
Audit of Cybersecurity Awareness Training Compliance Across Multiple State Agencies

Our office conducted a cybersecurity awareness training compliance audit of the Executive Office of Technology Services and Security (EOTSS), as well as 22 other executive branch agencies, state colleges and universities, and regional transit authorities from July 1, 2021 through April 30, 2023.

Organization: Office of the State Auditor
Date published: November 8, 2024

Executive Summary

In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of the Executive Office of Technology Services and Security (EOTSS), as well as 22 other executive branch agencies, state colleges and universities, and regional transit authorities. This audit covers the period July 1, 2021 through April 30, 2023 and includes the following agencies:

Executive Branch Agencies
  Executive Office of Technology Services and Security (EOTSS)
  Bureau of the State House (BSH)
  Civil Service Commission (CSC)
  Department of Labor Standards (DLS)
  Department of Mental Health (DMH)
  Department of Public Health (DPH)
  Department of Revenue (DOR)
  Massachusetts Department of Transportation (MassDOT)
  Group Insurance Commission (GIC)
  Massachusetts Parole Board (MPB)
  Registry of Motor Vehicles (RMV)
  State 911 Department (911)

State Colleges and Universities
  Framingham State University (FSU)
  Holyoke Community College (HCC)
  Massachusetts Bay Community College (MBCC)
  Massasoit Community College (MCC)
  North Shore Community College (NSCC)
  Northern Essex Community College (NECC)
  Westfield State University (WSU)

Regional Transit Authorities
  Cape Ann Transportation Authority (CATA)
  Cape Cod Regional Transit Authority (CCRTA)
  Martha’s Vineyard Regional Transit Authority (VTA)
  Nantucket Regional Transit Authority (NRTA)

The purpose of our audit was to determine whether EOTSS and the above executive branch agencies, state colleges and universities, and regional transit authorities ensured that their employees completed cybersecurity awareness training in accordance with Sections 6.2.3 and 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010.

Below is a summary of our findings, the effects of those findings, and our recommendations, with links to each page listed.

Finding 1

EOTSS did not ensure that all of its employees completed cybersecurity awareness training.

Effect: If EOTSS does not ensure that all of its employees complete cybersecurity awareness training, then EOTSS may expose itself to an increased risk of cybersecurity attacks and financial and/or reputational losses.

Recommendations

  1. EOTSS should strengthen its policy to improve oversight of executive branch state agencies, including their timely completion of cybersecurity awareness trainings.
  2. EOTSS should ensure that training transcripts for all employees are maintained and include records of cybersecurity awareness training completion.
  3. EOTSS should ensure that all of its employees complete cybersecurity awareness training within 30 days of orientation and annually thereafter.
  4. EOTSS should establish procedures to monitor employee cybersecurity awareness training completion rates throughout the training cycle and use historical data retained by HRD to ensure that employees meet training deadlines.

Finding 2

CSC, DLS, DMH, DPH, DOR, MassDOT, GIC, MPB, and RMV did not ensure that all of their employees completed cybersecurity awareness training.

Effect: If executive branch agencies do not ensure that all of their employees complete cybersecurity awareness training, then they may expose themselves to an increased risk of cybersecurity attacks and financial and/or reputational losses.

Recommendation

The aforementioned nine executive branch agencies should do the following:
  1. provide cybersecurity awareness training (both an initial training within 30 days of orientation and an annual refresher training thereafter) to all full-time employees, contractors, and interns;
  2. establish procedures to monitor employee cybersecurity awareness training completion rates throughout the training cycle and use historical data retained by HRD to ensure employees meet training deadlines; and
  3. implement additional controls to ensure that the new hire onboarding process includes all relevant coursework regarding cybersecurity awareness training.

Finding 3

Seven state colleges and universities did not ensure that all of their employees completed cybersecurity awareness training.

Effect: If state colleges and universities do not ensure that all of their employees complete cybersecurity awareness training, then they may expose themselves to an increased risk of cybersecurity attacks and financial and/or reputational losses.

Recommendations

  1. The aforementioned seven state colleges and universities should update their cybersecurity awareness training policies to require this training for all employees.
  2. The aforementioned seven state colleges and universities should update their cybersecurity awareness training policies to include consequences for non-completion (e.g., restriction of access until they complete the training).

Finding 4

CATA, CCRTA, and VTA did not ensure that all of their employees completed cybersecurity awareness training.

Effect: If regional transit authorities do not ensure that all of their employees complete cybersecurity awareness training, then they may expose themselves to an increased risk of cybersecurity attacks and financial and/or reputational losses.

Recommendations

The aforementioned three regional transit authorities should do the following:
  1. update their cybersecurity awareness training policies to require this training for all employees; and
  2. update their cybersecurity training policies to include consequences for non-completion (e.g., restriction of access until training is completed).
