Offered by the Office of the State Auditor

Middlesex Community College Did Not Ensure That Its Users Who Had Access to the Finance and/or Financial Aid Modules in Banner Completed Cybersecurity Awareness Training.

Without educating all system users on their responsibility of protecting the security of information assets, MCC is exposed to a higher risk of cybersecurity attacks and financial and/or reputation losses.

Overview

Middlesex Community College (MCC) did not ensure that system users who had access to the finance and/or financial aid modules in its Banner database system completed required cybersecurity awareness training. Fifteen of the 35 sampled users did not complete cybersecurity awareness training as required: 13 were assigned the training but did not complete it, and 2 were not assigned the training.

Authoritative Guidance

Section 6.2.4 of the Executive Office of Technology Services and Security’s Information Security Risk Management Standard IS.010 states, “All personnel will be required to complete Annual Security Awareness Training.”

Reasons for Issue

MCC does not have policies and procedures that clearly define the contents and administration of its cybersecurity awareness training program. MCC officials told us that employees were confused about what the program required of them. From 18 training modules that address topics such as recognizing phishing attempts, protecting data, and working from home, MCC’s director of professional instructional development designs a training program for each department at MCC. The programs usually contain two or three modules. Each user receives an email acknowledgment upon completion of each individual module. Some users mistook the acknowledgment for their first module as confirmation that they had completed the entire program. Additionally, MCC lacked monitoring controls to ensure that users completed all of the cybersecurity awareness training modules assigned to them.

The issue of training not being assigned to two employees was due to an oversight by MCC’s training program administrator.

Recommendations

  1. MCC should implement policies and procedures that clearly define the contents and administration of its cybersecurity awareness training program.
  2. MCC should implement monitoring controls to ensure that users complete the cybersecurity awareness training modules assigned to them.
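The monitoring control in recommendation 2 amounts to a periodic reconciliation of the roster of users with finance and financial aid access against the training platform's assignment and completion records. The Python script below is an added example written for this page; it is not MCC's or the auditor's code. The two CSV layouts, the user IDs and the sample dates are constructed, and the 30-day grace period is an assumption taken from the policy MCC describes in its response below. It sorts every user with access into one of four buckets: never assigned training, assigned and fully complete, assigned with open modules still inside the grace period, and overdue (the set whose access the policy says should be revoked). A user counts as complete only when every assigned module is done, so the per-module confirmation email that confused users is not mistaken for program completion.

```python
"""Reconcile a system-access roster against training assignment/completion records."""
import csv
import io
from datetime import date, timedelta

# Constructed sample roster of users who hold access to the in-scope modules.
# Hypothetical user IDs; this is not data from the audit.
BANNER_ACCESS_CSV = """user_id,name,module
u001,Alice,FINANCE
u002,Bob,FINANCIAL_AID
u003,Carol,FINANCE
u004,Dan,FINANCE
u005,Eve,FINANCIAL_AID
"""

# Constructed training-platform export: one row per assigned module.
# An empty completed_on means the module is still open.
TRAINING_CSV = """user_id,module,assigned_on,completed_on
u001,phishing,2022-01-10,2022-01-12
u001,data_protection,2022-01-10,2022-01-15
u002,phishing,2022-01-10,2022-01-11
u002,data_protection,2022-01-10,
u003,phishing,2022-02-20,
u003,data_protection,2022-02-20,
"""


def load_access(csv_text):
    """Return the set of user IDs that hold access to an in-scope module."""
    return {row["user_id"] for row in csv.DictReader(io.StringIO(csv_text))}


def load_training(csv_text):
    """Group assignment rows by user: user_id -> [(module, assigned_on, completed_on)]."""
    by_user = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        assigned = date.fromisoformat(row["assigned_on"])
        completed = date.fromisoformat(row["completed_on"]) if row["completed_on"] else None
        by_user.setdefault(row["user_id"], []).append((row["module"], assigned, completed))
    return by_user


def assess(access_ids, training, as_of, grace_days=30):
    """Classify every user with access into exactly one bucket.

    A user is compliant only when every assigned module is completed; finishing
    one module is not enough. The grace period (assumed 30 days) runs from the
    earliest assignment date, i.e. the initial assignment.
    """
    result = {"compliant": [], "not_assigned": [], "pending": [], "overdue": []}
    for uid in sorted(access_ids):
        rows = training.get(uid)
        if not rows:
            # Access without any training assignment: the oversight case.
            result["not_assigned"].append(uid)
            continue
        if all(completed is not None for _, _, completed in rows):
            result["compliant"].append(uid)
            continue
        deadline = min(assigned for _, assigned, _ in rows) + timedelta(days=grace_days)
        result["overdue" if as_of > deadline else "pending"].append(uid)
    return result


def revocation_list(report):
    """Users whose access should be suspended until they complete training."""
    return list(report["overdue"])


def run_sample(as_of_iso="2022-03-01"):
    """Run the reconciliation over the constructed data as of the given date."""
    return assess(load_access(BANNER_ACCESS_CSV), load_training(TRAINING_CSV),
                  date.fromisoformat(as_of_iso))


if __name__ == "__main__":
    report = run_sample()
    for bucket, users in report.items():
        print(f"{bucket:13s} {', '.join(users) or '-'}")
    print("revoke:", revocation_list(report))
```

Run on a schedule against fresh exports, the "not_assigned" bucket catches the gap the org-chart review is meant to close, and the "overdue" bucket feeds the access-revocation step directly rather than relying on someone to notice.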

Auditee’s Response

Middlesex Community College agrees with the Auditor’s Report Findings, and the implementation of policies, procedures, and monitoring controls to ensure users complete cybersecurity awareness training, that are outlined by MCC in the following response to the Draft Audit Report. . . .

Of the fifteen selected users from MCC’s Cost Managers who were identified in the auditor’s report as out of compliance with annual cybersecurity awareness training, thirteen completed training after the period selected for the audit. Practices have been introduced to ensure that no employee is inadvertently overlooked when training is being assigned. Two employees among this group were assigned training but did not complete it. These were faculty who had their access to Banner removed. . . .

Since the auditing period, MCC has adopted a policy and procedures document which aligns MCC’s cybersecurity awareness practices with Commonwealth of Massachusetts information security and risk mitigation mandates. The design of the annual cybersecurity awareness training has been simplified in order to avoid confusion among employees. . . .

In the policy we have now adopted, cybersecurity awareness training must be completed within 30 days of the initial assignment. Failure to comply will result in non-compliant employees having their access to key information system[s] (Banner, shared drives) revoked until these employees are in compliance with [the] annual cybersecurity awareness training requirement. The director of professional development, who is responsible for the deployment of training, will use the college’s organizational chart as a review tool to ensure that there are no gaps in the list of employees assigned cybersecurity awareness training.

Auditor’s Reply

Based on its response, MCC is taking steps to address this issue.

Date published: May 31, 2022
