A state audit of the Steamship Authority completed this week is calling for improved cybersecurity training for its employees and a tighter policy for the practice of providing free ferry rides to staff and their families.
The Office of the State Auditor conducted the performance audit of the Steamship Authority for the period between Jan. 1, 2020 through the end of 2021. The review also looked closely at the Steamship’s spending of COVID-19 relief funds and found that it had utilized them appropriately, and followed the federal guidelines for spending the CARES Act money.
However, auditor Diana DiZoglio issued a formal finding related to the Steamship Authority’s training program for cybersecurity.
“The Steamship Authority does not have a formal, documented cybersecurity awareness training program and does not monitor the assignment and completion of cybersecurity awareness training courses,” the audit concluded. It offered a series of four recommendations to remedy the situation, including formal documentation of its training program.
The Steamship Authority’s general manager Bob Davis said the boat line had already begun to implement changes based on those recommendations.
“We appreciate the time and effort the Auditor’s Office took to produce this detailed report, which will aid the Steamship Authority to improve cybersecurity awareness across its operations,” Davis said in a prepared statement. “The Authority has thoroughly reviewed the audit and concurs with its findings. I am pleased that the Auditor’s Office noted that we have properly spent more than $9.8 million in Coronavirus Aid, Relief, and Economic Security funds that were distributed by the federal government. We have already begun to take corrective action on its recommendations for improvement, most notably enhancing the Authority’s cybersecurity preparedness and training programs.”
While stopping short of issuing a formal finding regarding the Steamship’s policy for providing free ferry rides to its employees and their immediate families, the Auditor’s Office addressed the boat line’s policy in the “other matters” section of its report.
The Steamship Authority’s current policy allows current and retired employees, along with their spouses, “annual passes” that provide free transportation to and from Nantucket and Martha’s Vineyard. The benefit is extended to their dependent children who are allowed to obtain “trip passes,” along with temporary and seasonal employees.
“We conclude that, although some employee passage and ticket agent policies exist, Steamship Authority employees do not always follow these established policies to issue trip passes to current, retired, temporary, or seasonal employees and eligible nonemployees,” the audit concluded. “We further conclude that control weaknesses exist in the areas of badges permitting access to facilities and free rides, the absence of travel logs in five of the seven facilities, and the capture of inconsistent information when granting trip passes.”
The Steamship responded by stating it would review and update its “Employee Policies and Procedures Manual” to more clearly define the benefits to which employees are entitled, as well as replace all employee ID badges, deactivate old badges, include credentials on the new ID badges, and require them to be presented and scanned before allowing access to Steamship vessels.