Offered by the Office of the State Auditor

The Plymouth County District Attorney’s Office Did Not Provide Cybersecurity Awareness Training to Its Employees.

PCDA did not provide cybersecurity awareness training to its employees during the audit period.

Overview

Without educating its employees on their responsibility to protect the security of information assets, PCDA exposes itself to a higher risk of cybersecurity attacks and financial and/or reputational losses.

Authoritative Guidance

Section 6.2 of the Executive Office of Technology Services and Security’s (EOTSS’s) Information Security Risk Management Standard IS.010 states,

6.2.3 New Hire Security Awareness Training: All new personnel must complete an Initial Security Awareness Training course. . . . The New Hire Security Awareness course must be completed within 30 days of new hire orientation.

6.2.4 Annual Security Awareness Training: All personnel will be required to complete Annual Security Awareness Training.

Although PCDA is not required to follow this standard, we consider it a best practice.

Reasons for Noncompliance

PCDA did not have policies and procedures that require new employees to complete cybersecurity awareness training within 30 days of their orientation or that require employees to receive annual cybersecurity awareness training.

Recommendations

  1. PCDA should provide cybersecurity awareness training to its employees.
  2. PCDA should develop and implement policies and procedures that require employees to complete cybersecurity awareness training within 30 days of their orientation and annually thereafter.

Auditee’s Response

As stated above and confirmed by the EOTSS General Counsel/Chief Privacy Officer, . . . our agency was not required to follow the EOTSS policy for annual cybersecurity training during the audit period.

During the audit period, we followed the [Performance and Career Enhancement (PACE) Learning Management System] training schedule established by the Commonwealth for employees to complete within 90 days of hire. Cyber Security training was not offered as part of the PACE trainings.

Cyber Security training is currently offered via MassAchieve, to which we do not currently have, and have never had, access. As of January 2022, we have required all employees to complete cybersecurity awareness training annually via KnowBe4, an Automated Security Awareness Program which we pay for.

Giving all departments access to MassAchieve seems the most cost-effective way for every state employee to be trained.

Auditor’s Reply

PCDA is correct in stating that it is not required to follow EOTSS’s Information Security Risk Management Standard IS.010. However, this policy represents what the Commonwealth considers a best practice for protecting information when conducting business on behalf of Massachusetts. According to the Office of the Comptroller of the Commonwealth’s website, EOTSS’s Enterprise Information Security Policies and Standards “are the default standard for non-Executive Departments who have not adopted comparable cyber and data security standards as part of their Internal Control Plan.”

Based on its response, PCDA is taking steps to address this issue. We urge PCDA to fully implement our recommendations.

Date published: November 16, 2023
