Bristol County District Attorney’s Office - Finding 1

The Bristol County District Attorney’s Office Did Not Provide Cybersecurity Awareness Training to Its Employees.

Overview

The Bristol County District Attorney’s Office (BCDA) did not provide cybersecurity awareness training to its employees during the audit period.

If BCDA does not educate its employees on their responsibility to protect the security of information assets, then BCDA exposes itself to a higher-than-acceptable risk of cybersecurity attacks and financial and/or reputational losses.

Authoritative Guidance

The Executive Office of Technology Services and Security’s (EOTSS’s) Information Security Risk Management Standard IS.010 states,

6.2.3     New Hire Security Awareness Training: All new personnel must complete an Initial Security Awareness Training course. . . . The New Hire Security Awareness course must be completed within 30 days of new hire orientation.

6.2.4     Annual Security Awareness Training: All personnel will be required to complete Annual Security Awareness Training.

Although BCDA is not required to follow this standard, since it is not an executive branch agency, EOTSS still recommends that non-executive branch agencies follow these standards. We also consider it a best practice. According to the Office of the Comptroller of the Commonwealth’s website, EOTSS’s Enterprise Information Security Policies and Standards “are the default standard for non-Executive departments who have not adopted comparable cyber and data security standards as part of their Internal Control Plan.” BCDA’s internal control plans in effect during our audit period did not contain comparable cyber and data security standards.

Reasons for Noncompliance

BCDA did not have policies and procedures that require newly hired employees to complete cybersecurity awareness training within 30 days of their orientation or that require existing employees to receive annual refresher cybersecurity awareness training.

Recommendations

  1. BCDA should provide cybersecurity awareness training to its employees.
  2. BCDA should develop, document, and implement policies and procedures that require employees to complete cybersecurity awareness training within 30 days of their orientation and annually thereafter.

Auditee’s Response

The [BCDA] agrees that although EOTSS has established policies and procedures for cybersecurity awareness training, non-executive agencies (including the [BCDA]) are not required to follow or implement said policies and procedures.

The [BCDA], nonetheless, has implemented an online cybersecurity awareness training program for all staff beginning in June of 2023. The [BCDA] staff receive quarterly online cybersecurity awareness training, which exceeds the recommendation of EOTSS. All new [BCDA] hires receive an initial security awareness training within 30 days of hire.

Auditor’s Reply

Based on its response, BCDA has taken measures to address our concerns regarding this matter. As part of our post-audit review process, we will follow up on this matter in approximately six months.

Date published: September 30, 2024
