Offered by: Office of the State Auditor

Commonwealth Corporation Did Not Ensure That Its Employees Completed Cybersecurity Awareness Training

Overview

CommCorp did not ensure that its employees completed cybersecurity awareness training. While CommCorp officials told us that they provided newly hired employees with a verbal overview of CommCorp’s information technology policies during orientation, CommCorp did not test these newly hired employees on their understanding of these policies. Further, CommCorp was unable to provide evidence that it provided annual cybersecurity awareness training to its employees in either calendar year 2021 or 2022.

If CommCorp does not ensure that its employees complete cybersecurity awareness training, then it exposes itself to a higher-than-acceptable risk of cybersecurity attacks and financial and/or reputational losses.

Authoritative Guidance

Section 8 of the “Commonwealth Corporation Information Security Policy” states,

CommCorp shall ensure that employees understand their security responsibilities and have the requisite skills and knowledge to ensure the effective execution of the roles they are assigned to reduce the risk of unauthorized access, use or modification of Information Assets, including:

Mandatory Security Training

  1. Semi-Annual training will be provided to all new hires; and
  2. Annual training will be provided to all staff.

Section 6.2 of the Executive Office of Technology Services and Security’s (EOTSS’s) Information Security Risk Management Standard IS.010 states,

6.2.1 Implement an enterprise-wide information security awareness and training program. . . .

  6.2.1.3 The training shall: . . .

    6.2.1.3.4 Test each individual’s understanding of all policies and of his or her role in maintaining the highest ethical standards. . . .

6.2.3     New Hire Security Awareness Training: All new personnel must complete an Initial Security Awareness Training course. . . . The New Hire Security Awareness course must be completed within 30 days of new hire orientation.

6.2.4     Annual Security Awareness Training: All personnel will be required to complete Annual Security Awareness Training.

Although CommCorp is not required to follow this standard because it is not an executive branch agency, EOTSS recommends that non-executive branch agencies follow it, and we consider doing so a best practice.

Reasons for Noncompliance

CommCorp did not have monitoring controls to ensure that all employees complete cybersecurity awareness training.

Beginning in 2021, CommCorp implemented an annual mandatory cybersecurity awareness training program for its employees. However, CommCorp officials told us that CommCorp encountered obstacles when retrieving certificates of completion of cybersecurity awareness training because of employee turnover.

CommCorp officials told us that, because they began transitioning to a different cybersecurity awareness training provider in 2022, they did not have established courses with the new provider.

Recommendations

  1. CommCorp should develop, document, and implement monitoring controls to ensure that its employees complete cybersecurity awareness training within 30 days of their orientation and annually thereafter. The cybersecurity awareness training should include a test of each individual’s understanding of all policies and their role in maintaining the security of CommCorp’s information technology systems.
  2. CommCorp should maintain a record of completion of cybersecurity awareness training for each employee.
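The monitoring control in recommendation 1 is a simple reconciliation: compare the employee roster against the completion records and flag anyone past the 30-day new-hire window or more than a year past their last completion. The Python below is an added illustration written for this page, not CommCorp's or EOTSS's own tooling. The roster, completion records, certificate file references and the check date are constructed sample data; the 365-day rolling cycle for "annually" is an assumption, since the policy does not define the cycle. It also reports completion certificates that match no roster entry, which is the kind of turnover-related gap the audit describes.

```python
"""Illustrative training-completion monitoring check (example code, not CommCorp's system)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# 30-day new-hire window comes from EOTSS IS.010 6.2.3; the 365-day rolling
# annual refresh is an assumption, since the policy text only says "annually".
NEW_HIRE_WINDOW = timedelta(days=30)
ANNUAL_INTERVAL = timedelta(days=365)


@dataclass(frozen=True)
class Employee:
    employee_id: str
    orientation_date: date
    separation_date: Optional[date] = None  # set once the person has left


@dataclass(frozen=True)
class Completion:
    employee_id: str
    completed_on: date
    certificate_ref: str  # filing reference for the certificate of completion


def training_status(emp: Employee, completions: list[Completion], as_of: date) -> str:
    """Classify one employee against the new-hire and annual requirements."""
    if emp.separation_date is not None and emp.separation_date <= as_of:
        return "separated"  # out of scope for the check; certificates stay on file
    # Only completions during this employment, up to the check date, count.
    dates = sorted(
        c.completed_on
        for c in completions
        if c.employee_id == emp.employee_id
        and emp.orientation_date <= c.completed_on <= as_of
    )
    if not dates:
        if as_of - emp.orientation_date <= NEW_HIRE_WINDOW:
            return "new-hire-pending"  # still inside the 30-day window
        return "new-hire-overdue"
    if as_of - dates[-1] <= ANNUAL_INTERVAL:
        return "compliant"
    return "annual-overdue"


def compliance_report(roster: list[Employee], completions: list[Completion], as_of: date) -> dict:
    """Per-employee status plus the two lists a reviewer acts on."""
    known = {e.employee_id for e in roster}
    statuses = {e.employee_id: training_status(e, completions, as_of) for e in roster}
    action_required = sorted(i for i, s in statuses.items() if s.endswith("overdue"))
    # Certificates with no matching roster entry: typically records left behind
    # by turnover that were never reconciled, the gap the audit describes.
    orphan_records = sorted({c.employee_id for c in completions} - known)
    return {
        "statuses": statuses,
        "action_required": action_required,
        "orphan_records": orphan_records,
    }


# Constructed sample data (hypothetical employee IDs, dates and file references).
AS_OF = date(2023, 12, 31)
ROSTER = [
    Employee("E001", date(2021, 3, 1)),
    Employee("E002", date(2022, 6, 1)),
    Employee("E003", date(2023, 12, 15)),
    Employee("E004", date(2023, 10, 1)),
    Employee("E005", date(2020, 1, 6), separation_date=date(2023, 5, 31)),
]
COMPLETIONS = [
    Completion("E001", date(2021, 3, 15), "cert/2021/E001.pdf"),
    Completion("E001", date(2022, 3, 10), "cert/2022/E001.pdf"),
    Completion("E001", date(2023, 3, 5), "cert/2023/E001.pdf"),
    Completion("E002", date(2022, 5, 20), "cert/2022/E002-prior.pdf"),  # before orientation: ignored
    Completion("E002", date(2022, 6, 20), "cert/2022/E002.pdf"),
    Completion("E005", date(2021, 4, 1), "cert/2021/E005.pdf"),
    Completion("E999", date(2022, 2, 2), "cert/2022/E999.pdf"),  # no roster entry
]


if __name__ == "__main__":
    report = compliance_report(ROSTER, COMPLETIONS, AS_OF)
    for emp_id, status in report["statuses"].items():
        print(f"{emp_id}: {status}")
    print("action required:", report["action_required"])
    print("unreconciled certificates:", report["orphan_records"])
```

Run on the sample data, the report marks E002 (last completion in June 2022) and E004 (hired in October 2023, nothing on file) as needing action, leaves E003 as pending inside the 30-day window, skips the separated E005, and surfaces E999 as a certificate with no roster entry. Running this against the HR roster and the training platform's export on a schedule, and keeping the output, is the documented monitoring control and completion record the recommendations call for.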

Auditee’s Response

Commonwealth Corporation has implemented mandatory comprehensive cybersecurity training. In August of 2022, CommCorp transitioned to using the LinkedIn Learning platform for its information technology and cybersecurity training. As part of CommCorp’s commitment to maintaining a secure environment, all employees, [temporary workers], interns, and contractors must complete mandatory cybersecurity training during onboarding and annually thereafter. This is consistent with the best practices recommended above.

Employees must provide a certificate of completion to CommCorp’s [information technology] department at the end of the training as proof of completion; such certificates are kept on file. CommCorp also can track and pull progress reports on training assignments for individual employees, contractors, etc. The monitoring tools help ensure compliance with cybersecurity training requirements and provide valuable insights into CommCorp’s security awareness efforts. The comprehensive training curriculum includes assessments of each employee so that additional and individualized follow up can be scheduled if needed.

Commonwealth Corporation recognizes the importance of cybersecurity and remains dedicated to ensuring security awareness, risk mitigation, and accountability among employees.

Auditor’s Reply

Based on its response, CommCorp has taken measures to address our concerns on this matter.

Date published: July 9, 2024
