Audit of the Massachusetts District Attorneys Association
June 2, 2022 · Massachusetts District Attorneys Association · Read the full official report on mass.gov ↗
source
“MDAA did not ensure that employees received cybersecurity awareness training.”
Read the plain-English breakdown
This is a state performance audit of the Massachusetts District Attorneys Association, covering July 1, 2019 through June 30, 2021.
“This report details the audit objectives, scope, methodology, findings, and recommendations for the audit period, July 1, 2019 through June 30, 2021.”
Auditors checked whether the association followed state technology security rules for employee cybersecurity training and acceptable use policy signoffs.
“In this performance audit, we examined whether MDAA ensured that its employees completed initial and annual cybersecurity awareness training and signed an acceptable use policy as required by the state’s Executive Office of Technology Services and Security.”
The issue matters because untrained users can make mistakes that put the district attorneys’ computer network at risk.
“Insufficient cybersecurity awareness training may lead to user error and compromise the integrity and security of the district attorneys’ computer network, which MDAA manages.”
For ordinary residents, this is about whether a public agency that supports prosecutors and victim-witness advocates is protecting the technology systems it manages.
“MDAA supports the District Attorneys by managing statewide business technology services and administering grants in the area of Violence Against Women and Motor Vehicle Crimes.”
The main finding was that none of the 13 employees reviewed had the required cybersecurity awareness training during the audit period.
“The Massachusetts District Attorneys Association (MDAA) did not ensure that employees received cybersecurity awareness training: none of the 13 employees who worked at MDAA during the audit period received either initial training (if they were new hires) or annual training (if they were not new hires).”
The association said it has started fixing the problem by adding policies, procedures, training, and recordkeeping for cybersecurity awareness training.
“MDAA has implemented policies and procedures and a security awareness training program to enhance its security awareness practices for its employees.”
The audit also flagged a recordkeeping problem: the association did not keep many required IT reports, which could make it harder to spot or review cyber threats.
“Because MDAA does not retain IT reports or audit log history, it cannot effectively audit to identify cybersecurity threats or to ensure that its network has been effectively and efficiently protected.”
“Cybersecurity awareness training” means training employees to recognize and avoid basic computer security risks, including suspicious emails and phishing.
“MDAA has drafted policies that outline the responsibilities and procedures for reporting phishing and suspicious emails, as well as the responsibilities and procedures for the [information technology] department to respond to these events.”
What the Auditor checked
- Did not comply Do MDAA employees complete initial and annual cybersecurity awareness training as required by Sections 6.2.3 and 6.2.4 of the Executive Office of Technology Services and Security’s (EOTSS’s) Information Security Risk Management Standard IS.010?
- Complied Do MDAA employees sign an acceptable use policy as required by Section 6.2.8 of EOTSS’s Information Security Risk Management Standard IS.010?
What the Auditor found
Why it matters: Insufficient cybersecurity awareness training may lead to user error and compromise the integrity and security of the district attorneys’ computer network.
Standard: Executive Office of Technology Services and Security’s Information Security Risk Management Standard IS.010, Sections 6.2.3 and 6.2.4 ( Executive Office of Technology Services and Security’s Information Security Risk Management Standard IS.010, Section 6.2.3; Executive Office of Technology Services and Security’s Information Security Risk Management Standard IS.010, Section 6.2.4 )
3 recommendations
- MDAA should develop and implement policies and procedures that require newly hired employees to receive initial cybersecurity awareness training within 30 days of their hire dates.agency: already implemented
- MDAA should develop and implement policies and procedures that require all employees to receive annual cybersecurity awareness training.agency: already implemented
- MDAA should retain records of training completion for each employee.agency: already implemented
Agency response & Auditor reply
Agency: "MDAA has implemented policies and procedures and a security awareness training program to enhance its security awareness practices for its employees."
Auditor: "Based on its response, MDAA has taken measures to address our concerns on this matter."
Why it matters: Because MDAA does not retain IT reports or audit log history, it cannot effectively audit to identify cybersecurity threats or to ensure that its network has been effectively and efficiently protected.
Standard: MDAA’s “Media and Records Policy” and EOTSS’s Logging and Event Monitoring Standard IS.011, Section 6.1.6.4 ( MDAA’s “Media and Records Policy”; Section 6.1.6.4 of EOTSS’s Logging and Event Monitoring Standard IS.011 )
1 recommendation
- MDAA should follow the record retention requirements in its policy and retain an audit log history in accordance with Section 6.1.6.4 of EOTSS’s Logging and Event Monitoring Standard IS.011.
Agency response & Auditor reply
Agency: "MDAA will review its record retention policy and ensure that all staff receive and follow the updated policy."
Auditor: "Based on its response, MDAA is taking measures to address our concerns on this matter."
More audits of this entity
Other Office of the State Auditor reports on Massachusetts District Attorneys Association .
- Audit of the Massachusetts District Attorneys Association (November 17, 2025)District Attorney · November 17, 2025