Overview
In our review of cybersecurity awareness training records corresponding to the 11 MOBD employees who were active as of June 30, 2021, we found that 1 MOBD employee did not complete annual cybersecurity awareness training.
If MOBD does not ensure that all of its employees complete annual cybersecurity awareness training, then MOBD risks assuming a higher-than-acceptable user error rate. It also risks compromising the integrity and security of protected information in MOBD’s information technology systems.
Authoritative Guidance
The Executive Office of Technology Services and Security’s Information Security Risk Management Standard IS.010, effective October 15, 2018 and updated July 15, 2020, states,
2.1 [Chapter 7D of the Massachusetts General Laws] provides that “. . . All executive department agencies shall . . . adhere to the policies, procedures and objectives established by the executive office of technology services and security with respect to activities concerning information technology.” . . .
6.2.4 Annual Security Awareness Training: All personnel will be required to complete Annual Security Awareness Training.
Reasons for Noncompliance
MOBD officials told us that MOBD was transitioning to a new cybersecurity awareness training platform during the audit period. During the transition, MOBD did not ensure that one employee completed the cybersecurity awareness training.
Recommendation
MOBD should ensure that all of its employees complete annual cybersecurity awareness training.
Auditee’s Response
Finding 2 correctly states that MOBD did not ensure that all of its employees completed annual cyber security awareness training, and we note that only a single MOBD employee failed to complete the training on time, and this employee completed the training within 2 months of the applicable deadline.
As stated during the Audit, the entire executive branch was transitioning to a new cybersecurity awareness training platform during the audit period. Cybersecurity training is now offered by the Human Resources Division, and new procedures have already been put into place to ensure that all executive branch employees complete annual cybersecurity awareness training.
Auditor’s Reply
Based on its response, MOBD is taking measures to address our concerns on this matter.
Date published: July 2, 2024