University of Massachusetts Boston - Finding 3

The University of Massachusetts Boston did not always ensure that its employees completed cybersecurity awareness training.

Overview

UMass Boston did not always ensure that its employees completed cybersecurity awareness training. We determined that 28 out of 60 UMass Boston faculty/staff employees did not complete their cybersecurity awareness training. Additionally, UMass Boston could not provide evidence (i.e., training records) that a further 12 employees took the training, so whether they completed it is unknown. In total, this amounted to 40 testing exceptions out of our population of 60 faculty/staff employees selected for testing.

We also determined that 35 out of 60 UMass Boston student/graduate employees did not complete their cybersecurity awareness training. Additionally, UMass Boston could not provide evidence (i.e., training records) that a further 19 employees took the training, so whether they completed it is unknown. In total, this amounted to 54 testing exceptions out of our population of 60 student/graduate employees selected for testing.

If UMass Boston does not educate all employees on their responsibility to protect its information assets by requiring cybersecurity awareness training, then UMass Boston is exposed to a higher-than-acceptable risk of cybersecurity attacks, which may cause financial and/or reputational losses.

Authoritative Guidance

UMass Boston’s “Information Security Training and Awareness Policy” states,

All users shall complete security awareness training and training on information security policies upon hire and subsequently at least annually.

Reasons for Issue

UMass Boston management told us that training completion rates are low because currently there is no enforcement mechanism for employees who do not complete the training.

Recommendation

UMass Boston should revise its policy to implement a mechanism that requires employees to complete cybersecurity awareness training at hire and at least annually thereafter; UMass Boston should consider cutting off user access if an employee does not complete their training by a stated deadline.

Auditee’s Response

Cybersecurity awareness training is only one part of a highly sophisticated and comprehensive cybersecurity program deployed by the campus to detect and prevent threats to the campus’ information technology infrastructure, assets and data. All new employees are required to take the training as part of the on-boarding process. Annually, all employees are required to take a refresher course and emails are sent out with the link to the learning management system training site. Furthermore, management monitors whether employees have timely completed training. The training material will be reviewed periodically and if necessary, the material will be revised for any new and applicable authoritative guidelines.

UMass Boston has updated its Security Education Training and Awareness policy that reflects the new cybersecurity awareness training requirements.

Auditor’s Reply

As stated in our audit finding, we noted 40 testing exceptions (67%) out of our population of 60 faculty/staff employees selected for cybersecurity awareness training completion. In addition, for student/graduate employees, we noted 54 testing exceptions (90%) out of our population of 60 employees selected for testing. The requirement to provide this training is not new and UMass Boston has failed to comply with it in the vast majority of instances we tested. Therefore, we reiterate our recommendation for UMass Boston to implement a mechanism that requires employees to complete cybersecurity awareness training at hire and at least annually thereafter. The systems and processes used by UMass Boston have not proven adequate to meet its needs.

Date published: December 26, 2024
