Security Controls
-
- Part of:
- Trust Centre
Suggested audience: Hwb administrators in schools and other organisations, ICT co-ordinators, Network Managers, local authority technical teams.
Overview
This document describes the controls available across the range of digital tools in the Hwb Platform and how these tools can be used to enable organisations to maintain the security of the information they use.
Government Security Classifications
The Government Security Classifications cover three levels: OFFICIAL, SECRET and TOP SECRET.
The levels are defined as follows:
The majority of information that is created or processed by the public sector. This includes routine business operations and services, some of which could have damaging consequences if lost, stolen or published in the media, but are not subject to a heightened profile.
Very sensitive information that justifies heightened protective measures to defend against determined and capable threat actors. For example, where compromise could seriously damage military capabilities, international relations or the investigation of serious organised crime.
HMG’s most sensitive information requiring the highest levels of protection from the most serious threats. For example, where compromise could cause widespread loss of life or else threaten the security or economic wellbeing of the country or friendly nations.
_______________
Information processed within the school environment will be at the OFFICIAL level.
For OFFICIAL data, information security controls should:
- Protect against deliberate compromise by automated or opportunistic attack
- Aim to detect actual or attempted compromise and respond
Full details are available in the associated Cabinet Office documentation.
Hwb Security Controls
For Hwb, security controls are referred to as standard and enhanced, only some aspects of Hwb have enhanced controls available.
Standard controls are intended to be suitable for the majority of Hwb users and to provide appropriate protection for low sensitivity personal data and OFFICIAL information.
Control Selection
For personal data the decision about what controls to use lies with the data controller (in schools this will normally be the headteacher).
In addition to the proposed approach for Hwb, formal advice is available on the ICO website to assist data controllers to decide what level of control is necessary.
The following table illustrates typical usage scenarios, however there are likely to be legitimate reasons to deviate from this model depending on a organisation’s specific circumstances; any such deviation is a local risk management decision.
Please refer to the control selection flowcharts applicable to each aspect of Hwb for further clarification.
Scenarios | Hwb Standard Controls Suitable? | Hwb Enhanced Controls Suitable? |
General school information including attainment data from the MIS (e.g. SIMS, Teacher Centre), which does not include sensitive information. | Yes | Yes |
Pupil information from the MIS, for example for use on school trips. SEN data can often include sensitive information; a local decision should be made based on the context and content of the data to determine whether enhanced controls are justified. | Not recommended | Yes - recommended |
Child safety investigations tend to be sensitive in nature and require confidentiality; this will normally necessitate enhanced controls. | No | Yes - essential |
Multi-Factor Authentication (MFA)
Authentication is the term used to describe the process of checking someone is who they claim to be.
Most people are familiar with username and password or a fingerprint for authentication and for a long time relying on these was adequate for preventing hackers gaining access to someone’s account.
The different ways of authenticating someone is based on three properties or factors:
- Something you know – this is the most common property used for authentication and usually takes the form of a password or PIN (personal identification number).
- Something you have – must be a physical ‘thing’ like a smartphone and often will involve submitting a code to confirm that you currently have the item in your possession.
- Something you are – this relies on biometrics like a fingerprint or facial recognition.
In isolation each factor is susceptible to attack, but when combined they can be difficult to defeat. A combination of more than one type of factor is often referred to as 2-step verification (2SV), but is also known as two-factor authentication (2FA) or multi-factor authentication (MFA).
Given the increasing incidence and sophistication of phishing attacks for online systems such as Hwb, the use of an additional factor is a very effective way to ensure that a leaked password does not provide full access to a user’s account and all the information it contains.
The use of MFA is strongly encouraged due to the benefit it has for preventing unauthorised access to information, particularly if it protects personal data of a sensitive nature. MFA is an important security feature both for organisations and users’ own personal online accounts.
MFA on Hwb (enhanced control)
MFA is enabled on the accounts of all non-learners.
MFA requires both a password and submission of a time-limited code which is generated by the Microsoft Authenticator app. Therefore, non-learner account holders must download and install the app on a smartphone or other internet enabled mobile device and link it to their Hwb account. Guidance is available in the Support Centre.
After the Microsoft Authenticator app has been installed and setup, if an account holder logs in to Hwb outside the trusted network of their school or organisation they must enter their username, password and a code generated by the app. A Hwb account can only be linked with one instance of the Microsoft Authenticator app i.e. linked to the app on only one smartphone or other internet enabled mobile device. The app does not need an ‘always on’ internet connection after installation, so it will still work in places with weak or no network coverage. More information about the Authenticator app is available from Microsoft.
