- Office of the State Auditor
Audit Calls for Improvements in Cybersecurity Training at Holyoke Community College
Boston — In an audit released today, State Auditor Suzanne M. Bump called on Holyoke Community College (HCC) to improve its employee information technology (IT) and cybersecurity awareness training. Bump’s audit, which examined the period of July 1, 2017 through March 31, 2019, found HCC did not develop an IT security training program until long after it was required to do so, and did not ensure all employees took part in this training. This left the college and its technological assets more vulnerable to cyberattacks and financial losses.
“Employees at Holyoke Community College are the school’s front-line defense against cyberattacks. Their staff must have the knowledge and skills to identify and avoid these potential threats,” Bump said of the audit. “While our audit shows many employees did not receive critical IT security training, I commend the school for taking action to address this issue to keep its technological and financial assets safe.”
The audit shows that HCC did not implement an IT security training program for employees until October 2018, more than nine years after a state executive order required it to do so. Additionally, the vast majority of employees reviewed by Bump’s office had not completed the initial training, completed it late, or were never assigned to take the training. The audit also revealed HCC could not show that a substantial number of employees had signed the required acceptable use policy, which dictates appropriate uses of technological devices.
In the audit, Bump calls on HCC to develop and distribute a formal policy for staff IT training, monitor staff compliance with training requirements, maintain signed acceptable use forms, and negotiate through collective bargaining to require IT security training of all HCC system users. In its response, HCC indicated it has begun to take steps to implement these recommendations.
Bump’s audit notes that Massachusetts requires all state employees working in executive departments, including public colleges, to participate in IT security training.
HCC is one of 15 community colleges in Massachusetts. The community college is an accredited public two-year institution, offering more than 65 associate degree programs and certificate programs. In fiscal year 2018, HCC had 10,749 students enrolled in credit and non-credit classes.