Audit of the Executive Office of Housing and Economic Development—Review of Cybersecurity Awareness Training Objectives, Scope, and Methodology

In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of the Executive Office of Housing and Economic Development (EOHED) for the period May 14, 2018 through June 30, 2019.

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Below is our audit objective, indicating the question we intended our audit to answer, the conclusion we reached regarding the objective, and where the objective is discussed in the audit findings.

In addition to our finding, we identified an issue we believe warrants EOHED’s attention, which we have disclosed in the “Other Matters” section of this report.

We conducted this performance audit using policies, procedures, and standards issued by EOHED, enterprise security policies and standards issued by EOTSS, and the Massachusetts Statewide Records Retention Schedule 06-18 as criteria. A preliminary version of the EOTSS enterprise security policies and standards was available to agencies in October 2017, and agencies were required to comply with a finalized version on October 15, 2018. Although compliance with these policies was not required for the whole audit period, they were available for agencies to view on EOTSS’s website and represented best practices that state agencies such as EOHED should have followed.

We also used Revision 4 of NIST’s Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations. Although EOHED is not required to follow this industry standard, it represents best practices for information system security.

To achieve our audit objective, we first gained an understanding of the internal controls related to the objective by conducting interviews with EOHED management and other staff members involved in administering the agency’s cybersecurity awareness training, as well as performing observations of certain management activities related to this training.

During the performance of our data reliability assessment, EOHED could not provide evidence of cybersecurity awareness training documentation for all the non–HR/CMS users within its Massachusetts Marketing Partnership agency (MMP). Because MMP did not maintain this training documentation, we modified our audit objective to limit the scope to HR/CMS users.

Next, to assess whether the EOHED information system users on a list obtained from HR/CMS had completed the required cybersecurity awareness training, we performed the following procedures:

• We obtained EOHED’s cybersecurity awareness training records through the Performance and Career Enhancement (PACE) Learning Management System and compared this information to a list of users provided by EOHED to determine which information system users completed the training.
• We reviewed PACE training records to determine whether the records for all users were retained.
• We conducted follow-up meetings with EOHED management to discuss the users who did not complete this training according to PACE.

To assess the reliability of the list of HR/CMS users provided by EOHED, we tested for missing data, duplicate data, and data outside the audit period. We also interviewed the EOHED human resources officer who was involved in maintaining the user list. Based on the results of these data reliability assessment procedures, we determined that the data obtained from HR/CMS for audit testing were sufficiently reliable for the purpose of the audit.

To assess the reliability of EOHED’s cybersecurity awareness training records in PACE, we tested for missing data, duplicate data, and data outside the audit period. We also interviewed EOHED’s human resources training director and the PACE administrator and observed the PACE administrator exporting the training records from PACE. Based on the results of these data reliability assessment procedures, we determined that the data obtained from PACE for our audit were sufficiently reliable for the purpose of the audit.