For MFA to be effective non-learner Hwb account holders must not share their smartphone or device with others or leave it unattended and unlocked.
If you have any queries or need help, please contact your IT support provider in school or local authority first. Advice and guidance are also available from the Hwb Service Desk: email support@hwbcymru.net or phone 03000 25 25 25.
Collaboration
Hwb has defined recommended combinations of controls applicable to collaboration areas.
The standard controls are anticipated to be the most suitable configuration for most of the collaborative working undertaken by Hwb users.
Azure Multi-Factor Authentication (MFA) and Azure Rights Management (RMS), described in more detail below, are Enhanced controls, they are recommended wherever there is a need to work collaboratively with sensitive data.
Local risk decisions and guidelines should be followed whenever working with personal data, however the anticipated usage scenarios for the different levels are:
- Enhanced- Suitable for sensitive information
- Level 1 – recommended to ensure that documents remain secure by having controls that ‘travel’ with the document.
- This control level may also be suitable where there is an identified need to collaborate with large numbers of external users and confidentiality of low sensitivity information is important.
- Level 2 – recommended only for small groups of users; there is a reliance on users’ awareness and vigilance with respect to information security.
- Level 1 – recommended to ensure that documents remain secure by having controls that ‘travel’ with the document.
- Standard– Suitable for every day working and collaboration, which may include identifiable data, but will normally be unsuitable for more sensitive information
It is recommended that external sharing is constrained to small groups of users due to the lack of knowledge of how third parties manage information security.
Level | MFA | RMS | External Sharing | Expected Number of Users |
Enhanced level 1 | Yes | Yes | No | Many |
Enhanced level 2 | Yes | No | No | Few |
Standard | No | No | No | Many |
No | No | Yes | Few |
Files stored on Google Workspace for Education are protected by encryption during upload / download and when stored on Google Workspace for Education servers, but there is no option for explicitly encrypting files directly i.e. if a file is downloaded from Google Workspace for Education it will not be encrypted on the destination device.
Google Workspace for Education is appropriate for processing personal data, but where sharing of files containing personal data is required the controls available in Office 365 should be utilised.
Team Drive File Restrictions
Google Workspace for Education Team Drives can be configured to restrict how users can interact with files. The following setting can be configured:
Prevent commenters and viewers from downloading, copying, and printing files in this Team Drive
This configuration option will prevent uncontrolled copies of files being downloaded by any people with the commenter or viewer role. Depending on the collaboration scenario this may be an appropriate level of control for sharing content with external users.
Any users with edit access (contributors, content managers and managers) will be able to download copies of any files.
Rights Management – Enhanced Control
Azure Rights Management (RMS) is a form of digital rights management that provides additional control for file access, that ‘travels’ with the file.
In Hwb the use of RMS is currently constrained to supplementing the existing network access controls for SharePoint libraries containing sensitive data. Microsoft Office files stored in these secured libraries will automatically have RMS applied and will only be accessible by the users with access to the library.
A file that has had RMS applied will require a user to provide credentials for access to the file, even when they are accessing it outside the online environment. Encryption is used to prevent anyone without permission from accessing the contents of the file.
Applying RMS to a document will help ensure that irrespective of who has access to the file only pre-authorised people can view its contents.
Please contact your local SharePoint administrator for more information.
Personal Files
Multi-Factor Authentication (MFA) – Enhanced Control
Personal cloud storage drives can benefit from MFA being applied to a user’s personal account, in the same way as other services.
File level Password Protection - Enhanced Control
Microsoft Office’s native password protection can be used to protect files containing sensitive data, though this does introduce some restrictions on the access methods for the document (summarised below).
The Google Workspace for Education online applications for files do not directly support password protection.
Service | Is password protection available? | Can you save to online Drive? | Can you view protected file contents online? | Can you edit protected file contents online? |
Google Workspace Education | No | Yes | Yes | No |
Office 365 online | No | Yes | No | No |
Office 365 desktop | Yes | Yes | No | Yes |
If you have any queries or need help, please contact your IT support provider in school or local authority first. Advice and guidance are also available from the Hwb Service Desk: email support@hwbcymru.net or phone 03000 25 25 25.