Other Matters - BCSO

The Barnstable County Sheriff’s Office needs to improve its internal controls over its information technology systems.

Overview

The Barnstable County Sheriff’s Office (BCSO) has not established adequate internal controls over its information technology (IT) systems: the Offender Management System and the Correctional Electronic Medical Records system. Specifically, BCSO had no written policies and procedures regarding administering critical aspects of these systems, such as the following:

  • IT system access
  • IT system security awareness and training
  • IT system audit and accountability


In addition to lacking the aforementioned policies and procedures, BCSO does not conduct certain critical IT system control activities. Specifically, BCSO does not provide cybersecurity awareness training to its employees who have access to its IT systems. By comparison, the standards established in the National Institute of Standards and Technology’s Special Publication 800-53r5 call for IT system control activities such as regular cybersecurity awareness training for all employees.


In the opinion of the Office of the State Auditor, BCSO should take immediate measures to improve the internal controls over its IT systems. Inadequate or nonexistent controls make the information in BCSO’s IT systems more vulnerable to unauthorized access and use by agency employees and to cyberattacks that could result in financial and/or reputational losses.


Auditee’s Response


Addressing the "Other Matters" section of the Draft Audit Report No. [2022]-1443-3J, it was cited that “The Barnstable County Sheriff’s Office needs to improve its internal controls over its information technology systems.” The draft report stated, "Specifically, BCSO had no written policies and procedures regarding administering critical aspects of these systems, such as the following:

  • IT system access
  • IT system security awareness and training
  • IT system audit and accountability.”

Contrary to the above findings, the BCSO addresses all three of these topics in Policy 201.06 Computer, Mobile, and Electronic Communications and Policy 201.09 Passwords.
Regarding the report of BCSO not conducting certain critical IT system control activities, such as providing cybersecurity awareness training to all of its employees, the BCSO has applied for the Municipal Cybersecurity Awareness Grant Program. The program promotes overall cybersecurity posture through evaluation, end user training, and threat simulation. The Executive Office of Technology Services and Security’s (EOTSS) Office of Municipal and School Technology procures and manages the program. The program includes cyber threat assessment, assignments and testing, as well as simulated phishing emails.


Auditor’s Reply


We commend BCSO for updating Policies 201.06 and 201.09 after our audit period, and for applying for a Municipal Cybersecurity Awareness Grant, to address our concerns in these areas.

Date published: March 16, 2023
