Overview
The Massachusetts Office for Victim Assistance (MOVA) did not ensure that all new employees received cybersecurity awareness training as part of their orientation when they began working or that all other employees received annual cybersecurity awareness training. A lack of such training may lead to user error and compromise the integrity and security of protected information in MOVA’s information technology systems.
Authoritative Guidance
Section 6 of state Executive Order 504, which was in effect from January 1, 2009 through October 25, 2019, states,
All agency heads, managers, supervisors, and employees (including contract employees) shall attend mandatory information security training within one year of the effective date of this Order. For future employees, such training shall be part of the standardized orientation provided at the time they commence work. Such training shall include, without limitation, guidance to employees regarding how to identify, maintain and safeguard records and data that contain personal information.
Section 6.1.1 of the Executive Office of Technology Services and Security’s (EOTSS’s) Acceptable Use of Information Technology Policy IS.002, which went into effect October 15, 2018, requires all new hires to complete security awareness training during their orientation and regularly thereafter.
Section 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010, which went into effect October 15, 2018, states, “All personnel will be required to complete Annual Security Awareness Training.”
Section 3.1 of EOTSS’s Acceptable Use of Information Technology Policy IS.002 requires MOVA to comply with EOTSS’s security standards because MOVA uses services provided by EOTSS.
Reasons for Issue
In an email on April 2, 2021, in response to our request for the names of employees who completed cybersecurity awareness training during our audit period, MOVA stated,
It is our understanding that the Executive Office of Technology Services and Security (EOTSS) annual information security awareness training (Cyber Security Awareness Training) is intended for Executive Department employees, which does not include MOVA staff as employees of an independent state agency.
Therefore, MOVA did not establish any policies and procedures that required its staff members to receive cybersecurity awareness training.
Recommendation
MOVA should establish policies and procedures that require all of its staff members to receive cybersecurity awareness training.
Auditee’s Response
At the time of the audit’s initiation, MOVA was not aware that non-Executive Department employees utilizing the Executive Office of Technology Services and Security (EOTSS) services were required to complete the Annual Security Awareness Training. After MOVA learned of this requirement from the Office of the State Auditor, all MOVA employees completed the trainings within 60 days.
MOVA agrees with the recommendation provided by the Office of the State Auditor and has already implemented the suggested changes. In addition to the completion of the Annual Security Awareness Training by all current MOVA employees, MOVA has incorporated these trainings into the onboarding procedure for new staff, requires the trainings to be completed annually by all MOVA employees, and has implemented a process for tracking annual completion.
Auditor’s Reply
Based on its response, MOVA is taking steps to address this issue.
Date published: March 4, 2022