Offered by: Office of the State Auditor

The Norfolk District Attorney’s Office Did Not Ensure That Its Employees Completed Cybersecurity Awareness Training

NDAO did not ensure that its employees completed cybersecurity awareness training.

Overview

NDAO did not ensure that its employees completed cybersecurity awareness training. Specifically, NDAO provided its 32 new employees with a verbal overview of NDAO’s information technology policies during orientation and had these new employees sign acknowledgement forms confirming that they received this training. However, NDAO did not test these new employees on their understanding of these policies or on their role in maintaining the security of NDAO’s information technology systems.

Additionally, although all 114 employees in our sample who were assigned to take the 2020 annual refresher cybersecurity awareness training completed the training, we found that 4 employees completed the training late. One of these employees completed the training 318 days late; one completed the training 284 days late; one completed the training 5 days late; and one completed the training 1 day late.

A lack of cybersecurity awareness training for new employees and untimely annual refresher cybersecurity awareness training for existing employees exposes NDAO to a higher risk of cybersecurity attacks and financial and/or reputational losses.

Authoritative Guidance

The Executive Office of Technology Services and Security’s (EOTSS’s) Information Security Risk Management Standard IS.010 states,

6.2.1 Implement an enterprise-wide information security awareness and training program. . . .

    6.2.1.3 The training shall: . . .

        6.2.1.3.4 Test each individual’s understanding of all policies and of his or her role in maintaining the highest ethical standards. . . .

6.2.3 New Hire Security Awareness Training: All new personnel must complete an Initial Security Awareness Training course. . . . The New Hire Security Awareness course must be completed within 30 days of new hire orientation.

6.2.4 Annual Security Awareness Training: All personnel will be required to complete Annual Security Awareness Training.

Reasons for Noncompliance

When asked about the lack of training for new employees, NDAO officials told us that they were unaware of the requirements outlined in EOTSS’s Information Security Risk Management Standard IS.010. Additionally, NDAO did not have monitoring controls to ensure that its employees completed their cybersecurity awareness training on time.

Recommendations

  1. NDAO should ensure that its employees complete cybersecurity awareness training within 30 days of their orientation and annually thereafter. The cybersecurity awareness training should include a test of each individual’s understanding of all policies and their role in maintaining the security of NDAO’s information technology systems.
  2. NDAO should implement monitoring controls to ensure that its employees complete their cybersecurity awareness training on time.
  3. NDAO should ensure that its employees are informed on all requirements outlined in EOTSS’s Information Security Risk Management Standard IS.010.
  4. NDAO should maintain a record of completion of cybersecurity awareness training for each employee.

Auditee’s Response

During the audit period, the NDAO repeatedly advised the SAO that its office did not fall within the Executive Branch and thus was not required to comply with any Executive Branch mandates including the mandate that requires compliance with EOTSS Information Security Risk Management Standard IS.010.

Attached, please find a letter dated July 31, 2023 from . . . [EOTSS’s] General Counsel/Chief Privacy Officer. In it, the letter confirms that “the Norfolk County District Attorney’s office was not subject to the EOTSS required annual cybersecurity training during the scope of the audit currently in progress.”

Notwithstanding the fact that the NDAO is not required to follow Executive Branch mandates, the NDAO takes cyber security and cyber training seriously. On its own initiative, the NDAO purchased KnowBe4 software to help train and educate staff on cyber security issues. It annually trains its staff, provides mock exercises to teach employees about cyber issues to ensure a safe network, and provides a platform to easily track and monitor users’ training and track training completion. The NDAO also sends out frequent emails, news stories and articles about cyber security, the risks involved with using technology and the important part each employee plays in keeping our network safe.

Auditor’s Reply

NDAO is correct in stating that it does not fall within the state executive branch and therefore is not required to follow EOTSS’s Information Security Risk Management Standard IS.010. However, this policy does represent what the Commonwealth considers a best practice for protecting information when conducting business on behalf of the state. According to the Office of the Comptroller of the Commonwealth’s website, EOTSS’s Enterprise Information Security Policies and Standards “are the default standard for non-Executive Departments who have not adopted comparable cyber and data security standards as part of their Internal Control Plan.”

We acknowledge that NDAO provides annual cybersecurity awareness training to its employees, which includes mock exercises and cybersecurity-related news articles. However, as noted above, during the audit period, we found that the cybersecurity awareness training NDAO provided to its new employees only contained a verbal overview of NDAO’s information technology policies. NDAO did not test these employees on their understanding of NDAO’s information technology policies or on their role in maintaining the security of NDAO’s information technology systems. In addition, annual training for current employees was not always completed on time.

We urge NDAO to implement our recommendations fully and to improve its cybersecurity policies and practices.

Date published: October 24, 2023