Hot on the heels of the Meeting digital and technology standards in schools and colleges guidance discussed in an earlier blog post series, the Department for Education has now also added Cyber security standards for schools and colleges, published as a new document on 10th October 2022.
The document sets out standards for all schools and colleges covering cyber security, user accounts and data protection. They are broken down into the following twelve categories:
- Protect all devices on every network with a properly configured boundary or software firewall
- Network devices should be known and recorded, with their security features enabled, correctly configured and kept up to date
- Accounts should only have the access they require to perform their role and should be authenticated to access data and services
- You should protect accounts with access to personal or sensitive operational data and functions by multi-factor authentication
- You should use anti-malware software to protect all devices in the network, including cloud-based networks
- An administrator should check the security of all applications downloaded onto the network
- All online devices and software must be licensed for use and should be patched with the latest security updates
- You should have at least 3 backup copies of important data, on at least 2 separate devices, with at least 1 copy held off-site
- Your business continuity and disaster recovery plan should include a regularly tested contingency plan in response to a cyber attack
- Serious cyber attacks should be reported
- You must conduct a Data Protection Impact Assessment, as required by statute under the General Data Protection Regulation, for the personal data you hold
- Train all staff with access to school IT networks in the basics of cyber security
This is quite a list of areas and there is a lot of detail behind each element that we will break down in later articles.
Nothing here will surprise anyone familiar with schemes such as Cyber Essentials (although, interestingly, that scheme is not itself part of the requirements). What is worth noting for schools and colleges is that each element has a timescale attached for implementing the measures needed for compliance.
Several of them are marked as "should already be in place". Most of the rest are "as soon as possible". The only measure with a fixed deadline is the final one, on training, which must be completed within 12 months.
What is clear is that the expectation from this set of standards is that schools and colleges should be treating cyber threats as a priority and should be meeting the detailed requirements behind each area as quickly as they possibly can.
It is not yet clear how the Department intends to check compliance, although several elements (such as Disaster Recovery and Business Continuity) do link through to pre-existing audit areas.
The immediate questions for schools and colleges are: how do we currently measure up to the requirements? What does our IT risk register tell us about our priorities for implementing the measures we do not yet meet? And do we have an IT risk register at all?
Tackling cyber security issues is, or should be, a multi-layered project, and as we break down each of the standards there are elements of technology, process, policy and monitoring in every one. Each element is important to the overall effectiveness of the measure.
If you need any help with this please get in touch, we’d be happy to get involved at any stage of the process.