Offered by the Office of the State Auditor

The Cannabis Control Commission Did Not Provide Cybersecurity Awareness Training to Its Employees.

A lack of cybersecurity training may lead to user error or compromise the integrity and security of protected information in CCC’s information technology systems.

Overview

CCC employees did not receive cybersecurity awareness training during CCC’s first 15 months of operation. CCC was established in December 2018, and CCC’s cybersecurity awareness training was implemented in March 2020. A lack of such training may lead to user error or compromise the integrity and security of protected information in CCC’s information technology systems.

Authoritative Guidance

The Executive Office of Technology Services and Security’s Information Security Risk Management Standard IS.010, effective October 15, 2018, requires the following:

6.2.3     New Hire Security Awareness Training: All new personnel must complete an Initial Security Awareness Training Course. . . .

6.2.4     Annual Security Awareness Training: All personnel will be required to complete Annual Security Awareness Training.

Section 6 of state Executive Order 504, which was effective January 1, 2009 through October 25, 2019, states,

All agency heads, managers, supervisors, and employees (including contract employees) shall attend mandatory information security training within one year of the effective date of this Order. For future employees, such training shall be part of the standardized orientation provided at the time they commence work. Such training shall include, without limitation, guidance to employees regarding how to identify, maintain and safeguard records and data that contain personal information.

Reasons for Noncompliance

CCC management stated that at the time they began operations, they prioritized the completion of CCC’s information technology systems and the development of related policies and procedures over procuring a cybersecurity awareness training program and conducting training.

Recommendation

CCC should ensure that all new employees receive initial cybersecurity awareness training and that all employees complete annual cybersecurity awareness training thereafter.

Auditee’s Response

The Commission acknowledges this finding. The Commission implemented cybersecurity training for all employees in February 2020. All new staff members, including Commissioners, are now required to complete initial training within 30 days of their first day of work. The Commission has quarterly cybersecurity training and random testing through the KnowBe4 cybersecurity training platform.

Auditor’s Reply

Based on its response, CCC has taken measures to address our concerns in this area.

Date published: September 26, 2023