The Division of Banks Did Not Ensure That All of Its Employees Promptly Completed Cybersecurity Awareness Training.

Lack of cybersecurity training puts DOB's protected information and technology systems at risk.

Overview

The Division of Banks (DOB) did not ensure that all new employees received cybersecurity awareness training when they began working at DOB or that all current employees received annual cybersecurity awareness training in a timely manner. Specifically, of the 196 DOB employees who were active users of the Regulatory Management System and Non-Depository Regulatory System during our audit period, 3 received their annual cybersecurity awareness training 18 to 39 days late, and 7 newly hired employees did not receive cybersecurity awareness training until 39 to 235 days after they began work.

Untimely cybersecurity awareness training may lead to user error and compromise the integrity and security of protected information in DOB’s information technology systems.

Authoritative Guidance

Section 5.1.1 of the Executive Office of Technology Services and Security’s (EOTSS’s) Acceptable Use of Information Technology Policy IS.002, which was in effect January 10, 2017, states, “All new hires must complete security awareness training within the established new hire training timeline and regularly thereafter.”

Section 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010, which went into effect October 15, 2018, states, “All personnel will be required to complete Annual Security Awareness Training.”

Section 6 of state Executive Order 504, which was in effect from January 1, 2009 through October 25, 2019, states,

All agency heads, managers, supervisors, and employees (including contract employees) shall attend mandatory information security training within one year of the effective date of this Order. For future employees, such training shall be part of the standardized orientation provided at the time they commence work. Such training shall include, without limitation, guidance to employees regarding how to identify, maintain and safeguard records and data that contain personal information.

Reason for Issue

DOB does not have policies and procedures that require all current employees to receive annual cybersecurity awareness training. It also does not have policies and procedures that require newly hired employees to receive cybersecurity awareness training during orientation or within a prescribed timeline before they have access to DOB’s systems.

Recommendations

  1. DOB should develop and implement policies and procedures, in accordance with EOTSS policies, that require all current employees to receive annual cybersecurity awareness training.
  2. DOB should develop and implement policies and procedures, in accordance with EOTSS policies, that require newly hired employees to receive cybersecurity awareness training during orientation or within a prescribed timeline before they have access to DOB’s systems.

Auditee’s Response

The DOB reviewed the recommendations, and we are developing and implementing policies and procedures in accordance with EOTSS policies to ensure employees receive the training in a timely manner. Additionally, the DOB will engage with [the Executive Office of Housing and Economic Development’s Information Technology Department] and human resources to ensure newly hired employees receive cybersecurity awareness training during orientation or within a prescribed timeline before they have access to DOB’s systems. Our agency recognizes the critical role of cybersecurity training and preparedness in all organizations, and we will ensure our policies and procedures align with the EOTSS policies.

Auditor’s Reply

Based on its response, DOB is taking steps to address these issues.

Date published: November 18, 2021
