Overview
UMass Chan did not ensure that workforce members completed cybersecurity awareness training in a timely manner. Regarding the initial cybersecurity awareness training, for 14 newly hired workforce members out of our sample of 60, we found the following:[17]
- Out of our sample of newly hired workforce members, 11 completed the training outside of the allotted timeframe of 14 days. Based on the assignment date for each of these workforce members, the median number of days past due for these trainings was 21 days beyond the allotted 14 days.
- Out of our sample of newly hired workforce members, 3 never completed their initial cybersecurity awareness training.[18]
Regarding the annual refresher cybersecurity awareness training, from our sample of 60 existing workforce members, we found the following:
- For the 2021 annual refresher cybersecurity awareness training assignment, while 34 workforce members completed the training in a timely manner, we found the following:[19]
  - Out of our sample of existing workforce members, 8 completed the training outside of the allotted timeframe of 60 days. Based on the assignment date for each of these workforce members, the median number of days past due for these trainings was 60 days beyond the allotted 60 days.
  - Out of our sample of existing workforce members, 1 never completed the training.
- For the 2022 annual refresher cybersecurity awareness training assignment, while 28 workforce members completed the training in a timely manner, we found the following:[20]
  - Out of our sample of existing workforce members, 18 completed the training outside of the allotted timeframe of 60 days. Based on the assignment date for each of these workforce members, the median number of days past due for these trainings was 48.5 days beyond the allotted 60 days.
If UMass Chan does not educate all workforce members on their responsibility to protect information assets by requiring cybersecurity awareness training, then UMass Chan is exposed to a higher-than-acceptable risk of cybersecurity attacks, which could cause financial and/or reputational losses.
Authoritative Guidance
According to UMass Chan’s “Privacy and Security Training Policy,”
All UMass Chan faculty, staff, contingent workers, contractors and students in its schools, departments, centers and business units are required to complete privacy and information security training. . . .
Initial training must be completed within fourteen (14) days after receiving access to UMass Chan networks or systems for all Workforce members. . . .
Annual Security and Privacy training for all Workforce members must be completed within sixty (60) days.
Reasons for Issue
UMass Chan officials told us that some workforce members were never assigned access to the UMass Chan computer network because these employees did not complete the necessary steps to receive this access. As for the other workforce members, UMass Chan officials could not provide an explanation as to why these workforce members did not complete the required cybersecurity awareness training, either in a timely manner or at all.
Recommendation
UMass Chan should ensure that all workforce members who have access to its computer network complete cybersecurity awareness training in a timely manner, upon hire and annually thereafter.
Auditee’s Response
UMass Chan has implemented a mature and effective Information Security and Privacy Training Program dedicated to educating our students, faculty, and workforce on how to recognize and respond to cybersecurity threats. As reflected in a nearly 100% completion rate, we are focused on effectively applying this critical security control and are committed to the program’s continuous improvement. Awareness training is only one part of a highly sophisticated and comprehensive defense-in-depth cybersecurity framework deployed by the campus to detect and prevent threats to the campus’ information technology infrastructure, assets and data. It is important to note that not assigning training to the individuals in question was done in line with UMass Chan policy because they never received access to the UMass Chan network and, as such, posed no security risk. Furthermore, the few individuals who did not complete cybersecurity awareness training have since either done so or left UMass Chan.
Auditor’s Reply
We acknowledge that the workforce members noted in footnotes 17, 19, and 20 were not assigned cybersecurity awareness training because they never received access to the UMass Chan computer network, which is in line with UMass Chan policy. We included these footnotes because these workforce members appeared in our sample, which was selected from a list—provided to us by UMass Chan officials—of workforce members who were employed at some point during the audit period. According to UMass Chan officials, they provided us with this list—as opposed to a list of only the workforce members who had access to UMass Chan’s computer network—because they were unable to provide the latter. (See “Cybersecurity Awareness Training” in the Audit Objectives, Scope, and Methodology section of this report for more information.) Nevertheless, of the workforce members in our sample who did receive access to the UMass Chan computer network, we identified 37 workforce members (11 newly hired and 26 existing workforce members) who completed the cybersecurity awareness training late (both the initial and the annual refresher trainings), 3 newly hired workforce members who never completed the initial training, and 1 existing workforce member who never completed the 2021 annual refresher training. It is also possible that workforce members outside of our sample completed their training late or did not complete their training at all.
In its response, UMass Chan states that it “has implemented a mature and effective Information Security and Privacy Training Program . . . to recognize and respond to cybersecurity threats,” but such a program requires timely cybersecurity awareness training for workforce members upon hire and annually thereafter. Such a program also requires continual monitoring by management if it is to be an effective program that protects UMass Chan’s systems and data. Therefore, we strongly encourage UMass Chan to implement our recommendation regarding this matter.
Date published: September 6, 2024