The Worcester County District Attorney’s Office Did Not Ensure that its Employees Completed Cybersecurity Awareness Training.

Without educating all employees on their responsibility to protect the security of information assets, WCDA is exposed to a higher risk of cybersecurity attacks and financial and/or reputation losses.

Overview

The Worcester County District Attorney’s Office (WCDA) did not ensure that all new employees completed cybersecurity awareness training as part of their orientation when they began working or that all employees completed annual cybersecurity awareness training.

Without educating all employees on their responsibility to protect the security of information assets, WCDA is exposed to a higher risk of cybersecurity attacks and financial and/or reputation losses.

Authoritative Guidance

Section 6.2 of the Executive Office of Technology Services and Security’s (EOTSS’s) Information Security Risk Management Standard IS.010 states,

6.2.3 New Hire Security Awareness Training: All new personnel must complete an Initial Security Awareness Training course. . . . The New Hire Security Awareness course must be completed within 30 days of new hire orientation.

6.2.4 Annual Security Awareness Training: All personnel will be required to complete Annual Security Awareness Training.

Reasons for Noncompliance

WCDA officials told us that they were unaware of the EOTSS requirement.

Recommendations

  1. WCDA should ensure that employees complete cybersecurity awareness training within 30 days of their orientation and annually thereafter.
  2. WCDA should ensure that its employees are aware of EOTSS requirements.

Auditee’s Response

After reviewing the draft audit report on the Worcester County District Attorney's Office, our office is in agreement on the finding and recommendations. . . .

The WCDA promptly implemented a mandatory annual cybersecurity program for all current and new employees using the KnowBe4 platform. The WCDA now requires that newly hired employees receive initial cybersecurity awareness training within 30 days of their date of hire as part of the onboarding process. The WCDA engaged the cybersecurity vendor and implemented these policies and practices during the audit process.

The Information Technology Department of the WCDA will review the EOTSS policies and standards on a quarterly basis and continue interaction with professional [information technology] organizations to maintain current knowledge of policies and procedures. The WCDA will provide informational updates concerning policy and procedure updates to employees as needed.

Auditor’s Reply

Based on its response, WCDA has taken measures to address our concerns in this area.

Date published: May 4, 2023