Overview
UMass Amherst has not implemented cybersecurity awareness training in accordance with Center for Internet Security (CIS) Control 14. At UMass Amherst, the Written Information Security Policy (WISP) does not require employees to complete cybersecurity training at hire and at least annually thereafter. Additionally, while cybersecurity training courses are made available to employees who request them, the WISP does not require employees to complete the training, and employees are not enrolled in it, either at hire or annually.
If UMass Amherst does not educate all employees on their responsibility to protect its information assets by requiring cybersecurity awareness training, then UMass Amherst is exposed to an elevated risk of cybersecurity attacks, which may cause financial and/or reputational losses.
Authoritative Guidance
According to UMass system management, UMass Amherst follows Section 1 of Control 14 (Security Awareness and Skills Training) of the CIS’s Critical Security Controls for the cybersecurity awareness training of their employees. This control states,
Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard.
Reasons for Issue
UMass Amherst management told us that, given the size of the campus’s workforce, it is difficult to implement policy and enforce compliance. The issue arises primarily from a lack of clear policy mandates and insufficient prioritization of cybersecurity awareness training within UMass Amherst’s WISP. Although high-risk areas are addressed with specific cybersecurity training requirements (e.g., employee training needed for Health Insurance Portability and Accountability Act or Payment Card Industry compliance), other departments lack a clear policy requirement.
Recommendation
UMass Amherst management should update its WISP to require all employees to complete cybersecurity training at hire and at least annually thereafter. UMass Amherst should also devise means by which it can enforce and monitor compliance with an updated training policy. UMass Amherst should enroll all of its employees, contractors, and interns in cybersecurity awareness training.
Auditee’s Response
Cybersecurity awareness training is only one part of a highly sophisticated and comprehensive cybersecurity program deployed by the campus to detect and prevent threats to the campus’ information technology infrastructure, assets and data. All new employees will be required to take the training as part of the on-boarding process. Annually, all employees will be required to take a refresher course and emails will be sent out with the link to the learning management system training site. Furthermore, management will monitor whether employees have timely completed training. The training material will be reviewed periodically and if necessary, the material will be revised for any new and applicable authoritative guidelines.
UMass Amherst will update its WISP to reflect the new cybersecurity awareness training requirements.
Auditor’s Reply
Based on its response, UMass Amherst will take measures to address our concerns regarding this matter. We note that the requirement to provide this training is not new and will follow up on this in approximately six months as part of our post audit review process.
Date published: December 30, 2024