Overview
Five of the 10 Department of Higher Education (DHE) employees who were responsible for managing and administering Governor’s Emergency Education Relief funding did not complete annual cybersecurity awareness training. A lack of such training may lead to user error and compromise the integrity and security of protected information in DHE’s information technology systems.
Authoritative Guidance
Section 6.2.4 of the Executive Office of Technology Services and Security’s Information Security Risk Management Standard IS.010 states, “All personnel will be required to complete Annual Security Awareness Training.”
Reasons for Issue
DHE does not have internal controls to ensure that all employees complete required annual training. It also does not have a department or individual designated to oversee the assignment and completion of required training. DHE relies solely on the support of the Human Resources Department of the state Executive Office of Education to notify employees of required training via email.
Recommendations
- DHE should develop internal controls to ensure that all employees complete the required training annually.
- DHE should designate a department or individual to be responsible for overseeing the assignment and completion of required training.
Auditee’s Response
The DHE acknowledges the . . . finding that five of the ten employees did not timely complete their annual cybersecurity training during the audit period of March 27, 2020 to February 28, 2021.
The Department agrees with the auditor’s note that the Department relies solely on the support of Executive Office of Education’s (EOE) Human Resource Department to notify employees of required training, and would like to remind the [Office of the State Auditor] that in 2015, HR functions across the Executive Branch agencies were consolidated at the Secretariat level. Rather than a Director for Human Resources within the DHE, each Secretariat has [a Human Resources Department] and agencies are assigned Business Partners. The fact that the function is removed and not directly managed by the DHE, coupled with lack of adequate administrative resources, has made it challenging to thoroughly assess the timely completion of required trainings. The DHE has had an agency-wide decrease in full-time-equivalent positions, from 65 in fiscal year 2015 to 55 at the end of fiscal year 2017. Further exacerbating this challenge was the transition to remote work during the period of the audit at the height of the COVID-19 global pandemic.
The Department appreciates the auditor’s finding and affirms its commitment to working closely with EOE to help ensure that all staff are adequately and timely trained. To that end, the DHE has designated an Agency Learning Administrator, which is a security role that gives the person the ability to run analytic reports across the Department, to build and assign a learning curriculum and assign it to all employees in the agency, and to view individual employee transcripts, among other functions. The Agency Learning Administrator is not a new position but is managed within the Department’s [full time equivalent employee] cap and current resources. MassAchieve is the new learning system for Executive Department employees and was launched after the audit period in August 2021.
The Department notes that several of the employees identified for the . . . audit have completed their cybersecurity training for this year, and the Department is committed to ensuring it is in full compliance and will work with EOE to ensure all employees’ trainings are complete within the appropriate training cycle.
Auditor’s Reply
Based on its response, it appears that DHE is taking the recommended actions to correct the deficiencies noted during the audit and prevent their recurrence.
Date published: June 27, 2022