This page, EOEA Did Not Always Ensure That Its Employees Who Had Access to COVID 19 Funds Completed Cybersecurity Awareness Training, is offered by the Office of the State Auditor.

EOEA Did Not Always Ensure That Its Employees Who Had Access to COVID 19 Funds Completed Cybersecurity Awareness Training.

If EOEA does not ensure that its employees complete cybersecurity awareness training, it is exposed to a higher risk of cyberattacks and financial and/or reputation losses.

Overview

EOEA was unable to provide evidence that two of its seven employees who had access to COVID-19 funds completed annual cybersecurity awareness training for 2020, and it was unable to provide evidence that four out of seven employees completed annual cybersecurity awareness training for 2021. If EOEA does not ensure that its employees complete cybersecurity awareness training, it is exposed to a higher risk of cyberattacks and financial and/or reputation losses.

Authoritative Guidance

Section 6.2.4 of the Executive Office of Technology Services and Security’s Information Security Risk Management Standard IS.010, which went into effect October 15, 2018, states, “All personnel will be required to complete Annual Security Awareness Training.”

Reasons for Issue

EOEA stated that it encountered obstacles when retrieving certificates of completion of cybersecurity awareness training associated with transitioning to a different cybersecurity awareness training provider.

Recommendation

EOEA should develop and implement policies, procedures, and controls to ensure that its employees with access to COVID-19 funds complete EOTSS-compliant cybersecurity awareness training.

Auditee’s Response

Documentation of cybersecurity awareness training has migrated from PACE to MassAchieve. EOEA will assess the MassAchieve reporting capability and establish a process to track and monitor cybersecurity awareness training, determine an appropriate means by which to ensure such training is complete, and incorporate the resulting process into its policies and procedures to ensure compliance.

Auditor’s Reply

Based on its response, EOEA is taking measures to address our concerns on this matter.

Date published: April 25, 2023
