DCAMM Did Not Retain Employees’ Cybersecurity Awareness Training Certificates.

During the audit period, there were 424 active DCAMM employees with Commonwealth-provided email addresses. There were no cybersecurity awareness training certificates in any employee’s personnel file to show that the employee had completed either initial or annual training for 2019. For calendar year 2020, from the sample of 40 employees tested, 1 employee’s personnel file lacked a security awareness training certificate to show that the employee had completed annual training.

Insufficient cybersecurity awareness training may lead to user error and compromise the integrity and security of protected information in LCPTracker and Business to Government Now.

Section 6.2 of the Executive Office of Technology Services and Security’s Information Security Risk Management Standard IS.010, effective October 15, 2018, requires the following:

6.2.3     New Hire Security Awareness Training: All new personnel must complete an Initial Security Awareness Training course. . . .

6.2.4     Annual Security Awareness Training: All personnel will be required to complete Annual Security Awareness Training.

Section 6 of Executive Order 504, which was effective January 1, 2009 through October 25, 2019, states,

All agency heads, managers, supervisors, and employees (including contract employees) shall attend mandatory information security training within one year of the effective date of this Order. For future employees, such training shall be part of the standardized orientation provided at the time they commence work. Such training shall include, without limitation, guidance to employees regarding how to identify, maintain and safeguard records and data that contain personal information.

DCAMM did not have a formal process in place to ensure that cybersecurity awareness training certificates were collected and retained in each employee’s personnel file.

1. DCAMM should keep cybersecurity awareness training certificates in employee personnel files.
2. DCAMM should develop a formal process to ensure that cybersecurity awareness training certificates are collected and retained in all personnel files.

DCAMM has implemented both of the recommendations of the [Office of the State Auditor]. Since the Audit Period, DCAMM has created a dedicated role of Director of Training and Operations within the DCAMM Human Resources Department. The Director of Training and Operations is responsible, and has created a system, for collection and retention of cybersecurity awareness training certificates in each employee’s personnel file. The Director of Training and Operations also coordinates with [the Executive Office of Technology Services and Security] regarding upcoming trainings, sends agency communications and reminders, monitors training deadlines and completions, reports non-compliance if/when necessary.

Based on its response, DCAMM is taking measures to address our concerns on this matter.