Offered by: Office of the State Auditor

The Woods Hole, Martha’s Vineyard and Nantucket Steamship Authority Does Not Have a Formal, Documented Cybersecurity Awareness Training Program and Does Not Monitor the Assignment and Completion of Cybersecurity Awareness Training Courses.

The Steamship Authority does not have a formal, documented cybersecurity awareness training program that includes knowledge checks, monitoring, and updates, as needed.

Overview

Although the Woods Hole, Martha’s Vineyard and Nantucket Steamship Authority (the Steamship Authority) currently follows an undocumented cybersecurity awareness training practice, the Steamship Authority does not have a formal, documented cybersecurity awareness training program that includes knowledge checks, monitoring, and updates, as needed. Additionally, the Steamship Authority does not ensure that all of its employees are assigned to and complete cybersecurity awareness training courses in accordance with the Steamship Authority’s current practice.

During our review, we noted that the Steamship Authority’s cybersecurity awareness training practice does not include the following attributes that we consider best practices for Commonwealth agencies to follow:

  • documented policies and procedures for the implementation and maintenance of the cybersecurity awareness training practice;
  • a 30-day completion requirement for newly hired employees to complete required cybersecurity awareness training;
  • monitoring of employee training assignment and completion;
  • knowledge checks to test employees’ comprehension of training content;
  • updates to training content as technology evolves and risks are identified;
  • follow-up for employees who do not complete training; and
  • assignment of annual refresher training for all employees.

During our review of the Steamship Authority’s current cybersecurity awareness training practice, we examined the cybersecurity awareness training course records of 200 new employees who were hired during the audit period and 711 existing employees who were hired before the start of the audit period (January 1, 2020). For each of the required cybersecurity awareness training courses, we noted the following.[5]

Electronic Communications Policy Course

  • During the audit period, 114 newly hired employees were required to complete this course. Out of these 114 employees, 27 were not assigned to the course and 37 did not complete it, for a total of 64 (56%) required newly hired employees who did not complete this course.
  • During the audit period, 663 existing employees were required to complete this course. Out of these 663 employees, 99 were not assigned to the course, 261 did not complete it, and 115 completed it after 12 months, for a total of 475 (72%) required existing employees who did not complete this course (either in a timely manner or at all).

Email and Phishing Warning Course

  • During the audit period, 114 newly hired employees were required to complete this course. Out of these 114 employees, 26 were not assigned to the course and 36 did not complete it, for a total of 62 (54%) required newly hired employees who did not complete this course.
  • During the audit period, 662 existing employees were required to complete this course. Out of these 662 employees, 97 were not assigned to the course, 258 did not complete it, and 111 completed it after 12 months, for a total of 466 (70%) required existing employees who did not complete this course (either in a timely manner or at all).

Safeguarding of Personal Information Policy Course

  • During the audit period, 113 newly hired employees were required to complete this course. Out of these 113 employees, 26 were not assigned to the course, 37 did not complete it, and 1 completed it after 12 months, for a total of 64 (57%) required newly hired employees who did not complete this course (either in a timely manner or at all).
  • During the audit period, 662 existing employees were required to complete this course. Out of these 662 employees, 100 were not assigned to the course, 272 did not complete it, and 110 completed it after 12 months, for a total of 482 (73%) required existing employees who did not complete this course (either in a timely manner or at all).

If the Steamship Authority does not ensure that all employees are trained on their responsibility to protect information assets, then the Steamship Authority is exposed to a higher risk of cybersecurity attacks and financial and/or reputational losses.

Authoritative Guidance

During an interview with the Steamship Authority on April 21, 2022, its management told us that the Steamship Authority’s undocumented cybersecurity awareness training practice has a 12-month completion requirement for all assignments.

Although the Steamship Authority is not required to follow the Executive Office of Technology Services and Security’s (EOTSS’s) Information Security Risk Management Standard IS.010, since it is not a Commonwealth agency within the executive branch, EOTSS still recommends that non-executive branch agencies follow these standards. We also consider it a best practice.

For the design and implementation of a strong cybersecurity awareness training program, EOTSS’s Information Security Risk Management Standard IS.010 includes cybersecurity awareness training standards, as follows:

    6.2.1.3    The training shall:

        6.2.1.3.1    Explain acceptable use of information technology

        6.2.1.3.2    Inform personnel about relevant policies and standards

        6.2.1.3.3    Detail each individual’s accountability for each of the provisions of all policies and the underlying procedures.

        6.2.1.3.4    Test each individual’s understanding of all policies and of his or her role in maintaining the highest ethical standards. . . .

    6.2.3    New Hire Security Awareness Training: All new personnel must complete an Initial Security Awareness Training course. . . . within 30 days of new hire orientation.

    6.2.4    Annual Security Awareness Training: All personnel will be required to complete Annual Security Awareness Training. . . .

    6.2.6    The awareness program shall be updated regularly by the Enterprise Security Office so that it stays in line with organizational policies and procedures, and shall be built on lessons learned from information security incidents.

Reasons for Issue

According to Steamship Authority officials, the agency does not have a formal, documented cybersecurity program because the responsibility to document, administer, and monitor the cybersecurity awareness training practice was not clearly defined by Steamship Authority management.

In addition, according to the Steamship Authority, not all Steamship Authority employees had access to computers, which are needed to take cybersecurity awareness training courses in the web-based training system. This led to difficulty in administering the training to all employees.

Recommendations

  1. The Steamship Authority should replace its current, undocumented cybersecurity awareness training practice with a formal, documented cybersecurity awareness training program that follows best practices for these programs.
  2. The Steamship Authority should implement monitoring controls to ensure that all employees are assigned to and complete cybersecurity awareness training.
  3. The Steamship Authority should clearly define and document the positions responsible for administering and monitoring its formal, documented cybersecurity awareness training program.
  4. If the Steamship Authority provides cybersecurity awareness training on a web-based platform, then it should ensure that all employees have access to computers to take the training.
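As an added illustration of the monitoring control in recommendation 2 (example code written for this page, not the Steamship Authority’s or the Office of the State Auditor’s), the following Python classifies training records from an LMS export the way the course-record review above and footnote 5 do: a record is either not assigned, not completed, completed late, or completed on time, and records for employees whose deadline falls after the review date or who separated before assignment or before their deadline are excluded as not applicable. The record shape, the field names, the 30-day completion window (the report's stated best practice rather than the Authority's 12-month practice), and the sample records are assumptions constructed for this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed policy parameters: the report recommends a 30-day completion window;
# the audit period ended December 31, 2021 (from the report's footnote).
COMPLETION_WINDOW = timedelta(days=30)
AUDIT_PERIOD_END = date(2021, 12, 31)

NON_COMPLIANT = {"not_assigned", "not_completed", "completed_late"}
EXCLUDED = {"not_yet_due", "not_applicable"}


@dataclass
class TrainingRecord:
    """One LMS row for one employee and one course (assumed export shape)."""
    employee_id: str
    hired: date
    assigned: Optional[date]    # None if the course was never assigned
    completed: Optional[date]   # None if the course was never completed
    separated: Optional[date]   # None if still employed


def classify(rec: TrainingRecord, as_of: date = AUDIT_PERIOD_END) -> str:
    """Return the audit status of one record as of a given date.

    Statuses mirror the report's categories ('not_assigned', 'not_completed',
    'completed_late', 'completed_on_time') plus the two exclusions in its
    footnote: 'not_yet_due' (deadline after as_of) and 'not_applicable'
    (employee left before assignment or before the deadline).
    """
    if rec.assigned is None:
        if rec.separated is not None and rec.separated <= as_of:
            return "not_applicable"          # left before being assigned
        if rec.hired + COMPLETION_WINDOW > as_of:
            return "not_yet_due"             # onboarding window still open
        return "not_assigned"                # employed, never assigned

    deadline = rec.assigned + COMPLETION_WINDOW
    if rec.completed is not None and rec.completed <= as_of:
        return "completed_on_time" if rec.completed <= deadline else "completed_late"
    if deadline > as_of:
        return "not_yet_due"
    if rec.separated is not None and rec.separated < deadline:
        return "not_applicable"              # left before the deadline
    return "not_completed"


def summarize(records: List[TrainingRecord], as_of: date = AUDIT_PERIOD_END) -> Dict[str, int]:
    """Count statuses and compute the non-compliance rate over required records."""
    counts: Dict[str, int] = {}
    for rec in records:
        status = classify(rec, as_of)
        counts[status] = counts.get(status, 0) + 1
    required = sum(v for k, v in counts.items() if k not in EXCLUDED)
    missed = sum(v for k, v in counts.items() if k in NON_COMPLIANT)
    counts["required"] = required
    counts["non_compliant"] = missed
    counts["non_compliant_pct"] = round(100 * missed / required) if required else 0
    return counts


def overdue_followups(records: List[TrainingRecord], as_of: date = AUDIT_PERIOD_END) -> List[str]:
    """Employee ids that need follow-up: still employed and unassigned or past due."""
    return sorted(r.employee_id for r in records
                  if classify(r, as_of) in ("not_assigned", "not_completed"))


# Constructed sample export (not real Steamship Authority data).
SAMPLE_RECORDS = [
    TrainingRecord("E001", date(2020, 1, 15), date(2020, 2, 1), date(2020, 2, 20), None),   # on time
    TrainingRecord("E002", date(2020, 3, 2), date(2020, 3, 5), date(2021, 1, 10), None),    # late
    TrainingRecord("E003", date(2020, 6, 1), None, None, None),                             # never assigned
    TrainingRecord("E004", date(2021, 2, 1), date(2021, 2, 3), None, None),                 # past due
    TrainingRecord("E005", date(2020, 9, 1), None, None, date(2020, 9, 20)),                # left before assignment
    TrainingRecord("E006", date(2021, 5, 1), date(2021, 5, 3), None, date(2021, 5, 15)),    # left before deadline
    TrainingRecord("E007", date(2021, 12, 1), date(2021, 12, 21), None, None),              # not yet due
]

if __name__ == "__main__":
    print(summarize(SAMPLE_RECORDS))
    print("follow-up:", overdue_followups(SAMPLE_RECORDS))
```

Running the same records with a later `as_of` date moves E007 from not yet due to not completed, which is the point of re-running the check on a schedule rather than once: the follow-up list is what the training administrator and department heads act on, and the non-compliance percentage is the figure that a documented program would report against its 30-day requirement.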

Auditee’s Response

We agree with the importance of a comprehensive, documented training program and monitoring plan relative to cybersecurity awareness training. In addition to the currently established cybersecurity training courses, the Steamship Authority’s Director of Management Information Systems will be responsible for establishing and maintaining a more formal comprehensive cybersecurity awareness training program that follows best practices as recommended by the Office of the State Auditor and the Executive Office of Technology Services and Security.

The Director of Management Information Systems will coordinate with the Director of Human Resources to ensure that the cybersecurity awareness training program is uploaded to the Steamship Authority’s Learning Management System (LMS) and is continuously updated with the current best practices.

The Director of Human Resources will be responsible for tracking the completion of these LMS classes and will work with the appropriate Department Heads to ensure compliance with the training requirements. In addition:

  • All new hires will need to complete the cybersecurity awareness training program prior to being issued system credentials and passwords.
  • Employees without access to the network systems will have 30 days to complete the cybersecurity awareness training.
  • Periodic refresher training for personnel will be conducted.

The Steamship Authority has already purchased and distributed training laptops to all locations, including vessels, to provide access for employees to complete the training. Department Heads will be responsible for ensuring that laptops or other devices for the employees to access the LMS system are available and working properly.

Auditor’s Reply

Based on its response, the Steamship Authority is taking measures to address our concerns on this matter.

[5] There are discrepancies in each of the following three subsections between our two sample totals (200 newly hired employees and 711 existing employees) and the number of employees who were required to complete each course. Specifically, employees in one or more of the following situations were not included in our calculations because they are not applicable to our audit: (1) employee(s) had not yet completed their assignment, but their expected 12-month completion requirement came after the end of the audit period (December 31, 2021); (2) employee(s) were terminated or became inactive before the Steamship Authority assigned the course; or (3) employee(s) were terminated or became inactive before their 12-month assignment completion requirement. We consider best practice regarding the period for employees to complete cybersecurity awareness training to be within 30 days of assignment, not 12 months.

Date published: February 5, 2024