    Meeting digital and technology standards in schools and colleges … – GOV.UK

By The Updates World, January 17, 2023
    Find out what standards your school or college should meet on cyber security, user accounts and data protection.
    Properly configured firewalls prevent many attacks. They also make scanning for suitable hacking targets much harder.
    Ask your IT service provider to set up your devices to meet the standards described in the technical requirements.
    Agree with your IT service provider a system for monitoring logs and documenting decisions made on inbound traffic.
    Your IT service provider may be a staff technician or an external service provider.
    Remember that this standard may change over time with changing cyber threats.
    You are free to choose any suitable firewall.
    To meet this standard you must:
    See our broadband internet standards.
    You should already be meeting this standard for the security of your networks. If you are not already meeting this standard you should make it a priority to review each device in your network.
    Security systems are sometimes disabled to make very marginal improvements to user experience. This is an unjustifiable risk calculation in most circumstances.
    Attackers scan for and exploit devices where the security features are not enabled. Using the security features that devices already have is the most basic form of cyber security.
    Attackers who gain physical access to a network device can exploit a system much more easily, so this should be prevented.
    Recording network devices helps schools keep networks up-to-date and speeds up recovery.
    Network devices include routers, switches, access points, servers and similar items.
    Ask your IT service provider to record and set up your devices and boot up systems to meet the technical requirements.
    Agree with your IT service provider a system for recording and reviewing decisions made about network security features.
    Your IT service provider may be a staff technician or an external service provider.
    Remember that this standard may change over time with changing cyber threats.
    The National Cyber Security Centre has published guidance on:
    To meet this standard you must:
    If network devices have conflicting security features, document the decisions you make on which security features have been enabled or disabled on your network. Review this document when you change these decisions.
To physically access switches and boot-up settings, use a password or PIN of at least 6 characters. The password or PIN must only be used to access this device.
    For all other devices, you must enforce password strength at the system level. If you use a deny list for automatic blocking of common passwords, use a password with at least 8 characters. If you do not use a deny list, use a password with at least 12 characters or a biometric test.
    Password manager software is recommended.
    The National Cyber Security Centre provides detailed guidance on:
    See our standards on network switching.
    You should already be meeting this standard.
    Successful cyber attacks target user accounts with the widest access and highest privileges on a network.
    You must limit the numbers and access of network and global administrative accounts.
    If you prevent and limit the compromise of these accounts you prevent and limit successful cyber attacks.
    Ask your IT service provider or network manager to set up accounts to meet the technical requirements. If a single staff member controls account access, another senior school staff member or governor should approve that staff member’s own account.
    There must be a user account creation, approval and removal process. You should make this part of school joining and leaving protocols.
    Your IT service provider may be a staff technician or an external service provider.
    Remember that this standard may change over time with changing cyber threats.
You must control user accounts and access privileges, including accounts used by third parties, for example support services or device management.
Only authorised people can have an account which allows them to access, alter, disclose or delete the personal data held. The data owner or controller, or the data protection officer, must identify and authorise these tasks.
    Users should have a separate account for routine business, including internet access, if their main account:
    Users must be authenticated with unique credentials before they access devices or services. This can include using passwords.
    You must enforce password strength at the system level.
    If you use a deny list for automatic blocking of common passwords, use a password with at least 8 characters. If you do not use a deny list, use a password with at least 12 characters or a biometric test. The National Cyber Security Centre recommends using passwords made up of 3 random words. Enforce account lockouts after a number of failed attempts and require service provider or network manager permission to unlock.
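The length and lockout rules above (also stated in the network switching standard) are mechanical enough to encode. The following is an added example, not code from GOV.UK or the NCSC; the deny list is a constructed sample and the lockout threshold of 5 failures is an assumption, since the standard sets no number.

```python
"""Password-policy and lockout checks following the account-access standard.

Rules implemented from the text:
  * deny list in use  -> minimum 8 characters, common passwords rejected
  * no deny list      -> minimum 12 characters, or a biometric test instead
  * lock the account after repeated failures; only a service provider or
    network manager may unlock it
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed sample standing in for a real "common passwords" deny list.
COMMON_PASSWORDS = {"password", "password1", "qwerty", "letmein", "123456"}


def minimum_length(deny_list_enabled: bool) -> int:
    """8 characters when a deny list blocks common passwords, else 12."""
    return 8 if deny_list_enabled else 12


def check_password(password: str, deny_list: set[str] | None = None,
                   biometric: bool = False) -> tuple[bool, str]:
    """Return (accepted, reason) for a proposed password."""
    deny_list_enabled = deny_list is not None
    if deny_list_enabled and password.lower() in deny_list:
        return False, "password is on the common-password deny list"
    # Without a deny list the standard allows a biometric test in place of
    # the 12-character minimum.
    if not deny_list_enabled and biometric:
        return True, "biometric test in use; no length rule applied"
    needed = minimum_length(deny_list_enabled)
    if len(password) < needed:
        return False, f"needs at least {needed} characters"
    return True, "ok"


@dataclass
class LockoutPolicy:
    max_failures: int = 5  # assumed threshold; the standard fixes none
    failures: dict[str, int] = field(default_factory=dict)
    locked: set[str] = field(default_factory=set)

    def record_failure(self, user: str) -> bool:
        """Count a failed attempt; return True if the account is now locked."""
        if user in self.locked:
            return True
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_failures:
            self.locked.add(user)
        return user in self.locked

    def record_success(self, user: str) -> bool:
        """A correct password does not unlock an already locked account."""
        if user in self.locked:
            return False
        self.failures.pop(user, None)
        return True

    def unlock(self, user: str, approved_by_admin: bool) -> bool:
        """Unlock only with service-provider or network-manager approval."""
        if not approved_by_admin or user not in self.locked:
            return False
        self.locked.discard(user)
        self.failures.pop(user, None)
        return True
```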
    The National Cyber Security Centre provides guidance on password administration for system owners.
    You must immediately change any password that has been compromised or suspected of compromise.
    You must remove unused accounts. This may include the accounts of users who have left their employment, or accounts that have not been used for a prolonged period of time. This is particularly important for accounts with administrator privileges. You should review this termly.
    Unused role privileges must be removed or disabled.
    No user’s account should have more access to devices than required to carry out their role.
    Use different accounts with specific rights for different purposes or have IT service providers and administrators enable just-in-time access, giving individual users time-limited privileges as required. The National Cyber Security Centre provides detailed guidance on privileged access management.
    For younger children or users with special educational needs:
    The NCSC offers this guidance on alternatives to passwords.
    You should not use global administrator accounts for routine business.
    You should only use accounts requiring administrator privileges to complete the tasks that need it.
    You should use service accounts for running system services and not user accounts.
    You should implement this standard as soon as you can and with the introduction of each new account.
    Multi-factor authentication only allows access to a service when you present 2 or more different forms of authentication. It reduces the possibility of an attacker compromising an account. This is especially important if an account has access to sensitive or personal data.
    In this context, sensitive or personal data is all data that if lost or compromised, would have a serious impact on the establishment, staff or students.
    The Information Commissioner’s Office explains what personal data is.
    Ask your IT service provider to set up the applicable users with the multi-factor authentication methods which meet the technical requirements.
    You should provide training to users unfamiliar with multi-factor authentication.
    The National Cyber Security Centre provides detailed guidance on:
    Your IT service provider may be a staff technician or an external service provider.
    Remember that this standard may change over time with changing cyber threats.
    Where practical, you must enable multi-factor authentication. This should always include cloud services for non-teaching staff. All staff are strongly encouraged to use multi-factor authentication.
    Ask users for a second authentication factor when accessing sensitive data. For example, when moving from a lesson plan to financial or personal data.
    Multi-factor authentication should include at least 2 of the following:
    You should implement this standard as soon as you can.
    Up-to-date anti-malware and anti-virus software reduces the risk from many forms of cyber attack.
    Some applications protect against viruses and general malware, some against one only. You need to protect against both.
    Ask your IT service provider to set up your devices to meet the technical requirements.
    The National Cyber Security Centre publishes advice on antivirus and other security software.
    Your IT service provider may be a staff technician or an external service provider.
    Your school or college must organise the responsibilities and processes for risk-assessment, authorisation and documentation for any access to potentially malicious websites.
    Remember that this standard may change over time with changing cyber threats.
    You must make sure anti-malware software and associated files and databases are kept up to date.
    Make sure the anti-malware software:
    Do not run applications or access data which has been identified as malware. Use the anti-malware software to eliminate the problem.
    You should meet this standard as soon as you can.
    Applications can insert malware onto a network or have unintentional security weaknesses. This makes attacks easier to execute against a network.
    Users should not download applications. The IT service provider should check them first.
    Ask your IT service provider to set up your devices to meet the technical requirements. Agree how this will be done with your IT service provider and document how you have met the requirements.
    The National Cyber Security Centre provides guidance on:
    Your IT service provider may be a staff technician or an external service provider.
    Remember that this standard may change over time with changing cyber threats.
    The IT service provider should approve all code and applications that are deployed and make sure they do not pose a security risk. They should do this in the best way possible given available resources.
    Best practice is to maintain a current list of approved applications. Applications with invalid or no digital signatures should not be installed or used.
    You could search the internet to check the reputation of the application and the hosting site, or run unknown applications or code within a sandbox environment.
    Make sure the network’s anti-malware service is scanning all downloaded applications.
    You should meet this standard as soon as possible.
    Hackers try to identify and exploit the vulnerability that each new security update addresses. They try to do this before users are able to update their systems. In the last year, several attacks on educational establishments have taken advantage of this.
    Unsupported software does not receive security updates and over time it becomes:
    You must not use unlicensed hardware or software.
    Unlicensed software may not be a legitimate copy, or it may not be updatable to the latest secure standards.
    You must avoid or replace unpatched or unsupported hardware or software, including operating systems. These devices are the most popular targets for successful cyber attacks. If this is not possible, then these devices and software must not be accessible from the internet – so that scanning tools cannot find weaknesses.
    Ask your IT service provider to make sure all devices and software are licensed, supported and set up to meet the technical requirements.
    Subscribing to services rather than buying items can be a way to help achieve this. This is known as Software as a Service (SaaS).
    So that appropriate risk assessment and mitigation can take place, your IT service provider should tell leadership and governors at the school or college and alter the network accordingly when devices or software:
    Your IT service provider may be a staff technician or an external service provider.
    Remember that this standard may change over time with changing cyber threats.
    The National Cyber Security Centre provides guidance on:
    All software must be currently licensed.
The licensing of most modern software can be checked through the software itself. Software which successfully updates can be presumed to be licensed. Older software may have to be researched.
    You should remove unsupported software. If this is not possible then you must only use the software on parts of the network which prevent all traffic to and from the internet. Support does not have to come from the original manufacturer and can come from third parties as long as this does not invalidate a licence.
    Unsupported devices must only access segmented areas of the network which do not grant access to sensitive data.
    You must enable automatic updates.
    You must complete manual updates to hardware or software, including configuration changes, within 14 days of the release of the patch where the vulnerability is:
    The Common Vulnerability Scoring System is the security industry standard for measuring the danger of a vulnerability. The score is a number from 1 to 10 where 10 is the most dangerous. There is a more detailed explanation of CVSSv3 on the NVD website.
    When notified by the Department for Education (DfE), patches should be applied within 3 days of notification. This will only be done in instances of dangerous zero-day attacks where institutions are at immediate risk and there is a suitable patch available.
    See our standards on network switching.
    You should meet this standard as soon as possible.
    A backup is an additional copy of data, held in a different location, in case the original data is lost or damaged. If all copies were held in the same location, they would all be at risk from natural disasters and criminal damage.
    Backups of important data are crucial for quick recovery in the event of disaster. The safest way to achieve this is to have a pattern of backing up on a rolling schedule. You should keep these backups off the network when not in use and check them regularly.
    Ask your IT service provider to install and configure your devices to meet the standards described in the technical requirements. If your IT service provider is an external contractor, the scope of this should be included in your service agreement.
Be prepared to ask your service provider to explain what they are doing to help you achieve this standard, including where the backups are located, how often they are done, how often they are checked and how long a restoration will take.
    A school itself must determine which of its data is important to its operations but it is likely to include personal, financial, management and network data as a minimum.
    The National Cyber Security Centre has published detailed guidance on:
    Your IT service provider may be a staff technician or an external service provider.
    Remember that this standard may change over time with changing cyber threats.
    You should have at least 3 backup copies of important data, on at least 2 separate devices. At least 1 of these copies must be off-site (on large sites, these copies should be far enough away to avoid dangers from fire, flood, theft and similar risks).
    Remember, you need 3 backup copies, you do not need 3 storage locations or 3 storage devices. For example, 2 backups taken at different times on the same device (as long as they do not overwrite each other) will count as 2 of the 3 backup copies.
    You should schedule backups regularly. How often you need to create backups depends on:
    At least 1 of the backups must be offline at all times. An offline backup is sometimes known as a cold backup.
A cloud backup is an off-site backup. Cloud data held in separate cloud services is held on separate devices.
    If the offline backup is in the cloud, access must be:
Remember, off-site means in an alternative physical or digital location; offline means that it is not connected to the network.
    The number of devices with these access permissions must be kept to an absolute minimum.
    A secure account identity is defined as a specified account secured with a username and multi-factor authentication.
    A device which cannot access the backup is defined as a device that has no valid credentials.
    Where the cloud services allow it, set up the controls to:
    Regularly check that the backups work.
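A backup inventory can be checked against the copy, device, off-site and offline rules above, including the note that two copies taken at different times on the same device count as two of the three copies. This is an added example with a constructed inventory, not a tool from GOV.UK or the NCSC.

```python
"""Check a backup inventory against the backup standard above.

Rules implemented: at least 3 copies, on at least 2 separate devices,
at least 1 off-site and at least 1 offline (cold). Copies on one device
taken at different times that do not overwrite each other count separately.
"""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    dataset: str    # which important data set this copy holds
    device: str     # storage device or separate cloud service holding it
    taken_at: str   # when it was taken; distinguishes copies on one device
    off_site: bool  # alternative physical or digital location
    offline: bool   # not connected to the network (a cold backup)


REQUIRED_COPIES, REQUIRED_DEVICES = 3, 2


def assess(copies: list[BackupCopy]) -> dict[str, bool]:
    """Check one dataset's copies against each requirement."""
    # Entries with the same device and time describe one copy; count it once.
    distinct = {(c.device, c.taken_at): c for c in copies}.values()
    return {
        "three_copies": len(distinct) >= REQUIRED_COPIES,
        "two_devices": len({c.device for c in distinct}) >= REQUIRED_DEVICES,
        "one_off_site": any(c.off_site for c in distinct),
        "one_offline": any(c.offline for c in distinct),
    }


def failures(copies: list[BackupCopy]) -> list[str]:
    """Names of the rules a dataset's copies do not satisfy."""
    return [rule for rule, ok in assess(copies).items() if not ok]


def assess_inventory(copies: list[BackupCopy]) -> dict[str, list[str]]:
    """Group an inventory by dataset and report failed rules per dataset."""
    by_dataset: dict[str, list[BackupCopy]] = defaultdict(list)
    for c in copies:
        by_dataset[c.dataset].append(c)
    return {name: failures(group) for name, group in by_dataset.items()}


# Constructed inventory: the MIS database meets the rule, finance does not
# (only two copies, none of them off-site).
SAMPLE = [
    BackupCopy("mis-database", "nas-01", "2023-01-16T18:00", False, False),
    BackupCopy("mis-database", "nas-01", "2023-01-17T18:00", False, False),
    BackupCopy("mis-database", "cloud-vault", "2023-01-17T22:00", True, True),
    BackupCopy("finance", "nas-01", "2023-01-17T18:00", False, False),
    BackupCopy("finance", "usb-drive-a", "2023-01-17T19:00", False, True),
]

if __name__ == "__main__":
    for name, failed in assess_inventory(SAMPLE).items():
        print(name, "OK" if not failed else "FAILS: " + ", ".join(failed))
```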
    You should implement this standard as soon as you can.
    Being unprepared for a cyber attack can lead to poor decisions, slow recovery and expensive mistakes.
    A good response plan made ahead of time will speed up your response, reduce stress levels and confusion.
    Effective response will reduce the material, reputational and safeguarding damage from ransomware attacks.
    Talk to your IT service provider and make sure you have a cyber attack contingency plan. The plan must be part of your business continuity and disaster recovery plan.
    The school’s governors should ensure the creation and testing of these plans. In multi-academy trusts, oversight might happen at trust level.
    The National Cyber Security Centre provides advice on contingency planning:
    To help with testing, they also provide an exercise kit.
    As part of the Risk Protection Arrangement there is a template cyber response plan.
    Your IT service provider may be a staff technician or an external service provider.
    Remember that this standard may change over time with changing cyber threats.
All schools and colleges must include a contingency plan for loss of some or all IT systems in their business continuity and disaster recovery plan. This is required by the schools financial value standard.
    This plan must include:
    Keep hard copies of key information in case of total system failure.
    Test and review these plans regularly.
    You should meet this standard as soon as possible.
    Cyber attacks are crimes against a school that need to be investigated so perpetrators can be found and counter-measures identified.
    A cyber attack is defined as an intentional and unauthorised attempt to access or compromise the data, hardware or software on a computer network or system. An attack could be made by a person outside or inside the school.
The National Cyber Security Centre defines what a cyber incident is.
    This compromise of data might include:
    You should report any suspicious cyber incident to Action Fraud on 0300 123 2040 or on the Action Fraud website.
    Police investigations may find out if any compromised data has been published or sold and identify the perpetrator.
    Ask your IT service provider to notify the school leadership team of all cyber attacks. Appropriate action and information-sharing must be carried out in accordance with the General Data Protection Regulation (GDPR).
    Where a data breach has or may have occurred, report to the Information Commissioner’s Office (ICO).
    These incidents should also be reported to the DfE sector cyber team at [email protected].
    Academy trusts have to report these attacks to ESFA.
    Exercise judgement in reporting. Incidents where any compromise may have taken place or other damage was caused should be reported. But receipt of a phishing email alone, for example, does not require reporting to DfE but can be reported to Action Fraud at [email protected].
    Where the incident causes long term school closure, the closure of more than 1 school or serious financial damage, you should also inform the National Cyber Security Centre.
    Schools and colleges must report cyber attacks to:
    Where applicable schools and colleges must report cyber attacks to ICO.
    You must act in accordance with:
    You should implement this standard as soon as you can.
    The protection of sensitive and personal data is vital to:
    You should control access to data in consultation with your IT service provider and the Data Protection Officer. This is to safeguard staff and students as required by the General Data Protection Regulation (GDPR).
    To meet the standard, you must:
    There is DfE guidance on:
    Academy trusts should incorporate the risk assessment into the risk register.
    If you rely upon encryption to protect data, this should be:
    The ICO provides advice on how data encryption should be used.
    The ICO also provides a template for DPIA.
    Additional protection or password protection should meet the technical requirements in the account access standard.
    You should limit access to those staff with a specific need. Do this by specific content area, and not blanket permissions.
    By achieving all the cyber standards you can meet the additional requirements for:
    You should already be meeting this standard in accordance with GDPR.
    The most common forms of cyber attack rely on mistakes by staff members to be successful. Avoiding these mistakes prevents the attacks.
    Basic cyber security knowledge amongst staff and governors is vital in promoting a more risk aware school culture.
    Staff with access to your IT network must take basic cyber security training every year.
    At least one member of the governing body should complete the training.
    Remember that the training may change over time with changing cyber threats.
Staff who require access to your IT network must take basic cyber security training every year. The training should be part of the induction training for new staff.
    This training should focus on:
    The National Cyber Security Centre has published suitable training materials:
    At least one current governor must complete the same basic cyber security training. These governors should read the NCSC publication school cyber security questions for governors.
You should implement this standard as soon as you can, and in any case within 12 months.