Offered by: Office of the State Auditor

The Aeronautics Division Did Not Ensure That Staff Members Signed Its Acceptable Use Policy and Completed Cybersecurity Awareness Training.

Overview

The Aeronautics Division did not ensure that staff members signed the “Acceptable Use of Information Technology (IT) Resources” policy and completed cybersecurity awareness training. We requested all signed acceptable use policies for division staff members who were employed during the audit period. Division management could not produce any signed acceptable use policies for the staff members.

Also, the Aeronautics Division did not ensure that all its personnel completed security awareness training. We requested a list of all division staff members from the audit period, along with their cybersecurity awareness training certificates. We compared the certificates to the personnel list and found that 19 of 36 employees had not completed new hire or annual refresher cybersecurity awareness training.

Without educating all system users on their responsibility of protecting the security of information assets, the Aeronautics Division is exposed to a higher risk of viruses and malware, losses of sensitive data, unauthorized use of data, and financial and/or reputation losses.

Authoritative Guidance

MassDOT’s “Acceptable Use of Information Technology (IT) Resources” policy states,

This policy sets forth the rules and requirements for authorized access to and acceptable use of information technology (IT) resources for the Massachusetts Department of Transportation (“MassDOT”). It is intended to protect MassDOT IT systems and networks, and information created, stored, or transmitted thereon, from harm without inhibiting the ability of users to perform their day-to-day job functions. . . .

This policy applies to all users who employ MassDOT IT resources to perform work or conduct official business on behalf of MassDOT or for other acceptable uses. . . .

Users must read, sign, and abide by [this policy].

The Aeronautics Division follows EOTSS’s Information Security Risk Management Standard IS.010 for its information security training and awareness. Section 6.2 of the standard states,

The objective of the Commonwealth information security training is to educate users on their responsibility to help protect the confidentiality, availability and integrity of the Commonwealth’s information assets. Commonwealth Offices and Agencies must ensure that all personnel are trained on all relevant rules and regulations for cybersecurity.

6.2.3 New Hire Security Awareness Training: All new personnel must complete an Initial Security Awareness Training course. . . . The New Hire Security Awareness course must be completed within 30 days of new hire orientation.

6.2.4 Annual Security Awareness Training: All personnel will be required to complete Annual Security Awareness Training.

Reasons for Noncompliance

The Aeronautics Division does not have a process in place to ensure that all personnel read and sign the required “Acceptable Use of Information Technology (IT) Resources” policy during onboarding.

In addition, there is no process to ensure that all new employees complete cybersecurity awareness training within 30 days of their hire dates or that other employees complete annual refresher training.

Recommendations

  1. The Aeronautics Division should implement a policy requiring personnel to complete new hire and annual cybersecurity awareness training.
  2. The Aeronautics Division should maintain a record of completion of cybersecurity awareness training for each employee.
  3. The Aeronautics Division should require all personnel to sign the “Acceptable Use of Information Technology (IT) Resources” policy.

Auditee’s Response

MassDOT will update the “Acceptable Use of Information Technology (IT) Resources” policy to include mandatory security awareness training at the time of onboarding and annually thereafter.

The onboarding process for personnel has been corrected to include Aeronautics contractors for the following mandatory actions:

  1. Attestation of compliance with the “Acceptable Use of Information Technology (IT) Resources” policy.
  2. Completion of the current security awareness training curriculum relevant to the person’s role. . . .

MassDOT will report on the completion of annual training after the next annual training campaign has completed.

Auditor’s Reply

Based on its response, the Aeronautics Division has taken measures to address our concerns on this matter.

Date published: June 30, 2022
