Overview
MSCBA did not have adequate information system general controls over its accounting and project management system. Specifically, we identified issues with management of employee access rights, employee cybersecurity awareness training, background checks, revocation of employee access rights, session lock mechanisms, configuration management, and audit log reviews.
The Massachusetts State College Building Authority did not adequately manage employee access rights.
MSCBA did not have documented management approval for its employees’ access rights to its accounting and project management system for 12 (80%) out of 15 users in the population of employees who were active during the audit period.
Without documented management approval, MSCBA cannot verify that system users were authorized to access the system at all, or that user accounts were limited to the fewest privileges necessary for the employees’ job duties.
Authoritative Guidance
Section 6.1 of EOTSS’s Access Management Standard IS.003 states,
6.1.5 Request access privileges: User requests for access privileges will follow a formal process. . . .
6.1.5.2 User registration and revocation procedures will be implemented for all information systems and services.
6.1.5.3 User access requests will be recorded (paper or tool-based), include a business justification for access, and be approved by the requestor’s supervisor and the appropriate Information Owner or authorized delegate.
Although MSCBA is not required to follow this standard, since it is not a Commonwealth agency within the executive branch and is instead categorized as a quasi-governmental agency, EOTSS still recommends that non-executive branch state agencies follow these standards. We also consider them best practices.
Reason for Issue
MSCBA did not have documented policies and procedures regarding recording and maintaining user access request approvals for its accounting and project management system during the audit period.
The Massachusetts State College Building Authority could not provide evidence that its employees completed cybersecurity awareness training.
MSCBA was unable to produce any attendance records or certificates of completion to verify that accounting and project management system users received cybersecurity awareness training during the audit period.
If MSCBA does not ensure that its employees complete cybersecurity awareness training, then it is exposed to an increased risk of cyberattacks and financial and/or reputational losses.
Authoritative Guidance
According to Section 6.2 of EOTSS’s Information Security Risk Standard IS.010,
6.2.3 New Hire Security Awareness Training: All new personnel must complete an Initial Security Awareness Training course. . . . The New Hire Security Awareness course must be completed within 30 days of new hire orientation.
6.2.4 Annual Security Awareness Training: All personnel will be required to complete Annual Security Awareness Training.
Although MSCBA is not required to follow this standard, since it is not a Commonwealth agency within the executive branch and is instead categorized as a quasi-governmental agency, EOTSS still recommends that non-executive branch state agencies follow these standards. We also consider them best practices.
Reason for Issue
MSCBA did not have documented policies and procedures that required newly hired employees to complete cybersecurity awareness training within 30 days of their orientation or that required existing employees to complete annual refresher cybersecurity awareness training.
The Massachusetts State College Building Authority was missing documentation for a completed background check.
One (7%) out of 15 system users was missing documentation confirming that MSCBA had completed a required background check on them before they gained access to MSCBA’s accounting and project management system.
Without proper screening, MSCBA assumes a higher-than-acceptable risk of hiring individuals who may pose security threats to its systems and data.
Authoritative Guidance
According to Section C of MSCBA’s Employee Handbook, “The Authority will complete background checks for criminal records and social security verification for existing employees every five years and for new employees within 90 days of their start date.”
Reason for Issue
According to MSCBA officials, the one employee in our sample who was missing documentation for a completed background check was a post-retiree state employee who was returning to work part-time, and the background check was not performed.
The Massachusetts State College Building Authority did not promptly revoke access rights to its accounting and project management system.
MSCBA did not promptly revoke access rights to its accounting and project management system for the one former user whose employment ended during the audit period.
If MSCBA does not promptly revoke former employees’ access rights to its system, then there is an increased risk that former employees could improperly access and/or change information in the system.
Authoritative Guidance
According to Section 6 of EOTSS’s Access Management Standard IS.003,
6.1.8.3 If the termination date of a user is known in advance, the respective access privileges—specifically those with access to confidential information—will be configured to terminate automatically.
6.1.8.3.1. If not, access must be manually removed within 24 business hours.
Although MSCBA is not required to follow this standard, since it is not a Commonwealth agency within the executive branch and is instead categorized as a quasi-governmental agency, EOTSS still recommends that non-executive branch state agencies follow these standards. We also consider them best practices.
Reason for Issue
According to MSCBA officials, the terminated employee whose access was not revoked was on a six-month leave of absence before their employment was terminated.
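The first four findings (undocumented access approvals, missing training records, a missing background check, and an account left enabled after separation) are the conditions a periodic user access review is meant to catch. The following script is an added illustration, not the report's, MSCBA's or EOTSS's code: it reconciles a constructed HR roster against a constructed export of the system's user list and reports each condition the auditors tested. The employee names, field layout, review date and the thresholds applied (an approval record on file, revocation once the end date has passed, the handbook's 90-day and five-year background-check windows, the 30-day and annual training windows) are assumptions drawn from the findings above.

```python
"""Periodic user access review for an accounting and project management system.

Added illustration only; not MSCBA's, EOTSS's or any vendor's code. The HR
roster, the application's user export, the names and the field layout are
constructed sample data, and the thresholds below are assumptions taken from
the audit findings and the Employee Handbook excerpt.
"""
from __future__ import annotations

import csv
import io
from datetime import date, timedelta

AS_OF = date(2024, 6, 30)  # constructed "as of" date for the review

# Constructed HR roster. status: active | leave | terminated. Empty = no record on file.
HR_ROSTER = """\
user,status,hire_date,end_date,background_check,last_training
abell,active,2019-03-04,,2021-02-20,2023-11-15
bchen,active,2024-05-01,,,2024-05-10
cdiaz,leave,2017-08-14,,2017-08-01,2023-11-15
dfoss,terminated,2015-01-12,2024-03-29,2022-01-05,2023-11-15
egray,active,2021-10-18,,,
"""

# Constructed export of the application's user list. approved_by / approval_date
# stand for the supervisor sign-off that IS.003 6.1.5.3 expects to be recorded.
SYSTEM_USERS = """\
user,enabled,role,approved_by,approval_date
abell,true,ap_clerk,jsmith,2019-03-01
bchen,true,project_manager,,
cdiaz,true,controller,jsmith,2017-08-10
dfoss,true,ap_clerk,jsmith,2015-01-09
egray,true,read_only,jsmith,2021-10-15
fhale,true,ap_clerk,,
"""

BG_CHECK_GRACE_DAYS = 90         # handbook: new hires within 90 days of start
BG_CHECK_REFRESH_DAYS = 5 * 365  # handbook: existing employees every five years
TRAINING_NEW_HIRE_DAYS = 30      # IS.010 6.2.3
TRAINING_REFRESH_DAYS = 365      # IS.010 6.2.4


def _parse(value: str) -> date | None:
    return date.fromisoformat(value) if value else None


def business_days_between(start: date, end: date) -> int:
    """Weekdays in (start, end]; public holidays are ignored (simplifying assumption)."""
    count, d = 0, start
    while d < end:
        d += timedelta(days=1)
        if d.weekday() < 5:
            count += 1
    return count


def review_access(roster_csv: str, users_csv: str, as_of: date) -> dict[str, list[str]]:
    """Reconcile the application's user list against HR; return finding -> affected users."""
    roster = {r["user"]: r for r in csv.DictReader(io.StringIO(roster_csv))}
    findings: dict[str, list[str]] = {
        "no_documented_approval": [],
        "enabled_after_termination": [],
        "enabled_while_on_leave": [],
        "not_in_hr_roster": [],
        "background_check_missing_or_stale": [],
        "training_missing_or_overdue": [],
    }
    for acct in csv.DictReader(io.StringIO(users_csv)):
        name = acct["user"]
        enabled = acct["enabled"].lower() == "true"
        # Every account, enabled or not, needs a recorded supervisor approval.
        if not (acct["approved_by"] and acct["approval_date"]):
            findings["no_documented_approval"].append(name)
        emp = roster.get(name)
        if emp is None:
            # An account HR does not know about is an orphan; nothing else to check.
            findings["not_in_hr_roster"].append(name)
            continue
        if emp["status"] == "terminated":
            if enabled:
                findings["enabled_after_termination"].append(name)
            continue  # screening and training checks no longer apply to a leaver
        if enabled and emp["status"] == "leave":
            findings["enabled_while_on_leave"].append(name)
        hired = _parse(emp["hire_date"])
        checked = _parse(emp["background_check"])
        if checked is None:
            if (as_of - hired).days > BG_CHECK_GRACE_DAYS:
                findings["background_check_missing_or_stale"].append(name)
        elif (as_of - checked).days > BG_CHECK_REFRESH_DAYS:
            findings["background_check_missing_or_stale"].append(name)
        trained = _parse(emp["last_training"])
        if trained is None:
            if (as_of - hired).days > TRAINING_NEW_HIRE_DAYS:
                findings["training_missing_or_overdue"].append(name)
        elif (as_of - trained).days > TRAINING_REFRESH_DAYS:
            findings["training_missing_or_overdue"].append(name)
    return findings


def revocation_lag(roster_csv: str, user: str, as_of: date) -> int:
    """Business days an account has stayed enabled past the user's recorded end date."""
    roster = {r["user"]: r for r in csv.DictReader(io.StringIO(roster_csv))}
    end = _parse(roster[user]["end_date"])
    return business_days_between(end, as_of) if end else 0


if __name__ == "__main__":
    for finding, users in review_access(HR_ROSTER, SYSTEM_USERS, AS_OF).items():
        print(f"{finding}: {', '.join(users) or 'none'}")
    print("dfoss enabled", revocation_lag(HR_ROSTER, "dfoss", AS_OF), "business days past end date")
```

Run against the constructed data, the review flags the two accounts with no approval on file (one of them an account HR has no record of), the separated user still enabled 65 business days after the end date, the user on leave whose access was not suspended, a five-year background recheck that has lapsed, and a long-serving employee with no training record; the new hire within the 90-day screening window is deliberately not flagged. The output of a run like this, kept with the sign-off, is the evidence the auditors asked for.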
The Massachusetts State College Building Authority did not have session lock mechanisms in place.
MSCBA did not implement session lock mechanisms on its network or within its accounting and project management system. For instance, there was no established protocol for defining a specific duration of user inactivity that would trigger an automatic session lock.
If MSCBA does not have session lock mechanisms in place, then employees may remain logged on indefinitely, increasing the risk of unauthorized access and reducing the organization’s ability to effectively monitor and control system activity.
Authoritative Guidance
According to Section 6 of EOTSS’s Access Management Standard IS.003,
6.3.6 An automatic screen saver lock will be configured to become active no more than five (5) minutes after inactivity for workstations used by personnel with access to any Commonwealth network and information system.
6.3.6.1 Put devices into sleep or locked mode any time they are not in active use.
Although MSCBA is not required to follow this standard, since it is not a Commonwealth agency within the executive branch and is instead categorized as a quasi-governmental agency, EOTSS still recommends that non-executive branch state agencies follow these standards. We also consider them best practices.
Reason for Issue
MSCBA officials could not explain why MSCBA does not have a session timeout policy for its network or its accounting and project management system.
The Massachusetts State College Building Authority did not have a documented configuration management policy.
MSCBA did not have a documented configuration management policy for its accounting and project management system to address how changes are processed before they are implemented. The configuration policy should include a testing plan, results of the testing plan, and the process to approve the changes to MSCBA’s accounting and project management system. Configuration management ensures that system settings, updates, and security patches are consistently applied.
Without a configuration management policy, MSCBA makes its accounting and project management system vulnerable to misconfigurations, security threats, and performance issues.
Authoritative Guidance
According to Section 6 of EOTSS’s Operations Management Standard IS.012,
6.3 Commonwealth Agencies and Offices must establish controls to maintain the integrity of information systems, including: . . .
6.3.3. Create, maintain, and update standard operating procedures . . . for the secure configuration of information systems. Assess compliance with configuration requirements at least annually.
Although MSCBA is not required to follow this standard, since it is not a Commonwealth agency within the executive branch and is instead categorized as a quasi-governmental agency, EOTSS still recommends that non-executive branch state agencies follow these standards. We also consider them best practices.
Reason for Issue
MSCBA officials could not explain why MSCBA does not have established controls to ensure that procedures are in place to safeguard its accounting and project management system.
The Massachusetts State College Building Authority did not have established procedures to review audit logs.
MSCBA did not establish procedures to conduct regular reviews of audit logs for its accounting and project management system. Our testing found that user activity logs were not reviewed periodically but rather only when issues emerged, which limits the organization’s ability to detect unauthorized access or suspicious activity.
If MSCBA does not regularly generate and review audit logs for its accounting and project management system, then it exposes itself to a higher-than-acceptable risk of unauthorized user activity, and to a higher-than-acceptable risk that security incidents and policy violations go undetected by MSCBA management.
Authoritative Guidance
According to Section 6 of EOTSS’s Logging and Event Monitoring Standard IS.011,
6.1.6 Log review and reporting
Commonwealth Agencies and Offices must ensure that logs are periodically reviewed by personnel from the Enterprise Security Office (or personnel with a security role in the agency) to detect anomalous events and apply resolution in a timely manner.
Although MSCBA is not required to follow this standard, since it is not a Commonwealth agency within the executive branch and is instead categorized as a quasi-governmental agency, EOTSS still recommends that non-executive branch state agencies follow these standards. We also consider them best practices.
Reason for Issue
MSCBA does not have a written policy requiring that audit logs be generated and reviewed on a regular basis to track user activity.
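Reviewing logs only when a problem surfaces means the review is triggered by the damage rather than by the log. The following script is an added illustration, not the report's, MSCBA's or any vendor's code, of what a scheduled review of an application's user-activity log can look like: it parses a constructed log excerpt and flags the events a reviewer should look at. The key=value log format, the event names, the user names, the business-hours window, the failed-login threshold and the list of separated users are all assumptions; a real system's export and its event vocabulary will differ.

```python
"""Scheduled review of an application's user-activity log.

Added illustration only; not MSCBA's, EOTSS's or any vendor's code. The log
format (one event per line, timestamp followed by key=value fields), the
sample events, the user names and the review rules are constructed
assumptions to be replaced with the real system's export and policy.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, time

# Constructed log excerpt from the accounting / project management system.
SAMPLE_LOG = """\
2024-06-10T08:02:11 user=abell event=LOGIN result=SUCCESS ip=10.20.0.14
2024-06-10T08:05:42 user=abell event=INVOICE_APPROVE result=SUCCESS ip=10.20.0.14 doc=INV-1042
2024-06-10T23:14:09 user=dfoss event=LOGIN result=SUCCESS ip=203.0.113.77
2024-06-10T23:16:30 user=dfoss event=VENDOR_BANK_CHANGE result=SUCCESS ip=203.0.113.77 vendor=V-887
2024-06-11T09:00:01 user=bchen event=LOGIN result=FAILURE ip=10.20.0.31
2024-06-11T09:00:09 user=bchen event=LOGIN result=FAILURE ip=10.20.0.31
2024-06-11T09:00:17 user=bchen event=LOGIN result=FAILURE ip=10.20.0.31
2024-06-11T09:00:25 user=bchen event=LOGIN result=FAILURE ip=10.20.0.31
2024-06-11T09:00:33 user=bchen event=LOGIN result=FAILURE ip=10.20.0.31
2024-06-11T09:00:48 user=bchen event=LOGIN result=SUCCESS ip=10.20.0.31
2024-06-11T14:22:05 user=jsmith event=ROLE_CHANGE result=SUCCESS ip=10.20.0.9 target=egray role=controller
"""

# Assumptions standing in for HR data and the review policy.
SEPARATED_USERS = {"dfoss"}                  # employment ended; account should be disabled
BUSINESS_HOURS = (time(7, 0), time(19, 0))   # local window for routine use
FAILED_LOGIN_THRESHOLD = 5                   # failures before a success that merit a look
PRIVILEGED_EVENTS = {"ROLE_CHANGE", "VENDOR_BANK_CHANGE"}  # reviewed every time

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line: str) -> dict[str, str]:
    """Turn 'ts k=v k=v ...' into a dict; the timestamp is stored under 'ts'."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
    fields["ts"] = m.group("ts")
    return fields


def review_log(log_text: str) -> list[tuple[str, str, str]]:
    """Return (rule, user, timestamp) for every event a reviewer should examine."""
    flagged: list[tuple[str, str, str]] = []
    failures: dict[str, int] = defaultdict(int)  # consecutive failed logins per user
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        user, event, result, ts = ev["user"], ev["event"], ev["result"], ev["ts"]
        when = datetime.fromisoformat(ts)
        # 1. Any activity by a separated user means access revocation did not happen.
        if user in SEPARATED_USERS:
            flagged.append(("separated_user_activity", user, ts))
        # 2. Successful activity outside business hours.
        if result == "SUCCESS" and not (BUSINESS_HOURS[0] <= when.time() < BUSINESS_HOURS[1]):
            flagged.append(("after_hours_activity", user, ts))
        # 3. A run of failed logins that ends in a success looks like password guessing.
        if event == "LOGIN":
            if result == "FAILURE":
                failures[user] += 1
            else:
                if failures[user] >= FAILED_LOGIN_THRESHOLD:
                    flagged.append(("failed_logins_then_success", user, ts))
                failures[user] = 0
        # 4. Privilege and payment-master changes are reviewed unconditionally.
        if event in PRIVILEGED_EVENTS and result == "SUCCESS":
            flagged.append(("privileged_change", user, ts))
    return flagged


if __name__ == "__main__":
    for rule, user, ts in review_log(SAMPLE_LOG):
        print(f"{ts}  {rule:<28} {user}")
```

On the constructed excerpt the review surfaces the separated user logging in late at night and changing a vendor's bank details, a burst of five failed logins followed by a success, and a role change that grants the controller role; the ordinary daytime activity is left alone. Running this on a schedule, filing the output, and recording who reviewed it and what was done about each flag is what distinguishes a review procedure from reacting to incidents after the fact.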
Recommendations
- MSCBA should ensure that documented records are kept to evidence supervisory approval for system user rights for its accounting and project management system.
- MSCBA should develop and implement policies and procedures to ensure that all employees receive cybersecurity awareness training within 30 days of orientation and annually thereafter. Also, MSCBA should maintain certificates of completion of these trainings for all of its employees.
- MSCBA should ensure that all employees with access to confidential information undergo background checks, as required by its policy. MSCBA should maintain documentation of these screenings to ensure accountability and compliance.
- MSCBA should ensure that system privileges are revoked within 24 business hours of termination. Additionally, MSCBA should consider temporarily suspending employees’ privileges when they are on leaves of absence.
- MSCBA should configure both its network and its accounting and project management system to lock sessions after five minutes of inactivity.
- MSCBA should establish controls to ensure that configuration management procedures are in place to safeguard its accounting and project management system.
- MSCBA should ensure that audit logs for its accounting and project management system are generated and reviewed on a regular basis, so that system user activity is tracked.
Auditee’s Response
- Supervisory review / approval of user access—The Authority, through its [information technology (IT)] vendor, currently utilizes forms to establish and terminate user access for its network. Separately, there is a process in place for establishing new employees’ access to . . . the Authority’s accounting and project management software, however, because network access is required to access [this software], there is a secondary level of control. The Authority acknowledges that it can improve the documentation of this portion of the process and is currently investigating and discussing further enhancements to the Authority’s existing processes.
- Cybersecurity Training—Since 2021, the Authority has provided cybersecurity awareness training annually for its employees. These trainings were conducted by the Authority’s IT Network Service Provider . . . at an annual “All Staff” meeting. Consistent [with the Office of the State Auditor’s (OSA’s)] review, the Authority has adopted a more structured and documented approach. Since the informal exit conference with the OSA, the Authority has retrained all staff via its provider’s Learning Management System and has current certificates of completion. Existing employees will continue to complete such training annually and new staff members will be required to complete such training within 30 days of hire.
- Employee Background Checks—The Authority’s policy is to ensure that all employees undergo appropriate background checks during the hiring process. The omission of a singular employee was in error.
- Employee Access Changes upon Leave or Termination—The Authority regards access to the network and its security as a critical component to minimizing risk and routinely ensures that system privileges are revoked within 1 business day of an employee’s leave or termination. Moving forward, the Authority will make operational changes to ensure timely revocation of access for separated employees.
- Inactivity Lockout—Since the OSA informal exit conference, based on the recommendation of its IT network service provider . . . the Authority has implemented a procedure by which automatic lockout is initiated after 15 minutes of inactivity. The 15-minute lockout standard is based upon the nationally recognized NIST (National Institute of Standards and Technology) recommendation.
- Network Access / Configuration & Accounting / Project Management . . . Configuration—The Authority will work with its IT consultants and vendors to develop an IT Configuration Management Plan.
- Audit Logs for the Accounting / Project Management . . . system—As previously noted, the Authority considers system access a critical component to minimizing risk and will investigate what reports, logs, and / or other tools are available to provide additional review capabilities of user activity to enhance internal controls.
Auditor’s Reply
Based on its response, MSCBA is taking measures to address our concerns regarding this matter. As part of our post-audit review process, we will follow up on this matter in approximately six months.
Date published: June 18, 2025