BOSTON – In an audit of the Massachusetts District Attorneys Association (MDAA), the Office of State Auditor Suzanne M. Bump (OSA) found that MDAA did not ensure employees received cybersecurity awareness training. The audit, which reviewed the period of July 1, 2019 through June 30, 2021, is one of several audits conducted by the OSA that have reviewed cybersecurity awareness training compliance.
To address the lack of cybersecurity awareness training, the audit recommended MDAA develop and implement policies and procedures which require newly hired employees to receive initial cybersecurity awareness training within 30 days of their hiring, as well as annual cybersecurity awareness training for all employees. Insufficient training may lead to user error and compromise the integrity and security of the district attorneys’ computer network, which MDAA manages. The audit also recommended that MDAA retain records of training completion for each employee and follow the record retention requirements in its “Media and Records Policy.”
“As we publish yet another audit revealing a lack of cybersecurity training, we continue to see a pattern across the Commonwealth, as inadequate cybersecurity training practices put government agencies in a vulnerable position at this time of heightened cyber threats,” said State Auditor Suzanne M. Bump.
The Massachusetts District Attorneys Association (MDAA) was created by Section 20D of Chapter 12 of the Massachusetts General Laws. Its executive director is appointed by the 11 elected Massachusetts district attorneys. Each year, by majority, the district attorneys choose a president from among themselves. As of June 30, 2021, MDAA employed 10 people. Its office is at 1 Bulfinch Place, Suite 202, in Boston.
The OSA has placed an emphasis on examining cybersecurity awareness training at government agencies. Recently, Auditor Bump has released audits of the Office of the Attorney General, the Division of Banks, the Office of the Inspector General, the Massachusetts Office of Victim Assistance, and the Division of Capital Asset Management and Maintenance, most of which called on these agencies to improve their cybersecurity awareness training practices.