Overview
The Franklin Regional Transit Authority (FRTA) did not ensure that its employees and contractors completed initial or annual cybersecurity awareness training. During the two-year audit period, none of FRTA’s 23 employees and contractors completed cybersecurity awareness training.
Without educating all its employees and contractors on their responsibility to protect information assets, FRTA is exposed to a higher risk of cybersecurity attacks and financial and/or reputational losses.
Authoritative Guidance
As a best practice, FRTA should follow the Executive Office of Technology Services and Security’s Information Security Risk Management Standard IS.010, effective October 15, 2018, which the Massachusetts Department of Transportation is required to follow. This standard states,
6.2.3 New Hire Security Awareness Training: All new personnel must complete an Initial Security Awareness Training course. This course shall be conducted via web-based learning or in class training and shall be included in the new hire orientation checklist. The New Hire Security Awareness course must be completed within 30 days of new hire orientation.
6.2.4 Annual Security Awareness Training: All personnel will be required to complete Annual Security Awareness Training. Once implemented, automatic email reminders will be sent to personnel 12 months after course completion, alerting personnel to annual refresher training completion deadlines.
Reasons for Issue
FRTA’s management stated that, during the audit period, the Massachusetts Department of Transportation did not require FRTA’s employees and contractors to complete initial or annual cybersecurity awareness training.
Recommendation
FRTA should ensure that its employees and contractors complete initial and annual cybersecurity awareness training.
Auditee’s Response
The current FRTA Administrative staff (4 employees) have all participated in [the Massachusetts Department of Transportation’s] cyber training program in 2021. . . . Our Councils on Aging and other vendors do not interface with our computers and none of those groups are employed by FRTA.
Auditor’s Reply
During our audit, we requested and received a list of users with access to the transit scheduling and dispatching system from FRTA’s assistant administrator. This list included 23 active system users. Four of the users were FRTA employees and the other 19 were contractors. During our assessment of FRTA’s information system general controls in June 2022, the assistant administrator informed us that system users were not required to complete security awareness training.
During our informal exit meeting with FRTA in November 2022, its administrator told us that the four FRTA employees received the Massachusetts Department of Transportation’s cybersecurity awareness training in 2021 and that they would look into finding any certificates of completion for this training. However, FRTA did not provide us with these certificates of completion; therefore, we could not determine whether or when these four employees received this cybersecurity awareness training.
We encourage FRTA to document its cybersecurity awareness training procedures and retain documentation that provides evidence that its employees completed cybersecurity training and what date they completed it. Furthermore, we strongly encourage FRTA to require the contractors/vendors who have access to its transit scheduling and dispatching system to complete cybersecurity awareness training, in an effort to protect the integrity of its information assets.
Date published: August 23, 2023