Overview
Our review of the completion report from the third-party platform MWCC uses to provide its annual Social Engineering Red Flags training to its employees showed that not all required employees were assigned this training. Out of the 718 employees required to complete this training, 144 employees (20%) were not assigned training. Additionally, out of the 574 individuals assigned training, there was no evidence that 341 employees (59%) completed the training. In total, out of the 718 employees required to complete this training, MWCC could not provide evidence of completion for 485 (68%) employees.
Additionally, our review of the completion reports from the third-party platforms MWCC uses to provide both its initial and annual data security training to its employees found that the reports did not contain evidence of the completion of training for each year of the audit period.
Without educating all employees on their responsibility for protecting the security of information assets, MWCC may be exposed to a higher risk of cybersecurity attacks and financial and/or reputational losses.
Authoritative Guidance
Section 6.2 of the Executive Office of Technology Services and Security’s Information Security Risk Management Standard IS.010 states,
6.2.3 The New Hire Security Awareness course must be completed within 30 days of new hire orientation. . . .
6.2.4 Annual Security Awareness Training: All personnel are required to complete Annual Security Awareness Training.
Reasons for Issue
MWCC’s information technology director informed us that there is no technical connection between the college’s system and the third-party platform that provides the annual Social Engineering Red Flags training. This resulted in discrepancies in the data between MWCC and the third-party platform.
MWCC’s vice president of human resources told us in an email, dated August 28, 2024, that the third-party platform used for both the initial and annual data security trainings “clears the history every year; they are essentially resetting the assignment date so their system does not register that the employee already completed the training.”
Additionally, MWCC’s vice president of human resources stated that MWCC does not place a certificate of completion for the training in employees’ personnel files.
Recommendations
- MWCC should take steps to establish a connection between MWCC’s internal system and the systems used by the third-party training providers to ensure that all employees are assigned to take initial cybersecurity awareness training upon being hired and refresher training on an annual basis.
- MWCC should ensure that all employees complete initial and refresher cybersecurity awareness training.
- MWCC should ensure that it retains certificates on file for its employees to document their completion of cybersecurity awareness training.
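The gap the finding describes (employees required to train who were never assigned, and assigned employees with no completion record) is the kind of discrepancy a periodic reconciliation between the HR roster and the vendor's completion export would surface before an auditor does. The following script is an added example, not code from the audit report or from MWCC or its vendors; the roster, the export rows, and the three-column layout of the export (username, assigned flag, completion date) are constructed assumptions. It computes the same three measures the finding reports: required-but-not-assigned as a share of required, assigned-but-not-completed as a share of assigned, and total no-evidence as a share of required, and it also flags accounts that exist in the vendor system but not on the roster.

```python
"""Reconcile an HR roster against a training platform's completion export.

Added example, not code from the audit report or from MWCC. ROSTER and
TRAINING_EXPORT are constructed sample data; a real run would read CSV
exports from HR/Active Directory and from the training vendor.
"""
from dataclasses import dataclass

# Constructed sample roster: every employee required to complete the training.
ROSTER = ["a.adams", "b.brown", "c.chen", "d.diaz", "e.evans", "f.ford", "g.gray"]

# Constructed sample vendor export: (username, assigned, completed_on).
# Assumed layout; the real export's columns will differ.
TRAINING_EXPORT = [
    ("a.adams", True, "2024-03-04"),
    ("b.brown", True, None),          # assigned, never completed
    ("c.chen", True, "2024-02-11"),
    ("d.diaz", True, None),           # assigned, never completed
    ("f.ford", False, None),          # account exists, course never assigned
    ("z.zed", True, "2024-01-09"),    # in vendor system, not on the roster
]


@dataclass
class Reconciliation:
    required: list                # everyone on the HR roster
    not_assigned: list            # required but never assigned the course
    assigned_not_completed: list  # assigned, but no completion record
    orphaned: list                # in the vendor export but not on the roster

    @property
    def assigned(self) -> int:
        return len(self.required) - len(self.not_assigned)

    @property
    def no_evidence(self) -> list:
        # The audit's overall measure: no evidence of completion for any reason.
        return sorted(self.not_assigned + self.assigned_not_completed)


def reconcile(roster, export) -> Reconciliation:
    """Match the roster against the export.

    A user may appear on several export rows (for example when the vendor
    re-creates the assignment each year); any row carrying a completion date
    counts as completed, and a completion implies an assignment.
    """
    required = sorted(set(roster))
    assigned, completed, seen = set(), set(), set()
    for user, is_assigned, completed_on in export:
        seen.add(user)
        if is_assigned or completed_on:
            assigned.add(user)
        if completed_on:
            completed.add(user)
    not_assigned = [u for u in required if u not in assigned]
    assigned_not_completed = [u for u in required
                              if u in assigned and u not in completed]
    orphaned = sorted(seen - set(required))
    return Reconciliation(required, not_assigned, assigned_not_completed, orphaned)


def pct(part: int, whole: int) -> float:
    """Percentage rounded to one decimal; 0.0 when the denominator is empty."""
    return round(100.0 * part / whole, 1) if whole else 0.0


def summary(r: Reconciliation) -> dict:
    """Counts and percentages in the same form the audit finding reports them."""
    required = len(r.required)
    return {
        "required": required,
        "not_assigned": len(r.not_assigned),
        "pct_not_assigned": pct(len(r.not_assigned), required),
        "assigned": r.assigned,
        "assigned_not_completed": len(r.assigned_not_completed),
        "pct_assigned_not_completed": pct(len(r.assigned_not_completed), r.assigned),
        "no_evidence": len(r.no_evidence),
        "pct_no_evidence": pct(len(r.no_evidence), required),
        "orphaned": len(r.orphaned),
    }


if __name__ == "__main__":
    result = reconcile(ROSTER, TRAINING_EXPORT)
    for key, value in summary(result).items():
        print(f"{key}: {value}")
    print("follow up with managers of:", result.no_evidence)
    print("review vendor accounts for:", result.orphaned)
```

Running this against the constructed data reports 3 of 7 required employees never assigned, 2 of the 4 assigned without a completion, 5 of 7 with no evidence overall, and one orphaned vendor account. Because the vendor resets assignment history each year, the export should be captured and retained after every cycle so the reconciliation can be re-run for each year of an audit period rather than only against the current year's data.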
Auditee’s Response
MWCC has implemented an annual employee check between [the Human Resources Compensation Management System] (state payroll) and Banner to ensure that the employee list matches between the two systems. In addition, MWCC has connected the Active Directory, location of employee accounts, with [the cybersecurity awareness training system]. Thus, [the cybersecurity awareness training system] is updated daily on account status (new accounts, deleted accounts). During the 2024-2025 cyber training, MWCC will reach out to the manager of the employee if training is not completed by the initial deadline. In the new Acceptable Use Policy that is going through governance this year, MWCC will be able to remove network access to a user who does not complete the training. This will be implemented with the next training cycle once the policy is approved with the goal of 2025-2026. In addition, MWCC is implementing steps to ensure a backup file is maintained by the college to the vendor’s system results of the annual cyber training.
Auditor’s Reply
Based on its response, MWCC is taking measures to address our concerns regarding this matter. As part of our post-audit review process, we will follow up on this matter in approximately six months.
Date published: December 27, 2024