MCAD Staff Members Responsible for the Management of CARES Act Funds Did Not Receive Cybersecurity Awareness Training.

During the audit period, MCAD did not provide cybersecurity awareness training to its two employees who were responsible for managing CARES Act funds received. The last cybersecurity awareness training that either employee attended was in January 2019, before the COVID-19 pandemic began.

Incomplete cybersecurity awareness training may lead to user error and compromise the integrity and security of protected information in MCAD’s information technology systems.

MCAD officials told us that MCAD had adopted the Executive Office of Technology Services and Security’s (EOTSS’s) Information Security Risk Management Standard IS.010. Section 6.2.4 of that standard states, “All personnel will be required to complete Annual Security Awareness Training.”

MCAD officials told us that although MCAD had adopted EOTSS Information Security Risk Management Standard IS.010, the commission had been unable to coordinate with EOTSS for the two employees to receive the required cybersecurity awareness training.

MCAD should coordinate with EOTSS to ensure that cybersecurity awareness training is held annually for all employees.

The agency has coordinated with the Commonwealth’s Human Resources Division (HRD) to provide the requisite, yearly Cybersecurity training to MCAD via the new MassAchieve platform [in] which the MCAD is now a fully participating agency. During the audit period, this training was offered through EOTSS via the [Performance and Career Enhancement] platform.

Based on its response, MCAD is taking measures to address our concerns on this matter.