Offered by: Office of the State Auditor

SOC Did Not Ensure That Elections Division Employees, Who Were Responsible for the Management of Coronavirus Aid, Relief, and Economic Security Act Funds, Completed Annual Cybersecurity Awareness Training.

If SOC does not always ensure that its employees complete cybersecurity awareness training, SOC is exposed to a higher risk of cyberattacks and financial losses.


Overview

SOC did not ensure that Elections Division employees, who were responsible for the management of Coronavirus Aid, Relief, and Economic Security (CARES) Act funds, completed the required annual cybersecurity awareness training.

Based on our audit testing, we determined that 10 of the 14 individuals identified as being responsible for the management of CARES Act funds did not complete the required annual cybersecurity awareness training in the 2020 calendar year. These 10 individuals were all Elections Division employees.

If SOC does not always ensure that its employees complete cybersecurity awareness training, SOC is exposed to a higher risk of cyberattacks and financial losses.

Authoritative Guidance

Section 6.2.4 of the Executive Office of Technology Services and Security’s (EOTSS’s) Information Security Risk Management Standard IS.010 states, “All personnel will be required to complete Annual Security Awareness Training.”

Section 3.1 of EOTSS’s Acceptable Use of Information Technology Policy IS.002 requires SOC to comply with its security standards because SOC uses services provided by EOTSS.

Reasons for Noncompliance

SOC does not have internal controls in place to ensure that all employees complete cybersecurity awareness training annually. Additionally, SOC officials told us that the agency did not provide cybersecurity awareness training to all employees in the Elections Division during 2020 because of the COVID-19 pandemic and because these employees were busy during the 2020 election season.

Recommendations

  1. SOC should ensure that cybersecurity awareness training is provided annually for all employees, including Elections Division employees.
  2. SOC should implement internal controls to ensure that all employees complete the required cybersecurity awareness training annually.

Auditee’s Response

The [draft audit report] found that 10 out of 14 SOC employees who were responsible for the management of CARES funds had not completed cybersecurity training. First, we’d like to dispute the methodology used to determine the number of employees who managed CARES funds. The [draft audit report] states that 10 employees of the Elections Division were responsible for management of CARES funds, which is not accurate. Any federal spending, whether for CARES funding or other federal grants received by the Elections Division, must be approved by the Director and has been recognized by the awarding agency, the Election Assistance Commission, as appropriate.

We acknowledge that not all employees completed cybersecurity training in 2020. While many state offices shifted to an entirely remote workforce, the Elections Division and most of the other departments within the SOC remained working fully in person in their normal place of business and following strict COVID-19 protocols. During the state of emergency, Elections Division employees needed to be physically present to accept nomination papers and perform other functions as required by state law necessary for the orderly administration of the 2020 state primaries and election as well as support the local election officials for their municipal elections. As a result, the Elections Division successfully administered the 2020 state primaries and election, which saw the highest voter turnout in Massachusetts history, and without any cyber incidents.

The SOC has implemented mandatory, robust cybersecurity training for all staff, including the Elections Division. All employees in the Elections Division have completed annual cybersecurity training and have successfully responded to orchestrated phishing tests randomly administered throughout the past year. . . .

[The First Deputy Secretary Director/Legal Counsel of the Elections Division] is the Elections Division employee who is responsible for the approval of expenditures of any federal grant funds relating to elections. We acknowledge that she did not complete the required SOC-issued cybersecurity training in 2020, but she has since completed SOC cybersecurity training annually as well as federal cybersecurity training through the Department of Homeland Security.

Auditor’s Reply

As noted in this audit report, during the audit we found that not all Elections Division employees completed the required annual cybersecurity awareness training. During the audit, we asked SOC officials for a list of employees responsible for CARES Act funds, and SOC provided us with a list that included the 10 Elections Division employees. We understood that the Elections Division received CARES Act funds during our audit period and used this list for our audit testing. This list included the First Deputy Secretary Director/Legal Counsel of the Elections Division, whom SOC cites in its response as an employee responsible for the management of CARES Act funds. None of the 10 Elections Division employees received cybersecurity awareness training during 2020, including the First Deputy Secretary Director/Legal Counsel. Therefore, we believe that our finding that not all Elections Division employees received the required annual cybersecurity awareness training during the audit period is accurate.

Based on its response, it appears that SOC has taken measures to address this issue.

Date published: January 13, 2023
