology Services and Security.”
Why it matters

The issue matters because untrained users can make mistakes that put the district attorneys’ computer network at risk.

“Insufficient cybersecurity awareness training may lead to user error and compromise the integrity and security of the district attorneys’ computer network, which MDAA manages.”
What's in it for me?

For ordinary residents, this is about whether a public agency that supports prosecutors and victim-witness advocates is protecting the technology systems it manages.

“MDAA supports the District Attorneys by managing statewide business technology services and administering grants in the area of Violence Against Women and Motor Vehicle Crimes.”
The bottom line

The main finding was that none of the 13 employees reviewed had the required cybersecurity awareness training during the audit period.

“The Massachusetts District Attorneys Association (MDAA) did not ensure that employees received cybersecurity awareness training: none of the 13 employees who worked at MDAA during the audit period received either initial training (if they were new hires) or annual training (if they were not new hires).”
What happens next

The association said it has started fixing the problem by adding policies, procedures, training, and recordkeeping for cybersecurity awareness training.

“MDAA has implemented policies and procedures and a security awareness training program to enhance its security awareness practices for its employees.”
Why it's significant

The audit also flagged a recordkeeping problem: the association did not keep many required IT reports, which could make it harder to spot or review cyber threats.

“Because MDAA does not retain IT reports or audit log history, it cannot effectively audit to identify cybersecurity threats or to ensure that its network has been effectively and efficiently protected.”
Jargon, unpacked

“Cybersecurity awareness training” means training employees to recognize and avoid basic computer security risks, including suspicious emails and phishing.

“MDAA has drafted policies that outline the responsibilities and procedures for reporting phishing and suspicious emails, as well as the responsibilities and procedures for the [information technology] department to respond to these events.”

What the Auditor checked

What the Auditor found

The Massachusetts District Attorneys Association did not ensure that employees received cybersecurity awareness training.
cybersecurityinternal controlsrecordkeeping/documentation

Why it matters: Insufficient cybersecurity awareness training may lead to user error and compromise the integrity and security of the district attorneys’ computer network.

Standard: Executive Office of Technology Services and Security’s Information Security Risk Management Standard IS.010, Sections 6.2.3 and 6.2.4 ( Executive Office of Technology Services and Security’s Information Security Risk Management Standard IS.010, Section 6.2.3; Executive Office of Technology Services and Security’s Information Security Risk Management Standard IS.010, Section 6.2.4 )

3 recommendations
  • MDAA should develop and implement policies and procedures that require newly hired employees to receive initial cybersecurity awareness training within 30 days of their hire dates.agency: already implemented
  • MDAA should develop and implement policies and procedures that require all employees to receive annual cybersecurity awareness training.agency: already implemented
  • MDAA should retain records of training completion for each employee.agency: already implemented
Agency response & Auditor reply
Agency: "MDAA has implemented policies and procedures and a security awareness training program to enhance its security awareness practices for its employees."
Auditor: "Based on its response, MDAA has taken measures to address our concerns on this matter."
The Massachusetts District Attorneys Association did not retain required information technology records and audit log history.
cybersecurityrecordkeeping/documentationinternal controls

Why it matters: Because MDAA does not retain IT reports or audit log history, it cannot effectively audit to identify cybersecurity threats or to ensure that its network has been effectively and efficiently protected.

Standard: MDAA’s “Media and Records Policy” and EOTSS’s Logging and Event Monitoring Standard IS.011, Section 6.1.6.4 ( MDAA’s “Media and Records Policy”; Section 6.1.6.4 of EOTSS’s Logging and Event Monitoring Standard IS.011 )

1 recommendation
  • MDAA should follow the record retention requirements in its policy and retain an audit log history in accordance with Section 6.1.6.4 of EOTSS’s Logging and Event Monitoring Standard IS.011.
Agency response & Auditor reply
Agency: "MDAA will review its record retention policy and ensure that all staff receive and follow the updated policy."
Auditor: "Based on its response, MDAA is taking measures to address our concerns on this matter."

More audits of this entity

Other Office of the State Auditor reports on Massachusetts District Attorneys Association .

See this entity's page with all 2 audits →