Offered by: Office of the State Auditor

The University of Massachusetts Lowell’s Cybersecurity Awareness Training Documentation Was Missing Crucial Information, and the University Did Not Ensure That All Nonfaculty Employees Completed Cybersecurity Awareness Training.



Overview

Regarding newly hired employees, while UMass Lowell had documentation confirming that 16 newly hired employees (out of a sample of 20 newly hired employees who were required to complete cybersecurity awareness training during the audit period) completed this training, there was no documentation that confirmed the dates on which these employees were assigned or completed this training. Of the remaining 4 newly hired employees, 2 were assigned the training but did not complete it, and the other 2 were neither assigned the training nor completed it.

Regarding existing employees, while UMass Lowell had documentation confirming that 48 existing employees (out of a sample of 60 existing employees who were required to complete cybersecurity awareness training during the audit period) completed this training, there was no documentation that confirmed the dates on which these employees were assigned or completed this training. The remaining 12 existing employees were assigned the training but did not complete it.

We projected the test results for the completion of cybersecurity awareness trainings from our sample of 80 nonfaculty employees to the population of 1,137 nonfaculty employees during our audit period. Based on this, we are 95% confident that at least 125 nonfaculty employees did not complete cybersecurity awareness training.

If UMass Lowell does not educate all employees on their responsibility to protect its information assets by requiring cybersecurity awareness training, then UMass Lowell is exposed to a higher-than-acceptable risk of cybersecurity attacks, which could cause financial and/or reputational losses.

Authoritative Guidance

According to Section V (Procedures) of UMass Lowell’s “Security Awareness Policy IT-5-112,”

Video Awareness Training — The Information Security Office will work with appropriate constituent groups to identify appropriate personnel and their roles (PCI-DSS, PII, Data Steward, and General Staff) and will ensure that all personnel attend appropriate awareness training upon hire and at least annually thereafter.

Cybersecurity awareness training records should be retained, according to the “Massachusetts Statewide Records Retention Schedule,” effective June 2018 and revised July 2021, which states,

E04-08: Employee Training and Certification Records . . .

Documents the training of staff in compliance with state laws or agency rules and regulations. Includes training program materials, session schedules, attendance reports, continuing education documentation, in-service documentation, certification lists and documents, and related correspondence.

E04-08 (a): If filed separately from personnel file

Retain 10 years.

E04-08 (b): If filed in personnel file

Retain as long as personnel file is kept.

Reasons for Issue

According to UMass Lowell’s chief information security officer, when UMass Lowell updated its cybersecurity awareness training platform, the certificate of completion feature (see footnote 13) was not enabled, and UMass Lowell lost the ability to track the dates when a training was assigned and/or completed during our audit period. It also lost the ability to create and print training certificates. In addition, during the cybersecurity awareness training platform update process, digital training records older than six months were inadvertently lost.

Recommendations

  1. UMass Lowell should configure its cybersecurity awareness training platform so that it has the ability to monitor the assignment and completion of the trainings.
  2. UMass Lowell should ensure that its nonfaculty employees complete cybersecurity awareness training when they are hired and annually thereafter.
  3. UMass Lowell should retain sufficient cybersecurity awareness training documentation.
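The following is an added illustration, not code from the audit or from UMass Lowell, of the kind of check recommendations 1 and 2 call for: given training records exported from a platform, it classifies each nonfaculty employee against the quoted policy (training upon hire and at least annually thereafter) and separates the cases the audit found, namely completed with dates, completed without documented dates, assigned but not completed, and neither assigned nor completed. The 30-day onboarding window, the record fields, and the sample records are assumptions constructed for this example; the policy text does not state an onboarding deadline.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# The quoted policy requires training upon hire and at least annually
# thereafter; the 365-day refresher window follows that. The 30-day
# onboarding window is an assumption made for this example only.
REFRESHER_WINDOW = timedelta(days=365)
ONBOARDING_WINDOW = timedelta(days=30)


@dataclass
class TrainingRecord:
    """One employee's training status as exported from a training platform (assumed shape)."""
    employee_id: str
    hire_date: date
    assigned: bool
    completed: bool
    assigned_on: Optional[date] = None   # None: platform did not record the date
    completed_on: Optional[date] = None  # None: platform did not record the date


def classify(rec: TrainingRecord, as_of: date) -> str:
    """Return a status label for one record as of the given date."""
    if not rec.assigned and not rec.completed:
        return "neither assigned nor completed"
    if not rec.completed:
        # Assigned but still open: overdue once the onboarding window has elapsed.
        if as_of > rec.hire_date + ONBOARDING_WINDOW:
            return "assigned but not completed (overdue)"
        return "assigned, within onboarding window"
    if rec.assigned_on is None or rec.completed_on is None:
        # Completion is confirmed, but the audit trail (assignment and
        # completion dates) is missing, so annual currency cannot be shown.
        return "completed, dates not documented"
    if as_of > rec.completed_on + REFRESHER_WINDOW:
        return "annual refresher overdue"
    return "compliant"


def summarize(records: List[TrainingRecord], as_of: date) -> Dict[str, List[str]]:
    """Group employee IDs by status so each finding can be followed up."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for rec in records:
        groups[classify(rec, as_of)].append(rec.employee_id)
    return {status: sorted(ids) for status, ids in groups.items()}


def needs_action(records: List[TrainingRecord], as_of: date) -> List[str]:
    """IDs of everyone who is not fully compliant with documented dates."""
    return sorted(r.employee_id for r in records if classify(r, as_of) != "compliant")


# Constructed sample records (not real UMass Lowell data) covering each case
# the audit describes, plus the annual-refresher and new-hire-pending cases.
AS_OF = date(2023, 6, 30)
SAMPLE = [
    TrainingRecord("E1", date(2022, 1, 10), True, True, date(2023, 1, 5), date(2023, 1, 20)),
    TrainingRecord("E2", date(2021, 3, 1), True, True),                      # completed, no dates
    TrainingRecord("E3", date(2023, 2, 1), True, False, date(2023, 2, 2)),   # assigned, open
    TrainingRecord("E4", date(2023, 5, 15), False, False),                   # never assigned
    TrainingRecord("E5", date(2019, 9, 1), True, True, date(2022, 3, 1), date(2022, 3, 10)),
    TrainingRecord("E6", date(2023, 6, 15), True, False, date(2023, 6, 16)), # new hire, pending
]

if __name__ == "__main__":
    for status, ids in summarize(SAMPLE, AS_OF).items():
        print(f"{status}: {', '.join(ids)}")
    print("needs action:", needs_action(SAMPLE, AS_OF))
```

The "completed, dates not documented" bucket is deliberately kept separate from "compliant": a record that confirms completion but carries no dates cannot show that the annual requirement was met, which is exactly the documentation gap the audit reports. Running the check from a retained export, rather than only from the live platform, also guards against the loss of records described under Reasons for Issue.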

Auditee’s Response

1. & 2. Cybersecurity awareness training is only one part of a highly sophisticated and comprehensive cybersecurity program deployed by the campus to detect and prevent threats to the campus’ information technology infrastructure, assets and data. UMass Lowell Information Technology is working with Human Resources to implement a new employee learning management platform that will track the completion of cybersecurity awareness training.

3. UMass Lowell Information Technology will collect and retain all cybersecurity awareness training records.

Auditor’s Reply

Based on its response, UMass Lowell is taking measures to address our concerns on this matter.

13. The certificate of completion feature has the ability to generate training data, such as the dates when the trainings are assigned and completed. This feature also allows UMass Lowell to create and print training certificates.

Date published: April 19, 2024
