Overview
EDAO should ensure that all of its employees complete cybersecurity awareness training.
We found that 10 out of 35 (29%) EDAO employees in our sample did not complete all of the required bimonthly cybersecurity awareness training.
Additionally, we found that of the 1,599 training records we reviewed, 235 (15%) were completed after the five-week deadline. As a result, we determined that EDAO was not in compliance with its internal cybersecurity awareness training policy.
We also found that 10 out of 20 (50%) EDAO employees in our sample who were hired during the audit period did not complete cybersecurity training within 30 days of new hire orientation. Seven of these 10 newly hired employees completed the training after the 30-day deadline, and the remaining three newly hired employees did not complete the training at all.
If EDAO does not ensure that all of its employees complete cybersecurity awareness training, then EDAO exposes itself to an increased risk of cybersecurity attacks and financial and/or reputational losses.
Authoritative Guidance
According to the training schedule outlined in EDAO’s “Security Awareness Training” policy, “Six trainings are scheduled throughout each calendar year. . . . generated in February, April, June, August, October, December. [In this policy, April and December are bolded to indicate that those sessions are longer than the others.] Trainings must be completed within 5 weeks of enrollment.”
According to Section 6.2.3 of the Executive Office of Technology Services and Security’s Information Security Risk Standard IS.010, “New Hire Security Awareness Training: All new personnel must complete an Initial Security Awareness Training course. . . . The New Hire Security Awareness course must be completed within 30 days of new hire orientation.”
Reasons for Issue
EDAO did not have effective monitoring controls in place to ensure that all of its employees completed the required initial and bimonthly cybersecurity awareness trainings.
Recommendation
EDAO should implement effective monitoring controls to ensure that all employees complete agency-required bimonthly cybersecurity awareness training and that newly hired employees complete initial training within the first 30 days of their new hire orientation.
Auditee’s Response
The EDAO is committed to ensuring all employees receive proper cybersecurity training. The EDAO’s “Security Training and Awareness” policy requires all employees to complete bimonthly cybersecurity awareness training. We acknowledge that some employees in your sample did not complete the required training within the 30-day new hire period or the bimonthly schedule. The Executive Office of Technology Services and Security (EOTSS) Information Security Risk Management Standard IS.010 recommends new employees complete this training within 30 days of their orientation. The EDAO’s policy does not specify a timeframe for initial training. All new personnel are required to complete an initial Security Awareness Training, and while a number of employees completed it outside the 30-day period, all required trainings were eventually completed.
We recognize that our monitoring controls were not as effective as they should have been. To address this, we will implement more rigorous monitoring to ensure all new employees complete their initial training within the first 30 days of their new hire orientation, and that all existing employees complete the required bimonthly trainings in a timely manner. We are dedicated to mitigating the risk of cybersecurity attacks and protecting sensitive information.
Auditor’s Reply
Based on its response, EDAO is taking measures to address our concerns regarding this matter. As part of our post-audit review process, we will follow up on this matter in approximately six months.
Date published: November 25, 2025