Overview
For DTA employees who had access to the Electronic Payment Process Internal Control (EPPIC) and BEACON systems, DTA did not consistently retain copies of its employees’ Criminal Offender Record Information (CORI) background checks upon hire and did not consistently require employees to complete cybersecurity awareness training annually as required by its Information System Security Plan.
During our audit, DTA could not provide copies of CORI background checks for 4 of the 60 BEACON users in our sample. We projected the test results from our random, statistical sample of 60 active BEACON users to the total population, and we are 95% confident that DTA would not be able to provide evidence of CORI background checks for at least 36 users who had access to the BEACON system during the audit period. Additionally, DTA did not ensure that all employees with access to the BEACON system completed cybersecurity awareness training annually.
In addition, DTA could not provide copies of CORI background checks for 2 of the 25 EPPIC users tested in our sample. Also, 1 of the 25 EPPIC users in our sample did not complete annual cybersecurity awareness training during the audit period.
If DTA does not ensure that it conducts CORI background checks, and that its employees complete cybersecurity awareness training before they are granted access to DTA systems, then there is a higher-than-acceptable risk of unauthorized access to program participants’ personally identifiable information (PII), and DTA cannot ensure the security of all participants’ information. Recipients entrust DTA with their personal information in order to access their benefits, and a breach would be a violation of that trust. Misuse of PII can have severe long-term consequences not only for program participants but also for DTA and the Commonwealth of Massachusetts. A breach of PII could expose the government to regulatory fines and costly litigation.
Authoritative Guidance
According to DTA’s Information System Security Plan,
PERSONNEL SCREENING
101 CMR 15.00 is a policy and procedure for the Executive Office of Health and Human Services (EOHHS), its agencies, and vendor programs regarding the review of criminal records of candidates for employment. This EOHHS Policy requires that an individual’s background, including any Criminal Offender Record Information (CORI) and other relevant information, be carefully considered so that the vulnerable populations served by EOHHS and its agencies are protected. This policy requires that a criminal background check should only occur, and its results considered, in those instances where a current or prospective employee shall have been deemed otherwise qualified and the content of a criminal record is relevant to the duties and qualifications of the position. DTA has determined that all employees and contractors hired to work on the BEACON system must comply with this regulation. . . .
ACCESS AGREEMENTS
All individuals with access to BEACON must sign that they have read, understand, and agree to comply with the Acceptable Use Policy, Cyber Security Awareness and EOHHS Data Protection Policy and Procedures at time of hire and yearly thereafter.
Additionally, 101 CMR Section 15.01 states that it is to “Establish a core standardized policy and procedure for the Executive Office of Health and Human Services (EOHHS), its agencies, and vendor programs regarding the review of criminal records of candidates for employment.”
The Executive Office of Technology Services and Security’s Information Security Risk Management Standard IS.010, which was in effect during the audit period, stated,
6.2.4 Annual Security Awareness Training: All personnel are required to complete Annual Security Awareness Training.
According to 803 CMR 2.14(4),
CORI and/or CORI Acknowledgment Forms shall not be retained for longer than seven years from whichever of the following occurs later:
(a) The subject’s last date of employment or volunteer service for which the CORI request was made; or
(b) The date of the final decision regarding the employment or volunteer opportunity or licensing decision of the requestor regarding the subject.
Reasons for Issue
DTA officials told us that the Executive Office of Health and Human Services (EOHHS) and the Human Resources Division are responsible for DTA’s hiring process. EOHHS notifies DTA whether an employee can be hired based on the results of their CORI background checks. As a result, DTA does not have direct access to employees’ CORI background check information. DTA officials also stated they were not aware that CORI background checks should be retained for seven years from the last date of employment.
DTA does not have monitoring controls to ensure that all employees complete cybersecurity awareness training annually.
Recommendations
- DTA should coordinate with EOHHS and the Human Resources Division to maintain copies of each employee’s CORI background check documentation in DTA employee files for seven years from the last date of employment or the date of the final decision regarding employment.
- DTA should regularly review and maintain employee files to ensure that required documents, such as CORI background checks, are retained.
- DTA should implement monitoring controls to ensure that its employees complete cybersecurity awareness training at least annually.
- DTA should suspend user access if an employee does not complete their cybersecurity awareness training by a required deadline.
Auditee’s Response
DTA agrees with [the Office of the State Auditor’s (OSA’s)] first and second recommendations that it should collaborate with its Secretariat, the Executive Office of Health and Human Services (EOHHS) and the Commonwealth’s Human Resources Division (HRD) to ensure that completed CORI background checks for DTA employees are maintained in compliance with applicable regulations, DTA’s Information System Security Plan, and all relevant access agreements, as well as to ensure requisite documents are retained. While DTA acknowledges the OSA’s finding that it could not provide copies of CORI background checks for a total of 6 out of 85 users sampled, for the reasons stated below DTA disagrees with the OSA’s extrapolated finding that DTA would be unable to provide evidence of a CORI background check for at least 36 BEACON users during the audit period.
