MCC did not ensure that all 37 of its employees completed required annual cybersecurity awareness training during the audit period. A lack of such training may lead to user error and compromise the integrity and security of protected information in MCC’s information technology systems.
Authoritative Guidance
The “Network Integrity & Personal Information Security” section of MCC’s Employee Handbook FY2020, effective August 22, 2019, states,
The Mass Cultural Council follows the Enterprise Information Security Policies and Standards established by the [Executive Office of Technology Services and Security, or EOTSS] Enterprise Security Office.
Section 6.1.1 of EOTSS’s Acceptable Use of Information Technology Policy IS.002, which went into effect October 15, 2018, requires all employees to complete cybersecurity awareness training during their orientation and regularly thereafter.
Section 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010, which went into effect October 15, 2018, states, “All personnel will be required to complete Annual Security Awareness Training.”
Reasons for Issue
MCC stated that it had not assigned an employee the responsibility of ensuring compliance with EOTSS’s cybersecurity awareness training policy.
Recommendations
- MCC should establish policies and procedures to ensure that all employees complete annual cybersecurity awareness training.
- MCC should assign an employee to be responsible for ensuring that the agency complies with EOTSS’s cybersecurity awareness training policy.
Auditee’s Response
[MCC] concurs in this finding that staff had not undergone cybersecurity training during the audit period. As was discussed during the course of the audit, certain Council staff did attempt to undertake the training and were not given access to the Commonwealth’s training module. The Commonwealth’s communications at the time even specifically indicated that such training was not available to independent agencies or other parties outside the Executive Branch. Consistent with the draft report’s recommendation that the Council assign an employee to be responsible for maintaining compliance with the Commonwealth’s cybersecurity training requirement, Mass Cultural Council’s newly hired Director of People & Culture (11/2021) took responsibility for the training and successfully obtained access to the Commonwealth’s cybersecurity training module in early 2022. Staff were notified that the training was available on January 13, 2022, and 100% had completed the training by March 15, 2022. Cybersecurity training has also been implemented as part of the onboarding process for new employees. Staff will be required to complete such training annually, as monitored by the Director of People & Culture.
Auditor’s Reply
Based on its response, MCC is taking measures to address our concerns on this matter.
Date published: June 16, 2022