This page, Audit of Cybersecurity Awareness Training Compliance Across Multiple State Agencies Overview of Audited Entity, is offered by the Office of the State Auditor.

Audit of Cybersecurity Awareness Training Compliance Across Multiple State Agencies Overview of Audited Entity

This section describes the makeup and responsibilities of the Audit of Cybersecurity Awareness Training Compliance Across Multiple State Agencies.

Overview

The Executive Office of Technology Services and Security (EOTSS), located at 1 Ashburton Place in Boston, was established in 2017 in accordance with Section 2 of Chapter 7D of the Massachusetts General Laws. According to its website, EOTSS was created to “improve data security, safeguard privacy, and promote better service delivery across the Commonwealth.” EOTSS operates under the direction of the Commonwealth’s chief information officer, who is appointed by the Governor.

According to its website,

The Executive Office of Technology Services and Security (EOTSS) seeks to provide secure and quality digital information, services, and tools to customers and constituents when and where they need them. . . . EOTSS provides responsive digital and security services that enable taxpayers, motorists, businesses, visitors, families, and other citizens to do business with the Commonwealth. . . . EOTSS also oversees and manages the enterprise technology and digital infrastructure and services for over 125 state agencies and over 43,000 state employees. . . . Since its creation, EOTSS has made critical investments in infrastructure resiliency, unifying cybersecurity operations, and deploying a Standard Operating Environment (SOE) and technology architecture across all agencies. The organization has also collaborated with agencies to improve the centralized delivery of digital services for constituents, schools, businesses, government agencies, and municipalities.

According to its website, EOTSS employed 452 full-time employees as of May 24, 2023. 

Multi-Agency Approach

This report covers 22 additional agencies’ compliance with EOTSS’s cybersecurity awareness training standard. We separated them out into three categories (other executive branch agencies in addition to EOTSS, state colleges and universities, and regional transit authorities) for the purposes of this report.

The organization chart below shows the applicability of EOTSS guidance for the agencies in this report.

Applicability of Information Security Risk Management Standard IS.010[1]

This object is an organizational chart showing the applicability of EOTSS’s Information Security Risk Management Standard IS.010 to the agencies in this report. EOTSS, the agency responsible for establishing information technology policies and procedures for the state executive branch, represents the beginning of the chart. After EOTSS are the executive branch agencies either under audit or overseeing secretariat agencies under audit. They are as follows: the Executive Office of Labor and Workforce Developm

EOTSS and Other Executive Branch Agencies

EOTSS is responsible for the development and maintenance of the Enterprise Information Security Policies and Standards, pursuant to Section 2 of Chapter 7D of the General Laws, which requires all executive branch agencies to “adhere to the policies, procedures, and objectives established by the executive office of technology services and security.” EOTSS states in its Information Security Risk Management Standard IS.010 that this standard “applies to the Executive Department including all executive offices, and all boards, commissions, agencies, departments, divisions, councils, and bureaus.” This report outlines our audit of the following executive branch agencies regarding cybersecurity awareness training:

  • EOTSS itself;
  • the Bureau of the State House (BSH);
  • the Civil Service Commission (CSC);
  • the Department of Labor Standards (DLS);
  • the Department of Mental Health (DMH);
  • the Department of Public Health (DPH);
  • the Department of Revenue (DOR);
  • the Group Insurance Commission (GIC);
  • the Massachusetts Department of Transportation (MassDOT);
  • the Massachusetts Parole Board (MPB);
  • the Registry of Motor Vehicles (RMV); and
  • the State 911 Department (911).

The table below shows the state appropriations for each of these executive branch agencies.[2] (Note that 911 does not receive state appropriations. Instead, it receives funding through an annual surcharge of $1.50 on all telephone lines capable of accessing the 911 system. These funds are kept by 911 in a trust fund account.)

| Agency | State Appropriations Fiscal Year 2021 | State Appropriations Fiscal Year 2022 | State Appropriations Fiscal Year 2023 |
|---|---|---|---|
| EOTSS | $3,105,778 | $3,105,778 | $3,204,513 |
| BSH | $3,677,814 | $3,927,814 | $4,569,197 |
| CSC | $623,938 | $625,406 | $843,762 |
| DLS | $3,949,551 | $4,349,551 | $4,628,025 |
| DMH | $911,642,258 | $951,956,760 | $1,018,768,861 |
| DPH | $769,034,718 | $819,954,348 | $938,273,734 |
| DOR | $1,356,399,209 | $1,399,872,660 | $1,483,244,288 |
| MassDOT | $613,006,824 | $635,459,988 | $752,237,634 |
| GIC | $2,263,612,328 | $2,344,120,760 | $2,463,402,384 |
| MPB | $21,908,514 | $20,943,687 | $21,649,317 |
| RMV | $182,380,000 | $131,573,000 | $131,653,000 |

State Colleges and Universities

The state colleges and universities in Massachusetts work to improve higher education, support economic development and growth, and support communities across the Commonwealth. The following state colleges and universities (which were established in accordance with Section 5 of Chapter 15A of the General Laws) are a system of public institutions of higher education, and were subjects of this audit:

  • Framingham State University (FSU);
  • Holyoke Community College (HCC);
  • Massachusetts Bay Community College (MBCC);
  • Massasoit Community College (MCC);
  • North Shore Community College (NSCC);
  • Northern Essex Community College (NECC); and
  • Westfield State University (WSU).

