This page, Audit of the Attorney General’s Office—Review of Cybersecurity Awareness Training Objectives, Scope, and Methodology, is offered by the Office of the State Auditor.

Audit of the Attorney General’s Office—Review of Cybersecurity Awareness Training Objectives, Scope, and Methodology

An overview of the purpose and process of auditing the Attorney General’s Office—Review of Cybersecurity Awareness Training.


Overview

In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of certain activities of the Attorney General’s Office (AGO) for the period July 1, 2018 through July 31, 2020.

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Below is our audit objective, indicating the question we intended our audit to answer, the conclusion we reached regarding the objective, and where the objective is discussed in the audit findings.

Objective 1: Did AGO administer a security awareness training program in accordance with Sections 6.2.1.3, 6.2.3, 6.2.4, 6.2.7, and 6.2.8 of the Executive Office of Technology Services and Security’s (EOTSS’s) Information Security Risk Management Standard IS.010 and Controls AT-1(a)(1) and AT-2(a) of the National Institute of Standards and Technology’s (NIST’s) Special Publication 800-53r4, Security and Privacy Controls for Federal Information Systems and Organizations?

Conclusion: Partially; see Finding 1

We conducted this performance audit using policies, procedures, and standards issued by AGO. We also used NIST’s Special Publication 800-53r4, Security and Privacy Controls for Federal Information Systems and Organizations. Although AGO is not required to follow this industry standard, it represents best practices for information system security. Additionally, we used criteria from enterprise security policies and standards issued by EOTSS. A preliminary version of the EOTSS enterprise security policies was available to agencies in October 2017, and agencies were required to comply with a final version starting October 15, 2018. Although AGO is an independent agency,[1] agencies that use EOTSS resources are required to comply with these policies and standards.

To achieve our audit objective, we first gained an understanding of the internal controls related to the objective by conducting interviews with AGO management and other staff members involved in administering the agency’s cybersecurity awareness training, as well as observing certain management activities related to this training. Additionally, we performed the following procedures to address our audit objective.

To determine whether all personnel completed the annual cybersecurity awareness training, we obtained a list of all personnel at AGO during the audit period. For employees who were in the Human Resources Compensation Management System (HR/CMS),[2] we reviewed the electronic training records in the SysAdmin, Audit, Network, and Security (SANS) and KnowBe4 training systems. We also reviewed the training records in SANS and KnowBe4 to determine whether all employees completed the training within the timeframe set by AGO. For personnel, such as interns and volunteers, who were not in HR/CMS because they were not paid through that system and whose access to the network was more restricted than that of full-time employees, AGO provided us with documentation indicating that it did not provide the same training outside HR/CMS during the audit period because of cost considerations.

We also examined and reviewed the SANS and KnowBe4 programs, including their training content and training procedures, to ensure that they were in accordance with EOTSS’s Information Security Risk Management Standard IS.010.

We selected a nonstatistical, random sample of 35 of 243 newly hired users whom the agency required to take the training. For each user in our sample, we reviewed and compared the electronic records with the new hire orientation date to determine whether the user completed the initial cybersecurity awareness training within 30 days of new hire orientation. In addition, we requested from AGO’s Human Resources Department the signed Employee Manual Acknowledgment Statement that included the acknowledgment of AGO’s information technology (IT) policy for each newly hired user in our sample. We performed an observation to verify the signature on the Employee Manual Acknowledgment Statement for each user in the sample to ensure that all users had signed and acknowledged AGO’s IT policy. Because we used a nonstatistical approach for our audit sample, we could not project our results to the entire population of employees.

Data Reliability

AGO provided a list of users in HR/CMS. To assess the reliability of the list, we tested for duplicate data, missing data, and data outside the audit period. We also compared the list to the list of users in the Commonwealth Information Warehouse.[3]

To assess the reliability of AGO’s cybersecurity awareness training records from SANS and KnowBe4, we tested for missing and duplicate data. We also interviewed AGO’s chief information officer and observed him exporting the training records from both systems. Based on the results of these data reliability assessment procedures, we determined that the data obtained from HR/CMS, SANS, and KnowBe4 for our audit were sufficiently reliable for the purpose of the audit.
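The procedures described above (testing training exports for duplicate, missing and out-of-period records, then reconciling them against the HR/CMS personnel list to see who completed training and whether new hires completed it within 30 days of orientation) can be carried out mechanically once the exports are in hand. The script below is an added example, not part of the audit report and not AGO's, SANS's or KnowBe4's own tooling; the roster and training rows are constructed sample data, and the field names and the three status labels are assumptions chosen for illustration. The audit period and the 30-day new hire window are the ones stated in this report.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Audit period and new hire window as stated in the report
AUDIT_START = date(2018, 7, 1)
AUDIT_END = date(2020, 7, 31)
NEW_HIRE_WINDOW_DAYS = 30


@dataclass(frozen=True)
class Person:
    """One row of the personnel list (field names are assumptions)."""
    person_id: str
    orientation_date: Optional[date]  # None for personnel not in HR/CMS
    in_hrcms: bool


@dataclass(frozen=True)
class TrainingRecord:
    """One row of a SANS or KnowBe4 export (field names are assumptions)."""
    person_id: str
    system: str                   # "SANS" or "KnowBe4"
    completed_on: Optional[date]  # None models a missing completion date


# Constructed sample data, not real AGO records
ROSTER = [
    Person("E001", date(2018, 9, 10), True),   # trained 18 days after orientation
    Person("E002", date(2019, 2, 4), True),    # trained 45 days after orientation
    Person("E003", date(2019, 11, 18), True),  # no usable training record
    Person("E004", date(2020, 1, 6), True),    # duplicated export row
    Person("V001", None, False),               # volunteer, not paid through HR/CMS
]

TRAINING = [
    TrainingRecord("E001", "KnowBe4", date(2018, 9, 28)),
    TrainingRecord("E002", "SANS", date(2019, 3, 21)),
    TrainingRecord("E004", "KnowBe4", date(2020, 1, 20)),
    TrainingRecord("E004", "KnowBe4", date(2020, 1, 20)),  # exact duplicate
    TrainingRecord("E999", "SANS", date(2019, 5, 1)),      # id not on the roster
    TrainingRecord("E001", "SANS", None),                  # missing completion date
    TrainingRecord("E002", "KnowBe4", date(2017, 12, 1)),  # before the audit period
]


def assess_reliability(records, audit_start=AUDIT_START, audit_end=AUDIT_END):
    """Data reliability tests from the report: duplicates, missing data, out-of-period data."""
    seen = set()
    duplicates, missing, out_of_period = [], [], []
    for r in records:
        key = (r.person_id, r.system, r.completed_on)
        if key in seen:
            duplicates.append(r)
            continue
        seen.add(key)
        if r.completed_on is None:
            missing.append(r)
        elif not (audit_start <= r.completed_on <= audit_end):
            out_of_period.append(r)
    return {"duplicates": duplicates, "missing": missing, "out_of_period": out_of_period}


def reconcile(roster, records, window_days=NEW_HIRE_WINDOW_DAYS,
              audit_start=AUDIT_START, audit_end=AUDIT_END):
    """Match cleaned training records to the roster.

    Returns (statuses, orphan_ids): a status per roster member and the set of
    ids that appear in the training exports but not on the personnel list.
    """
    # Keep only dated, in-period rows, one per (person, system, date)
    clean = {
        (r.person_id, r.system, r.completed_on): r
        for r in records
        if r.completed_on is not None and audit_start <= r.completed_on <= audit_end
    }
    completions = {}
    for r in clean.values():
        completions.setdefault(r.person_id, []).append(r.completed_on)

    statuses = {}
    for p in roster:
        if not p.in_hrcms:
            statuses[p.person_id] = "not_in_hrcms"   # trained outside this check, if at all
            continue
        dates = completions.get(p.person_id, [])
        if not dates:
            statuses[p.person_id] = "not_completed"
        elif min(dates) <= p.orientation_date + timedelta(days=window_days):
            statuses[p.person_id] = "completed_on_time"
        else:
            statuses[p.person_id] = "completed_late"
    orphans = set(completions) - {p.person_id for p in roster}
    return statuses, orphans


if __name__ == "__main__":
    quality = assess_reliability(TRAINING)
    for issue, rows in quality.items():
        print(f"{issue}: {len(rows)} row(s)")
    statuses, orphans = reconcile(ROSTER, TRAINING)
    for pid, status in statuses.items():
        print(f"{pid}: {status}")
    print(f"ids in exports but not on roster: {sorted(orphans)}")
```

The reliability pass and the reconciliation are kept separate on purpose: an auditor reports the duplicate, missing and out-of-period counts as evidence about the exports themselves, and only then drops those rows so that a person is not marked "completed" on the strength of a record that falls outside the audit period or has no date. Ids that appear in an export but not on the roster are surfaced rather than silently ignored, since they indicate either a stale account or a gap in the personnel list.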

[1] According to mass.gov, “Independent agencies and commissions are part of the Executive Branch. However, they are not subject to oversight or control by the Executive Branch.”

[2] This is the Commonwealth’s official payroll system.

[3] According to the Office of the Comptroller of the Commonwealth’s website, the Commonwealth Information Warehouse is a system that “brings together a subset of the financial, budgetary, human resources, payroll, and time reporting information maintained in dedicated and separate systems by individual agencies.”

Date published: October 29, 2021
