Office of the State Auditor

The Attorney General’s Office Did Not Offer Cybersecurity Awareness Training During a Portion of the Audit Period.

AGO employees hired after September 28, 2018 did not receive any training until June 30, 2020, when the agency implemented a new cybersecurity training system.

Overview

The Attorney General’s Office (AGO) only offered its SysAdmin, Audit, Network, and Security (SANS) cybersecurity awareness training to current and new employees through September 28, 2018. Any employees hired after that date were not offered, or required to take, cybersecurity awareness training until June 30, 2020, when AGO finalized the implementation of its KnowBe4 training. Employees who received training in 2018 did not receive refresher training until they were required to take the new KnowBe4 training. Additionally, AGO management did not require users who were not compensated through the Human Resources Compensation Management System (HR/CMS), such as student interns, to take the SANS training. Lack of training for new employees and lack of refresher training for existing employees create a greater risk that employees and the agency may be vulnerable to a cyberattack.

Authoritative Guidance

Section 6.2 of the Executive Office of Technology Services and Security’s (EOTSS’s) Information Security Risk Management Standard IS.010, effective October 15, 2018, requires the following:

6.2.3 New Hire Security Awareness Training: All new personnel must complete an Initial Security Awareness Training course. . . .

6.2.4 Annual Security Awareness Training: All personnel will be required to complete Annual Security Awareness Training.

Reasons for Issue

AGO management told us in an email,

As we’ve previously discussed, unlike our current protocol, the SANS training was available on a one-time basis and therefore did not capture everyone who worked at the Office during the audit period. This was a function of the tools then available, cost considerations, and adherence to EOTSS procedures at the time.

Consequently, the transition from SANS to KnowBe4 resulted in a period when there was no cybersecurity awareness training in place at AGO.

Recommendations

  1. AGO should ensure that initial cybersecurity awareness training for new hires and annual training thereafter for existing employees are always available.
  2. If a new vendor or training program is selected, an interim training plan should always be in place to ensure continuity in cybersecurity awareness training during the transition to the new vendor or program.

Auditee’s Response

In addition to specific comments about the audit finding, AGO also provided the following general comments:

In addition to keeping our large staff productive through provision and constant support of IT resources, the [IT] team continuously monitors cybersecurity risks and implements state-of-the-art defense mechanisms, both technological and behavioral. They do all of this seamlessly while laboring under the tight budgetary restrictions of the AGO’s annual appropriation. The IT team’s philosophy with respect to system vulnerabilities is proactive, not reactive, as evidenced by the sophisticated and multi-layered approach toward technological risk management that they promote.

Among the numerous security precautions the AGO’s IT team has adopted in accordance with [National Institute of Standards and Technology] guidelines are:

  • robust endpoint security features, including up-to-date anti-virus software; firewall protection; next-generation cloud-native [artificial intelligence]–driven endpoint protection; and full disk encryption
  • routine and urgent patch management, implemented remotely
  • firewall redundancy
  • industry-leading intrusion prevention software
  • multiple approaches to web filtering, including daily updates of known security risks
  • continuous network monitoring
  • [uniform resource locator, or URL] defense software
  • outside email warning flags (implemented by the Commonwealth’s Executive Office of Technology Services and Security [EOTSS])
  • standardized image on all AGO-issued devices, standard user accounts, and locked administrator privileges to prevent unauthorized software installations
  • restriction of personal devices to secure remote work
  • multi-factor authentication requirements and [virtual private network] for remote work
  • a multi-pronged cybersecurity awareness and training (CSAT) program, enforced through mandatory office policy, which includes
      • required annual training for all holders of AGO information system user accounts
      • required training for all new account holders as they on-board
      • optional monthly training for all users
      • phishing tests several times a year
      • a phish alert button to report suspected phishing emails to IT
      • additional mandatory training for all who click a phishing test link

Implementation of these and other security tools is sponsored and supported by AGO leadership at the highest levels. Coupled with the constant focus of our IT team on system security, these strategies have protected the integrity of the AGO’s network, which has never experienced a breach. We are proud of our record and committed to continuing to ensure strong security protection for the AGO’s information system.

Regarding the audit finding, AGO stated,

The AGO implemented two [Cybersecurity Awareness and Training, or CSAT] campaigns during the audit period and one since, which is ongoing. These three campaigns are described below.

SANS July–September 2018

The AGO selected SANS as its CSAT provider in 2018. . . . At the time, EOTSS had chosen SANS, a reputable leader in CSAT, as a vendor and was offering discounted pricing, so the AGO purchased the program for all employees through a chargeback mechanism. Based on comparative risk analysis and pecuniary considerations, the AGO made the determination to require the training of all employees compensated through the HR/CMS system, but not temporary staff, interns, co-op students, or volunteers, whose access to sensitive data is more limited. Unlike the AGO’s current CSAT protocol, discussed below, the SANS training was available on a one-time basis and not offered to everyone who worked at the AGO during the audit period. The structure of the campaign was a function of the tools then available, cost considerations, and adherence to contemporary EOTSS protocols.

The AGO’s IT team ran the SANS CSAT campaign from July to September 2018 and achieved greater than 95% compliance from 573 enrolled users. The First Assistant Attorney General, the General Counsel, and the [chief information officer] acted as executive-level sponsors and promoters. The SANS tool tracked user completion, allowing for follow-up with users who did not timely complete the training module.

KnowBe4 June 2020

By late 2019, CSAT had jumped in popularity and more varied program options were becoming available. At that time, AGO IT staff started evaluating KnowBe4, an industry leader, to provide a comprehensive ongoing CSAT program. . . . The AGO ultimately selected KnowBe4 and subsequently learned that EOTSS had done so as well. After exploring the possibility of securing a volume pricing discount by licensing the KnowBe4 program through EOTSS, the AGO decided to contract with KnowBe4 directly to enable us to tailor administration of the program to our needs by controlling such factors as the frequency and content of phishing tests. The AGO’s KnowBe4 purchase and implementation was delayed for several months due to the unprecedented and rapid shift to remote work in the first quarter of 2020 necessitated by Covid-19.

The AGO ran the KnowBe4 campaign for three weeks in June 2020 and required its completion by 632 holders of AGO information system user accounts. Compliance was secured by 99.8% of the enrolled users (631 out of 632). Following completion of the mandatory training program in June, the AGO continued providing KnowBe4 CSAT modules throughout the year, including multiple phishing tests, required additional training for those who failed the phishing test, supplemental dramatized content sent monthly, and regular emails cautioning users against particular cybersecurity vulnerabilities.

KnowBe4 June 2021

On June 1, 2021, the AGO commenced a new required CSAT program, with expanded content from the 2020 program. The campaign was sent to 625 current employees and is delivered to all new employees on an ongoing basis. All new users are assigned the KnowBe4 CSAT on their first day of employment and are required to complete it within one week. As of the date of this letter, we have secured a 100% compliance level. As in 2020, we are supplementing this required training regularly by pushing out additional content, conducting periodic phishing tests, and required remedial training for those who fail those tests. Consequently, the AGO has satisfied the . . . recommendations . . . of the Draft Audit Report.

As outlined herein, the AGO is, and has been, diligent, proactive, and resourceful in its implementation of CSAT and attention to matters of cybersecurity.

Auditor’s Reply

Based on its response and the information provided to the Office of the State Auditor during the audit regarding AGO’s new cybersecurity awareness training policy, AGO has taken measures to address our concerns on this matter.

Date published: October 29, 2021
