Overview
UMass Dartmouth did not provide required cybersecurity awareness training for newly hired employees or annually thereafter for existing employees. Specifically, UMass Dartmouth did not ensure that all 84 newly hired employees and 605 existing employees completed any cybersecurity awareness training.
If UMass Dartmouth does not educate all employees on their responsibility to protect its information assets by requiring cybersecurity awareness training, then UMass Dartmouth is exposed to a higher‑than‑acceptable risk of cybersecurity attacks, which could cause financial and/or reputational losses.
Authoritative Guidance
According to UMass system management, UMass Dartmouth follows Section 1 of Control 14 (Security Awareness and Skills Training) of the Center for Internet Security’s Critical Security Controls for the cybersecurity awareness training of its employees. This control states,
Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard.
Reasons for Issue
UMass Dartmouth information technology management stated in an interview with us on May 22, 2023 that “cybersecurity awareness training fell on the backburner these past years due to a 20% staffing shortage.” They also stated that the current UMass Dartmouth information security policy does not contain verbiage to enforce, monitor, or document completion of cybersecurity awareness training requirements for newly hired employees or annual training for existing employees.
Recommendations
- UMass Dartmouth should provide cybersecurity awareness training to all employees when they are hired and annually thereafter.
- UMass Dartmouth should establish and implement a cybersecurity awareness training component to its information security policy. This component should include documented procedures, monitoring controls, and record retention requirements.
Auditee’s Response
2. UMass Dartmouth’s Human Resource and Information Technology departments will develop and implement a Campus Cybersecurity Awareness Policy; once approved, it will be posted on the Campus website.
Auditor’s Reply
Based on its response, UMass Dartmouth is taking measures to address our concerns on this matter.
Date published: May 2, 2024