Southfield Redevelopment Authority - Finding 4

The Southfield Redevelopment Authority Does Not Have a Documented Information Technology Policies and Procedures Manual and Did Not Provide Cybersecurity Awareness Training to Its Employees.

Overview

During our assessment of SRA’s computer information system network, we found that SRA does not have a documented information technology policies and procedures manual that dictates access control, security awareness and training, audit and accountability, identification and authentication, and employee security. Further, SRA did not provide its employees any cybersecurity awareness training.

If SRA does not educate all employees on their responsibility to protect its information assets by creating an information technology policies and procedures manual or providing cybersecurity awareness training to all its employees, then SRA may be exposed to a higher-than-acceptable risk of cyberattacks, resulting in potential financial and/or reputational losses.

Authoritative Guidance

Sections AC-1, AT-1, AU-1, IA-1, PS-1, and AT-3 of the National Institute of Standards and Technology’s Security and Privacy Controls for Information Systems and Organizations state that organizations should develop policies on access control, audit and accountability, identification and authentication, and employee security, and should provide cybersecurity awareness training to employees.

While SRA is not required to follow these guidelines, we consider them to be a best practice.

Reasons for Issue

SRA management stated that the BOD was unaware that an information technology policies and procedures manual or cybersecurity awareness training were required for a small organization.

Recommendations

  1. SRA should develop, disseminate, and periodically review and update a documented information technology policies and procedures manual. The manual should address the purpose, scope, roles, responsibilities, management commitment, and coordination among employees. The manual should also contain an access control policy, a cybersecurity awareness and training policy, an audit and accountability policy, an identification and authentication policy, and an employee security policy.
  2. SRA should ensure that it provides annual cybersecurity awareness training to all employees who have access to its computer network system.

Auditee’s Response

The Authority agrees with the recommendations and will work to implement them in coordination with our [information technology] consultant. Both staff members completed Cybersecurity Awareness Training in April of 2024, and have marked their calendars for the first Monday in April to continue the training.

Auditor’s Reply

SRA states that it agrees with our recommendations and is taking action to implement them.

Date published: December 20, 2024
