This page, The Committee for Public Counsel Services Did Not Ensure That Interns Receive Cybersecurity Awareness Training, is offered by the Office of the State Auditor.

The Committee for Public Counsel Services Did Not Ensure That Interns Receive Cybersecurity Awareness Training.

Overview

The Committee for Public Counsel Services (CPCS) employed 24 interns during the audit period, of whom 20 did not receive cybersecurity awareness training.

Without requiring training that educates interns on their responsibility to protect CPCS’s information, CPCS is exposed to a higher risk of cybersecurity attacks and financial and/or reputational losses.

Authoritative Guidance

Section 6.2.3 of the Executive Office of Technology Services and Security’s (EOTSS’s) Information Security Risk Management Standard IS.010 states, “All new personnel must complete an Initial Security Awareness Training course. . . . The New Hire Security Awareness course must be completed within 30 days of new hire orientation.”

Reasons for Issue

CPCS management stated that interns were not required to attend orientation, which included cybersecurity awareness training. In addition, after implementing the cybersecurity awareness training video requirement for interns in May 2021, CPCS did not have a system in place to document the receipt of emails from interns who watched the video.

Recommendations

  1. CPCS should require that interns receive cybersecurity awareness training.
  2. CPCS should have a system to document the receipt of emails from interns who watch the cybersecurity awareness training video.

Auditee’s Response

CPCS augmented its prior policies and procedures to ensure that all interns receive cybersecurity awareness training, as it does for all agency employees. CPCS completed both development and implementation of a new electronic platform to ensure all interns receive cybersecurity awareness training during onboarding or within 30 days of hire. The electronic platform creates and maintains a record that cybersecurity training was completed by all interns. CPCS management believes that all users of its systems, including all short-term summer interns, must be educated concerning the dangers posed by cybersecurity threats as well as the acceptable use and safeguarding of the agency’s electronic resources.

Auditor’s Reply

Based on its response, CPCS has taken measures to address our concerns in this area.

Date published: June 9, 2023
