ROSELYN HOUSE SCHOOL
Cyber Security Standards for Schools & Colleges
 

Each standard below is set out under the same headings: Standard; The importance of meeting the standard; How to meet the standard; Technical requirements to meet the standard; Dependencies to the standard; When to meet the standard; Achieved/evidence.

Protect all devices on every network with a properly installed firewall

Properly configured firewalls prevent many attacks. They also make scanning for suitable hacking targets much harder.

Ask your IT service provider to set up your devices to meet the standards described in the technical requirements.

Agree with your IT service provider a system for monitoring logs and documenting decisions made on inbound traffic.

Your IT service provider may be a staff technician or an external service provider.

Remember that this standard may change over time with changing cyber threats.

You are free to choose any suitable firewall.

 

  • protect every device with a correctly configured boundary, or software firewall, or a device that performs the same function
  • change the default administrator password on every firewall, and disable remote administration of the firewall where it is not needed
  • protect access to the firewall’s administrative interface with multi-factor authentication (MFA), or a small specified IP-allow list combined with a managed password, or prevent access from the internet entirely
  • keep firewall firmware up to date
  • check monitoring logs as they can be useful in detecting suspicious activity
  • block inbound unauthenticated connections by default
  • document reasons why particular inbound traffic has been permitted through the firewall
  • review the reasons why particular inbound traffic has been permitted through the firewall regularly, and change the rules when that access is no longer needed
  • enable a software firewall for devices used on untrusted networks, like public wi-fi
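The "block by default, document every exception, review it regularly" requirements above are easiest to keep honest if the permit list is machine-readable. The following is an added example, not the DfE's text or the school's or any firewall vendor's configuration: it holds inbound exceptions as records that each carry a documented reason and a review date, audits them for the problems this standard names, and evaluates a new inbound connection against a default-deny policy. The rule set, addresses and review dates are constructed for illustration.

```python
"""Default-deny inbound policy with documented, time-limited exceptions.

Added example: the rule set below is constructed for illustration and is
not the school's or any vendor's configuration.
"""
from dataclasses import dataclass
from datetime import date
import ipaddress


@dataclass(frozen=True)
class PermitRule:
    name: str         # short label for the exception
    proto: str        # "tcp" or "udp"
    port: int         # destination port admitted
    source: str       # CIDR block the rule admits (hypothetical values below)
    reason: str       # documented business need; empty means undocumented
    review_by: date   # the rule must be re-justified on or before this date


# Constructed sample rule set (assumed, not taken from the page).
SAMPLE_RULES = [
    PermitRule("vpn-gateway", "udp", 1194, "0.0.0.0/0",
               "staff remote access via the school VPN", date(2026, 1, 31)),
    PermitRule("mis-vendor-rdp", "tcp", 3389, "203.0.113.0/24",
               "", date(2026, 1, 31)),                                  # no reason recorded
    PermitRule("old-ftp", "tcp", 21, "198.51.100.0/24",
               "legacy file drop for a supplier", date(2023, 1, 1)),   # review lapsed
]
AUDIT_DATE = date(2024, 6, 1)  # hypothetical "today" used by the sample run


def rule_findings(rules, today=AUDIT_DATE):
    """Return audit findings for permits that are undocumented, overdue or internet-wide."""
    findings = []
    for r in rules:
        if not r.reason.strip():
            findings.append(f"{r.name}: no documented reason for this inbound permit")
        if r.review_by < today:
            findings.append(f"{r.name}: review overdue since {r.review_by.isoformat()}")
        if ipaddress.ip_network(r.source).prefixlen == 0:
            findings.append(f"{r.name}: admits the whole internet; confirm this is intended")
    return findings


def inbound_permitted(rules, proto, port, src_ip, today=AUDIT_DATE):
    """Decide a new inbound connection. Default is deny: only a documented,
    in-date rule matching protocol, port and source returns its name.
    An expired or undocumented rule fails closed rather than open."""
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        if (r.proto == proto and r.port == port
                and ip in ipaddress.ip_network(r.source)
                and r.reason.strip() and r.review_by >= today):
            return r.name
    return None


if __name__ == "__main__":
    for finding in rule_findings(SAMPLE_RULES):
        print("FINDING:", finding)
    print("udp/1194 from 198.51.100.7 ->", inbound_permitted(SAMPLE_RULES, "udp", 1194, "198.51.100.7"))
    print("tcp/3389 from 203.0.113.5 ->", inbound_permitted(SAMPLE_RULES, "tcp", 3389, "203.0.113.5"))
```

The audit output is the list to take to the review meeting the standard asks for: a permit with no reason, a permit whose review date has passed, and a permit open to the whole internet each get a finding, and an expired or undocumented permit no longer admits traffic until someone re-justifies it. Established or related traffic belonging to outbound connections is handled by the firewall's state tracking and is not modelled here.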

 

https://www.gov.uk/guidance/meeting-digital-and-technology-standards-in-schools-and-colleges/broadband-internet-standards-for-schools-and-colleges

You should already be meeting this standard for the security of your networks. If you are not already meeting this standard you should make it a priority to review each device in your network.

All PCs/laptops are fully protected with ESET antivirus and firewall. Any detection of attacks will be repelled by the software. Two-factor authentication is in place for every member of staff, built into Microsoft Office 365. 2FA is now mandatory to be able to access SharePoint and other Office programs.

The main school and RHISE have a dedicated cloud-based firewall operated via Rawstream networks which has category-based and direct URL whitelisting and blacklisting. The cloud-based software has a list of all internet traffic access and is carefully audited at least twice a week for any unauthorised web access. Staff are requested to ask the IT manager for any requests to unblock specific website URLs and only after careful consideration of the legitimacy of the need for access is access granted. Any use of VPN browsers or extensions is monitored and blocked immediately by the cloud-based software or, on rare occasions, directly URL-blacklisted after the IT manager finds something has got through. All Wi-Fi networks are password protected and staff are under strict instructions never to share a Wi-Fi SSID with anyone else.

Categories that are permanently and automatically blocked by the cloud-based firewall include social media sites (e.g. Facebook/Twitter), media streaming (e.g. Netflix/Amazon Prime), adult sites, public discussion forums and web advertisement spam sites.

Network devices should be known and recorded with their security features enabled, correctly configured and kept up-to-date

Security systems are sometimes disabled to make very marginal improvements to user experience. This is an unjustifiable risk calculation in most circumstances.

Attackers scan for and exploit devices where the security features are not enabled. Using the security features that devices already have is the most basic form of cyber security.

Attackers who gain physical access to a network device can exploit a system much more easily, so this should be prevented.

Recording network devices helps schools keep networks up-to-date and speeds up recovery.

 

Network devices include routers, switches, access points, servers and similar items.

Ask your IT service provider to record and set up your devices and boot up systems to meet the technical requirements.

Agree with your IT service provider a system for recording and reviewing decisions made about network security features.

Your IT service provider may be a staff technician or an external service provider.

Remember that this standard may change over time with changing cyber threats.

The National Cyber Security Centre has published guidance on:

 

To meet this standard you must:

  • keep a register, list, or diagram of all the network devices
  • avoid leaving network devices in unlocked or unattended locations
  • remove or disable unused user accounts, including guest and unused administrator accounts
  • change default device passwords
  • require authentication for users to access sensitive school data or network data
  • remove or disable all unnecessary software according to your organisational need
  • disable any auto-run features that allow file execution
  • set up filtering and monitoring services to work with the network’s security features enabled
  • immediately change passwords which have been compromised or suspected of compromise
  • protect against a brute-force attack on all passwords by allowing no more than 10 guesses in 5 minutes, or locking devices after no more than 10 unsuccessful attempts

If network devices have conflicting security features, document the decisions you make on which security features have been enabled or disabled on your network. Review this document when you change these decisions.

To physically access switches and boot-up settings use a password or PIN of at least 6 characters. The password or PIN must only be used to access this device.

For all other devices, you must enforce password strength at the system level. If you use a deny list for automatic blocking of common passwords, use a password with at least 8 characters. If you do not use a deny list, use a password with at least 12 characters or a biometric test.

Password manager software is recommended.

The National Cyber Security Centre provides detailed guidance on:

See our standards on network switching.

You should already be meeting this standard for the security of your networks. If you are not already meeting this standard you should make it a priority to review each device in your network.

Every item of IT equipment is recorded in an Excel spreadsheet with details of device name/serial number/date of last software updates. ESET antivirus is set to auto update and a weekly AV scan is scheduled on every laptop and workstation. Regular checks that the scans are being performed as required are promptly done. Staff have instructions never to reveal or share their access passwords for either Office 365 or the main school server network. The school server network has a once-monthly password reset requirement and staff are prompted to change their passwords from any initial password set by the IT manager. Users on the main school server only have access to relevant folders/files according to their work needs and job status. Any unauthorised software installation is prevented by a system administrator password prompt which only the IT manager has access to.

Accounts should only have the access they require to perform their role and should be authenticated to access data and services

Successful cyber attacks target user accounts with the widest access and highest privileges on a network.

You must limit the numbers and access of network and global administrative accounts.

If you prevent and limit the compromise of these accounts you prevent and limit successful cyber attacks.

 

Ask your IT service provider or network manager to set up accounts to meet the technical requirements. If a single staff member controls account access, another senior school staff member or governor should approve that staff member’s own account.

There must be a user account creation, approval and removal process. You should make this part of school joining and leaving protocols.

Your IT service provider may be a staff technician or an external service provider.

Remember that this standard may change over time with changing cyber threats.

 

You must control user accounts and access privileges, including accounts used by third parties, for example, support services or device management.

Only authorised people can have an account which allows them to access, alter, disclose or delete the held personal data. The data owner or controller, or the data protection officer, must identify and authorise these tasks.

Users should have a separate account for routine business, including internet access, if their main account:

  • is an administrative account
  • enables the execution of software that makes significant system or security changes
  • can make changes to the operating system
  • can create new accounts
  • can change the privileges of existing accounts

Users must be authenticated with unique credentials before they access devices or services. This can include using passwords.

You must enforce password strength at the system level.

If you use a deny list for automatic blocking of common passwords, use a password with at least 8 characters. If you do not use a deny list, use a password with at least 12 characters or a biometric test. The National Cyber Security Centre recommends using passwords made up of 3 random words. Enforce account lockouts after a number of failed attempts and require service provider or network manager permission to unlock.
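The password rules above (and the brute-force limits in the network devices standard: no more than 10 guesses in 5 minutes, or lockout after 10 failed attempts) are checks a login service can enforce mechanically. The following is an added example, not the school's, Microsoft's or any product's code: a password acceptance function that applies the 8-character floor when a deny list is in use and the 12-character floor when it is not, and a throttle that enforces both the per-window guess limit and the consecutive-failure lockout with an administrator unlock. The deny list is a constructed handful of entries; a real deployment loads a breached-password list of millions, and the clock is injectable only so the sample run is deterministic.

```python
"""Password acceptance and brute-force throttling as this standard describes.

Added example, not the school's or any product's code. The deny list and
the injectable clock are constructed for the sample run.
"""
import time
from collections import deque

# Constructed deny list (assumed); real lists run to millions of entries.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty123",
                    "welcome1", "letmein", "school2023"}


def password_acceptable(pw, deny_list=COMMON_PASSWORDS):
    """Return (ok, reason). With a deny list the floor is 8 characters;
    without one it rises to 12, because length is then doing all the work."""
    if deny_list is not None:
        if pw.lower() in deny_list:
            return False, "on the deny list of common passwords"
        minimum = 8
    else:
        minimum = 12
    if len(pw) < minimum:
        return False, f"shorter than {minimum} characters"
    return True, "ok"


class LoginThrottle:
    """Allows at most `max_attempts` guesses per `window` seconds per account,
    and locks the account after `lock_after` consecutive failures until an
    administrator unlocks it. `clock` is injectable for deterministic tests."""

    def __init__(self, max_attempts=10, window=300, lock_after=10, clock=None):
        self.max_attempts = max_attempts
        self.window = window
        self.lock_after = lock_after
        self.clock = clock or time.monotonic
        self._attempts = {}   # account -> deque of attempt timestamps in the window
        self._failures = {}   # account -> consecutive failure count
        self._locked = set()

    def attempt_allowed(self, account):
        """Call before checking a password; False means refuse without checking."""
        if account in self._locked:
            return False
        now = self.clock()
        q = self._attempts.setdefault(account, deque())
        while q and now - q[0] >= self.window:   # drop attempts older than the window
            q.popleft()
        return len(q) < self.max_attempts

    def record_attempt(self, account, success):
        """Record the outcome; the lock_after-th consecutive failure locks the account."""
        self._attempts.setdefault(account, deque()).append(self.clock())
        if success:
            self._failures[account] = 0
            return
        self._failures[account] = self._failures.get(account, 0) + 1
        if self._failures[account] >= self.lock_after:
            self._locked.add(account)

    def is_locked(self, account):
        return account in self._locked

    def admin_unlock(self, account):
        """The standard requires service-provider or network-manager action to unlock."""
        self._locked.discard(account)
        self._failures[account] = 0
        self._attempts.pop(account, None)
```

Apply `attempt_allowed` before touching the credential store so a locked or throttled account costs the attacker a refusal rather than a password check, and keep the failure counters server-side: a client-side lockout is trivially bypassed by scripting the login endpoint directly.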

The National Cyber Security Centre provides guidance on password administration for system owners.

You must immediately change any password that has been compromised or suspected of compromise.

You must remove unused accounts. This may include the accounts of users who have left their employment, or accounts that have not been used for a prolonged period of time. This is particularly important for accounts with administrator privileges. You should review this termly.

Unused role privileges must be removed or disabled.

No user’s account should have more access to devices than required to carry out their role.

Use different accounts with specific rights for different purposes or have IT service providers and administrators enable just-in-time access, giving individual users time-limited privileges as required. The National Cyber Security Centre provides detailed guidance on privileged access management.

For younger children or users with special educational needs:

  • consider using authentication methods other than passwords
  • consider using a separate account accessed by the teacher rather than the student
  • segment the network so such accounts cannot reach sensitive data
  • consider if the data or service being accessed requires authentication

The NCSC offers this guidance on alternatives to passwords.

You should not use global administrator accounts for routine business.

You should only use accounts requiring administrator privileges to complete the tasks that need it.

You should use service accounts for running system services and not user accounts.

 

You should implement this standard as soon as you can and with the introduction of each new account.

All staff have an appropriate level of access to the school's networked resources and these are assigned by the IT manager on completion of their initial probationary working period. Access is given to the shared folder directories relevant to their location and school role. Only the IT manager is enabled to give out network access and Office 365 usernames and passwords. 365 access is initially set up via our external network provider IT247NW, a well-established local technology company; all usernames and passwords are communicated via secure email to which only the IT manager has access. Initial passwords are issued to the users with strict instructions to regularly change their passwords and not share them with anyone. Password credential protocols are strictly enforced by both the main school network server and Microsoft Office 365. All staff have their accounts deleted and data (including emails) wiped within 30 days of leaving their role.

You should protect accounts with access to personal or sensitive operational data and functions by multi-factor authentication

Multi-factor authentication only allows access to a service when you present 2 or more different forms of authentication. It reduces the possibility of an attacker compromising an account. This is especially important if an account has access to sensitive or personal data.

In this context, sensitive or personal data is all data that if lost or compromised, would have a serious impact on the establishment, staff or students.

The Information Commissioner’s Office explains what personal data is.

 

Ask your IT service provider to set up the applicable users with the multi-factor authentication methods which meet the technical requirements.

You should provide training to users unfamiliar with multi-factor authentication.

The National Cyber Security Centre provides detailed guidance on:

Your IT service provider may be a staff technician or an external service provider.

Remember that this standard may change over time with changing cyber threats.

 

Where practical, you must enable multi-factor authentication. This should always include cloud services for non-teaching staff. All staff are strongly encouraged to use multi-factor authentication.

Ask users for a second authentication factor when accessing sensitive data. For example, when moving from a lesson plan to financial or personal data.

Multi-factor authentication should include at least 2 of the following:

  • passwords constructed in the formats described earlier in standard 3
  • a managed device, that may belong to the organisation
  • an application on a trusted device
  • a device with a trusted network IP address; do not rely on this factor for accounts with administrator rights or for access to sensitive data
  • a physically separate token
  • a known/trusted account, where a second party authenticates another’s credentials
  • a biometric test

 

You should implement this standard as soon as you can.

In the last year Microsoft Office 365 has enforced two-factor authentication on every user account with no exceptions. Implementation has by and large been successful. Users have to download the authenticator app on their Apple or Android smartphone which acts as the facilitator for this process. Every time a user accesses their 365 account on a new item of equipment they are instructed to authorise the use with two-factor authentication.

You should use anti-malware software to protect all devices in the network including cloud-based networks

Up-to-date anti-malware and anti-virus software reduces the risk from many forms of cyber attack.

Some applications protect against viruses and general malware, some against one only. You need to protect against both.

 

Ask your IT service provider to set up your devices to meet the technical requirements.

The National Cyber Security Centre publishes advice on antivirus and other security software.

Your IT service provider may be a staff technician or an external service provider.

Your school or college must organise the responsibilities and processes for risk-assessment, authorisation and documentation for any access to potentially malicious websites.

Remember that this standard may change over time with changing cyber threats.

 

You must make sure anti-malware software and associated files and databases are kept up to date.

Make sure the anti-malware software:

  • is set up to scan files upon access, when downloaded, opened, or accessed from a network folder
  • scans web pages as they are accessed
  • prevents access to potentially malicious websites, unless risk-assessed, authorised and documented against a specific business requirement

Do not run applications or access data which has been identified as malware. Use the anti-malware software to eliminate the problem.

 

You should meet this standard as soon as you can.

Both the Roselyn House School main site and RHISE implement industry-leading antivirus and anti-malware software on each IT workstation or laptop. ESET antivirus and anti-malware comes recommended via our third-party IT partners IT247NW and it has been used by the organisation for over 7 years. Every workstation has inbuilt automatic protection against virus and cyber threats and each device is set to run a weekly antivirus/malware check, and staff are instructed to report any instances of virus/malware detection to the IT manager for further investigation. All Office 365 email/Outlook accounts are protected by the ESET AV checker and it is implemented into any Outlook application that is installed on any device.

An administrator should check the security of all applications downloaded onto a network

Applications can insert malware onto a network or have unintentional security weaknesses. This makes attacks easier to execute against a network.

Users should not download applications. The IT service provider should check them first.

 

Ask your IT service provider to set up your devices to meet the technical requirements. Agree how this will be done with your IT service provider and document how you have met the requirements.

The National Cyber Security Centre provides guidance on:

Your IT service provider may be a staff technician or an external service provider.

Remember that this standard may change over time with changing cyber threats.

 

The IT service provider should approve all code and applications that are deployed and make sure they do not pose a security risk. They should do this in the best way possible given available resources.

Best practice is to maintain a current list of approved applications. Applications with invalid or no digital signatures should not be installed or used.

You could search the internet to check the reputation of the application and the hosting site, or run unknown applications or code within a sandbox environment.

Make sure the network’s anti-malware service is scanning all downloaded applications.

 

You should meet this standard as soon as possible.

All workstations and laptops are regularly checked for any unauthorised software/application installations. All staff are instructed to keep a strict watch on what students are doing on their PCs/workstations and will advise the IT manager of any infractions. ESET antivirus and anti-malware warns of and stops the installation of any suspicious applications.

All online devices and software must be licensed for use and should be patched with the latest security updates

Hackers try to identify and exploit the vulnerability that each new security update addresses. They try to do this before users are able to update their systems. In the last year, several attacks on educational establishments have taken advantage of this.

Unsupported software does not receive security updates and over time it becomes:

  • more vulnerable as methods of exploitation are discovered
  • less compatible with the security measures integrated into the network operating system

You must not use unlicensed hardware or software.

Unlicensed software may not be a legitimate copy, or it may not be updatable to the latest secure standards.

You must avoid or replace unpatched or unsupported hardware or software, including operating systems. These devices are the most popular targets for successful cyber attacks. If this is not possible, then these devices and software must not be accessible from the internet - so that scanning tools cannot find weaknesses.

 

 

Ask your IT service provider to make sure all devices and software are licensed, supported and set up to meet the technical requirements.

Subscribing to services rather than buying items can be a way to help achieve this. This is known as Software as a Service (SaaS).

So that appropriate risk assessment and mitigation can take place, your IT service provider should tell leadership and governors at the school or college and alter the network accordingly when devices or software:

  • have become unsupported
  • are about to become unsupported

Your IT service provider may be a staff technician or an external service provider.

Remember that this standard may change over time with changing cyber threats.

The National Cyber Security Centre provides guidance on:

 

All software must be currently licensed.

The licensing of most modern software can be checked through the software itself.  Software which successfully updates can be presumed to be licensed. Older software may have to be researched.

You should remove unsupported software. If this is not possible then you must only use the software on parts of the network which prevent all traffic to and from the internet. Support does not have to come from the original manufacturer and can come from third parties as long as this does not invalidate a licence.

Unsupported devices must only access segmented areas of the network which do not grant access to sensitive data.

You must enable automatic updates.

You must complete manual updates to hardware or software, including configuration changes, within 14 days of the release of the patch where the vulnerability is:

  • is described as high risk or worse
  • has a Common Vulnerability Scoring System (CVSSv3) score of 7 or above

The Common Vulnerability Scoring System is the security industry standard for measuring the danger of a vulnerability. The score is a number from 0 to 10, where 10 is the most dangerous; in CVSSv3, 7.0 to 8.9 is rated High and 9.0 to 10.0 Critical, so both ratings fall inside the 14-day requirement. There is a more detailed explanation of CVSSv3 on the NVD website.

When notified by the Department for Education (DfE), patches should be applied within 3 days of notification. This will only be done in instances of dangerous zero-day attacks where institutions are at immediate risk and there is a suitable patch.

See our standards on network switching.

You should meet this standard as soon as possible.

All software licences are legitimately sourced and purchased. ESET antivirus and anti-malware software is paid for via an annual subscription on a per-device basis via our external IT partners IT247NW. Rawstream cloud-based web filtering software is also paid for annually on a per-user basis. Microsoft Office 365 is paid for monthly via our external IT providers, also on a per-user basis.

Automatic updates for Windows 10/11 are enabled with a proviso that the PC installs the updates at the close of play each day to avoid disruption. Office 365 application software is also set to automatically update. Antivirus software is also set to auto update and regular checks are made by the IT manager that the software has successfully updated to the latest version.

You should have at least 3 backup copies of important data, on at least 2 separate devices, at least 1 must be off-site

A backup is an additional copy of data, held in a different location, in case the original data is lost or damaged. If all copies were held in the same location, they would all be at risk from natural disasters and criminal damage.

Backups of important data are crucial for quick recovery in the event of disaster. The safest way to achieve this is to have a pattern of backing up on a rolling schedule. You should keep these backups off the network when not in use and check them regularly.

 

Ask your IT service provider to install and configure your devices to meet the standards described in the technical requirements. If your IT service provider is an external contractor, the scope of this should be included in your service agreement.

Be prepared to ask your service provider to explain what they are doing to help you achieve this standard. Including where the backups are located,  how often they are done, how often they are checked and how long a restoration will take.

A school itself must determine which of its data is important to its operations but it is likely to include personal, financial, management and network data as a minimum.

The National Cyber Security Centre has published detailed guidance on:

Your IT service provider may be a staff technician or an external service provider.

Remember that this standard may change over time with changing cyber threats.

 

You should have at least 3 backup copies of important data, on at least 2 separate devices. At least 1 of these copies must be off-site (on large sites, these copies should be far enough away to avoid dangers from fire, flood, theft and similar risks).

Remember, you need 3 backup copies, you do not need 3 storage locations or 3 storage devices. For example, 2 backups taken at different times on the same device (as long as they do not overwrite each other) will count as 2 of the 3 backup copies.

You should schedule backups regularly. How often you need to create backups depends on:

  • how often the data changes
  • how difficult the information would be to replace if the backups failed

At least 1 of the backups must be offline at all times. An offline backup is sometimes known as a cold backup.

A cloud backup is an off-site backup. Cloud data held in separate cloud services is held on separate devices.

If the offline backup is in the cloud, access must be:

  • by a secure account identity
  • impossible from any device unless an authorised user has logged on in person

Remember, off-site means in an alternative physical or digital location; offline means that it is not connected to the network.

The number of devices with these access permissions must be kept to an absolute minimum.

A secure account identity is defined as a specified account secured with a username and multi-factor authentication.

A device which cannot access the backup is defined as a device that has no valid credentials.

Where the cloud services allow it, set up the controls to:

  • only allow authorised devices to create new or appended backups
  • deny connection requests when backup is not in use

Regularly check that the backups work.
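The counting in this standard is easy to get wrong: two images on one NAS are two copies but one device, a cloud copy is off-site but not offline, and a copy whose restore has never been tested is of unknown value. The following is an added example, not the school's or any backup product's code, that records each copy with those attributes and reports which of the requirements above an inventory fails to meet. The inventories, device names and dates are constructed for illustration.

```python
"""Check a backup inventory against the 3-2-1 rule in this standard.

Added example (not the school's or any backup product's code). The
inventories below are constructed; device and location names are hypothetical.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class BackupCopy:
    label: str
    device: str               # physical device or cloud tenant holding the copy
    location: str             # where that device lives
    offline: bool             # disconnected from the network when not in use
    offsite: bool             # away from the primary site
    taken: date               # when this copy was written
    last_restore_test: date   # when a restore from this copy was last proven to work


def check_backup_policy(copies, today, max_test_age_days=90):
    """Return a list of findings; an empty list means the inventory meets the rule.

    The asymmetry the standard spells out is preserved: two copies taken at
    different times on one device count as two copies but only one device."""
    findings = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies; at least 3 required")
    if len({c.device for c in copies}) < 2:
        findings.append("all copies sit on one device; at least 2 separate devices required")
    if not any(c.offsite for c in copies):
        findings.append("no off-site copy")
    if not any(c.offline for c in copies):
        findings.append("no offline (cold) copy")
    for c in copies:
        if (today - c.last_restore_test).days > max_test_age_days:
            findings.append(f"{c.label}: restore not tested for over {max_test_age_days} days")
    return findings


TODAY = date(2024, 6, 1)   # hypothetical audit date

# Constructed inventory: two rotating images on one on-site NAS plus a
# cloud copy whose restore has not been exercised this term.
SAMPLE_INVENTORY = [
    BackupCopy("nas-monday", "nas-01", "server room", False, False,
               date(2024, 5, 27), date(2024, 5, 6)),
    BackupCopy("nas-thursday", "nas-01", "server room", False, False,
               date(2024, 5, 30), date(2024, 5, 6)),
    BackupCopy("cloud-weekly", "cloud-tenant", "provider region", False, True,
               date(2024, 5, 26), date(2024, 3, 1)),
]

# The same NAS images plus a disconnected drive kept away from the site,
# restore-tested when it was written: this set meets every requirement.
COMPLIANT_INVENTORY = SAMPLE_INVENTORY[:2] + [
    BackupCopy("usb-offsite", "usb-01", "off-site safe", True, True,
               date(2024, 5, 31), date(2024, 5, 31)),
]


if __name__ == "__main__":
    for name, inventory in (("sample", SAMPLE_INVENTORY), ("compliant", COMPLIANT_INVENTORY)):
        print(name, "->", check_backup_policy(inventory, TODAY) or "meets the standard")
```

Run it against the real inventory at the same cadence as the restore tests: the last-tested date is the field that drifts, and a backup that has never been restored is the one most likely to fail when the ransomware note appears.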

 

You should implement this standard as soon as you can

Files on the legacy school server are regularly backed up to a hard drive kept off-site. The majority of school files/folders are now on Office 365 cloud-based servers and are kept backed up via Microsoft's vast array of servers. The original school server is being gradually replaced by Office 365 storage and is mainly used for network access in the main school for students and staff.

Your business continuity and disaster recovery plan should include a regularly tested contingency plan in response to a cyber attack

Being unprepared for a cyber attack can lead to poor decisions, slow recovery and expensive mistakes.

A good response plan made ahead of time will speed up your response, reduce stress levels and confusion.

Effective response will reduce the material, reputational and safeguarding damage from ransomware attacks.

 

Talk to your IT service provider and make sure you have a cyber attack contingency plan. The plan must be part of your business continuity and disaster recovery plan.

The school’s governors should ensure the creation and testing of these plans. In multi-academy trusts, oversight might happen at trust level.

The National Cyber Security Centre provides advice on contingency planning:

To help with testing, they also provide an exercise kit.

As part of the Risk Protection Arrangement there is a template cyber response plan.

Your IT service provider may be a staff technician or an external service provider.

Remember that this standard may change over time with changing cyber threats.

 

All schools and colleges must include a contingency plan for loss of some or all IT systems in their business continuity and disaster recovery plan. This is required by the schools financial value standard.

This plan must include:

  • staff responsibilities
  • out of hours contacts and procedures
  • internal and external reporting and communications plans
  • priorities for service restoration
  • the minimum operational IT requirements
  • where you can find additional help and resources

Keep hard copies of key information in case of total system failure.

Test and review these plans regularly.

 

You should meet this standard as soon as possible.

See Security Policy and Business Continuity Plan which details recovery and contingency for Cyber attack.

Serious cyber attacks should be reported

Cyber attacks are crimes against a school that need to be investigated so perpetrators can be found and counter-measures identified.

A cyber attack is defined as an intentional and unauthorised attempt to access or compromise the data, hardware or software on a computer network or system. An attack could be made by a person outside or inside the school.

The National Cyber Security Centre define what a cyber incident is.

This compromise of data might include:

  • stealing the data
  • copying the data
  • tampering with the data
  • damaging or disrupting the data, or similar
  • unauthorised access

You should report any suspicious cyber incident to Action Fraud on 0300 123 2040 or on the Action Fraud website.

Police investigations may find out if any compromised data has been published or sold and identify the perpetrator.

Ask your IT service provider to notify the school leadership team of all cyber attacks. Appropriate action and information-sharing must be carried out in accordance with the General Data Protection Regulation (GDPR).

Where a data breach has or may have occurred, report to the Information Commissioner’s Office (ICO).

These incidents should also be reported to the DfE sector cyber team at Sector.Incidentreporting@education.gov.uk.

Academy trusts have to report these attacks to ESFA.

Exercise judgement in reporting. Incidents where any compromise may have taken place or other damage was caused should be reported. Receipt of a phishing email alone, for example, does not require reporting to DfE; suspicious emails can instead be forwarded to the NCSC's Suspicious Email Reporting Service at report@phishing.gov.uk.

Where the incident causes long term school closure, the closure of more than 1 school or serious financial damage, you should also inform the National Cyber Security Centre.

 

Schools and colleges must report cyber attacks to:

  • Action Fraud
  • DfE

Where applicable schools and colleges must report cyber attacks to ICO.

You must act in accordance with:

 

 

You should implement this standard as soon as you can.

Any cyber attack will be promptly reported to senior school staff/ICO and to Action Fraud & DfE.

You must conduct a Data Protection Impact Assessment by statute for personal data you hold as required by General Data Protection Regulation

The protection of sensitive and personal data is vital to:

  • the safety of staff and students
  • the reputation of schools and colleges
  • the confidence placed in schools and colleges
  • avoiding the legal liabilities which security breaches expose schools and colleges to

 

You should control access to data in consultation with your IT service provider and the Data Protection Officer. This is to safeguard staff and students as required by the General Data Protection Regulation (GDPR).

To meet the standard, you must:

  • understand the definition of personal data
  • assess the risk of compromise, and the degree of damage caused by a security compromise, to work out the resources required to protect the data
  • pseudonymise or encrypt any personal data while stored and in transit to a third party
  • ensure the confidentiality, integrity and availability of the data and systems processing them
  • restore complete and accurate data after an incident in a timely fashion
  • design and apply processes for testing and assessing the effectiveness of all measures used to safeguard data and its use

There is DfE guidance on:

 

Academy trusts should incorporate the risk assessment into the risk register.

If you rely upon encryption to protect data, this should be:

  • strong encryption
  • using encryption systems that are still supported
  • with a life appropriate to the sensitivity of the data being stored

The ICO provides advice on how data encryption should be used.

The ICO also provides a template for DPIA.

Additional protection or password protection should meet the technical requirements in the account access standard.

You should limit access to those staff with a specific need. Do this by specific content area, and not blanket permissions.

By achieving all the cyber standards you can meet the additional requirements for:

  • confidentiality
  • integrity
  • availability
  • restoration

 

You should already be meeting this standard in accordance with GDPR.

DPIAs completed when introducing new processes as advised by Judicium, our GDPR Consultants.

 

Annual Audit by Judicium to ensure GDPR compliance.

 

Data Mapping Process undertaken March 2023 to show data stored and how it is used. Approved by Judicium as our GDPR Consultant.

Train all staff with access to school IT networks in the basics of cyber security

The most common forms of cyber attack rely on mistakes by staff members to be successful. Avoiding these mistakes prevents the attacks.

Basic cyber security knowledge amongst staff and governors is vital in promoting a more risk aware school culture.

 

Staff with access to your IT network must take basic cyber security training every year.

At least one member of the governing body should complete the training.

Remember that the training may change over time with changing cyber threats.

 

Staff who require access to your IT network must take basic cyber security training every year. The training should be part of the induction training for new staff.

This training should focus on:

  • phishing
  • password security
  • social engineering
  • the dangers of removable storage media

The National Cyber Security Centre has published suitable training materials:

At least one current governor must complete the same basic cyber security training. These governors should read the NCSC publication school cyber security questions for governors.

 

You should be looking to implement this standard as soon as you can but within 12 months as a minimum

All staff have undertaken the following training at May Twilight INSET.

 

This training now forms part of staff induction.

 

CYBER SAFETY

Via National Cyber Security Center

cyber security training for school staff

 

infographics at the NCSC

D.Somers

R.Smith

 

June 2023

This website is maintained by Dave Somers ICT Dept Roselyn House School © KS Education 2023