Department of Children and Families - Finding 4

The Department of Children and Families Did Not Ensure That All Employees With Access to COVID-19 Funds Received Annual Refresher Cybersecurity Awareness Training.

Overview

DCF was unable to provide evidence that 2 of its 10 employees who had access to COVID-19 funding completed annual refresher cybersecurity awareness training for fiscal year 2020. Additionally, DCF was unable to provide evidence that 1 out of 10 employees with access to COVID-19 funds completed annual refresher cybersecurity awareness training for fiscal year 2021.

If DCF does not ensure that all its employees complete cybersecurity awareness training, then it is exposed to a higher-than-acceptable risk of cyberattacks and financial and/or reputational losses.

Authoritative Guidance

Section 6.2.4 of the Executive Office of Technology Services and Security’s Information Security Risk Management Standard IS.010, which went into effect October 15, 2018, states, “All personnel will be required to complete Annual Security Awareness Training.”

Reasons for Issues

DCF stated that it encountered obstacles when retrieving certificates of completion of cybersecurity awareness training associated with transitioning to a different cybersecurity awareness training provider.

Recommendation

DCF should develop and implement policies, procedures, and controls to ensure that all its employees complete cybersecurity awareness training.

Auditee’s Response

Since the audit review period, the Department and the Executive Office of Technology Services and Security (EOTSS) have developed and implemented additional procedures and controls to ensure compliance with annual refresher cybersecurity awareness training requirements. The trainings are offered through the Commonwealth’s Learning Management System, MassAchieve. From the data in MassAchieve, DCF’s Office of Management Planning and Analysis has developed and distributes monthly management reports which provide the status of individual employees’ completion of cybersecurity awareness training prior to the established training deadline. Managers use these reports to follow up with employees and ensure they complete the annual refresher training by the requisite deadline. In addition, the Department’s Deputy Commissioner for Administration and Finance monthly reports out the status of the agency’s compliance with completing the annual refresher cybersecurity awareness training to the agency’s leadership at the monthly Statewide Managers Meeting. Lastly, EOTSS has implemented a control which shuts down network access of employees who have not completed the annual refresher cybersecurity awareness training by the requisite deadline. Access can only be restored once the employee completes the training.

Auditor’s Reply

We commend DCF for implementing stronger monitoring controls to ensure that all employees complete cybersecurity awareness training and believe DCF is taking steps to address this issue.

Date published: November 7, 2024