Holyoke Community College Did Not Ensure That Required Information Security Training Was Completed or Retain Copies of Signed Acceptable Use Policies.

Holyoke Community College (HCC) did not ensure that its system users received required information security training and did not retain copies of users’ signed acceptable use policies. Without educating all system users on their responsibility of helping protect the security of information assets by requiring training and formal user acknowledgment of acceptable use policies, HCC is exposed to a higher risk of cybersecurity attacks and financial and/or reputation losses.

HCC did not establish a program to ensure that users received information security training until October 2018, and after a program was established, HCC did not ensure that all users were trained under the program. We reviewed 60 Banner users to determine whether HCC administered an information security training program to individuals who had access to its systems when it implemented its security awareness training on October 11, 2018.

From our sample of 60 system users, 1 user was terminated before the training was rolled out, and 8 users (6 employees, 1 work-study student, and 1 contract employee) were not assigned training. Of the remaining 51 users, 6 completed the training within 60 days, as required by HCC, and 2 completed the training after the required date. The other 43 users were assigned training but did not complete it.

For the same sample of 60 users, HCC could produce only 35 (58%) of the required signed acceptable use policies.

Massachusetts Executive Order 504 (effective September 19, 2008 through October 25, 2019) states,

All agency heads, managers, supervisors, and employees (including contract employees) shall attend mandatory information security training within one year of the effective date of this Order.

In addition, the Executive Office of Technology Services and Security’s Information Security Risk Management Standard (IS.010), effective October 15, 2018, states,

6.2.3     New Hire Security Awareness Training: All new personnel must complete an Initial Security Awareness Training course. . . . The New Hire Security Awareness course must be completed within 30 days of new hire orientation. . . .

6.2.8     All new hires must sign the acceptable use policy.

The National Institute of Standards and Technology (NIST)³ Special Publication 800-53r4, Security and Privacy Controls for Federal Information Systems and Organizations, defines the controls to be implemented as a best practice to ensure the security of an entity’s information technology. These controls include the following:

AT-2     The organization provides basic security awareness training to information system users . . .

a. As part of initial training for new users. . . .

PS-6     [The organization ensures] that individuals requiring access to organizational information and information systems:

1.   Sign appropriate access agreements.

HCC told us that no information security training program was implemented until October 2018 because the administration struggled with determining which department (Human Resources or Information Technology) should be responsible for ensuring the training of system users. As cybersecurity issues became an escalating threat in 2018, HCC decided the Information Technology Department would manage information security training.

HCC also does not have an information security training policy that documents its requirements for monitoring the information security training program, including the collection of user-signed acceptable use policies. According to NIST Special Publication 800-53r4, this type of policy could address areas such as “purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.”

HCC officials also stated that members of the Massachusetts Community College Council union⁴ would not take training without additional compensation. The officials stated that the existing union contracts lacked specific language requiring the information security training and that HCC therefore could not require it.

1. HCC should develop, document, and disseminate to personnel an information security training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
2. HCC’s Information Technology Department should continuously monitor compliance with the policy to ensure successful completion of information security training for all system users.
3. HCC should have signed acceptable use policies on file for all system users.
4. HCC should negotiate collective bargaining agreements to include information security training requirements for all system users.

HCC’s [Information Technology] department did in fact administer an industry standard training program from [the SysAdmin, Audit, Network, and Security Institute], which is the same program that the state supplies to their users. We did not implement this training until 2018 because there were multiple positions in the [Information Technology] department that were in transition, and we also did not have an Information Security Officer in place.

Once we started implementing the training program, we were able to monitor the completions by running reports. We could not enforce the completion of the training because of union issues. We have since bargained with the [Massachusetts Community College Council] and [American Federation of State, County and Municipal Employees] unions to allow us to mandate the training. To better enforce the completion of the training, we will run reports and send lists to supervisors and deans so that they can assist in getting their staff to comply with the mandate and restrict access until completed.

We also have multiple reminders setup to alert users about the training:

1. An initial email goes out to all employees whether they are new, or are in need of taking the annual training, with a link to the training and a deadline to complete the training.
2. A reminder email goes out 15 days before the due date to remind users to complete the training. We are going to increase the number of reminders to 7 days, and 30 days.
3. Lastly, we have a notification that goes out 1 and 7 days after the training is overdue to alert users that they have not completed it.

Human Resources disseminates the Acceptable Use Policy to all new employees through their onboarding process. The users have to read and accept the policy by completing a task in the onboarding system, which is stored electronically. Access to Banner, [the Massachusetts Management Accounting and Reporting System], and [the state’s Human Resource Compensation Management System] will not be granted until completed. . . .

HCC will disseminate a policy and will ensure all users acknowledge receipt on an annual basis to continue to have access to enterprise systems. . . .

HCC runs reports monthly on completion of the training. We will enforce this completion by working with supervisors and deans in accordance with union contractual agreements. . . .

HCC will maintain an electronic record of users’ acknowledgment of the College’s Acceptable Use Policy. . . .

HCC successfully impact bargained the change with the unions and they have agreed to do security training.