Cyber security standards for schools and colleges
Find out what standards your school or college should meet on cyber security and user accounts.
Cyber incidents and attacks have significant operational and financial impacts on schools and colleges. These incidents or attacks will often be an intentional and unauthorised attempt to access, change or damage data and digital technology. They could be made by a person, group, or organisation outside or inside the school or college and can lead to:
- safeguarding issues due to sensitive personal data being compromised
- impact on student outcomes
- a significant data breach
- significant and lasting disruption, including school or college closure and the risk of repeated future cyber incidents and attacks
- financial loss
- reputational damage
Our standards on filtering and monitoring will help schools and colleges to reduce risks related to a cyber incident by preventing access to potentially malicious sites or resources.
Throughout these standards we refer to:
- hardware, software and digital services that are connected to the internet or network as digital technology
- in-house or third-party support as IT support
Visit our standards page for more details on how to use the standards to help your school or college meet their digital technology needs.
What is the difference between these standards and Cyber Essentials?
These standards are for all schools and colleges to help build their cyber resilience. They address the core principles of cyber governance, processes and strategy.
Cyber Essentials is a government-backed certification that happens on an annual basis. It provides a level of assurance to organisations across all sectors – not just the education sector – on the technical elements of their cyber security.
Whilst the Cyber Essentials certification is not a requirement, some schools and colleges may wish to complete it as part of their cyber security activities. These standards can help you work towards certification. However, it is for the senior leadership team (SLT) to decide whether Cyber Essentials is right for your school or college now, and in the future.
Why this standard is important
Those in schools and colleges need to know the risks associated with their hardware, software and data to properly mitigate and defend against any potential cyber incidents or attacks.
Assessing cyber risks means you can:
- understand how to keep students, staff and the wider school or college community safe
- understand how prepared the school or college is in response to a cyber incident or attack
- highlight weaknesses and put processes in place to help reduce risk
- secure systems to make sure they are more resilient to cyber incidents and attacks
- prepare a cyber response plan to be implemented quickly in the event of a serious incident to minimise any impact to the school or college
Not identifying and assessing risk, or preparing a response, could lead to:
- safeguarding issues if students’ safeguarding information is unavailable or if confidential data is accessed and misused
- lasting disruption to the operation of the school or college, including closure
- significant impact on student outcomes
- other schools or colleges on your broader organisational network – such as those within a multi-academy trust – being impacted by the same cyber incident or attack
- a significant data breach
- reputational damage
- significant unexpected spend and lost staff time to recover systems and data
Who needs to be involved
The senior leadership team (SLT) digital lead will be accountable for this standard and will prioritise and coordinate activity relating to it. IT support (who may be an internal support person or external provider) will action this standard.
The SLT digital lead will work with:
- IT support to review the outcomes of discussions with key staff and action them within the risk assessment
- any IT leads in your broader organisation (if applicable) to find out if anything needs to be actioned or approved by them
- the data protection officer (DPO) who will give advice on any risk around data and processes to make sure personal and sensitive personal data in schools and colleges is secure
- facilities or estate management to identify any physical security risks that could create problems for core systems and data, such as a door that will not lock on a server room
- the headteacher or principal who will need to make decisions on actions suggested by the SLT digital lead and IT support
- the school, college or trust business professionals or the finance team who will help budget and plan for any changes needed, update the risk register, and buy in any additional services needed
- the governing body or board of trustees for oversight and strategic risk management – there are some questions governors and trustees can ask that will help them to understand the school or college’s IT estate
If you do not have the technical expertise in-house, you will need to get advice from an external support provider or consider training for your internal IT staff to make sure they have the skills needed.
If your IT support is outsourced, then you will need to discuss with them how they are meeting the requirements of this standard. This should include how they will prevent any cyber incidents or attacks on their own network from affecting your school or college’s network. As part of this, you may wish to consider asking them whether they are certified with Cyber Essentials or Cyber Essentials Plus.
How to meet this standard
This standard should be a part of your overall digital technology strategy.
Read the digital leadership and governance standards for more information on how to create a digital technology strategy.
Review assets
The SLT digital lead and your IT support will:
- review digital technology assets and any related cyber security risk
- check all digital technology is licensed, supported and updated – read our standard on ‘License digital technology and keep it up to date’
Check data processing, access and permissions
The SLT digital lead will work with the DPO to:
- complete a record of processing activities (ROPA) for all new and current systems storing or processing personal and sensitive personal data – you can use a template ROPA from the Information Commissioner’s Office (ICO)
- assess staff access and permissions to systems and data, and check password policies – read our standard on ‘Control and secure user accounts and access privileges’
- check that your email is set up to be secure and that it reduces the risk of third parties being able to send imitation emails – for more information, read our standard within this topic titled, ‘Secure digital technology and data with anti-malware and a firewall’
Understand your network
The SLT digital lead will oversee this work, but IT support will:
- keep documentation on your network up to date – this should include network diagrams, changes that are made, settings and IP addressing information
- discuss the level of logging required for your school or college’s network and systems, which can help to identify the source of any cyber incident or attack and any network issues – to learn more about network logging, visit the National Cyber Security Centre (NCSC) guidance on logging and protective monitoring
Understand current risk
The SLT digital lead will be responsible for collecting the relevant information from all those listed in the ‘Who needs to be involved’ section of this standard. Together they will:
- understand what the greatest cyber risks are and establish the likelihood of these happening, along with the impact they may have on your school or college
- capture how many cyber incidents or attacks have already occurred and what they are so that you can understand common themes and know where you need to improve – you can test your cyber resilience using NCSC’s online tool
- identify any student or staff behaviour that may be seen as a risk and could expose the school or college to a cyber incident or attack – for example, downloading an application without the approval of IT support
Create a risk management process and cyber response plan
The SLT digital lead will work with the business professionals or the finance team, estate management and IT support to:
- create a simple reporting structure for cyber risks to be captured, escalated and actioned – cyber risks should be captured in the risk register and placed into a regularly tested business continuity plan
- maintain documentation and your business continuity plan in more than one (diverse) location – for example, in the cloud or as a hard copy
- flag any risks or issues identified to the governors or trustees as part of the school or college’s risk management process
- put a cyber response plan in place – as well as this being a part of your business continuity plan, it is also a condition of cover if you have risk protection arrangement (RPA) cover
We recommend getting insurance cover to help minimise costs in the event of a cyber incident or attack. You could consider the Department for Education’s (DfE) RPA cover as an alternative to commercial insurance.
To help action this standard, you can also visit:
- our digital leadership and governance standards for information on a business continuity plan
- the DfE website for advice on risk management
- the free cyber secure tool from DfE and South West Grid for Learning to self-assess your cyber resilience and understand where you are in your cyber maturity journey
- the Education Data Hub for resources on cyber resilience
When to meet this standard
You should complete any risk assessments as soon as possible and repeat them every year or in the event of:
- significant technology or process changes
- an incident or attack impacting the school or college
These risk assessments should then be revisited every term by those listed in the ‘Who needs to be involved’ section of this standard to see if anything has significantly changed. This will help highlight vulnerabilities and what actions you need to take to minimise them.
If you have outsourced IT support and they are not currently meeting this standard, then you will need to review how this can be done in future as part of your ongoing service reviews, and no later than your next renewal date.
Related standards
The following digital standards should also be considered when completing this standard.
Digital leadership and governance:
- Assign a senior leadership team (SLT) member to be responsible for digital technology
- Keep registers relating to hardware and systems up to date
- Include digital technology within disaster recovery and business continuity plans
Cloud solution:
Servers and storage:
Why this standard is important
Well-informed users are the best line of defence against cyber criminals. Many cyber incidents and attacks target common processes and human behaviours when using digital technology.
Raising awareness, and training students and staff on cyber security will:
- reduce the risk of cyber incidents and attacks
- help to keep students and staff safe
- help to create a culture where students and staff feel comfortable identifying and reporting risk
- help students and staff understand what acceptable use of digital technology looks like and the importance of cyber security – this can help inform behaviour policies
- make sure that cyber incidents, attacks and risks are reported quickly to stop them spreading
If students and staff do not understand the risks, this could lead to:
- safeguarding issues, particularly when data is breached
- cyber incidents and attacks that are costly and disruptive
Having an acceptable use policy and training in place will help to provide the foundations for a good cyber awareness plan.
Who needs to be involved
The headteacher or principal will be accountable for making sure this standard is met. They will work with the senior leadership team (SLT) digital lead, who will coordinate the delivery of an acceptable use policy and training for their school or college.
The SLT digital lead will need to work with:
- IT support to create and maintain the acceptable use policy and identify areas of training need from support calls
- any IT leads in your broader organisation (if applicable), such as a multi-academy trust or a local authority school, to find out if anything needs to be actioned or approved by them
- the data protection officer (DPO), who will make sure that risks to data are identified and acted on, and will advise on any data protection training needed
- the designated safeguarding lead, who will make sure that any training and policies support the safety of students and staff
- the governing body or board of trustees to approve the acceptable use policy
If you do not have the technical expertise in-house, you will need to get advice from an external support provider or consider training for your internal IT staff to make sure they have the skills needed.
How to meet this standard
The SLT digital lead will work with IT support to make sure:
- an acceptable use policy is created and updated to meet their school or college’s needs
- regular, up-to-date training and awareness activities on cyber security are carried out
You should also consider how to raise the level of cyber awareness within families if digital technology is taken home or student work is completed online at home.
Create an acceptable use policy
An acceptable use policy describes what a person on the network can or cannot do when using digital technology.
Anyone who has access to the school or college network or data will need to be made aware of, and sign up to, the acceptable use policy. This will include guests and supply teachers who want to use the school or college network and wifi.
The SLT digital lead will work with IT support, the designated safeguarding lead and the DPO to create and update the acceptable use policy.
If you use a student contract, then this should include relevant sections of the acceptable use policy to make it clear how digital technology should be used within your educational setting. This will need to be carried out at the beginning of every academic year.
You can find examples of acceptable use policies on the Education Data Hub website.
Train students and staff
Training students and staff in cyber security is a vital step in maintaining safety and security. Cyber training should be given at least annually, or more regularly if there is a known cyber risk to those who use school or college digital technology.
The SLT digital lead will need to coordinate training with IT support, the DPO and the designated safeguarding lead. This training is for:
- students
- staff
- at least one current governor or trustee
- anyone else with a login (for example supply teachers or agency workers) who may need more focussed training using your own resources – this should happen as soon as it’s feasible
Training should be age-appropriate and suited to your school or college’s risks, but should generally include training on:
- methods hackers use for tricking people into disclosing personal information, including phishing
- password security
- online safety
- social engineering, including avoiding websites that host unsuitable material and may also contain malware and viruses
- the physical security of devices, for example not leaving a laptop unlocked and unattended
- the risks of using removable storage media, such as USBs
- multi-factor authentication
- how to report a cyber incident or attack – read the standard on reporting a cyber risk within this standard topic
- how to report a personal data breach
- data protection for all staff, with more frequent training for staff who are exposed to higher-risk data, such as administrative staff, management or agency workers with a login
If you have risk protection arrangement (RPA) cover, you must evidence that the relevant users have undertaken the free National Cyber Security Centre (NCSC) training. This needs to be taken annually.
If you are looking for further support, the NCSC have downloadable copies of cyber security information cards for schools.
When to meet this standard
You should already have an acceptable use policy in place. If you do not, one should be put in place towards the end of the academic year and shared with students, staff, and any cover or temporary staff at the beginning of the new academic year.
If you have not carried out cyber training in your school or college within the last 12 months, then you should plan to implement this as soon as possible.
Related standards
The following digital standards should also be considered when completing this standard.
Digital leadership and governance:
Laptops, desktops and tablets:
Creating and maintaining the security around your digital technology and data is a critical line of defence against a cyber incident or attack. Once a virus or hacker is in your system, they will look for a way to exploit other vulnerabilities.
To complete this standard, the senior leadership team (SLT) digital lead and IT support will first need to read and action the standard on how devices should be safe and secure.
Why this standard is important
Following this standard will help to make sure that:
- students, staff and their data are as safe and secure as they can be
- the risk of disruption to school or college operations is reduced
- there is no unauthorised access to systems or data
- vulnerabilities are more difficult to find
Not meeting this standard could lead to:
- lost learning or possible school or college closure
- not being able to access child protection data
- students and staff being exposed to inappropriate content
- a large financial cost
- a significant data breach
- the spread of viruses or malware throughout your network
- security weaknesses that make cyber incidents or attacks against your network easier
Who needs to be involved
The SLT digital lead will be accountable for this standard but IT support will be responsible for actioning it.
IT support will need to work with:
- the designated safeguarding lead for advice on safeguarding requirements on systems and security
- any IT leads in your broader organisation (if applicable), such as a multi-academy trust or a local authority school, to find out if anything needs to be actioned or approved by them
If you do not have the technical expertise in-house, you will need to get advice from an external support provider or consider training for your internal IT staff to make sure they have the skills needed.
How to meet this standard
The SLT digital lead will need to plan with IT support how the technical requirements section within this standard will be met.
IT support will need to:
- use a properly configured boundary firewall
- make sure devices are safe and secure – to learn more about this, visit the laptop, desktop and tablet standards
- install anti-malware software (this must include anti-virus) on all devices – it should be centrally managed, actively monitored and kept up to date, and should also be installed on any cloud-based servers that you are managing
- monitor digital technology for any potential cyber security incidents or attacks – the National Cyber Security Centre (NCSC) has a free early warning service for detecting malicious activity
- check the security of all applications downloaded or installed onto a network, including any cloud-based services
- configure the network to minimise the spread of malware to critical systems
If you are unsure about any data or applications, contact your IT support and they will be able to check the security of them.
Technical requirements
This section is for your IT support who may be an internal support team or an external provider. They will set up your network and digital technology to meet these minimum requirements.
Firewall
Many schools and colleges will be provided with a firewall as part of their broadband connection. If this applies to you, then you will need to discuss these technical requirements with your broadband provider.
If your broadband provider does not include a firewall, then IT support will need to source one and set it up securely.
To meet this standard, IT support must:
- protect digital technology with a correctly configured boundary firewall or software firewall – this should include protection against denial of service attacks
- keep boundary firewall firmware up to date, and on supported versions – this should be checked termly
- make sure all external connections to the network run through the firewall
- change the default administrator password and restrict remote access on the firewall to only those who need to access it for maintenance purposes
- protect access to the firewall’s administrative interface with multi-factor authentication, where available, and prevent access from the internet, except to those who need to maintain the firewall
- actively monitor firewall traffic and switch on firewall alerts to help detect suspicious activity – firewall logs can help you with both of these tasks
- block inbound unauthenticated connections by default
- document and review why inbound traffic has been permitted through the firewall – this should be done on a termly basis at a minimum and should be signed off by the SLT digital lead
- keep firewall rules to an absolute minimum, with each rule being documented and subject to a risk assessment
- enable a software firewall for digital technology that is used outside of the school or college, such as at home or on public wifi
- consider a virtual private network (VPN) to encrypt data sent and received by a device
Anti-malware software
Anti-malware software needs to be kept up to date with the latest updates. This should be reviewed termly to check that it is meeting your school or college’s needs. This software must:
- scan web pages as they are being used
- have a centralised monitoring console to allow IT support to intervene should anti-malware software fail or not update
- scan files and applications upon access, when downloaded or opened locally or from a network folder
- scan attachments on incoming and outgoing emails for malware
- send malware alerts to IT support who will then investigate the issue – this could result in removing the malware or isolating the device
- prevent access to potentially malicious websites
The NCSC provide further guidance on how to select, configure and use anti-virus and other security software.
To help prevent malware infecting digital technology from an external device, IT support should prohibit the use of USB storage devices by default, unless for a specific need – for example, if the examination board require this.
If USB storage devices are permitted in specific use cases, the anti-malware software should scan the USB drive before it is made available to the student or staff member.
Security checks
IT support should:
- check downloads for malware before an individual can store or install them on their device – this should be in line with your school or college strategy
- check and approve all current and future applications to make sure they do not pose a security risk
- maintain a current list of approved applications on your contracts register
- remove unnecessary software according to your organisational need
- only install applications that can be verified as coming from a known supplier
- document how digital technology is set up, which security features have been enabled or disabled, and whether they have conflicting security features
- review and manage browser settings to make sure the highest form of protection is enabled and that users are unable to change browser settings to install browser extensions or bypass security features
- check that your email is set up to be secure and that it reduces the risk of third parties being able to send imitation emails
The NCSC has a tool that can assist you with email security configuration and reporting.
When to meet the standard
This standard should already be in place for the security of your network.
Completing the standard in this topic titled ‘Conduct a cyber risk assessment annually and revisit every term to review if anything has changed’ will help to inform this process.
Related standards
The following digital standards should also be considered when completing this standard.
Servers and storage:
- Servers and related storage platforms must be secure and follow data protection legislation
- All server and related storage platforms should be kept and used in an appropriate physical environment
Cloud solution:
Wireless network:
Network switching:
Digital leadership and governance:
- Keep registers relating to hardware and systems up to date
- Include digital technology within disaster recovery and business continuity plans
Laptops, desktops and tablets:
Broadband:
Why this standard is important
Protecting user accounts and related data is a critical line of defence against cyber incidents and attacks.
Following this standard will make sure that:
- personal data and digital technology are as safe and secure as they can be
- students, staff and third parties only have access to the things they need
Not meeting this standard could lead to:
- schools and colleges being exposed to external and internal threats
- a significant data breach
- students and staff being exposed to inappropriate content
- a disruptive and costly ransomware attack – ransomware is a type of malware that prevents access to your data or device unless a ransom payment is made
- not being covered by your insurer for cyber attacks and incidents
Who needs to be involved
The senior leadership team (SLT) digital lead will be accountable for this standard but IT support will be responsible for actioning it.
IT support will work with:
- any digital technology suppliers to make sure they are also compliant with this standard
- the data protection officer (DPO) who will, if needed, undertake a data protection impact assessment (DPIA) and provide advice on data protection legislation compliance
- human resources and your business professionals or the finance team to set up a process for movers, joiners and leavers
- any IT leads in your broader organisation (if applicable), such as a multi-academy trust or a local authority school, to find out if anything needs to be actioned or approved by them
If you do not have the technical expertise in-house, you will need to get advice from an external support provider or consider training for your internal IT staff to make sure they have the skills needed.
How to meet this standard
The SLT digital lead will need to plan with IT support how the technical requirements section within this standard will be met and how they will:
- agree who should have access to what
- set up password policies
- set up security features for staff, such as multi-factor authentication (MFA), where needed
IT support should make sure that users only have the network and data access they need, and that their account is secure.
To help action this standard, you can also visit:
- the National Cyber Security Centre (NCSC) website for more guidance on how to use passwords to protect your data
- the Information Commissioner’s Office (ICO) website to download a DPIA template
Technical requirements
This section is for your IT support who may be an internal support team or an external provider. They will set up users so that they only have the access they need by following these minimum requirements.
If you have external IT support that will carry out the activities within this standard, make sure that your contract with them is compliant with General Data Protection Regulation (GDPR).
Passwords
Users must be authenticated with unique credentials before they access devices or services. This can include using passwords.
IT support will need to:
- enforce password strength at the system level – the NCSC suggest using machine-generated passwords or a ‘three random words’ approach
- immediately change any passwords that have been compromised or are suspected of compromise
- protect all passwords – for example, by allowing no more than 10 guesses in 5 minutes, or locking devices after no more than 10 unsuccessful attempts
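As an added example (not code from the standard or from the NCSC), the following Python models the two controls listed above using the page’s own thresholds: a sliding window that allows at most 10 guesses per 5 minutes, and a lock after 10 consecutive unsuccessful attempts that only IT support clears. The account store, PBKDF2 hashing and the injected clock are assumptions made for illustration.

```python
"""Login throttling and lockout matching the password requirements above:
no more than 10 guesses in 5 minutes, and a lock after 10 unsuccessful
attempts in a row. Added example; not code from the DfE standard."""
from collections import deque
from dataclasses import dataclass, field
import hashlib
import hmac
import os

WINDOW_SECONDS = 5 * 60   # "no more than 10 guesses in 5 minutes"
MAX_GUESSES = 10
MAX_FAILURES = 10         # "locking ... after no more than 10 unsuccessful attempts"
PBKDF2_ROUNDS = 100_000   # assumption: any slow password hash would do here


@dataclass
class Account:
    salt: bytes
    digest: bytes
    guesses: deque = field(default_factory=deque)  # timestamps of recent attempts
    consecutive_failures: int = 0
    locked: bool = False


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def create_account(password: str) -> Account:
    """Constructed stand-in for the directory: store a salted hash only."""
    salt = os.urandom(16)
    return Account(salt=salt, digest=_hash(password, salt))


def attempt_login(acct: Account, password: str, now: float) -> str:
    """Evaluate one login attempt made at time `now` (seconds).

    Returns 'ok', 'bad_password', 'throttled' or 'locked'. The throttle is
    checked before the password so a flooded account costs no hash work.
    """
    if acct.locked:
        return "locked"
    # Sliding window: forget guesses that fell out of the last 5 minutes.
    while acct.guesses and now - acct.guesses[0] >= WINDOW_SECONDS:
        acct.guesses.popleft()
    if len(acct.guesses) >= MAX_GUESSES:
        return "throttled"
    acct.guesses.append(now)  # every guess counts, right or wrong
    if hmac.compare_digest(_hash(password, acct.salt), acct.digest):
        acct.consecutive_failures = 0
        return "ok"
    acct.consecutive_failures += 1
    if acct.consecutive_failures >= MAX_FAILURES:
        acct.locked = True  # stays locked until IT support unlocks it
        return "locked"
    return "bad_password"


def unlock(acct: Account) -> None:
    """IT support action after verifying the user: clear the lock and history."""
    acct.locked = False
    acct.consecutive_failures = 0
    acct.guesses.clear()
```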
On networking devices and servers, IT support should:
- use a password or PIN of at least 6 characters to physically access network switches and boot-up settings – the password or PIN must only be used to access this device
- agree a process with the SLT on securing access to key system passwords and PINs in the event of an emergency, or if IT support are unavailable
For younger children, users with special educational needs or disabilities, or for those with English as an additional language, consider using:
- other means of logging on, other than passwords – for example, using a PIN code
- a separate account accessed by the teacher using the student’s login so that the student can still be identified – this should follow the filtering and monitoring standards
Visit the NCSC website to learn more about setting up password policies.
Multi-factor authentication (MFA)
MFA secures your account by asking the user to provide 2 or more pieces of evidence to verify their identity. This could include a password and a login through another device.
MFA may not be accessible for those with special educational needs and disabilities. In these circumstances you will need to discuss alternatives or extra support when logging in.
Senior leaders, and staff (including internal and external IT support staff) working with confidential, financial, and personal and sensitive personal data must use MFA.
If appropriate for your school or college, you may also wish to explore:
- MFA for all cloud or online services
- MFA for all staff accounts
- MFA for students where the verification does not need to be completed on a mobile phone in keeping with the Department for Education’s (DfE) guidance on prohibiting the use of mobile phones for students throughout the school day
MFA should include at least 2 of the following:
- a password
- a text message that sends a code to a mobile device – this is for staff only
- an automated phone call to a given phone number that reads out a code (as an alternative to a text message)
- a secure portable device, such as a mobile phone or tablet for staff
- a security key or device, used to authenticate logins – the school or college may need to pay for this if staff do not have access to a secure mobile phone
- a known or trusted account, where a second party authenticates another’s credentials
- a biometric test, for example face identification – this may need careful consideration as it might require a biometric policy depending on how the data is stored
Where MFA is not available, a more complex password should be used following the recommended guidance around password security in this standard.
The NCSC has some further guidance on:
If staff access a number of systems, you should consider using a single sign-on (SSO) solution, which allows users to sign on once and access all their applications.
Account management
IT support need to control user accounts and access privileges by:
- disabling accounts as soon as someone leaves
- creating and managing a process with human resources and your business professionals or the finance team to deal with joiners, leavers, and those moving roles
IT support should consider using tools that link to the management information system (MIS) to automatically create or delete user accounts which will make this process easier to manage.
IT support will also:
- make sure that accounts are set up so that students and staff only have access to the data and systems they need
- make sure that MFA is applied to any accounts and cloud-based applications for staff working away from the school or college, or remotely accessing the network
- make sure that remote access is disabled when not required, and enabled only by a member of authorised school or college staff
- make sure that enhanced security, such as MFA, is always used where staff are handling confidential, personal or sensitive personal data – your data protection officer can advise which systems and data need this
- review accounts with your business professionals or the finance team every term to identify changes that might have been missed – this should include changing access levels and rights, and suspending or deleting accounts which are no longer in use
- make sure that global or administrative accounts are not used for routine business and that instead, dedicated accounts (not used for day-to-day email and work) have enhanced privileges – this helps limit any damage and track issues in the event of an incident or attack
- agree a process for handling administrative accounts so that a member of SLT or a trustee approves any changes to access levels or privileges before IT support can action the change
- make sure SLT have access to a dedicated administrative account – this will only be needed in an emergency where IT support is unavailable
The NCSC has detailed guidance on privileged access management.
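One way to run the termly account review described above, as an added example that is not from the DfE standard: it reconciles a constructed MIS/HR export against a constructed directory export and groups accounts by the finding that applies. The 90-day dormancy threshold, the usernames and the "owner" field that links an administrative account to a person are assumptions.

```python
# Added example (not from the DfE standard): termly reconciliation of a constructed
# MIS/HR export against a constructed directory export.
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

DORMANT_DAYS = 90   # assumption: an enabled account unused this long is flagged for review


@dataclass
class Person:                      # one row of the MIS or HR export
    username: str
    role: str                      # "staff" or "student"
    leaving_date: Optional[date]   # None if still at the school or college


@dataclass
class Account:                     # one row of the directory export
    username: str
    owner: Optional[str]           # MIS username of the responsible person (None if unknown)
    enabled: bool
    privileged: bool               # global or administrative rights
    has_mailbox: bool              # used for day-to-day email
    last_login: Optional[date]


def reconcile(people: List[Person], accounts: List[Account], today: date) -> Dict[str, List[str]]:
    """Group account usernames by the review finding that applies to them."""
    by_user = {p.username: p for p in people}
    issues: Dict[str, List[str]] = {
        "disable_leavers": [],       # person has left but the account is still enabled
        "unknown_owner": [],         # no matching person in the MIS/HR export
        "admin_used_for_email": [],  # privileged account also used for routine work
        "dormant": [],               # enabled but unused (the SLT emergency account will appear here)
    }
    for a in accounts:
        owner = by_user.get(a.owner or a.username)
        if owner is None:
            issues["unknown_owner"].append(a.username)
        elif a.enabled and owner.leaving_date is not None and owner.leaving_date <= today:
            issues["disable_leavers"].append(a.username)
        if a.privileged and a.has_mailbox:
            issues["admin_used_for_email"].append(a.username)
        if a.enabled and (a.last_login is None or (today - a.last_login).days > DORMANT_DAYS):
            issues["dormant"].append(a.username)
    return issues


# Constructed sample exports: all names and dates are made up.
TODAY = date(2024, 3, 20)
SAMPLE_PEOPLE = [
    Person("jsmith", "staff", None),
    Person("hteacher", "staff", None),
    Person("aroberts", "staff", date(2024, 2, 16)),   # left last month
    Person("mlee", "staff", date(2024, 7, 19)),       # leaving at the end of the year
    Person("pupil1234", "student", None),
]
SAMPLE_ACCOUNTS = [
    Account("jsmith", None, True, False, True, date(2024, 3, 19)),
    Account("jsmith-admin", "jsmith", True, True, False, date(2024, 3, 1)),   # dedicated admin account
    Account("aroberts", None, True, False, True, date(2024, 2, 15)),
    Account("mlee", None, True, False, True, date(2024, 3, 20)),
    Account("pupil1234", None, True, False, True, date(2024, 3, 18)),
    Account("old-contractor", None, True, True, True, date(2023, 10, 2)),
    Account("slt-emergency", "hteacher", True, True, False, None),   # break-glass, expected dormant
]


def sample_review() -> Dict[str, List[str]]:
    """Run the reconciliation over the constructed sample exports."""
    return reconcile(SAMPLE_PEOPLE, SAMPLE_ACCOUNTS, TODAY)
```

The dormant list is a review queue, not an automatic deletion list: the SLT emergency account is expected to sit there unused and should be confirmed rather than removed.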
When to meet this standard
You should already be meeting this standard. This will make sure that your data and digital technology are best protected against cyber threats.
If you are not already meeting this standard, then you should implement this as soon as possible through a structured, well managed rollout plan.
Related standards
The following digital standards should also be considered when completing this standard.
Cloud solutions:
- Cloud solutions should use ID and access management tools
- Cloud solutions must follow data protection legislation
Servers and storage:
Laptops, desktops and tablets:
Network switching:
Wireless network:
Broadband:
Why this standard is important
All digital technology must be licensed. Digital technology includes software programmes, operating systems and applications running on devices and servers, or online cloud services.
These must be licensed so that you can:
- receive updates and upgrades which enhance your use of digital technology
- receive bug-fixes and enhancements
- get support if you need it where this is provided through your license agreement
Not licensing or updating digital technology could lead to:
- devices being vulnerable to viruses, malware and hackers – some unlicensed and unauthorised software may contain malware, especially if downloaded from untrusted sources
- reputational damage for your school or college
- sudden unexpected costs from having to replace digital technology
- operating systems that have reached end-of-life or are not providing critical security updates
- software or applications not being able to run, which could lead to disrupting teaching and learning
- a breach of your licensing agreement, which could lead to fines or action from the supplier
Who needs to be involved
The senior leadership team (SLT) digital lead will be accountable for this standard, with IT support responsible for actioning it.
The governing body or board of trustees should check that the digital technology is fully licensed as part of their normal compliance review.
Your internal or external IT support will work with:
- business professionals or the finance team who will give information on when licenses are due to expire from the contracts register
- the data protection officer (DPO) who will provide advice on data protection legislation and undertake a data protection impact assessment (DPIA), where relevant – if there is a licensing issue that could threaten the data, the DPO will need to escalate this to the SLT digital lead and IT support
- third-party cloud suppliers to check that they are also meeting these standards by performing supplier assessments – this needs to be carried out when procuring new contracts
- any IT leads in your broader organisation (if applicable), such as a multi-academy trust or a local authority school to find out if anything needs to be actioned or approved by them
If you do not have the technical expertise in-house, you will need to get advice from an external support provider or consider training for your internal IT staff to make sure they have the skills needed.
How to meet this standard
The SLT digital lead will plan how the technical requirements section within this standard will be met with IT support.
IT support will need to check all digital technology is licensed, supported and set up to meet the technical requirements in the next section. The end of support dates for each device’s operating system should be recorded in the asset register and your mobile device management system, if you have one.
At the end of every term, IT support and the business professionals or the finance team should review the contracts register and inform the SLT when digital technology:
- has become unsupported
- is due to become unsupported
An alternative to licensing software is to use a cloud service. These are usually subscription based, and the responsibility is on the supplier to license and update the software. You should ask your DPO to undertake a DPIA if you choose to do this where it is storing or processing personal or sensitive personal data. Visit the Department for Education (DfE) website for more information on data protection policies and procedures.
If you are using open-source software or operating systems, you must abide by their licensing terms.
Occasionally, the DfE may issue instructions on security updates through the Education and Skills Funding Agency (ESFA) bulletin. The SLT digital lead will need to inform IT support. IT support should then apply these updates within 5 working days of notification.
Technical requirements
This section is for your IT support who may be an internal support team or an external provider. They will set up your digital technology to meet these requirements.
Licensing
All software needs to be licensed and eligible for security updates. You should remove unlicensed software or take steps to license it.
IT support will need to check that:
- operating systems and firmware on digital technology are kept up to date
- updates are issued in a timely manner that does not impact on teaching and learning
- license expiry dates are recorded in the contracts register by the business professionals or the finance team, and that any unlicensed software is removed from devices
- your business professionals or the finance team have been informed about licence end dates so that they can budget for any renewal costs
- digital technology end-of-support dates are captured in the asset register
Security updates
IT support must complete security updates (known as patching) to operating systems, applications and firmware, including configuration changes, within 14 days of the release of the patch where the vulnerability:
- is described as high risk or worse
- has a Common Vulnerability Scoring System (CVSSv3) score of 7 or above – you should also triage and prioritise updates for other scores when it is possible to do so
The CVSSv3 is the security industry standard for measuring the danger of a vulnerability. The score is a number from 1 to 10 where 10 means it is the most easily exploitable. There is a more detailed explanation of CVSSv3 on the National Vulnerability Database website.
IT support will also need to:
- make sure security updates are applied on time – you may wish to consider using a supported third-party patch management tool to automate this process
- isolate devices where high risk patches are unavailable – this could mean removing the device from the network or separating it from higher risk systems and data
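As an added example (not part of the DfE standard), the following script applies the 14-day rule and the isolation step above to a constructed vulnerability feed, ordering findings by urgency. Device names, software, scores, dates and the vendor wording treated as "high risk or worse" are all assumptions.

```python
# Added example (not from the DfE standard): triage a constructed vulnerability
# feed against the 14-day patching window and the "isolate if no patch" step.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

PATCH_WINDOW_DAYS = 14   # days allowed after a patch is released (from the standard)
CVSS_THRESHOLD = 7.0     # CVSSv3 score at or above which the window applies
HIGH_OR_WORSE = {"high", "critical"}   # assumed vendor wording for "high risk or worse"


@dataclass
class Finding:
    device: str
    software: str
    cvss_v3: float                  # CVSSv3 base score
    vendor_rating: str              # vendor's own severity wording
    patch_released: Optional[date]  # None means no fix is available yet
    patched: bool = False


def in_scope(f: Finding) -> bool:
    """True if the 14-day window applies: rated high risk or worse, or CVSSv3 >= 7."""
    return f.vendor_rating.lower() in HIGH_OR_WORSE or f.cvss_v3 >= CVSS_THRESHOLD


def triage(findings: List[Finding], today: date) -> List[Dict]:
    """Assign each finding one action and return them most urgent first.

    overdue: window has passed; isolate: in scope but no patch exists; patch:
    inside the window; schedule: below threshold; done: already patched.
    """
    rows = []
    for f in findings:
        row = {"device": f.device, "software": f.software, "deadline": None, "days_left": None}
        if f.patched:
            row["action"] = "done"
        elif not in_scope(f):
            row["action"] = "schedule"
        elif f.patch_released is None:
            row["action"] = "isolate"   # remove from the network or segregate it
        else:
            deadline = f.patch_released + timedelta(days=PATCH_WINDOW_DAYS)
            row["deadline"] = deadline
            row["days_left"] = (deadline - today).days
            row["action"] = "overdue" if today > deadline else "patch"
        rows.append(row)
    order = {"overdue": 0, "isolate": 1, "patch": 2, "schedule": 3, "done": 4}
    rows.sort(key=lambda r: (order[r["action"]], r["days_left"] or 0))
    return rows


# Constructed sample feed: device names, software, scores and dates are made up.
TODAY = date(2024, 3, 20)
SAMPLE_FINDINGS = [
    Finding("STAFF-LAPTOP-07", "office suite", 8.8, "high", date(2024, 3, 1)),
    Finding("ADMIN-PC-02", "PDF reader", 9.1, "critical", date(2024, 3, 12)),
    Finding("LIBRARY-PC-01", "media player", 5.3, "medium", date(2024, 2, 20)),
    Finding("SERVER-01", "BIOS firmware", 7.5, "high", None),
    Finding("LAB-PC-04", "image editor", 6.5, "high", date(2024, 3, 18)),
    Finding("OFFICE-PC-03", "web browser", 9.8, "critical", date(2024, 3, 10), patched=True),
]


def sample_report(today: date = TODAY) -> Dict[str, str]:
    """Map each sample device to its triage action."""
    return {r["device"]: r["action"] for r in triage(SAMPLE_FINDINGS, today)}
```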
The NCSC has further guidance on the problems with patching.
When to meet this standard
You should already be meeting this standard with existing digital technology within the school or college. When buying new digital technology (including cloud-based services), you will need to check that it meets this standard.
Related standards
The following digital standards should also be considered when completing this standard.
Digital leadership and governance:
- Keep registers relating to hardware and systems up to date
- Include digital technology within disaster recovery and business continuity plans
Laptops, desktops and tablets:
Cloud solution:
- Cloud solutions must follow data protection legislation
- Use cloud solutions as an alternative to locally-hosted systems, including servers
Servers and storage:
Broadband:
Network switching:
Wireless network:
A backup is an additional copy of data, held in a different physical location (which could include being on the cloud), in case the original data is lost or damaged. If all copies were held in the same physical location, they would all be at risk from natural disasters, criminal damage or a malware attack.
The physical location for your backup will need careful consideration to make sure that, in the event of a disaster situation, it is not impacted by the same incident or attack.
Follow the National Cyber Security Centre (NCSC) advice on backing up 3 copies of your data, 2 of which are on separate devices and one of which is offsite, which could include a cloud backup service. Members of the risk protection arrangement (RPA) should refer to their terms for making a claim, as backing up to this level is currently a condition of cover.
The Education Data Hub has further guidance on backing up your data.
Why this standard is important
Schools and colleges are now more reliant on digital technology and on data being stored in different locations (such as cloud services). Not all of these will be backed up to meet the needs of the school or college (for example, cloud services will only back up your data for a limited time period), so you need to have a backup plan to meet your diverse needs.
This standard will help your school or college to:
- recover important data and systems to continue teaching and resume normal business operations in the event of a cyber incident or attack
- manage recovery of damaged or lost files
- be compliant with data protection legislation
Not meeting this standard could lead to:
- operational impacts on the school or college due to systems and data being unavailable
- the loss of student work which may impact on the school or college’s results
- critical systems that support safeguarding not being available or potentially storing out of date data
- lost, misused or damaged data
- a breach of data protection legislation
- unexpected costs from bringing in specialists to help recover your systems and data
Who needs to be involved
The senior leadership team (SLT) digital lead will own the backup plan and work with IT support to make sure backups are being done correctly.
IT support will action the backup plan and will communicate this with any IT leads in your broader organisation (if applicable), such as a multi-academy trust or a local authority school, to find out if anything needs to be actioned or approved by them.
The SLT need to prioritise which data areas would need to be recovered first in the event of a cyber incident or attack.
The SLT digital lead and IT support will identify risks and priorities by speaking to:
- the business professionals or the finance team
- the designated safeguarding lead
- the data protection officer
If you do not have the technical expertise in-house, you will need to get advice from an external support provider or consider training for your internal IT staff to make sure they have the skills needed.
How to meet this standard
Your backup plan should feed into your business continuity plan and disaster recovery plan. The backup plan should be:
- kept up to date
- tested termly to make sure it works, or more often if there is a significant service change – speak to your IT support for further advice on how to do this
- reviewed on an annual basis, or when there is a major change to the systems or data
Read our standards on digital leadership and governance for more details on business continuity plans.
Analyse where you are now
It is useful to understand what your current backup plan looks like so that you can assess if it needs improvement.
The SLT digital lead should ask IT support:
- what data is currently being backed up, how often, how old it is and how it is being backed up, including data stored on all your cloud services – this information should be stored in your information asset register
- what information is not being backed up
- how often they test data that has been restored to check the backups are successful
- how long a restoration will take and when the last test restoration was completed
- how many copies are being kept and where they are located
- how your backups may be affected in the event of an incident or attack
If you do not have internal IT support, ask your service provider to explain what they are doing to help you achieve this standard.
Plan and action how to back up and restore data in the future
The SLT digital lead will work with your business professionals or the finance team, designated safeguarding lead, data protection officer and IT support to identify:
- what data you back up, including what critical data and systems are needed to function as a school or college in a disaster situation
- how long you can go without specific systems and data and how up to date they need to be to find out the priority of recovery
- a process for students and staff to delete or archive data on an annual basis – this will speed up recovery times by getting rid of data you no longer need
- how long you will keep data for – this should align with statutory duties and retention policies so that you only back up what you need
- how you will deal with any statutory requirements, such as a freedom of information request or a data subject access request
- how and where you will back up your data
IT support should:
- have at least 3 backup copies of important data, on at least 2 separate devices – at least one of these copies must be off-site (on large sites, these copies should be far enough away to avoid dangers from fire, flood, theft and similar risks)
- make sure that backups are immutable, which means that they cannot be changed once they have been created – this helps prevent data loss and reduces the risk of malware or ransomware being introduced into your systems when restoring data
- choose backup methods you will use based on your school or college’s budget and the identified needs in your backup plan
- test and log your backups termly, or whenever there is a significant change – this should include the ability to recover and restore from backups; the NCSC has an online tool that will help you practise your response to an incident
- have a policy on how frequently restorations should take place to test the backup and how this will be reported on to evidence success
- make sure, wherever possible, that restoring data is not device specific and can be recovered to a wide range of hardware
You should not take any physical backups offsite unless they are encrypted and stored in a secure location. Regardless of whether they are encrypted, backups should never be taken to anyone’s home.
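The 3-2-1, immutability, termly-testing and off-site encryption points above, turned into a check over a constructed backup inventory (added example, not from the DfE standard). The 120-day term length, device names and dates are assumptions.

```python
# Added example (not from the DfE standard): check a constructed backup
# inventory against the 3-2-1, immutability, termly-test and encryption points.
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

TERM_DAYS = 120   # assumption: a restore test older than this counts as missed this term


@dataclass
class BackupCopy:
    name: str
    device: str                        # device or service holding the copy
    offsite: bool                      # held away from the school or college
    immutable: bool                    # cannot be changed once written
    physical: bool                     # removable media (tape, disk) rather than a service
    encrypted: bool
    last_restore_test: Optional[date]  # None means never test-restored


def check_backup_plan(copies: List[BackupCopy], today: date) -> List[str]:
    """Return the problems found; an empty list means every check passed."""
    problems = []
    if len(copies) < 3:
        problems.append(f"only {len(copies)} copies; at least 3 are needed")
    if len({c.device for c in copies}) < 2:
        problems.append("all copies are on the same device; at least 2 separate devices are needed")
    if not any(c.offsite for c in copies):
        problems.append("no off-site copy")
    for c in copies:
        if not c.immutable:
            problems.append(f"{c.name}: copy is not immutable")
        if c.physical and c.offsite and not c.encrypted:
            problems.append(f"{c.name}: physical off-site copy is not encrypted")
        if c.last_restore_test is None:
            problems.append(f"{c.name}: never test-restored")
        elif (today - c.last_restore_test).days > TERM_DAYS:
            age = (today - c.last_restore_test).days
            problems.append(f"{c.name}: last restore test was {age} days ago")
    return problems


TODAY = date(2024, 3, 20)

# Constructed inventory that meets every check.
GOOD_PLAN = [
    BackupCopy("nightly NAS snapshot", "nas-01", False, True, False, True, date(2024, 2, 12)),
    BackupCopy("weekly backup server", "backup-02", False, True, False, True, date(2024, 1, 29)),
    BackupCopy("cloud backup service", "cloud-backup", True, True, False, True, date(2024, 3, 4)),
]

# Constructed inventory with typical gaps: two copies on one device, nothing off-site.
WEAK_PLAN = [
    BackupCopy("NAS copy A", "nas-01", False, False, False, True, date(2023, 9, 1)),
    BackupCopy("NAS copy B", "nas-01", False, True, False, True, None),
]
```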
When to meet this standard
You must back up your data now. If you have not yet done so, you should develop a backup plan as soon as possible to allow you to respond more quickly in a disaster situation.
Related standards
The following digital standards should also be considered when completing this standard.
Digital leadership and governance:
- Include digital technology within disaster recovery and business continuity plans
- Keep registers relating to hardware and systems up to date
Cloud solution:
Servers and storage:
Why this standard is important
A cyber incident or attack will often be an intentional and unauthorised attempt to access, change or damage data and digital technology. They could be made by a person, group, or organisation outside or inside the school or college.
Everyone is responsible for reporting a cyber incident or attack to their IT support and senior leadership team (SLT) digital lead.
Following this standard means that:
- an investigation can begin immediately, which will help inform what actions a school or college needs to take to deal with an incident or attack
- the damage to data and digital technology can be limited
- issues can be identified and resolved quickly
- appropriate people, such as the police or IT support, can be brought in to respond to the incident or attack
Failure to report and act quickly could lead to:
- an increase in severity and spread of a cyber incident or attack
- damage to data and systems
- a data breach which may need to be reported to the Information Commissioner’s Office (ICO)
- other schools or colleges on your broader organisational network being impacted by the same cyber incident or attack
- time spent wiping devices and servers to return to a previous safe state
Who needs to be involved
Cyber incidents or attacks can be reported by anyone to their IT support and SLT digital lead who will work closely with the data protection officer (DPO) to identify any data protection issues.
Any formal reporting to external bodies (such as Action Fraud) will need to be done by someone appointed by the SLT digital lead and involve the:
- SLT and headteacher or principal, who will approve a formal report and outline any impact on school or college activity
- IT support team, who will investigate and resolve the issue
- DPO, who will establish whether a data breach has occurred
- designated safeguarding lead, who will review whether there are any safeguarding issues and related actions
- governors and trustees, who will need to be informed on the risk and the actions the school or college are taking to resolve it
If you do not have the technical expertise in-house, you will need to get advice from an external support provider or consider training for your internal IT staff to make sure they have the skills needed.
How to meet this standard
All students and staff have a responsibility to report cyber risk or a potential incident or attack to IT support and the SLT digital lead.
The SLT digital lead will need to make sure that all students and staff understand how to report a potential incident or attack and that they feel safe and comfortable to do so.
To help action this standard, you can also visit:
- the Department for Education (DfE) website for information on managing a data breach
- the National Cyber Security Centre (NCSC) website for advice on cyber incident response processes
Report a cyber incident or attack internally
As soon as IT support and the SLT digital lead have been alerted by a student or member of staff to a potential incident or attack they will need to:
- action their cyber incident response plan which is a part of their business continuity and disaster recovery plans
- contain the risk and make sure systems are safe and secure
- notify those in the ‘who needs to be involved’ section of this standard and in line with their business continuity plan
- capture information on the risk
- investigate the risk and decide on the next course of action
- report the potential incident or attack to the governing body or trustees
Any incidents, attacks or near misses should be recorded in an internal incident report or system.
Report a cyber incident or attack to external bodies
Incidents or attacks where any security breaches may have taken place, or other damage was caused, should be reported to an external body.
The SLT digital lead will be responsible for assigning someone to report any suspicious cyber incidents or attacks. This person will need to report this to:
- Action Fraud on 0300 123 2040, or the Action Fraud website
- the DfE sector cyber team at [email protected]
You may also need to report to:
- the NCSC website if the incident or attack causes long term school closure, the closure of more than one school, or serious financial damage
- the ICO website within 72 hours, where a high risk data breach has or may have occurred
- your local Education and Skills Funding Agency (ESFA) contact, if you are part of an academy trust
- your cyber insurance provider (if you have one), such as risk protection arrangement (RPA)
- Jisc, if you are a part of a further education institution
You must act in accordance with:
- Action Fraud guidance for reporting fraud and cyber crime
- ESFA Academy Trust Handbook Part 6, if you are part of an academy trust
- ICO requirements for reporting personal data breaches
Police investigations may find out if any compromised data has been published or sold and identify the perpetrator.
When to meet this standard
You should already be meeting this standard. If you do not have these procedures in place, then you should implement them as soon as possible.
Related standards
The following digital standards should also be considered when completing this standard.
Digital leadership and governance:
- Assign a senior leadership team (SLT) member to be responsible for digital technology
- Include digital technology within disaster recovery and business continuity plans
- Keep registers relating to hardware and systems up to date
Cloud solution:
Servers and storage: