Offered by the Office of the State Auditor

Other Matters: Suffolk County Registry of Probate and Family Court Staff Members Do Not Receive Cybersecurity Awareness Training.

The audit calls on SCRPFC to implement protocols to ensure all members of its staff receive cybersecurity training upon hiring and annually thereafter.


Overview

In performing our audit testing, we found that the Suffolk County Registry of Probate and Family Court (SCRPFC) did not conduct, or require any of its staff members to obtain, cybersecurity awareness training. This type of training is required, upon hire and at least annually thereafter, for all employees of Commonwealth executive department agencies under Sections 6.2.3 and 6.2.4 of the Executive Office of Technology Services and Security’s (EOTSS’s) Information Security Risk Management Standard IS.010. Although SCRPFC is not required to comply with EOTSS standards, this type of training is an accepted industry best practice for all organizations.

For example, control AT-2 (Security Awareness Training) of Revision 4 of the National Institute of Standards and Technology[3] Special Publication 800-53 establishes the following best practice:

The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors):

a.   As part of initial training for new users;

b.   When required by information system changes; and

c.    [Organization-defined frequency] thereafter.

In the Office of the State Auditor’s opinion, because SCRPFC does not require its employees, particularly those with access to the Trial Court’s systems, to complete cybersecurity awareness training, there is an increased risk that staff will fall victim to cybersecurity attacks, with resulting financial and/or reputational losses.

We brought this matter to the attention of SCRPFC officials, who told us that on March 3, 2020, SCRPFC conducted a cybersecurity awareness training for its staff. While we believe that action was prudent, we also believe SCRPFC should consider adopting a policy that requires all of its staff members to receive cybersecurity awareness training upon hire and annually thereafter, which would bring it into line with the requirements for executive department agencies.

[3] According to its website, the National Institute of Standards and Technology “is responsible for developing information security standards and guidelines, including minimum requirements for federal information systems.”

Date published: December 31, 2020
