This page, Audit of the Attorney General’s Office—Review of Cybersecurity Awareness Training, is offered by the Office of the State Auditor.

Audit of the Attorney General’s Office—Review of Cybersecurity Awareness Training

A review of the Attorney General’s Office’s (AGO) information technology (IT) security practices showed that not all AGO employees were offered or required to take cybersecurity awareness training during a portion of the audit period. The audit examined the period of July 1, 2018 through July 31, 2020.

Organization: Office of the State Auditor
Date published: October 29, 2021

Executive Summary

In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of the Attorney General’s Office (AGO) for the period July 1, 2018 through July 31, 2020. In this performance audit, we reviewed AGO’s cybersecurity awareness training and practices to determine whether all employees had completed cybersecurity awareness training and signed information technology policies.

Below is a summary of our finding and our recommendations, with links to each page listed.

Finding 1

AGO did not offer cybersecurity awareness training during a portion of the audit period.

Recommendations

  1. AGO should ensure that initial cybersecurity awareness training for new hires and annual training thereafter for existing employees are always available.
  2. If a new vendor or training program is selected, an interim training plan should always be in place to ensure continuity in cybersecurity awareness training during the transition to the new vendor or program.

A PDF copy of the audit of the Attorney General’s Office—Review of Cybersecurity Awareness Training is available here.

Post-Audit Action

During the audit, AGO management provided the audit team with the agency’s then-current draft of its cybersecurity awareness training policy. Our review of this draft policy indicated that AGO had addressed the concern discussed in the audit report regarding the lack of training for employees, such as student interns, who were compensated outside the Human Resources Compensation Management System during the audit period. It did so by including these employees in future trainings.
