Cape and Islands District Attorney’s Office - Finding 3

The Cape and Islands District Attorney’s Office should ensure that all employees complete cybersecurity awareness training when hired and annually thereafter.

Overview

CIDAO should have provided annual cybersecurity awareness training to all its employees during the audit period. Additionally, the agency did not have sufficient policies to require that this training be administered to its active employees.

We found that 61 out of 75 CIDAO employees did not complete the required annual training for fiscal year 2023, and 65 out of 80 CIDAO employees did not complete the required annual training for fiscal year 2024.

We also found that 21 out of 22 CIDAO employees who were hired during the audit period did not complete training within the required 30 days of new hire orientation.

Without educating its employees on their responsibility to protect the security of information assets, CIDAO exposes itself to a higher risk of cybersecurity attacks and financial and/or reputational losses.

Authoritative Guidance

Section 6.2 of EOTSS’s Information Security Risk Management Standard IS.010 states,

6.2.3   New Hire Security Awareness Training: All new personnel must complete an Initial Security Awareness Training course. This course will be conducted via web-based learning or in-class training and will be included in the new hire orientation checklist. The New Hire Security Awareness course must be completed within 30 days of new hire orientation.

6.2.4   Annual Security Awareness Training: All personnel are required to complete Annual Security Awareness Training. Once implemented, automatic email reminders will be sent to personnel 12 months after course completion, alerting personnel to annual refresher training completion deadlines.

Although CIDAO is not required to follow these standards because it is not an executive branch agency, we consider them best practices.

Reasons for Issue

CIDAO management told us in an interview that CIDAO was not aware of the EOTSS training standards. Additionally, CIDAO management stated that the current administration had no knowledge of the prior administration’s policies regarding cybersecurity awareness training because the outgoing administration denied the incoming administration’s request to hold transition meetings.

Recommendations

  1. CIDAO should ensure that all employees complete annual cybersecurity awareness training and that all newly hired employees complete initial training within the first 30 days of their new hire orientation.
  2. CIDAO should design and implement policies and procedures to ensure that its employees complete cybersecurity awareness training. Additionally, CIDAO should retain copies of cybersecurity awareness training certificates as evidence that its employees completed the training.

Auditee’s Response

Several months after taking office, the Cape and Islands District Attorney’s Office leadership team became aware that there was no compliance with cybersecurity under the previous administration. Aware of our obligation and the importance of cybersecurity, the Cape and Islands District Attorney’s Office first worked to staff the [information technology] department, as identified above, and then began the process of identifying the requirements and implementation of Cybersecurity training for our staff, which have since been completed.

Auditor’s Reply

CIDAO appears to be taking steps to address the issues raised in this finding. As part of our post-audit review process, we will follow up on this matter in approximately six months.

Date published: November 25, 2025