By way of background, and for clarification regarding the “Reasons for Issue” section of the OSA’s draft report, DTA works closely with EOHHS when it hires new employees. DTA, not EOHHS or HRD, is responsible for the hiring of its employees. DTA agrees with the OSA that it is critical that clients can trust DTA with their personal information, and a data breach could have consequences for the agency and the Commonwealth. As a result, DTA considers that its employees will have access to sensitive and confidential client information when it hires new employees. Therefore, DTA completes a resume review, a reference check, and, perhaps most importantly, a CORI background check before DTA extends an offer of employment.
Before 2022, DTA conducted and maintained CORI checks on its prospective employees. DTA stored and maintained these files in compliance with all applicable regulations and record retention policies. All six of the BEACON and EPPIC users identified in OSA’s sample for which DTA could not produce CORI records were hired at least 9 years ago. . . . During the time of the audit, DTA was moving its offices, and all associated files, from 600 Washington Street to the John W. McCormack building at 1 Ashburton Place in Boston. DTA suggests that this may have contributed to its inability to locate some of the files in the OSA’s sample. In addition, DTA notes that the fact it was unable to provide documentation that a CORI background check was conducted is not evidence that the background check did not occur.
Since 2022, EOHHS has conducted the required CORI background checks for DTA new hires. EOHHS maintains files for all DTA CORIs in a secure online environment in accordance with all relevant regulations and records retention policies. DTA believes that the process in place for the last 4 years with EOHHS constitutes an improved, centralized control for maintaining CORI background check documentation, which addresses the OSA’s concerns in its recommendations.
DTA agrees with OSA’s third and fourth recommendations. As already stated, DTA understands that it is critical for its employees to understand the importance of securely maintaining clients’ Personally Identifiable Information (PII). To that end, since the beginning of the audit period, DTA, in partnership with the Executive Office of Technology Services and Security (EOTSS), EOHHS, and HRD, has put robust monitoring controls in place to ensure that all DTA employees complete cybersecurity awareness training annually, and to ensure that user access is suspended if an employee fails to timely complete their cybersecurity awareness training.
Since the start of the audit period, EOTSS and EOHHS have developed and implemented additional procedures and controls to ensure compliance with annual cybersecurity awareness training requirements. Cybersecurity awareness training is offered through the Commonwealth’s Learning Management System, MassAchieve. HRD provides the initial communications about the training availability and due date, followed by periodic email reminders to all employees regarding requisite training. In addition, EOHHS Human Resources has developed and implemented a robust system of controls, including regular emails to agency management containing status updates on agency training progress, as well as weekly emails as the deadline approaches with lists of employees and training completion status. EOHHS Human Resources further promotes completion of the training by alerting staff to the consequences of non-compliance. EOHHS Human Resources also notifies agency management about any employees who are non-compliant with the deadline, along with instructions about next steps. When DTA managers are informed of staff who have not completed the training, they too follow up with their supervisees. For any employees who are non-compliant, beginning with the 2022 mandatory cybersecurity training period, EOTSS has implemented a control that shuts down the network access of any employees who have not completed the annual training requirement by the requisite deadline. Access can only be restored once the employee completes the training.
Auditor’s Reply
We acknowledge DTA’s response and its agreement with our recommendations to enhance controls over CORI background check documentation and to ensure compliance with cybersecurity training requirements.
DTA states in its response that these employees were hired many years ago, and that the relocation of its office led to the missing documentation. While we recognize these factors, we emphasize that agencies are required to retain CORI background check records in accordance with applicable regulations and records retention schedules, regardless of how long ago employees were hired or of changes in office location. DTA was unable to produce these documents, hindering our ability to confirm that these CORI background checks were conducted. Our projection of the results of our sample to the population is consistent with standard audit methodology.
We commend DTA for transitioning in 2022 to a system where EOHHS conducts and maintains CORI background checks for new hires. Although this centralized approach appears to improve controls, it does not change our audit finding that CORI background check documentation was not consistently retained for some users during the audit period.
Regarding cybersecurity awareness training, we acknowledge DTA’s agreement with the finding and recommendations. The additional controls implemented by the Executive Office of Technology Services and Security, EOHHS, and the Human Resources Division appear to address the deficiencies identified in the audit.
Based on its response, DTA is taking measures to address our concerns in this area. We will review progress on this matter as part of our post-audit review process in approximately six months.
| Date published: | January 30, 2026 |
|---|---|