The table below shows the state appropriations for each of these state colleges and universities.


 

| Agency | State Appropriations Fiscal Year 2021 | State Appropriations Fiscal Year 2022 | State Appropriations Fiscal Year 2023 |
|---|---|---|---|
| FSU | $32,545,150 | $33,193,587 | $36,087,625 |
| HCC | $22,697,040 | $23,207,079 | $23,851,448 |
| MBCC | $17,779,141 | $18,136,472 | $18,746,043 |
| MCC | $24,064,288 | $24,474,243 | $25,391,675 |
| NSCC | $24,154,641 | $24,600,186 | $25,517,333 |
| NECC | $21,986,040 | $22,385,471 | $23,251,578 |
| WSU | $30,992,952 | $31,621,476 | $34,336,799 |

Regional Transit Authorities

Regional transit authorities provide public transportation services in different communities within Massachusetts, meeting the specific transit needs of each community. The following regional transit authorities were established in accordance with Section 2 of Chapter 161B of the General Laws and were subjects of this audit:

  • the Cape Ann Transportation Authority (CATA);
  • the Cape Cod Regional Transit Authority (CCRTA);
  • the Martha’s Vineyard Regional Transit Authority (VTA); and
  • the Nantucket Regional Transit Authority (NRTA).

The table below shows the operating revenues for each of these regional transit authorities.

| Agency | Operating Revenues Fiscal Year 2021 | Operating Revenues Fiscal Year 2022 | Operating Revenues Fiscal Year 2023 |
|---|---|---|---|
| CATA | $13,642,963 | $2,604,218 | $512,110 |
| CCRTA | $9,083,000 | $1,456,000 | $1,139,000 |
| VTA | $1,289,000 | $1,779,000 | $1,798,000 |
| NRTA | $389,492 | $578,464 | $614,688 |

Cybersecurity Awareness Training

EOTSS has established policies and procedures that apply to all Commonwealth agencies within the executive branch. These policies and procedures require executive branch agencies to implement procedures that ensure that their employees comply with the requirements in EOTSS’s aforementioned policies and procedures. EOTSS recommends, but does not require, non-executive branch agencies to follow its policies and procedures. Section 6.2 of EOTSS’s Information Security Risk Management Standard IS.010 states,

The objective of the Commonwealth information security training is to educate users on their responsibility to help protect the confidentiality, availability and integrity of the Commonwealth’s information assets. Commonwealth Offices and Agencies must ensure that all personnel are trained on all relevant rules and regulations for cybersecurity.

To ensure that employees in all Commonwealth agencies within the executive branch are clear on their responsibilities, EOTSS’s policies and procedures require that all newly hired employees[3] complete an initial cybersecurity awareness training course within 30 days of their orientation, and that all existing employees[4] complete an annual refresher cybersecurity awareness course.

1.   Agencies marked as "not under audit" are not included in this report. Additionally, EOTSS's Information Security Risk Management Standard IS.010 states the following regarding its scope: "Executive Department agencies and offices are required to implement procedures that ensure their personnel comply with the requirements herein to safeguard information."

2.    This table shows state appropriations exclusively; however, some agencies receive additional funding from other sources. State appropriations include a variety of different spending categories, including personnel, technology, and pass-through spending. As an example, GIC (line item 1108-5100) received $4,385,239, $4,385,240, and $4,738,587 in state appropriations in fiscal years 2021, 2022, and 2023, respectively. GIC’s state appropriations include group insurance premium and plan costs (line item 1108-5200), which accounted for $1,747,367,959, $1,826,778,807, and $1,921,206,747 in state appropriations in fiscal years 2021, 2022, and 2023, respectively. GIC’s state appropriations also include the State Retiree Benefits Trust Fund (line item 1599-6152), which accounted for $500,000,000 in state appropriations in fiscal years 2021 and 2022 and $525,000,000 in state appropriations in fiscal year 2023. See the GIC's Historical Budget Summary for more information.

3.   For the purposes of this audit report, we use the term newly hired employees to refer to employees who were hired during the audit period, unless stated otherwise.

4.   For the purposes of this audit report, we use the term existing employees to refer to employees who were hired before the start of the audit period (July 1, 2021), unless stated otherwise.

Date published: November 8, 2024
