Overview
The Worcester County District Attorney’s Office (WCDA) did not ensure that all new employees completed cybersecurity awareness training as part of their orientation when they began working or that all employees completed annual cybersecurity awareness training.
Without educating all employees on their responsibility to protect the security of information assets, WCDA is exposed to a higher risk of cybersecurity attacks and of financial and/or reputational losses.
Authoritative Guidance
Section 6.2 of the Executive Office of Technology Services and Security’s (EOTSS’s) Information Security Risk Management Standard IS.010 states,
6.2.3 New Hire Security Awareness Training: All new personnel must complete an Initial Security Awareness Training course. . . . The New Hire Security Awareness course must be completed within 30 days of new hire orientation.
6.2.4 Annual Security Awareness Training: All personnel will be required to complete Annual Security Awareness Training.
Reasons for Noncompliance
WCDA officials told us that they were unaware of the EOTSS requirement.
Recommendations
- WCDA should ensure that employees complete cybersecurity awareness training within 30 days of their orientation and annually thereafter.
- WCDA should ensure that its employees are aware of EOTSS requirements.
Auditee’s Response
After reviewing the draft audit report on the Worcester County District Attorney's Office, our office is in agreement on the finding and recommendations. . . .
The WCDA promptly implemented a mandatory annual cybersecurity program for all current and new employees using the KnowBe4 platform. The WCDA now requires that newly hired employees receive initial cybersecurity awareness training within 30 days of their date of hire as part of the onboarding process. The WCDA engaged the cybersecurity vendor and implemented these policies and practices during the audit process.
The Information Technology Department of the WCDA will review the EOTSS policies and standards on a quarterly basis and continue interaction with professional [information technology] organizations to maintain current knowledge of policies and procedures. The WCDA will provide informational updates concerning policy and procedure updates to employees as needed.
Auditor’s Reply
Based on its response, WCDA has taken measures to address our concerns in this area.
Date published: May 4, 2023