Middlesex County District Attorney’s Office - Finding 3

The Middlesex County District Attorney’s Office should ensure that all employees complete cybersecurity awareness training upon hire and annually thereafter.

Overview

MDAO should ensure that all employees complete cybersecurity awareness training.

Regarding calendar year 2022, we found that none of the 25 required employees in our sample of 40 completed annual refresher cybersecurity awareness training, and none of the 4 new employees completed initial cybersecurity awareness training within 30 days of their hire date.

Regarding calendar year 2023, we found that 1 of the 28 required employees in our sample of 40 did not complete annual refresher cybersecurity awareness training, and 1 of the 8 new employees did not complete initial cybersecurity awareness training within 30 days of their hire date.

The following table breaks down annual refresher and initial training completion for sampled MDAO employees who were active during the audit period.

Calendar Year | Annual Refresher Training Required | Annual Refresher Training Not Completed | Initial Training Required | Initial Training Not Completed | Not Applicable*
2022          | 25                                 | 25                                      | 4                         | 4                              | 11
2023          | 28                                 | 1                                       | 8                         | 1                              | 4
2024          | 32                                 | 0                                       | 1                         | 0                              | 7

*  The Not Applicable column regards individuals who were not employed at MDAO in a given year. This would include, for example, employees who left MDAO employment before the training was assigned.

If MDAO does not educate its employees on their responsibility to protect the security of information assets, then MDAO may expose itself to a higher-than-acceptable risk of cybersecurity attacks and financial and/or reputational losses.

Authoritative Guidance

Section 6.2 of EOTSS’s Information Security Risk Management Standard IS.010 states,

6.2.3     New Hire Security Awareness Training: All new personnel must complete an Initial Security Awareness Training course. This course will be conducted via web-based learning or in-class training and will be included in the new hire orientation checklist. The New Hire Security Awareness course must be completed within 30 days of new hire orientation.

6.2.4     Annual Security Awareness Training: All personnel are required to complete Annual Security Awareness Training. Once implemented, automatic email reminders will be sent to personnel 12 months after course completion, alerting personnel to annual refresher training completion deadlines.

Although MDAO is not required to follow these standards, since it is not an executive branch state agency, we consider them best practices.

Reason for Issue

MDAO stated that it did not provide cybersecurity awareness training before 2023, though we note that it has been recommended by EOTSS since 2018.

Recommendation

MDAO should ensure that all employees complete annual refresher cybersecurity awareness training and that all newly hired employees complete the initial training within the first 30 days of their new hire orientation.

Auditee’s Response

As the Auditor’s report indicates, the Middlesex District Attorney’s Office is not required to follow the guidance from EOTSS since it is not an Executive Branch state agency. However, in June 2022, the Office of the State Auditor recommended that the Massachusetts District Attorney’s Association (MDAA) develop and implement policies and procedures requiring newly hired employees to receive cybersecurity awareness training. . . . Recognizing the value of such training, the Middlesex District Attorney’s Office immediately adopted this guidance and purchased the . . . cybersecurity training platform. That training launched in January 2023, just six months after the Auditor’s recommendation. As this audit shows, by 2024, the Office was in full compliance. As part of our ongoing commitment to information security, all new employees now complete the training immediately upon hire.

Auditor’s Reply

Based on its response, MDAO has taken measures to address our concerns regarding this matter. As part of our post-audit review process, we will follow up on this matter in approximately six months.

Date published: December 19, 2025
