Overview
BCDA did not provide cybersecurity awareness training to its employees during the audit period. Additionally, the agency did not have any policy to require that this training be administered to its staff members.
Without educating its employees on their responsibility to protect the security of information assets, BCDA exposes itself to a higher risk of cybersecurity attacks and financial and/or reputational losses.
Authoritative Guidance
The National Institute of Standards and Technology’s “Special Publication 800-53r5, Security and Privacy Controls for Information Systems and Organizations,” states,
AT-2 LITERACY TRAINING AND AWARENESS . . .
a. Provide security and privacy literacy training to system users (including managers, senior executives, and contractors):
1. As part of initial training for new users and . . . [organization-defined frequency] thereafter.
Section 6.2 of the Executive Office of Technology Services and Security’s Information Security Risk Management Standard IS.010 states,
6.2.3 New Hire Security Awareness Training: All new personnel must complete an Initial Security Awareness Training course. This course will be conducted via web-based learning or in-class training and will be included in the new hire orientation checklist. The New Hire Security Awareness course must be completed within 30 days of new hire orientation.
6.2.4 Annual Security Awareness Training: All personnel are required to complete Annual Security Awareness Training. Once implemented, automatic email reminders will be sent to personnel 12 months after course completion, alerting personnel to annual refresher training completion deadlines.
Although BCDA is not required to follow these standards, we consider them best practices.
Reasons for Issue
The District Attorney stated that policies related to cybersecurity awareness training were not in place when he started his administration.
Recommendations
- BCDA should develop, document, and implement policies and procedures that require employees to complete cybersecurity awareness training within 30 days of their orientation and annually thereafter.
- BCDA should ensure that it provides and documents cybersecurity awareness training for its employees.
Auditee’s Response
The [BCDA] current administration was unaware of any requirement from the previous administration administering cybersecurity awareness training. The [BCDA] under the current administration has contracted to use a cybersecurity training system known as “KnowB4”. The [BCDA] now requires cybersecurity awareness training to be completed as part of the onboarding process and as an annual requirement for all staff. The training must be completed within 30 days of hire and then renewed annually for all staff. Additionally, the Chief of Information Technology also performs random screenings to ensure compliance. Compliance for initial and annual completion of the KnowB4 training is monitored by the Chief of Information Technology. In addition to the KnowB4 training, the Employee Handbook [newly implemented by the current BCDA administration] outlines procedures for Fraud Prevention, Computer Viruses, Network Security, and provides staff with the standards known as “WISP” (Written Information Security Program) for the protection of personal information.
Auditor’s Reply
Based on its response, BCDA is taking measures to address our concerns regarding this matter. As part of our post-audit review process, we will follow up on this matter in approximately six months.
Date published: April 11, 2025