Overview
MGCC did not provide any information security training to the 10 MGCC employees responsible for managing and accounting for COVID-19 SBRGP funds during the audit period.
A lack of such training may lead to user error or compromise the integrity and security of MGCC’s information systems, such as MGCC’s accounting system, which was used to administer approximately $650 million in COVID-19 SBRGP funding.
Authoritative Guidance
MGCC’s Written Information Security Policy (WISP) includes the following provisions:
The purpose of this WISP is to ensure that . . . information security training is provided to all employees and staff.
Training will be provided on an ongoing basis, beginning with new employee and User orientation, as scheduled by the [information security officer] for full-time employees, part-time employees and contract/temporary employees.
Reasons for Issue
MGCC did not have effective monitoring controls to ensure that it provided information security training to all employees.
Recommendations
- MGCC should provide information security training to its newly hired employees during orientation and on an ongoing basis for all employees.
- MGCC should develop and implement monitoring controls to ensure that it provides information security training to all employees.
Auditee’s Response
MGCC acknowledges that it did not provide information security training to its newly hired and temporary employees during orientation during the COVID-19 pandemic. During the period that MGCC was administering the COVID-19 SBRGP, MGCC was adding temporary and new staff at a rapid pace and was still adjusting to pandemic response orders that required employees to work from home. This oversight was noticed and MGCC has since provided information security training to all employees. MGCC also has incorporated the Written Information Security Policy, Guidance, Standards and Protocols (WISP) into its employee handbook and will annually require every current and new employee to receive a copy of the WISP and to sign a form acknowledging the employee has received, reviewed and understands that policy.
Auditor’s Reply
Based on its response, MGCC has taken measures to provide information security training to its current employees. We reiterate our recommendations that MGCC provide information security training to its newly hired employees during orientation and on an ongoing basis for all employees as well as develop and implement monitoring controls to ensure that it provides this training.
Date published: August 28, 2024