This page, WSU Did Not Ensure That Information System Security Awareness Training Was Completed As Required by the Executive Office of Technology Services and Security, is offered by the Office of the State Auditor.

WSU Did Not Ensure That Information System Security Awareness Training Was Completed As Required by the Executive Office of Technology Services and Security

The audit found that the University was conducting periodic training, but attendance by staff was not required.


Overview

WSU did not ensure that employees who had access to its systems received information system security awareness training as required by the Executive Office of Technology Services and Security (EOTSS). Specifically, WSU did not provide initial information system security awareness training to new employees when they were hired, and it did not require employees to receive training each year. WSU officials conducted periodic training using a PowerPoint presentation, but attendance was not required. Without this training, WSU is exposed to a higher risk of cybersecurity attacks, such as the one discussed in the previous finding, and of financial and/or reputational losses.

Authoritative Guidance

EOTSS’s “Information Security Risk Management Standard” states,

Commonwealth Offices and Agencies must ensure that all personnel are trained on all relevant rules and regulations for cybersecurity. . . .

All new personnel must complete an Initial Security Awareness Training course. . . . All personnel will be required to complete Annual Security Awareness Training.

Reasons for Issues

WSU did not have a formal program requiring new and existing users to take information system security awareness training. Initially, WSU officials told us that training was not required upon hire for new employees or annually for all employees because they believed they could not require the training in WSU’s collective bargaining agreements or policies, since the agreements did not include compensation for the extra time needed for such training. They stated that for this reason, they could not mandate information system security awareness training or implement a formal policy requiring it. However, during the audit, WSU researched this issue and determined that it could require the training of all employees, including those under collective bargaining agreements.

Recommendations

  1. WSU should implement a formal information system security awareness training program requiring new users to receive training and existing users to be retrained annually.
  2. WSU should establish monitoring controls to ensure that all of its employees with access to its systems comply with these requirements.

Auditee’s Response

WSU currently conducts security awareness training with all constituents who are required to attend training for [Payment Card Industry—Data Security Standard] compliance. Knowing more is needed in this area, at onboarding and for periodic review, WSU has purchased and begun the implementation process of a security awareness education program software that will allow for ad-hoc, scheduled, refresher training and compliance monitoring to meet the needs for good security practice, compliance, and the ever-changing security landscape.

Auditor’s Reply

Based on the response above, WSU is responding to our concerns.

Date published: April 15, 2021
