Seal of the Commonwealth of Massachusetts
Massachusetts Audit Explorer - what the State Auditor found

← all audits

Audit of the Office of the Inspector General (OIG) - Review of Cybersecurity Awareness Training

November 5, 2021 · Office of the Inspector General · Read the full official report on mass.gov ↗

Published November 5, 2021 Audit covers January 1, 2019 – December 31, 2020 Under Suzanne M. Bump · 2011–2023

In plain English
The audit found that the Office of the Inspector General generally met cybersecurity training requirements, but it was missing a written policy for that training. The office created one after auditors pointed it out.
source
“Our audit revealed no significant instances of noncompliance by OIG that must be reported under generally accepted government auditing standards.”
Read the plain-English breakdown
What is this?

This is a state audit of whether the Massachusetts Office of the Inspector General properly ran cybersecurity awareness training for its staff during 2019 and 2020.

“In this performance audit, we determined whether OIG administered a cybersecurity awareness training program that complied with the Executive Office of Technology Services and Security’s (EOTSS’s) requirements and industry best practices.”
Why was it audited?

Auditors checked whether the office followed required state technology security rules and federal security control guidance for employee cybersecurity training.

“Did OIG administer a security awareness training program in accordance with Sections 6.2.3, 6.2.4, 6.2.1.3, 6.2.7, and 6.2.8 of the Executive Office of Technology Services and Security’s (EOTSS’s) Information Security Risk Management Standard IS.010 and Control AT-1 of the National Institute of Standards and Technology’s Special Publication 800-53r4, Security and Privacy Controls for Federal Information Systems and Organizations?”
Why it matters

Cybersecurity training helps public employees avoid mistakes that could expose government systems or public information to risk.

“This written policy would include establishing a requirement for all employees to receive cybersecurity awareness training upon hire and annually thereafter as required by EOTSS standards.”
What's in it for me?

For residents, the main benefit is basic assurance that a state watchdog agency trained employees on cybersecurity and corrected a policy gap.

“[OIG] is an independent agency that prevents and detects fraud, waste and abuse of public funds and public property and promotes transparency in government.”
What happens next

The Office of the Inspector General added a formal cybersecurity training policy to its personnel manual after the audit.

“We brought this matter to the attention of OIG officials, and in March 2021, after our audit, OIG incorporated a cybersecurity awareness training policy into the 2021 edition of its Personnel Policies and Procedures Manual.”
Why it's significant

This was a clean result overall: no major reportable compliance problems were found, but the audit still led to a concrete improvement in written procedures.

“Our audit revealed no significant instances of noncompliance that must be reported under generally accepted government auditing standards.”
Jargon, unpacked

“Cybersecurity awareness training” means training employees to recognize and avoid computer security risks; “internal control issue” means a weakness in how an organization sets rules or checks that work is being done properly.

“However, in performing our audit testing, we found an internal control issue: OIG had not established a written policy regarding its cybersecurity awareness training.”

What the Auditor checked

What the Auditor found

OIG had not established a written cybersecurity awareness training policy during the audit period.
cybersecurityinternal controlsrecordkeeping/documentation

Why it matters: Without a written policy, OIG risked inconsistent administration of required cybersecurity awareness training for employees upon hire and annually thereafter.

Standard: Executive Office of Technology Services and Security standards requiring cybersecurity awareness training upon hire and annually thereafter. ( Sections 6.2.3, 6.2.4, 6.2.1.3, 6.2.7, and 6.2.8 of EOTSS’s Information Security Risk Management Standard IS.010 and Control AT-1 of NIST Special Publication 800-53r4 )

1 recommendation
  • Establish a formal, written cybersecurity awareness training policy.agency: already implemented

More audits of this entity

Other Office of the State Auditor reports on Office of the Inspector General .

See this entity's page with all 2 audits →