Cyber security for schools: What you need to know


In a recent Education Executive article, we delved into the Department for Education’s latest advice designed to support schools in meeting internet connection and usage standards. Now, we take a closer look at the cyber security standards guidance for schools.

When we hear the term ‘cyber security’, our thoughts might instantly turn to either data security or the world of hackers. While both are vital considerations, there is much more to ensuring optimal cyber security for your school, and meeting the standards set out by the DfE will necessitate close collaboration and communication with your IT provider.

Setting up boundaries and firewalls

To prevent hacking, information leaks, and scams, it’s essential for your school to have a properly configured firewall. Additionally, your provider should collaborate with you to establish a system for monitoring inbound traffic into your school systems. While schools have the freedom to choose any firewall, school business leaders should thoroughly research different options before making a decision. To meet standards, each firewall must have a unique administrator password and protect access to the firewall’s administrative interface with multi-factor authentication or a small, specified IP allow-list combined with managed password protection. All changes to approved traffic passing through the firewall should be documented.

Keeping a record

All network devices should be documented, including configuration details, and kept up to date. Recording network devices helps schools maintain current networks and facilitates faster recovery in the event of an issue. Schools should collaborate with IT providers to document and configure devices and boot up systems to meet technical requirements. Additionally, it’s important to establish a system for recording and reviewing decisions regarding network security features, including any future changes.

Limiting access

Enhance your cyber security by ensuring that individuals only have access to features and systems necessary for their job roles. It’s recommended to limit the number of network and global administrator accounts to meet standards. The school should maintain control over all accounts and access privileges, including those used by third parties such as support services or device management. Users should be authenticated with unique credentials before accessing devices or services, which may include passwords. Schools must document any instances of account removal, such as when individuals leave roles, and review these regularly, along with assessing any unused features or role privileges.

Further steps that schools must take to meet the standards include:

  • Using multi-factor authentication to limit access to accounts with sensitive data
  • Using anti-malware software
  • Checking the security of downloaded applications, updating licenses and security features
  • Keeping backups of important data
  • Having an up-to-date business continuity plan
  • Reporting cyber attacks
  • Training all staff in cyber security

The above information offers a brief glimpse into the standards; however, we strongly encourage school business leaders to visit the gov.uk website for a thorough examination of the standards in detail.

In the upcoming article within this series, we look at digital accessibility standards.
