Of the 1,101 information system users listed in the Human Resources Compensation Management System as employed by agencies within the Executive Office of Housing and Economic Development (EOHED) during our audit period, at least 45 did not complete the required cybersecurity awareness training. The 45 included new hires and existing users. Additionally, three interns who worked for EOHED’s Massachusetts Marketing Partnership agency (MMP) were information system users during the audit period but may not have completed this training; MMP did not maintain cybersecurity awareness training documentation for these interns. By not ensuring that all users completed the required training, EOHED exposed itself to an increased risk of cybersecurity attacks and financial and/or reputational losses.
Section AT-2 of Revision 4 of the National Institute of Standards and Technology Special Publication 800-53 establishes the following best practices:
The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors):
a. As part of initial training for new users;
b. When required by information system changes; and
c. [Annually] thereafter.
Additionally, Section 6.2 of the Executive Office of Technology Services and Security (EOTSS) Information Security Standard IS.010, “Information Security Risk Management,” effective October 15, 2018, requires the following:
6.2.3 New Hire Security Awareness Training: All new personnel must complete an Initial Security Awareness Training course. . . .
6.2.4 Annual Security Awareness Training: All personnel will be required to complete Annual Security Awareness Training.
Additionally, Section E04-09, “Intern and Volunteer Records,” of the Massachusetts Statewide Records Retention Schedule 06-18 establishes the following requirement:
Retain 6 years after separation.
Documents individual volunteer and intern involvement with agency. Includes resumes, applications, agreements, work plans, and related correspondence.
Reasons for Noncompliance
EOHED officials stated that they believed the three MMP interns might have completed the required cybersecurity awareness training, but that because of miscommunication among MMP and EOHED human resources personnel, any such training was not documented. In addition, although EOHED agencies conducted some periodic reviews of training records, the reviews were not consistently performed by each agency; therefore, this monitoring control was ineffective at ensuring compliance with the training requirements.
Recommendation
EOHED should establish effective monitoring controls over its cybersecurity awareness training to ensure that all information system users complete it in accordance with EOTSS standards and that EOHED maintains documentation of the completion of this training.
Auditee’s Response
Agency records provided to your staff do show that a relatively small number of employees and volunteer board members did not complete a cybersecurity training during the audit period. We would like to note that 13 of the 45 persons identified by your staff as not having completed a cybersecurity training were volunteer board members who do not have (and never had) access to the EOHED network.
As of May 2018, EOHED and all agencies within the executive office have been utilizing updated, standardized cybersecurity training materials developed by the Executive Office of Technology Services and Security (EOTSS). This training program is administered by the Commonwealth Human Resources Department, and is provided to new employees through the statewide Performance and Career Enhancement (PACE) Learning Management System. The training program is required for all new employees, and must be completed within 30 days of the employee’s start date. In addition, all existing employees were required to complete a cybersecurity training program developed by EOTSS and provided through a third-party vendor. It is our expectation that EOTSS will make additional training sessions available in the future. We currently are working with EOTSS and [the state’s Human Resources Division, or HRD] to establish a tracking system so that EOHED can confirm whether and when employees within the executive office have completed cybersecurity training.
Although not technically within the scope of the audit or related to the audit finding, I would like to note that EOHED agencies do not rely solely on HRD/EOTSS cybersecurity training to keep employees informed of good cybersecurity practices. For example, the onboarding process for new employees includes a mandatory review and acknowledgement of the Acceptable Use of Information Technology Policy. Additionally, each EOHED agency lists its IT policies on an intranet site accessible to all employees. Further, all employees regularly receive email from EOTSS regarding best practices for avoiding cybersecurity threats and regular notification of phishing frauds and other known cybersecurity threats. The EOHED IT team routinely reissues these EOTSS notifications to ensure employees are aware of current threats. Agencies also regularly post notices in areas where employees congregate (e.g., copy machines and lunch areas) to remind employees of cybersecurity threats and ways to avoid them.
Auditor’s Reply
As noted above, at least 45 of the information system users employed by agencies within EOHED during our audit period did not complete the required cybersecurity awareness training.
EOHED notes that there were 13 volunteer board members who did not have access to EOHED’s network and would not have been required to complete the cybersecurity awareness training. We confirmed that the 45 employees did not include the 13 volunteer board members; all 45 were regular employees who had access to EOHED’s network.
In its response, EOHED asserts that these 45 employees represent a “relatively small number of employees”; however, even a single employee can be vulnerable to a cybersecurity attack. All system users should receive this training to effectively reduce the risk of such an attack.
Based on its response, EOHED is taking measures to ensure that its system users are properly trained in cybersecurity in accordance with EOTSS standards and is also working with EOTSS and HRD to establish a tracking system to monitor staff compliance with this training requirement. We again urge EOHED to maintain documentation of this training’s completion.
Date published: November 24, 2020