Seal of the Commonwealth of Massachusetts
Massachusetts Audit Explorer - what the State Auditor found

← all audits

Audit of the Massachusetts Office for Victim Assistance

March 4, 2022 · Massachusetts Office for Victim Assistance · Read the full official report on mass.gov ↗

Published March 4, 2022 Audit covers January 1, 2019 – December 31, 2020 Under Suzanne M. Bump · 2011–2023

In plain English
The audit found that MOVA generally did what it was supposed to do for victim-rights materials and the Garden of Peace, but it failed to make sure staff got required cybersecurity training.
source
“MOVA did not ensure that its employees received cybersecurity awareness training.”
Read the plain-English breakdown
What is this?

This is a state performance audit of the Massachusetts Office for Victim Assistance, covering January 1, 2019 through December 31, 2020.

“I am pleased to provide this performance audit of the Massachusetts Office for Victim Assistance.”
Why was it audited?

Auditors checked whether MOVA provided victim-rights materials to key organizations and properly handled the Garden of Peace memorial.

“In this performance audit, we determined whether MOVA printed materials explaining victim and witness rights and services and provided the materials to medical facilities, social service organizations, and law enforcement agencies, as required by Sections 4(a), 4(b), and 4(c) of Chapter 258B of the General Laws.”
Why it matters

Cybersecurity training matters because staff mistakes can put protected information at risk.

“A lack of such training may lead to user error and compromise the integrity and security of protected information in MOVA’s information technology systems.”
What's in it for me?

If you are a crime victim, witness, or family member, MOVA is supposed to help make rights and services easier to find and understand.

“The mission of the Massachusetts Office for Victim Assistance (MOVA) is to empower all crime victims and witnesses in the Commonwealth of Massachusetts.”
The bottom line

The main finding was narrow: MOVA needed better policies to ensure all staff complete cybersecurity awareness training.

“MOVA should establish policies and procedures that require all of its staff members to receive cybersecurity awareness training.”
What happens next

After the audit, MOVA said it arranged cybersecurity training for staff and added it to onboarding and annual requirements.

“After MOVA learned of this requirement from the Office of the State Auditor, all MOVA employees completed the trainings within 60 days.”
Why it's significant

The audit also flagged a practical improvement: MOVA should keep a current list of organizations that may need victim-rights information, so outreach is easier and more complete.

“In the Office of the State Auditor’s (OSA’s) opinion, MOVA should maintain a complete and up-to-date list of all organizations that may need information about victim and witness rights and services.”
Jargon, unpacked

“Cybersecurity awareness training” means basic required training that teaches employees how to handle information safely and avoid security mistakes.

“Such training shall include, without limitation, guidance to employees regarding how to identify, maintain and safeguard records and data that contain personal information.”

What the Auditor checked

What the Auditor found

The Massachusetts Office for Victim Assistance did not ensure that its employees received cybersecurity awareness training.
cybersecurityinternal controls

Why it matters: A lack of cybersecurity awareness training may lead to user error and compromise the integrity and security of protected information in MOVA's information technology systems.

Standard: State Executive Order 504 and Executive Office of Technology Services and Security policies and standards required security awareness training for employees. ( Section 6 of state Executive Order 504; Section 6.1.1 of the Executive Office of Technology Services and Security's Acceptable Use of Information Technology Policy IS.002; Section 6.2.4 of EOTSS's Information Security Risk Management Standard IS.010; Section 3.1 of EOTSS's Acceptable Use of Information Technology Policy IS.002 )

1 recommendation
  • MOVA should establish policies and procedures that require all of its staff members to receive cybersecurity awareness training.agency: already implemented
Agency response & Auditor reply
Agency: "MOVA agrees with the recommendation provided by the Office of the State Auditor and has already implemented the suggested changes."
Auditor: "Based on its response, MOVA is taking steps to address this issue."

More audits of this entity

Other Office of the State Auditor reports on Massachusetts Office for Victim Assistance .

See this entity's page with all 3 audits →