Overview
We discovered during our data reliability assessment that the MBTA did not ensure that all its information system users completed cybersecurity awareness training. Specifically, for the MBTA’s payroll management system, 4 out of 10 randomly sampled newly hired MBTA employees did not complete new hire cybersecurity awareness training.
If the MBTA does not ensure that all its information system users complete cybersecurity awareness training, then the MBTA may expose itself to an increased risk of financial and/or reputational losses.
Authoritative Guidance
The National Institute of Standards and Technology’s Special Publication 800-53r5, Security and Privacy Controls for Information Systems and Organizations, states,
AT-2 LITERACY TRAINING AND AWARENESS . . .
a. Provide security and privacy literacy training to system users (including managers, senior executives, and contractors):
1. As part of initial training for new users and . . . [organization-defined frequency] thereafter.
The Executive Office of Technology Services and Security’s Information Security Risk Management Standard IS.010 states,
6.2.3 New Hire Security Awareness Training: All new personnel must complete an Initial Security Awareness Training course. This course will be conducted via web-based learning or in-class training and will be included in the new hire orientation checklist. The New Hire Security Awareness course must be completed within 30 days of new hire orientation.
6.2.4 Annual Security Awareness Training: All personnel are required to complete Annual Security Awareness Training. Once implemented, automatic email reminders will be sent to personnel 12 months after course completion, alerting personnel to annual refresher training completion deadlines.
Reasons for Issue
The MBTA did not provide a reason why the cybersecurity awareness training certificates for the sampled employees could not be provided to us.
Recommendation
The MBTA should ensure that all its information system users complete cybersecurity awareness training as part of initial training and on an annual basis.
Auditee’s Response
The MBTA has identified the four individuals for whom the MBTA was unable to provide evidence of completion of the MBTA’s cybersecurity training, none of whom are current employees. . . . The MBTA is reviewing to determine if these former employees did not complete cybersecurity training or the MBTA’s report on the completion of cybersecurity training omitted these former employees. The MBTA notes that the HRCMS system which the SAO reviewed for its Data Reliability Assessment is not a program used directly for the AFC 2.0 project. The HRCMS system is used across the MBTA and across the Commonwealth of Massachusetts, most commonly for employees to enter their timesheets.
Auditor’s Reply
The MBTA claims that none of the four individuals identified during testing are current employees. However, these individuals were employees during the audit period and thus should have received cybersecurity awareness training upon being hired. Their current employment status is irrelevant to the finding. We encourage the MBTA to follow our recommendation so that history does not repeat itself, with current or future employees not receiving needed training.
Date published: January 16, 2025