Quinsigamond Community College - Finding 1

Quinsigamond Community College Did Not Ensure That All Employees Completed Cybersecurity Awareness Training Both When Hired and Annually Thereafter.

Overview

Quinsigamond Community College (QCC) did not require its employees to complete cybersecurity awareness training before February 16, 2023, although the Executive Office of Technology Services and Security (EOTSS) has required it of executive branch agencies since 2018 and we consider it a best practice for QCC. On February 16, 2023, QCC set a March 10, 2023 deadline for all of its 1,258 employees to complete cybersecurity awareness training. We determined that 553 employees (44%) had not completed the training by the March 10, 2023 deadline and that 138 employees (11%) completed it late. In addition, QCC did not require the 37 employees hired between March 10, 2023 and June 30, 2023 to complete the cybersecurity awareness training within 30 days of hire.

Without educating all employees on their responsibility of protecting the security of information assets, QCC may be exposed to a higher risk of cybersecurity attacks and financial and/or reputational losses.

Authoritative Guidance

Section 6.2 of EOTSS’s Information Security Risk Management Standard IS.010, effective October 15, 2018, stated,

6.2.3   The New Hire Security Awareness course must be completed within 30 days of new hire orientation. . . .

6.2.4   Annual Security Awareness Training: All personnel are required to complete Annual Security Awareness Training.

Reasons for Issue

QCC stated that it did not require cybersecurity awareness training for all employees. In addition, no training was completed during one year of the audit period (2021). Also, while transitioning to its current training system, QCC was unable to fully implement it in time for employees to complete their cybersecurity awareness training in 2022.

Recommendations

  1. QCC should ensure that all employees complete annual cybersecurity awareness training and that all newly hired employees complete the initial training within the first 30 days of orientation.
  2. QCC should design and implement a monitoring control to track the completion of cybersecurity awareness training.
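As an added illustration of the monitoring control in recommendation 2 (example code written for this page, not QCC's or OSA's own tooling), the following Python script applies the two rules quoted from IS.010, an annual completion deadline and completion within 30 days of hire, to an HR roster and a training-completion export and classifies each employee as on time, late, missing, or not yet due. The roster, the completion records, the dates, and the rule that an employee's due date is the later of the annual deadline and hire date plus 30 days are all constructed assumptions; a real control would read the roster and completion export from HR and the training platform and run on a schedule.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# IS.010 section 6.2.3: new hires complete the course within 30 days of orientation.
NEW_HIRE_WINDOW_DAYS = 30


@dataclass(frozen=True)
class Employee:
    emp_id: str
    hire_date: date


@dataclass(frozen=True)
class Completion:
    emp_id: str
    completed_on: date


def due_date(emp: Employee, annual_deadline: date) -> date:
    """Assumed policy: the later of the annual deadline and hire date + 30 days,
    so a late-cycle hire is not penalised for a deadline that fell before the
    30-day window closed."""
    return max(annual_deadline, emp.hire_date + timedelta(days=NEW_HIRE_WINDOW_DAYS))


def latest_completion(completions, emp_id: str, window_start: date):
    """Most recent completion for emp_id dated on or after window_start.
    Completions from an earlier training cycle are deliberately ignored."""
    dates = [c.completed_on for c in completions
             if c.emp_id == emp_id and c.completed_on >= window_start]
    return max(dates) if dates else None


def training_status(roster, completions, annual_deadline: date,
                    cycle_start: date, as_of: date) -> dict:
    """Map emp_id -> 'on_time' | 'late' | 'missing' | 'pending'.

    'pending' means no completion yet but the due date has not passed as of as_of.
    """
    status = {}
    for emp in roster:
        due = due_date(emp, annual_deadline)
        # Only count completions from this cycle and after the person was hired.
        done = latest_completion(completions, emp.emp_id, max(cycle_start, emp.hire_date))
        if done is None:
            status[emp.emp_id] = "missing" if as_of > due else "pending"
        elif done <= due:
            status[emp.emp_id] = "on_time"
        else:
            status[emp.emp_id] = "late"
    return status


def summarize(status: dict) -> dict:
    """Counts per status, the figures an auditor would ask for."""
    counts = {}
    for s in status.values():
        counts[s] = counts.get(s, 0) + 1
    return counts


def noncompliant(status: dict) -> list:
    """Employees who should be chased (or whose accounts should be restricted)."""
    return sorted(e for e, s in status.items() if s in ("late", "missing"))


# Constructed sample data (not real QCC records).
ROSTER = [
    Employee("E001", date(2015, 9, 1)),   # long-tenured, completed before the deadline
    Employee("E002", date(2018, 1, 15)),  # completed after the deadline
    Employee("E003", date(2020, 5, 1)),   # only a prior-cycle completion on record
    Employee("E004", date(2023, 4, 3)),   # new hire, completed inside 30 days
    Employee("E005", date(2023, 4, 17)),  # new hire, 30-day window passed, nothing done
    Employee("E006", date(2023, 6, 19)),  # new hire, window still open at as_of
    Employee("E007", date(2023, 5, 1)),   # new hire, completed after the 30-day window
]
COMPLETIONS = [
    Completion("E001", date(2023, 3, 1)),
    Completion("E002", date(2023, 3, 20)),
    Completion("E003", date(2022, 11, 1)),  # previous cycle; must not count
    Completion("E004", date(2023, 4, 20)),
    Completion("E007", date(2023, 6, 15)),
]
ANNUAL_DEADLINE = date(2023, 3, 10)  # the deadline cited in the finding
CYCLE_START = date(2023, 1, 1)       # assumed start of the 2023 training cycle
AS_OF = date(2023, 6, 30)            # assumed report date (end of the audit period)


def run_report() -> dict:
    return training_status(ROSTER, COMPLETIONS, ANNUAL_DEADLINE, CYCLE_START, AS_OF)


if __name__ == "__main__":
    st = run_report()
    print(summarize(st))
    print("follow up:", noncompliant(st))
```

The cycle-start filter is the part most often missed in homegrown trackers: without it, E003's 2022 completion would satisfy the 2023 requirement and the annual rule would never be enforced.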

Auditee’s Response

QCC is dedicated to educating its users about the cybersecurity risks that affect us all. During the audit period the College was challenged by the COVID-19 pandemic and its after-effect. As the College and society move toward normal operations, the College is committed to ensuring that all employees, including newly hired employees, undertake cybersecurity training and the College monitors confirmation of employee training.

At this juncture, QCC must note that [the Office of the State Auditor’s (OSA’s)] audit request to the College was part of OSA’s multi-entity audit to review cybersecurity training and other issues involving employees of the College, including information considered Personally Identifiable Information (“PII”) for the audit period of March 1, 2020 through June 30, 2023. The College disputes OSA’s premise that the College is an Executive Branch Agency, is required to follow Executive Branch requirements, is overseen by the Executive Office of Education, and is subject to cybersecurity training standards, Information Security Risk Management Standard, and other standards, policies, orders, and rules promulgated by the Executive Office of Technology Services and Security (EOTSS). The College was established under the authority of [Chapter 15A of the Massachusetts General Laws] and is governed by an independent board of trustees; it is not subject to certain rules of the Executive Branch of the Commonwealth of Massachusetts, including cybersecurity and other rules promulgated by the Executive Office of Technology Services and Security (EOTSS). Nonetheless, the College cooperated with OSA’s inquiries regarding sensitive information.

In 2022, state community colleges and universities collaborated with Berry Dunn to survey and evaluate their security postures. These institutions are utilizing CIS (Critical Security Controls) version 8, which provides guidance on establishing and maintaining a security awareness training program. Additionally, our Cybersecurity insurance requires awareness training for all our users. QCC is committed to adhering to this guidance in alignment with our peer institutions as well as for compliance.

Starting in 2023, the Information Technology department implemented several changes to improve our cybersecurity training completion rates. They adopted the KnowBe4 training software, which offers a better platform for managing and tracking training. In collaboration with QCC Human Resources, they streamlined active employee information and enhanced the onboarding process for new employees. Most importantly, [the Information Technology Department] established clear guidelines for training expectations, making it mandatory for all QCC email account holders. Accounts were disabled if the training was not completed by the deadline. These efforts resulted in a 96% completion rate in 2023.

In 2024, the team further improved the process through better communication and increased involvement from managers to ensure employees completed the training on time. We are now approaching a 100% completion rate for existing employees and all new employees. QCC will continue to assess processes and look for improvements as needed.

Auditor’s Reply

QCC states in its reply that “the College disputes [the Office of the State Auditor’s] premise that the College is an Executive Branch Agency, is required to follow Executive Branch requirements.” To be clear, we are aware that QCC is not an executive branch state agency, and accordingly, we stated in the “Overview of Audited Entity” section of this audit report that, while QCC is not required to follow this standard because it is a non-executive branch state agency, we consider it a best practice. QCC also states in its reply that it used “CIS (Critical Security Controls) version 8, which provides guidance on establishing and maintaining a security awareness training program”; however, this is the first time QCC has disclosed this to us. Therefore, we did not consider it as part of our audit.

Based on its response, QCC is taking measures to address our concerns regarding this matter. As part of our post-audit review process, we will follow up on this matter in approximately six months.

Date published: April 4, 2025
