This page, Fitchburg State University Was Unable To Provide Complete Documentation That Its Employees Responsible for the Management of COVID-19 Funds Completed Cybersecurity Awareness Training., is offered by the Office of the State Auditor

Fitchburg State University Was Unable To Provide Complete Documentation That Its Employees Responsible for the Management of COVID-19 Funds Completed Cybersecurity Awareness Training.

While there was evidence that FSU developed cybersecurity awareness training, there was incomplete documentation to confirm that seven out of eight employees (88%) from our sample who were required to complete training during the audit period completed such training.

Overview

Although Fitchburg State University (FSU) provided us some documentation, such as attendance sheets, to confirm that the employees responsible for handling COVID-19 funds completed cybersecurity awareness training, this documentation was incomplete. While there was evidence that FSU developed cybersecurity awareness training, there was incomplete documentation to confirm that seven out of eight employees (88%) from our sample who were required to complete training during the audit period completed such training.

If FSU does not retain documentation to confirm that its employees complete cybersecurity awareness training, it cannot ensure that employees complete this training, which may lead to user error and compromise the integrity and security of protected information in FSU’s information security systems.

Authoritative Guidance

According to the Executive Office of Technology Services and Security Information Security Risk Management Standard IS.010,

6.2.3 New Hire Security Awareness Training: All new personnel must complete an Initial Security Awareness Training course. . . . The New Hire Security Awareness course must be completed within 30 days of new hire orientation.

6.2.4 Annual Security Awareness Training: All personnel will be required to complete Annual Security Awareness Training.

Reasons for Issue

According to FSU officials, during the pandemic, cybersecurity awareness trainings were held virtually instead of in person, and an FSU Human Resources Department employee who attended the trainings recorded employee attendance on attendance sheets. FSU officials told us that they were unable to locate the attendance sheets for our sampled employees. FSU did not have monitoring controls to ensure that it retained attendance sheets for these trainings.

Recommendations

  1. FSU should retain attendance sheets to provide evidence that its employees completed cybersecurity awareness training.
  2. FSU should implement monitoring controls to ensure that it retains attendance sheets for its cybersecurity awareness training.

Auditee’s Response

We have addressed the noted finding related to the documentation of cyber security training and attendance tracking and have already implemented the necessary process to ensure compliance. KnowBe4 online Cyber Security Training software was put into effect in December 2022.

Auditor’s Reply

Based on its response, FSU is taking measures to address our concerns on this matter.

Date published: September 15, 2023
