Overview
During our audit of Northern Essex Community College (NECC), we noted that NECC did not require new employees to take initial information security training as part of new hire orientation, nor did it require employees to take refresher training annually thereafter. Instead, information security training at NECC was voluntary.
Section 6.2 of the Executive Office of Technology Services and Security’s “Information Security Risk Management Standard,” effective October 15, 2018, states,
The objective of the Commonwealth information security training is to educate users on their responsibility to help protect the confidentiality, availability and integrity of the Commonwealth’s information assets. Commonwealth Offices and Agencies must ensure that all personnel are trained on all relevant rules and regulations for cybersecurity. . . .
6.2.1.3. The training shall:
6.2.1.3.1 Explain acceptable use of information technology
6.2.1.3.2 Inform personnel about relevant policies and standards
6.2.1.3.3 Detail each individual’s accountability for each of the provisions of all policies and the underlying procedures.
The standard also indicates that personnel should complete information security awareness training when they are initially hired and annually thereafter.
Without educating all its system users on their responsibility of helping protect the security of information assets by requiring training, NECC is exposed to a higher risk of cybersecurity attacks and financial and/or reputation losses. We strongly encourage NECC to require information security training for all new employees and annual refresher training for all employees.
| Date published: | June 30, 2021 |
|---|