Overview
The following state colleges and universities did not ensure that all of their employees completed cybersecurity awareness training during the audit period: Framingham State University (FSU), Holyoke Community College (HCC), Massachusetts Bay Community College (MBCC), Massasoit Community College (MCC), North Shore Community College (NSCC), Northern Essex Community College (NECC), and Westfield State University (WSU).
The table and graph below show our findings for these state colleges and universities.
On-Time Cybersecurity Awareness Training Completion Rates for State Colleges and Universities: Sample of All Employees
State College or University | On-Time Training Completion Percentage* | Total Number of Employees Tested | Number of Tested Employees Who Completed Training Late | Number of Tested Employees Who Did Not Complete Training |
---|---|---|---|---|
FSU | 40.0% | 10 | — | 6 |
HCC | 60.0% | 10 | — | 4 |
MBCC | 50.0% | 10 | — | 5 |
MCC | 50.0% | 10 | — | 5 |
NSCC | 80.0% | 10 | — | 2 |
NECC | 30.0% | 10 | — | 7 |
WSU | 70.0% | 10 | — | 3 |
* Note that this table is based on the sample of employees from each state college or university, not the population of employees.
If state colleges and universities do not ensure that all of their employees complete cybersecurity awareness training, then they may expose themselves to an increased risk of cybersecurity attacks and financial and/or reputational losses.
Authoritative Guidance
EOTSS’s Information Security Risk Management Standard IS.010 states,
6.2.3 New Hire Security Awareness Training: All new personnel must complete an Initial Security Awareness Training course. This course shall be conducted via web-based learning or in class training and shall be included in the new hire orientation checklist. The New Hire Security Awareness course must be completed within 30 days of new hire orientation.
6.2.4 Annual Security Awareness Training: All personnel will be required to complete Annual Security Awareness Training. Once implemented, automatic email reminders will be sent to personnel 12 months after course completion, alerting personnel to annual refresher training completion deadlines.
Reasons for Issue
Management at each of the state colleges and universities listed below gave us the following reasons for noncompliance:
- FSU management stated that its internal policy only recommended cybersecurity awareness training for its employees, instead of requiring it.
- HCC management stated that student employees did not have access to HCC’s computer network (which is only accessible with staff member accounts), so providing them with cybersecurity awareness training would not be required.
- MBCC management stated the following:
  - Two student employees from our finding “never received student [employee] accounts, so they were missed in getting training assigned as part of the onboarding” (from an email MBCC sent to us on February 15, 2024);
  - Two employees from our finding “did not elect to complete their training. . . . As a result, their employment with [MBCC] was discontinued” (from an email MBCC sent to us on February 15, 2024);
  - One newly hired employee from our finding “started before the training program was in place, so [they] would not have had the option for [initial] training” (from an email MBCC sent to us on February 15, 2024); and
  - One newly hired employee from our finding joined MBCC while the college was conducting annual refresher cybersecurity awareness training, so MBCC enrolled this employee in the annual refresher training rather than in the initial cybersecurity awareness training, to avoid training the employee on the same content twice in a short period of time.
- MCC management stated that its internal policy only recommended cybersecurity awareness training for its employees, instead of requiring it.
- NSCC management stated that two newly hired employees did not complete the cybersecurity awareness training because its auto-enrollment process failed briefly in September 2022, so NSCC was unable to enroll newly hired employees in the training during this period.
- NECC management stated that it has a written cybersecurity awareness training policy, but that the policy is not enforced. Management also stated that they are not allowed to limit user access for employees who do not complete cybersecurity awareness training.
- WSU management stated that they were not aware that contractors, part-time employees, or seasonal employees were required to complete the cybersecurity awareness training.
Recommendations
- The aforementioned seven state colleges and universities should update their cybersecurity awareness training policies to require this training for all employees.
- The aforementioned seven state colleges and universities should update their cybersecurity awareness training policies to include consequences for non-completion (e.g., restriction of access until they complete the training).
Auditees’ Responses
FSU
We are in agreement with the merits of the [EOTSS] Standard and the University is now aligned with the goals of the cybersecurity awareness training. To that end, since the completion of the field work associated with this audit, but prior to the receipt of this draft report, FSU developed and formally adopted campus policy consistent with the Information Security Risk Management Standard. Appendix A contains the text of this Policy on Cybersecurity Training for Employees established on July 17, 2024. The policy is currently in effect and will begin full implementation in October 2024 pursuant to the establishment of a bargained labor agreement that permits initial onboarding cybersecurity training and then subsequent annual training, including prescriptive penalties or remediations for noncompliance.
This local policy will achieve the same goals and mitigate the risks identified in the recommendations associated with Finding 3. We remain committed to the protection of the information technology assets and information retained by the University and share the mutual desire to remain vigilant to new and emerging threats to these digital assets and networks.
