Audit of the Office of the Inspector General (OIG) - Review of Cybersecurity Awareness Training
November 5, 2021 · Office of the Inspector General · Read the full official report on mass.gov ↗
source
“Our audit revealed no significant instances of noncompliance by OIG that must be reported under generally accepted government auditing standards.”
Read the plain-English breakdown
This is a state audit of whether the Massachusetts Office of the Inspector General properly ran cybersecurity awareness training for its staff during 2019 and 2020.
“In this performance audit, we determined whether OIG administered a cybersecurity awareness training program that complied with the Executive Office of Technology Services and Security’s (EOTSS’s) requirements and industry best practices.”
Auditors checked whether the office followed required state technology security rules and federal security control guidance for employee cybersecurity training.
“Did OIG administer a security awareness training program in accordance with Sections 6.2.3, 6.2.4, 6.2.1.3, 6.2.7, and 6.2.8 of the Executive Office of Technology Services and Security’s (EOTSS’s) Information Security Risk Management Standard IS.010 and Control AT-1 of the National Institute of Standards and Technology’s Special Publication 800-53r4, Security and Privacy Controls for Federal Information Systems and Organizations?”
Cybersecurity training helps public employees avoid mistakes that could expose government systems or public information to risk.
“This written policy would include establishing a requirement for all employees to receive cybersecurity awareness training upon hire and annually thereafter as required by EOTSS standards.”
For residents, the main benefit is basic assurance that a state watchdog agency trained employees on cybersecurity and corrected a policy gap.
“[OIG] is an independent agency that prevents and detects fraud, waste and abuse of public funds and public property and promotes transparency in government.”
The Office of the Inspector General added a formal cybersecurity training policy to its personnel manual after the audit.
“We brought this matter to the attention of OIG officials, and in March 2021, after our audit, OIG incorporated a cybersecurity awareness training policy into the 2021 edition of its Personnel Policies and Procedures Manual.”
This was a clean result overall: no major reportable compliance problems were found, but the audit still led to a concrete improvement in written procedures.
“Our audit revealed no significant instances of noncompliance that must be reported under generally accepted government auditing standards.”
“Cybersecurity awareness training” means training employees to recognize and avoid computer security risks; “internal control issue” means a weakness in how an organization sets rules or checks that work is being done properly.
“However, in performing our audit testing, we found an internal control issue: OIG had not established a written policy regarding its cybersecurity awareness training.”
What the Auditor checked
- Complied Did OIG administer a security awareness training program in accordance with Sections 6.2.3, 6.2.4, 6.2.1.3, 6.2.7, and 6.2.8 of the Executive Office of Technology Services and Security’s Information Security Risk Management Standard IS.010 and Control AT-1 of the National Institute of Standards and Technology’s Special Publication 800-53r4, Security and Privacy Controls for Federal Information Systems and Organizations?
What the Auditor found
Why it matters: Without a written policy, OIG risked inconsistent administration of required cybersecurity awareness training for employees upon hire and annually thereafter.
Standard: Executive Office of Technology Services and Security standards requiring cybersecurity awareness training upon hire and annually thereafter. ( Sections 6.2.3, 6.2.4, 6.2.1.3, 6.2.7, and 6.2.8 of EOTSS’s Information Security Risk Management Standard IS.010 and Control AT-1 of NIST Special Publication 800-53r4 )
1 recommendation
- Establish a formal, written cybersecurity awareness training policy.agency: already implemented
More audits of this entity
Other Office of the State Auditor reports on Office of the Inspector General .
- Office of the Inspector General - Examination of Annual Internal Control QuestionnaireState Agency / Office · August 25, 2015