
The Massachusetts District Attorneys Association Did Not Ensure That Employees Received Cybersecurity Awareness Training.

Insufficient cybersecurity awareness training may lead to user error and compromise the integrity and security of the district attorneys’ computer network, which MDAA manages.

Overview

The Massachusetts District Attorneys Association (MDAA) did not ensure that employees received cybersecurity awareness training: none of the 13 employees who worked at MDAA during the audit period received either initial training (if they were new hires) or annual training (if they were not new hires). Insufficient cybersecurity awareness training may lead to user error and compromise the integrity and security of the district attorneys’ computer network, which MDAA manages.

Authoritative Guidance

According to the Executive Office of Technology Services and Security’s Information Security Risk Management Standard IS.010,

6.2.3 New Hire Security Awareness Training: All new personnel must complete an Initial Security Awareness Training course. . . . The New Hire Security Awareness course must be completed within 30 days of new hire orientation.

6.2.4 Annual Security Awareness Training: All personnel will be required to complete Annual Security Awareness Training.

Reasons for Issue

MDAA does not have policies and procedures that require new employees to receive cybersecurity awareness training within 30 days of their hire dates or that require employees to receive annual cybersecurity awareness training.

Recommendations

  1. MDAA should develop and implement policies and procedures that require newly hired employees to receive initial cybersecurity awareness training within 30 days of their hire dates.
  2. MDAA should develop and implement policies and procedures that require all employees to receive annual cybersecurity awareness training.
  3. MDAA should retain records of training completion for each employee.

Auditee’s Response

MDAA has implemented policies and procedures and a security awareness training program to enhance its security awareness practices for its employees. MDAA will require that newly hired employees receive initial cybersecurity awareness training within 30 days of their hire date as part of its onboarding process. MDAA will require that all employees receive annual cybersecurity awareness training. MDAA will retain records of training completion for all cybersecurity awareness trainings.

During the audit process, MDAA engaged a cybersecurity training vendor to provide an automated security awareness system and to create both an initial training and ongoing training program. MDAA staff have completed the first phase of cybersecurity awareness training. MDAA has drafted policies that outline the responsibilities and procedures for reporting phishing and suspicious emails, as well as the responsibilities and procedures for the [information technology] department to respond to these events.

Auditor’s Reply

Based on its response, MDAA has taken measures to address our concerns on this matter.

Date published: June 2, 2022