University of Massachusetts Boston - Finding 3

UMass Boston did not always ensure that its employees completed cybersecurity awareness training. We determined that 28 out of 60 UMass Boston faculty/staff employees did not complete their cybersecurity awareness training. Additionally, UMass Boston could not provide evidence (i.e., training records) that 12 employees took the training, leaving a question as to whether they completed the training or not. In total, this amounted to 40 testing exceptions out of our population of 60 faculty/staff employees selected for testing.

We also determined that 35 out of 60 UMass Boston student/graduate employees did not complete their cybersecurity awareness training. Additionally, UMass Boston could not provide evidence (i.e., training records) that 19 employees took the training, leaving a question as to whether they completed the training or not. In total, this amounted to 54 testing exceptions out of our population of 60 student/graduate employees selected for testing.

If UMass Boston does not educate all employees on their responsibility to protect its information assets by requiring cybersecurity awareness training, then UMass Boston is exposed to a higher-than-acceptable risk of cybersecurity attacks, which may cause financial and/or reputational losses.

UMass Boston’s “Information Security Training and Awareness Policy” states,

All users shall complete security awareness training and training on information security policies upon hire and subsequently at least annually.

UMass Boston management told us that training completion rates are low because currently there is no enforcement mechanism for employees who do not complete the training.

UMass Boston should revise its policy to implement a mechanism that requires employees to complete cybersecurity awareness training at hire and at least annually thereafter; UMass Boston should consider cutting off user access if an employee does not complete their training by a stated deadline.

Cybersecurity awareness training is only one part of a highly sophisticated and comprehensive cybersecurity program deployed by the campus to detect and prevent threats to the campus’ information technology infrastructure, assets and data. All new employees are required to take the training as part of the on-boarding process. Annually, all employees are required to take a refresher course and emails are sent out with the link to the learning management system training site. Furthermore, management monitors whether employees have timely completed training. The training material will be reviewed periodically and if necessary, the material will be revised for any new and applicable authoritative guidelines.

UMass Boston has updated its Security Education Training and Awareness policy that reflects the new cybersecurity awareness training requirements.

As stated in our audit finding, we noted 40 testing exceptions (67%) out of our population of 60 faculty/staff employees selected for cybersecurity awareness training completion. In addition, for student/graduate employees, we noted 54 testing exceptions (90%) out of our population of 60 employees selected for testing. The requirement to provide this training is not new and UMass Boston has failed to comply with it in the vast majority of instances we tested. Therefore, we reiterate our recommendation for UMass Boston to implement a mechanism that requires employees to complete cybersecurity awareness training at hire and at least annually thereafter. The systems and processes used by UMass Boston have not proven adequate to meet its needs.