HCC
Upon learning that all HCC work study students, regardless of their need to access the network, must complete the cybersecurity training within 30 days of their assignment, HCC implemented the following policies and procedures:
Policy: HCC’s policy now mandates that all work study students will be notified they need to complete mandatory cybersecurity training within 30 days of starting their work assignment.
Consequences: Failure to complete the required training within 30 days of their work assignment will result in revoking their work study assignment/job until the training is completed.
MBCC
[MBCC writes] in response to your email of July 19, 2024, regarding the recent audit of cybersecurity training at [MBCC]. Thank you for sharing the audit results and providing us with the opportunity to respond.
The two student employees mentioned did not receive student employee accounts and thus were not assigned training during onboarding. As part of our employee onboarding process, all MBCC employees receive an account and are enrolled in the new hire cybersecurity training program. This issue was identified in November 2023 due to this audit, and since then, MBCC has taken steps to ensure the enforcement of this process.
Two employees chose not to complete their training, leading to the termination of their employment with MBCC, underscoring the institution’s commitment to mandatory training.
One employee joined before the training program was established. The program is now fully operational, requiring all employees to complete it within 30 days of starting. If not, they are granted an additional 30 days then this [is] escalated to senior management and their access is restricted until it is completed.
Lastly, one newly hired employee started with MBCC during the annual cybersecurity awareness training. As the onboarding training is identical, they were not enrolled twice. Going forward we will ensure that they are enrolled in both.
Thank you again for the audit. Our policy states that all employees must complete the cybersecurity training, but this audit helped us identify areas for improvement. We have taken the necessary steps to remediate areas of concern. Going forward we anticipate we will be in full compliance with the State requirements.
MCC
The college fully acknowledges the need for, and importance of, cybersecurity training for all employees.
Massasoit Community College’s leadership is currently developing language to amend the existing Written Information Security Program (WISP) with the recommendations of the recent Executive Office of Technology Services and Security performance audit.
The college will be collaborating with the Unions, through impact bargaining, to ensure proper checks and balances are in place, that new hire training and annual re-training are conducted in a timely manner, and that, if necessary, reasonable gradated consequences for non-compliance are in place.
NSCC
The College agrees that cybersecurity training is critical and important. The College management and especially the [information technology] department has put a great deal of effort into a collaborative process ensuring that cybersecurity training is ongoing and annual, as demonstrated in our highest completion rate (80%) of those tested in the [Office of the State Auditor] draft report. Since that audit the College has gone further with tighter process improvements which now disables employee accounts that have not completed either the new employee training or annual training within the allotted time frames. Disabled accounts are reenabled upon request and employees are granted an additional week to complete the required training. Our training completion rate now stands at 97%.
NECC
At NECC we specifically value and understand the importance of Cybersecurity training. Recently we experienced a cyber incident caused by user error. Had it not been for the systems we have in place, this threat would have had significant impact on our operation. We also worked with EOTSS after the incident to discuss lessons learned from the attack, working with vendors and the Commonwealth.
In order to better comply with EOTSS’s Information Security Risk Management Standard IS.010, and industry’s best practices, we have developed a revised Cybersecurity Training Process. . . . NECC is implementing the process starting in the Fall. This process may be subject to impact bargaining with our [Massachusetts Community College Council] and [American Federation of State, County and Municipal Employees] union members.
Thank you again for the opportunity to respond to this audit and please do not hesitate to contact me should you have any additional questions.
WSU
Westfield State’s current Security Education Training and Awareness (SETA Program) already requires training as part of the campus onboarding program. . . . For the faculty collective bargaining unit, [Massachusetts State College Association], training was impact bargained and the final agreement was completed on March 21, 2024. As a result, beginning in the fall 2024, cyber security training will be required for faculty. . . .
The University’s Access Control Guidelines already allow for the suspension of access to information technology resources for non-compliance. Efforts are currently underway to formalize the consequences with the Office of Information and Instructional Technology and the Human Resources Office. Progressive discipline actions may require further impact bargaining.
Auditor’s Reply
We appreciate the responses provided by the seven state colleges and universities we audited. The issue we identified is that these state colleges and universities did not consistently provide cybersecurity training to their employees. We regard EOTSS’s Information Security Risk Management Standard IS.010 as the baseline for best practices in cybersecurity awareness training across the Commonwealth’s agencies, and therefore, we used this as our audit criteria. According to Section 8.18 of the US Government Accountability Office’s Generally Accepted Government Auditing Standards, “Examples of criteria include: . . . (c) technically developed standards or norms; . . . (f) defined business practices; . . . and (h) benchmarks against which performance is compared, including performance of other entities or sectors.”
As noted above within the auditees’ responses, many colleges and universities have already started addressing our concerns in this area.
Date published: November 8, 2024