Audit of the Massachusetts Water Resources Authority

Our office conducted a performance audit of the Massachusetts Water Resources Authority (MWRA) for the period July 1, 2019 through June 30, 2021.

Organization: Office of the State Auditor
Date published: August 25, 2023

Executive Summary

In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of the Massachusetts Water Resources Authority (MWRA) for the period July 1, 2019 through June 30, 2021.

The purpose of this audit was to determine whether MWRA implemented specific areas of its risk and resilience assessment¹ and emergency response plan²—certified on March 30, 2020 and September 29, 2020, respectively—in areas of information technology security, chemical delivery, and physical security in accordance with Section 2013 of the America’s Water Infrastructure Act.

Below is a summary of our findings and recommendations, with links to each page listed.

Finding 1

MWRA did not review and update its information security program (ISP) annually.

Recommendations

  1. MWRA should review its ISP annually.
  2. MWRA should develop and implement internal controls to ensure that it reviews its ISP annually.

Finding 2

MWRA’s single point of contact (SPOC) did not inform the Management Information System (MIS) Department of contractors’ changes for user access and/or multifactor authentication statuses for its administrative computer network.

Recommendation

MWRA should develop a formal, written policy that includes monitoring controls and requires MWRA’s SPOC to notify the MIS Department of contractors’ user access and/or multifactor authentication statuses, including the authority to work remotely. MWRA should also train its employees on how to implement and follow this policy.

Finding 3

MWRA did not ensure that all employees and contractors completed required cybersecurity awareness training for its administrative computer network.

Recommendation

MWRA should ensure that all its employees and contractors with access to its administrative computer network complete cybersecurity awareness training annually. MWRA should also implement internal controls to ensure that the employees and contractors complete the training.

Finding 4

MWRA did not revoke employees’ and contractors’ access to its administrative computer network after their employment or contracted work ended.

Recommendation

MWRA should develop a written policy that includes monitoring controls and a 24–business hour timeframe to ensure that the SPOC informs the MIS Department about MWRA employees whose employment has ended and contractors whose contracts have ended. MWRA should also train its employees on how to implement and follow this policy.

1. According to the America’s Water Infrastructure Act, a risk and resilience assessment evaluates the system’s vulnerabilities, threats to the system, and consequences from potential hazards—for example, mold, pipe corrosion, or flooding.

2. According to the America’s Water Infrastructure Act, an emergency response plan describes strategies, resources, plans, and procedures that MWRA can use to prepare for and respond to natural or man-made incidents that threaten life, property, or the environment—for example, a small main break or a hurricane.
