Audit of the Massachusetts Office for Victim Assistance
March 4, 2022 · Massachusetts Office for Victim Assistance · Read the full official report on mass.gov ↗
source
“MOVA did not ensure that its employees received cybersecurity awareness training.”
Read the plain-English breakdown
This is a state performance audit of the Massachusetts Office for Victim Assistance, covering January 1, 2019 through December 31, 2020.
“I am pleased to provide this performance audit of the Massachusetts Office for Victim Assistance.”
Auditors checked whether MOVA provided victim-rights materials to key organizations and properly handled the Garden of Peace memorial.
“In this performance audit, we determined whether MOVA printed materials explaining victim and witness rights and services and provided the materials to medical facilities, social service organizations, and law enforcement agencies, as required by Sections 4(a), 4(b), and 4(c) of Chapter 258B of the General Laws.”
Cybersecurity training matters because staff mistakes can put protected information at risk.
“A lack of such training may lead to user error and compromise the integrity and security of protected information in MOVA’s information technology systems.”
If you are a crime victim, witness, or family member, MOVA is supposed to help make rights and services easier to find and understand.
“The mission of the Massachusetts Office for Victim Assistance (MOVA) is to empower all crime victims and witnesses in the Commonwealth of Massachusetts.”
The main finding was narrow: MOVA needed better policies to ensure all staff complete cybersecurity awareness training.
“MOVA should establish policies and procedures that require all of its staff members to receive cybersecurity awareness training.”
After the audit, MOVA said it arranged cybersecurity training for staff and added it to onboarding and annual requirements.
“After MOVA learned of this requirement from the Office of the State Auditor, all MOVA employees completed the trainings within 60 days.”
The audit also flagged a practical improvement: MOVA should keep a current list of organizations that may need victim-rights information, so outreach is easier and more complete.
“In the Office of the State Auditor’s (OSA’s) opinion, MOVA should maintain a complete and up-to-date list of all organizations that may need information about victim and witness rights and services.”
“Cybersecurity awareness training” means basic required training that teaches employees how to handle information safely and avoid security mistakes.
“Such training shall include, without limitation, guidance to employees regarding how to identify, maintain and safeguard records and data that contain personal information.”
What the Auditor checked
- Complied Does MOVA print and make available materials explaining victim and witness rights and services for medical facilities, social service organizations, and law enforcement agencies as required by Sections 4(a), 4(b), and 4(c) of Chapter 258B of the General Laws?
- Complied Does MOVA administer the operations of the Garden of Peace in accordance with Section 4(e) of Chapter 258B of the General Laws?
What the Auditor found
Why it matters: A lack of cybersecurity awareness training may lead to user error and compromise the integrity and security of protected information in MOVA's information technology systems.
Standard: State Executive Order 504 and Executive Office of Technology Services and Security policies and standards required security awareness training for employees. ( Section 6 of state Executive Order 504; Section 6.1.1 of the Executive Office of Technology Services and Security's Acceptable Use of Information Technology Policy IS.002; Section 6.2.4 of EOTSS's Information Security Risk Management Standard IS.010; Section 3.1 of EOTSS's Acceptable Use of Information Technology Policy IS.002 )
1 recommendation
- MOVA should establish policies and procedures that require all of its staff members to receive cybersecurity awareness training.agency: already implemented
Agency response & Auditor reply
Agency: "MOVA agrees with the recommendation provided by the Office of the State Auditor and has already implemented the suggested changes."
Auditor: "Based on its response, MOVA is taking steps to address this issue."
More audits of this entity
Other Office of the State Auditor reports on Massachusetts Office for Victim Assistance .
- Massachusetts Office for Victim AssistanceOther · July 7, 2017
- Massachusetts Office for Victim AssistanceOther · April 20, 2011