Overview
The following regional transit authorities did not ensure that all of their employees completed cybersecurity awareness training during the audit period: the Cape Ann Transportation Authority (CATA), the Cape Cod Regional Transit Authority (CCRTA), and the Martha’s Vineyard Regional Transit Authority (VTA).
The table and graph below show our findings for these regional transit authorities.
On-Time Cybersecurity Awareness Training Completion Rates for Regional Transit Authorities: Sample of All Employees
| Regional Transit Authority | On-Time Training Completion Percentage* | Total Number of Employees Tested | Number of Tested Employees Who Completed Training Late | Number of Tested Employees Who Did Not Complete Training |
|---|---|---|---|---|
| CATA | 66.7% | 3 | — | 1 |
| CCRTA | 25.0% | 8 | — | 6 |
| VTA | 50.0% | 8 | — | 4 |
* Note that this table is based on the sample of employees from each regional transit authority, not the population of employees.
If regional transit authorities do not ensure that all of their employees complete cybersecurity awareness training, then they may expose themselves to an increased risk of cybersecurity attacks and financial and/or reputational losses.
Authoritative Guidance
EOTSS’s Information Security Risk Management Standard IS.010 states,
6.2.3 New Hire Security Awareness Training: All new personnel must complete an Initial Security Awareness Training course. This course shall be conducted via web-based learning or in class training and shall be included in the new hire orientation checklist. The New Hire Security Awareness course must be completed within 30 days of new hire orientation.
6.2.4 Annual Security Awareness Training: All personnel will be required to complete Annual Security Awareness Training. Once implemented, automatic email reminders will be sent to personnel 12 months after course completion, alerting personnel to annual refresher training completion deadlines.
Reasons for Issue
Management of each of these regional transit authorities provided us with the following reasons for noncompliance:
- CATA management stated that the employee from our finding overlooked the email reminders for the cybersecurity awareness training and did not know they could complete training after the due date.
- CCRTA management stated that not all employees participated in the cybersecurity awareness training, as it was given only to staff members with access to sensitive customer or agency data.
- VTA management stated that some employees did not have computer network access, and therefore, VTA did not require them to take cybersecurity awareness training.
Recommendations
- The aforementioned three regional transit authorities should do the following:
  - update their cybersecurity awareness training policies to require this training for all employees and
  - update their cybersecurity training policies to include consequences for non-completion (e.g., restriction of access until training is completed).
Auditees’ Responses
CATA
The Cape Ann Transportation Authority agrees with the recommendations.
CCRTA
The [Office of the State Auditor] audit findings are based on a limited compliance review conducted in accordance with the EOTSS IS.010 cybersecurity policy, which the CCRTA did not opt to adopt as permitted under the policy (AUTHORITY Section 2, 2.1: “Notwithstanding any general or special law, rule, regulation, executive order, policy or procedure to the contrary, all executive department agencies shall, and other state agencies may, adhere to the policies, procedures and objectives established by the executive office of technology services and security with respect to activities concerning information technology.”).
VTA
VTA stated that 4 of the 8 employees selected did not have computer network access as part of their job duties.
Auditor’s Reply
We appreciate the responses provided by the regional transit authorities we audited. The issue we identified is that these regional transit authorities did not consistently provide cybersecurity training to their employees. We regard EOTSS’s Information Security Risk Management Standard (IS.010) as the baseline for best practices in cybersecurity awareness training across the Commonwealth’s agencies, and therefore we used this as our audit criteria. Per Generally Accepted Government Auditing Standards 8.18, examples of criteria include: (c) technically developed standards or norms, (f) defined business practices, and (h) benchmarks for performance comparison, including those of other entities or sectors.
We also note here that EOTSS’s Information Security Risk Management Standard IS.010 is applicable to the use of information systems and resources by all Commonwealth agencies within the executive branch, encompassing, as it states, “all executive offices, and all boards, commissions, agencies, [and] departments.” This EOTSS standard is designed to safeguard information and serves as a minimum requirement for cybersecurity awareness training.
Regarding training employees who do not have computer network access, we maintain that EOTSS’s Information Security Risk Management Standard IS.010 states, “All new personnel must complete an Initial Security Awareness Training course” and that EOTSS does not provide an exemption to this policy for employees who lack access to computer systems. We urge the regional transit authorities to implement an alternative method to complete training for employees without system access, such as offering a paper-based training option.
As noted above within the auditees’ responses, many regional transit authorities have already started addressing our concerns in this area.
Date published: November 8, 2024