Overview
We identified the following issues in our testing of MCCA’s information system general controls:
- One out of nine users (11%) who were newly provided with access to the procurement system during the audit period was not recorded as being in attendance for an initial cybersecurity awareness training.
- MCCA was unable to produce any attendance records or certificates of completion to verify that procurement system users received annual refresher cybersecurity awareness training.
- MCCA does not document supervisor reviews of user access rights.
If MCCA does not conduct reviews of user access rights, it has an elevated risk of exposure to unauthorized access. If MCCA does not ensure that its employees complete initial and annual refresher cybersecurity awareness trainings, it is exposed to an increased risk of cyberattacks and financial and/or reputational losses.
Authoritative Guidance
Section AT-2 of MCCA’s “Information Security Policy” states:
Prior to a user being granted access to MCCA’s business information systems or corporate network, security awareness training must be provided for all levels of users within MCCA. Users must also be trained following the implementation of changes to information systems, and periodically thereafter.
Section 6.1.10.2 of the Executive Office of Technology Services and Security’s Access Management Standard IS.003 states, “A review of user access must be conducted, at a minimum, semiannually, and all unauthorized accounts and access must be removed.”
We consider the Executive Office of Technology Services and Security’s policies and standards to be a best practice.
Reasons for Issue
MCCA officials told us that supervisors review user access rights annually and monthly; however, the reviews are not documented. MCCA did not give a reason it could not provide documentation of attendance for annual refresher cybersecurity awareness training.
Recommendations
- MCCA should maintain certificates of completion of cybersecurity awareness training for all of its employees in their respective personnel files and/or on a centralized list.
- MCCA should conduct and document user access reviews at least twice per year.
Auditee’s Response
While the MCCA has a comprehensive cybersecurity training program that includes annual cybersecurity training, quarterly phishing training, and annual vendor cybersecurity training, it acknowledges that some official attendance records for participants in the annual training were missing. To address this issue, the MCCA has implemented a centralized online learning management system (LMS). This new system will ensure that official records of attendance and training completion are accurately maintained each year and stored for future review.
The MCCA conducts annual reviews of user access to the MCCA financial management system which is independently verified each year by our annual audit. These reviews encompass the onboarding and offboarding of employees, as well as an evaluation of all users with elevated access rights. Additionally, the MCCA performs an annual license review of users in the system. During the audit period, in conjunction with the State Auditor’s Office audit team, it was identified that the MCCA should maintain a documented record of each system user to verify that no official user roles have changed. The MCCA accepted this recommendation and has implemented the necessary changes as part of its annual review of system users, access, and roles.
Auditor’s Reply
In its response, MCCA indicates that system user access is tested annually by its independent auditors. However, as noted above, MCCA was unable to demonstrate that user access rights to its procurement system were reviewed during our audit period. In addition, MCCA was unable to provide evidence that it provided annual cybersecurity awareness training to its procurement system users during our audit period. We reiterate our recommendation that MCCA should maintain a record of completion of cybersecurity awareness training for each employee. Further, MCCA should ensure that it conducts and documents periodic access reviews (at least semiannually) to ensure that users’ access rights to its procurement system are limited to their individual job requirements. Based on its response, MCCA is taking measures to address our concerns.
Date published: August 19, 2024