Offered by: Office of the State Auditor

DDS Did Not Ensure That Its Employees Always Received Security Awareness Training.

Insufficient security awareness training may lead to user error and compromise the integrity and security of protected information in HCSIS.


Overview

DDS did not offer security awareness training to its employees for 2019, document completion of security awareness training for some employees, or ensure that new users who were granted access to HCSIS completed their security awareness training on time. To test information security controls, we randomly selected a nonstatistical sample of 25 DDS employees with access to HCSIS and found that 24 (96%) had not completed annual security awareness training for 2019. We also requested information for 25 new users granted access to HCSIS during the audit period. Six (24%) of these users had no record of security awareness training in their personnel files, and 11 completed their security awareness training after the 30 calendar days allowed. Insufficient security awareness training may lead to user error and compromise the integrity and security of protected information in HCSIS.

Authoritative Guidance

Section 6.2.4 of the Executive Office of Technology Services and Security’s “Information Security Risk Management Standard,” which was put into effect October 18, 2018, states, “All personnel will be required to complete Annual Security Awareness Training.”

Section 6 of Executive Order 504, which was effective from January 1, 2009 through October 25, 2019, states,

All agency heads, managers, supervisors, and employees (including contract employees) shall attend mandatory information security training within one year of the effective date of this Order. For future employees, such training shall be part of the standardized orientation provided at the time they commence work. Such training shall include, without limitation, guidance to employees regarding how to identify, maintain and safeguard records and data that contain personal information.

Reasons for Noncompliance

DDS did not have a formal process in place to ensure that annual security awareness training was provided to each employee, nor did it have effective monitoring controls to ensure that new HCSIS users completed security awareness training on time.

Recommendations

  1. DDS should offer security awareness training each year.
  2. DDS should develop a formal process to ensure that security awareness training is completed on time.

Auditee’s Response

[DDS] prioritizes the security of sensitive information contained in the HCSIS system and has established internal administrative safeguards for staff who are approved for HCSIS system access. In addition, the Commonwealth’s IT leadership requires annual cybersecurity awareness training for all state employees. DDS will coordinate with the Commonwealth’s IT leadership at the Executive Office of Health and Human Services and the Executive Office of Technology Services and Security to ensure that security awareness training is issued on an annual basis and that [DDS] staff complete these trainings on an annual basis.

Auditor’s Reply

Based on its response, DDS is taking measures to address our concerns in this area.

Date published: June 29, 2021
