Overview
CCCC did not ensure that all employees (newly hired and existing employees) completed cybersecurity awareness training during the audit period. Regarding the initial cybersecurity awareness training for our sample of 35 newly hired employees, we found the following:
- Out of our sample of 35 newly hired employees, 20 (57%) were never enrolled in initial cybersecurity awareness training and, therefore, never completed the training.
- Out of our sample of 35 newly hired employees, 8 (23%) were enrolled in initial cybersecurity awareness training but never completed the training.
- Out of our sample of 35 newly hired employees, 1 (3%) completed initial cybersecurity awareness training 350 days late.
Regarding the annual refresher cybersecurity awareness training, from our sample of 40 existing employees, we found the following:
- For the 2021 annual refresher cybersecurity awareness training:
  - Out of our sample of 40 existing employees, 5 (13%) were never enrolled in the annual refresher cybersecurity awareness training and, therefore, never completed the training.
  - Out of our sample of 40 existing employees, 8 (20%) were enrolled in the annual refresher cybersecurity awareness training but did not complete the training.
- CCCC did not provide annual refresher cybersecurity awareness training to CCCC’s employees in calendar year 2022.
- For the 2023 annual refresher cybersecurity awareness training:
  - Out of our sample of 40 existing employees, 5 (13%) were never enrolled in the annual refresher cybersecurity awareness training and, therefore, never completed the training.
  - Out of our sample of 40 existing employees, 19 (48%) were enrolled in the annual refresher cybersecurity awareness training but did not complete the training.
If CCCC does not ensure that all of its employees complete cybersecurity awareness training, then CCCC exposes itself to an increased risk of cybersecurity attacks, and financial and/or reputational losses.
Authoritative Guidance
According to CCCC’s “Cyber / Information Security Awareness Training” policy,
All users of CCCC information resources will complete security awareness training with respect to CCCC information security policies and procedures upon hire and subsequently at least annually. Human Resources is responsible for notifying the Chief Information and Technology Officer (CITO) of a new hire immediately so that the workforce member can be trained in a timely manner. Employees will receive documentation of completion upon successfully finishing the training indicating that they understand the basis of cybersecurity and information protection. After the training has been conducted, CCCC will maintain such records, as it deems appropriate, to confirm that an employee or contractor received such training.
According to Section 6.2.3 of the Executive Office of Technology Services and Security’s Information Security Risk Standard IS.010,
6.2.3 New Hire Security Awareness Training: All new personnel must complete an Initial Security Awareness Training course . . . The New Hire Security Awareness course must be completed within 30 days of new hire orientation.
According to Section AT-3 of Revision 5 of the National Institute of Standards and Technology’s Special Publication 800-53,
ROLE-BASED TRAINING
Control:
a. Provide role-based security and privacy training to personnel with the following roles and responsibilities: . . .
1. Before authorizing access to the system, information, or performing assigned duties, and [at least annually] thereafter.
Reasons for Issue
CCCC did not have monitoring controls in place during the audit period to ensure that all of its employees were enrolled in and completed the required initial and annual refresher cybersecurity awareness trainings.
According to CCCC management, there was employee turnover in the chief information officer position during calendar year 2022. This position would have been responsible for providing cybersecurity awareness training to CCCC employees. As a result, CCCC did not offer cybersecurity awareness training in calendar year 2022.
Recommendation
CCCC should develop and implement monitoring controls to ensure that all employees are enrolled in and complete initial and annual refresher cybersecurity awareness training.
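As an added illustration of the monitoring control this recommendation calls for (example code, not CCCC’s or the auditor’s), the check below reconciles a constructed HR roster against a constructed training log and classifies each employee into the same categories the finding reports: never enrolled, enrolled but not completed, completed late, or compliant. The record layout, course names, and the year-end due date for the annual refresher are assumptions; the 30-day new-hire window follows IS.010 Section 6.2.3.

```python
from datetime import date, timedelta

# Constructed sample records (not CCCC data): HR roster keyed by employee id.
ROSTER = {
    "e1": {"hired": date(2023, 1, 9)},
    "e2": {"hired": date(2023, 2, 1)},
    "e3": {"hired": date(2023, 3, 6)},
    "e4": {"hired": date(2019, 8, 19)},
    "e5": {"hired": date(2019, 8, 19)},
    "e6": {"hired": date(2023, 4, 3)},   # new hire with no training record at all
}
# Constructed LMS log: (employee, course, enrolled_on, completed_on or None)
TRAINING_LOG = [
    ("e1", "initial", date(2023, 1, 10), date(2023, 1, 20)),
    ("e2", "initial", date(2023, 2, 2), None),                 # enrolled, never finished
    ("e3", "initial", date(2023, 3, 7), date(2024, 2, 20)),    # finished far past 30 days
    ("e4", "refresher-2023", date(2023, 9, 1), date(2023, 9, 15)),
    ("e5", "refresher-2023", date(2023, 9, 1), None),
]

INITIAL_WINDOW = timedelta(days=30)   # IS.010 6.2.3: within 30 days of new-hire orientation

def classify(emp, course, due_by, log):
    """Return never_enrolled, enrolled_not_completed, completed_late, or compliant."""
    rows = [r for r in log if r[0] == emp and r[1] == course]
    if not rows:
        return "never_enrolled"
    done = [r[3] for r in rows if r[3] is not None]
    if not done:
        return "enrolled_not_completed"
    return "compliant" if min(done) <= due_by else "completed_late"

def audit(roster, log, year):
    """Employees hired in `year` are checked against the 30-day initial course;
    everyone else against that year's refresher (assumed due by December 31)."""
    results = {}
    for emp, info in roster.items():
        if info["hired"].year == year:
            results[emp] = classify(emp, "initial", info["hired"] + INITIAL_WINDOW, log)
        else:
            results[emp] = classify(emp, f"refresher-{year}", date(year, 12, 31), log)
    return results

def summarize(results):
    """Count employees per status, the way the finding reports them."""
    counts = {}
    for status in results.values():
        counts[status] = counts.get(status, 0) + 1
    return counts
```

Run periodically (for example, monthly) against live HR and LMS exports, the non-compliant buckets become the follow-up list that the finding says was missing.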
Auditee’s Response
The College recognizes that during the audit period not all employees had completed cybersecurity awareness training, and the tracking of college-wide training completion has not always been complete. While the Community Colleges do not fall under the Executive Office of Technology Services and Security (EOTSS) and its requirements, the College acknowledges [EOTSS] models as best practices.
The College was the victim of a cyber security attack in 2018 that resulted in a significant loss of funds. However, through quick identification of the crime and follow-up with law enforcement and bank investigators, most of the funds were recovered. The College worked very closely with the US Attorney for the Southern District of New York in the prosecution and sentencing of three criminals involved in this crime. As a result, the College is hyper-focused on cyber security issues and becoming a standard bearer for excellence in this space both in technology and social engineering awareness training. Cape Cod Community College was the first Community College to introduce Multi-Factor Authentication to verify users. We were one of the first to introduce Managed Detection and Response (MDR), which is software that monitors and detects a potential cyber breach, along with Endpoint Detection and Response (EDR), which isolates and shuts down a computer under the suspicion of a breach.
Attackers do not always attack when staff are in the office. Often, these attacks happen in the middle of the night, so we have safeguards in place that protect our systems 24/7. The College uses [a software platform] as protection services for our hardware and [a member of a third-party company] as a Cyber Security officer. Both services are designed to protect the College in a manner that uses a modern security approach and verifies access requests, regardless of where they come from, to keep our systems and community safe. The College’s goal is protecting everyone through smart, adaptive safeguards.
It is noteworthy that the 2018 cybercrime occurred in a functional area of the College where all users had received cybersecurity training when the actual crime occurred. Noting the sophistication of the social engineering that was utilized, we recognize the continuing need for training our employees to become more familiar with developments in cybersecurity.
The College agrees that education of our employees is important, and we have provided training during Opening Day and Professional Day but have not recorded all the participants. The College has been running weekly Phishing-Email campaigns and “Scam of the week” messages using [third-party, web-based training program]. Also, in October 2024, the College initiated a cyber-training module to all full-time non-unit professional employees (managers) and recorded a 75% completion percentage.
The College’s new [chief information officer] will work closely with [human resources] to be sure we increase our percentages of training for new employees within the first 30 days by requiring that the training be completed onsite and give time for new employees to complete, like the Commonwealth does for required state ethics training. The College will link our [student records, accounting, and finance system] to our [third-party, web-based training program] . . . to be able to provide one comprehensive listing. The College has also hired a new Administrative Support personnel who works in both [information technology and human resources] to assist in this type of follow-up that previously was done by the department head.
Auditor’s Reply
Based on its response, CCCC is taking measures to address our concerns regarding this matter. As part of our post-audit review process, we will follow up on this matter in approximately six months.
Date published: July 1, 2025