Overview
The Executive Office of Technology Services and Security (EOTSS) did not ensure that all of its employees who were active during the audit period completed initial and annual refresher cybersecurity awareness training.
The original due date for the training was August 31, 2022, but EOTSS executive management requested and received an extension from the Human Resources Division (HRD), which extended the due date for all executive branch agencies to October 14, 2022. HRD communicated this new deadline to executive branch managers through its Managers’ Corner Newsletter.
The table below shows our findings for EOTSS. Note that this table reflects the extended October 14, 2022 due date.
| Cybersecurity Awareness Training Type | On-Time Training Completion Percentage | Total Number of Employees Tested | Number of Employees Who Completed Training Late | Number of Employees Who Did Not Complete Training |
|---|---|---|---|---|
| Initial | 67.8% | 115 | 28 | 9 |
| Annual Refresher | 99.8% | 411 | — | 1 |
If EOTSS does not ensure that all of its employees complete cybersecurity awareness training, then EOTSS may expose itself to an increased risk of cybersecurity attacks and financial and/or reputational losses.
Authoritative Guidance
EOTSS’s Information Security Risk Management Standard IS.010 states,
6.2.3 New Hire Security Awareness Training: All new personnel must complete an Initial Security Awareness Training course. This course shall be conducted via web-based learning or in class training and shall be included in the new hire orientation checklist. The New Hire Security Awareness course must be completed within 30 days of new hire orientation.
6.2.4 Annual Security Awareness Training: All personnel will be required to complete Annual Security Awareness Training. Once implemented, automatic email reminders will be sent to personnel 12 months after course completion, alerting personnel to annual refresher training completion deadlines.
Reasons for Issue
EOTSS management explained that contract employees undergo a different onboarding process compared to non-contract employees. EOTSS processes contract employees’ training assignments in batches and must create training accounts manually. This process is time-consuming and typically occurs only once or twice per month. Additionally, EOTSS management noted that they do not have access to training transcripts for former employees.
Recommendations
- EOTSS should strengthen its policy to improve oversight of executive branch state agencies, including their timely completion of cybersecurity awareness trainings.
- EOTSS should ensure that training transcripts are maintained for all employees and include records of cybersecurity awareness training completion.
- EOTSS should ensure that all of its employees complete cybersecurity awareness training within 30 days of orientation and annually thereafter.
- EOTSS should establish procedures to monitor employee cybersecurity awareness training completion rates throughout the training cycle and use historical data retained by HRD to ensure that employees meet training deadlines.
Auditee’s Response
Security awareness training is a critical component of the Commonwealth’s security compliance strategy. Mandatory cybersecurity training must be completed within 30 days of employee orientation. The new hire 30-day training completion requirement is tied to employee orientation, rather than date of hire, to accommodate business processes related to onboarding and credentialing into the training system. Further, the process for onboarding and credentialing contract employees is different than the process for non-contract employees. Contractors are assigned training in “batches” once or twice per month. The new hire 30-day training completion requirement is purposefully tied to orientation date, as opposed to new hire date to accommodate for such business processes. [The Office of the State Auditor] relied on hire date, rather than employee orientation/onboarding date to calculate the 30-day deadline.
Moving forward, EOTSS will evaluate its internal processes to identify areas for improvement related to new hire orientation and contractor onboarding.
Additionally, EOTSS will work with necessary partners to explore whether there is a technical solution to accessing transcript data of former agency employees.
Auditor’s Reply
We agree with EOTSS’s statement that “security awareness training is a critical component of the Commonwealth’s security compliance strategy,” and for this reason, we believe that all employees, regardless of classification, should complete their initial training within 30 days. The data provided by EOTSS in response to our data requests in this audit did not include new hire orientation dates; it included new hire start dates.
Additionally, while we acknowledge that EOTSS has established policies and procedures applicable to all Commonwealth agencies within the executive branch, based on the findings below respective to those executive branch agencies, we believe there is a need for EOTSS to enhance its oversight of these agencies to ensure greater compliance with the Enterprise Information Security Policies and Standards.12
Based on its response, EOTSS has indicated that it will take steps to address our concerns on this matter. We will follow up on this during our post-audit review process in approximately six months.
Date published: November 8, 2024