Bristol Community College - Finding 1

Bristol Community College Did Not Ensure That All of Its Employees Completed Cybersecurity Awareness Training.


Overview

Bristol Community College (BRC) did not ensure that all employees with access to its Banner system completed cybersecurity awareness training. Specifically, 47 (78%) of the 60 employees in our sample[10] did not complete all required annual cybersecurity awareness trainings during the period. Additionally, 33 (66%) of the 50 newly hired employees in our sample did not complete initial cybersecurity awareness training within 30 days of their hire date. Of these 33 newly hired employees, we found that 24 completed the training late and 9 did not complete the training at all.

The table below breaks down annual training completion for BRC employees sampled for the audit period.

Training                                        Completed   Not Completed   Not Applicable*   Total
2020 Training                                        7            42              11            60
2021 Training                                       36            13              11            60
2022 Training A                                     34             8              18            60
2022 Training B                                     34             8              18            60
2022 Training C                                     35             7              18            60
2023 Training A                                     29             5              26            60
2023 Training B                                     29             5              26            60
2023 Training C                                     28             6              26            60
All Assigned Trainings During the Audit Period      11            47               2**          60

*    Individuals who were not employed at BRC in a given year were assessed as not applicable. This would include, for example, newly hired employees and employees who left before the training was assigned.

**  Two individuals in our sample had employment termination dates before the training was assigned in 2020. These were assessed as not applicable for the audit period.

If BRC does not ensure that all of its employees complete cybersecurity awareness training, then it may expose itself to an increased risk of cybersecurity attacks and financial and/or reputational losses.

Authoritative Guidance

Section 6.2 of the Executive Office of Technology Services and Security Information Security Risk Management Standard IS.010 states,

6.2.3   New Hire Security Awareness Training: All new personnel must complete an Initial Security Awareness Training course. . . . The New Hire Security course must be completed within 30 days of orientation.

6.2.4   Annual Security Awareness Training: All personnel will be required to complete Annual Security Awareness Training.

Reasons for Issue

According to BRC officials, in 2020, BRC encouraged employees to take the training, but it was considered optional. However, in 2021 and onward, BRC made cybersecurity awareness training mandatory for all employees. BRC did not have sufficient procedures in place to monitor employee cybersecurity awareness training completion throughout the training cycle.

Recommendations

  1. BRC should ensure that all its newly hired employees complete cybersecurity awareness training within 30 days of orientation and annually thereafter.
  2. BRC should establish sufficient procedures to monitor employee cybersecurity awareness training throughout the training cycle and establish management controls to ensure that it detects issues of noncompliance.

Auditee’s Response

Bristol Community College acknowledges this audit finding and is appreciative of the effort and collaboration with the Office of [the State] Auditor on this process. Bristol has made significant progress on ensuring that new and existing employees are properly trained on best practices in the awareness of cybersecurity threats. The College has aligned all required employee training programs and communication is shared across all areas for annual training. Additionally, a focus has been placed on working with leadership throughout the college to ensure that employees understand the necessary nature of required training programs. In addition to Bristol’s training program, employees and students are enrolled in simulated phishing email messages to raise awareness and informational campaigns are routinely shared with the College community. From a technical perspective, robust tools are available to the College with third-party vendors providing continuous support for potential threats. We agree with the recommendations suggested.

Auditor’s Reply

Based on its response, BRC is taking measures to address our concerns regarding this matter. As part of our post-audit review process, we will follow up on this matter in approximately six months.

[10] Please note that the testing samples discussed in this finding are separate from the ones used in our data reliability assessment for cybersecurity awareness training.

Date published: March 26, 2025
