Overview
Massachusetts College of Art and Design (MassArt) does not require new employees in its Administration and Finance Department to take cybersecurity awareness training as part of new hire orientation, nor does it require employees in the department to take training annually thereafter. MassArt did not require annual cybersecurity awareness training of the 13 employees in the department who were responsible for processing funding from the Higher Education Emergency Relief Fund. Although MassArt does provide voluntary cybersecurity awareness training, the college does not maintain employee training attendance records.
Without educating all system users on their responsibility for protecting the security of information assets, MassArt is exposed to a higher risk of cybersecurity attacks and of financial and/or reputational losses.
Authoritative Guidance
According to the Executive Office of Technology Services and Security’s Information Security Risk Management Standard IS.010, effective October 15, 2018,
6.2.3 New Hire Security Awareness Training: All new personnel must complete an Initial Security Awareness Training course. This course shall be conducted via web-based learning or in class training and shall be included in the new hire orientation checklist. The New Hire Security Awareness course must be completed within 30 days of new hire orientation.
6.2.4 Annual Security Awareness Training: All personnel will be required to complete Annual Security Awareness Training. Once implemented, automatic email reminders will be sent to personnel 12 months after course completion, alerting personnel to annual refresher training completion deadlines.
Reason for Noncompliance
MassArt does not have policies requiring cybersecurity awareness training for new and current employees. According to the assistant vice president of technology / chief information officer, MassArt has had challenges, including delays resulting from the 2019 coronavirus pandemic, in implementing cybersecurity policies.
Recommendations
- MassArt should implement a policy requiring personnel to complete new-hire and annual cybersecurity awareness training.
- MassArt should maintain a record of completion of cybersecurity awareness training for each employee.
Auditee's Response
The college acknowledges that during the time period of the audit, cybersecurity training was not required of staff. . . .
MassArt has implemented a mandatory annual cybersecurity awareness training program for all current and new employees using the KnowBE4 platform, and now records and tracks completion rates. Users are sent regular email reminders from the KnowBE4 system to complete the training.
MassArt has also verified that the thirteen employees in Administration and Finance mentioned in the audit have completed their annual cybersecurity training.
We appreciate the guidance provided to the college and its Finance and [information technology] teams during the period of the audit and remain committed to adhering to the best practices possible in all of the college's operations.
Auditor's Reply
Based on its response, MassArt has taken measures to address our concerns on this matter.