Bridgewater State University Did Not Ensure That All Employees Completed Required Cybersecurity Awareness Training.

Bridgewater State University (BSU) did not ensure that all employees completed the required initial cybersecurity awareness training upon hire or annual cybersecurity awareness training thereafter. Without educating all employees on their responsibility of protecting information assets by requiring training, BSU is exposed to a higher risk of cybersecurity attacks and financial and/or reputation losses.

The Executive Office of Technology Services and Security’s Information Security Risk Management Standard IS.010 states,

6.2.3     New Hire Security Awareness Training: All new personnel must complete an Initial Security Awareness Training course. . . . The New Hire Security Awareness course must be completed within 30 days of new hire orientation.

6.2.4     Annual Security Awareness Training: All personnel will be required to complete Annual Security Awareness Training.

BSU stated that it had a comprehensive information technology security policy that documented procedures required to ensure that its network was safe from cybersecurity threats. However, the policy does not include requirements for initial and annual cybersecurity awareness training or internal controls to monitor and document completion of such training. Further, BSU management explained that they could not enforce a requirement of cybersecurity awareness training because of issues with union contracts.

1. BSU should document and implement policies and procedures that require all employees to complete initial and annual cybersecurity awareness training. The policies and procedures should include internal controls to monitor and document completion of the training.
2. BSU officials should negotiate with union officials to establish initial and annual cybersecurity awareness training requirements for all employees who are union members.

Bridgewater State University acknowledges the finding and notes that both new hire security awareness training as well as annual security awareness training is provided, tracked, and documented through the KnowBe4 [software] platform, and required of all employees, except unit members of the Massachusetts State College Association / Massachusetts Teachers Association (MSCA). University leadership, through the Board of Higher Education, is committed to negotiating with the MSCA union, consistent with its M.G.L. c. 150E obligations, the requirement that MSCA unit members complete security awareness training.

We understand that after the audit period, BSU implemented the KnowBe4 software to provide, track, and document cybersecurity awareness training for all employees. We also understand that BSU is discussing with the Massachusetts State College Association and the Massachusetts Teachers Association the possibility of all union members receiving cybersecurity awareness training. We commend BSU for taking measures to address our concerns on this matter.