Offered by the Office of the State Auditor

DCR Did Not Ensure That All Employees Completed Required Annual Cybersecurity Awareness Training During the Audit Period.

Without cybersecurity awareness training for employees, DCR could face a higher risk of cybersecurity attacks and financial and/or reputational losses.


Overview

In our review of 10 of the 81 training records belonging to 10 active DCR users of the Massachusetts Management Accounting and Reporting System during the audit period, we found that 7 of the 10 users did not receive annual cybersecurity awareness training. Of the 3 of these 10 users who were hired during the audit period, 2 did not receive cybersecurity awareness training upon hire.

If employees do not receive cybersecurity awareness training, DCR could face a higher risk of cybersecurity attacks and financial and/or reputational losses.

Authoritative Guidance

The Executive Office of Technology Services and Security’s (EOTSS’s) Information Security Risk Management Standard IS.010, effective October 15, 2018, states,

6.2.3     New Hire Security Awareness Training: All new personnel must complete an Initial Security Awareness Training course. . . . The New Hire Security Awareness course must be completed within 30 days of new hire orientation.

6.2.4     Annual Security Awareness Training: All personnel will be required to complete Annual Security Awareness Training.

Reasons for Noncompliance

DCR officials told us that it was DCR’s understanding that EOTSS required DCR employees to complete cybersecurity training every two years. Regarding new hires, DCR personnel stated that DCR’s training was handled at the secretariat level: the Commonwealth’s Human Resources Division informs the Executive Office of Energy and Environmental Affairs’ Human Resources Office, which oversees DCR’s training, of the EOTSS training programs (including cybersecurity awareness training) required for each employee. DCR does not have its own human resources department or its own policies and procedures to ensure that all employees complete initial and annual cybersecurity awareness training.

Recommendations

  1. DCR should stay informed about all requirements of EOTSS’s Information Security Risk Management Standard IS.010.
  2. DCR should document and implement policies and procedures that require all employees to complete initial and annual cybersecurity awareness training. The policies and procedures should include internal controls to monitor and document completion of the training.

Auditee’s Response

DCR uses centralized systems offered to comply with required employee training. During the audit period, DCR complied with [the state Human Resources Division, or HRD] and EOTSS annual training through [the Performance and Career Enhancement system] and other independent EOTSS cybersecurity providers, which did not make information on employee completion of training readily available to managers. As a result, managers may not have timely verified whether all team members completed their required training during the audit period.

DCR now has new tools and controls to ensure that all employees complete required training, including cybersecurity training. DCR follows EOTSS annual training requirements on cybersecurity provided through MassAchieve, the new training module provided by HRD. In the event that an employee does not comply with cybersecurity training, their access to computers and department and state systems is terminated until they complete the training. This termination will take effect 10/15/2022 for any who have not completed training that was due 8/31/2022.

Auditor’s Reply

Based on its response, DCR has taken measures to address our concerns on this matter.

Date published: November 3, 2022
