Network and Data Security Standards

The risk of cyber attacks to schools has increased significantly in recent years, so having a clear strategy for your data and network security is critical to ensuring that you not only protect your school systems, but also meet your obligations under Safeguarding and GDPR.

As outlined in Planning and Management Guidance, you should have a clear strategy for ensuring that IT and digital are core parts of strategic planning, and that this also covers your obligations in terms of cyber security and data protection. You should have a clear strategy to govern your approach to data security and data protection and for managing the risks that you may face.

No matter how small or big, rural or urban a school is, it should have a network security strategy in place. The strategy should include items such as capturing the regularity of IT and network tests; the monitoring of the network; and identifying key information – such as pupil data and bank details – that could be at risk and the steps in place to manage the risk.

Schools with local authority support agreements in place can check with their local authority contacts to see how their school is integrated into the local authority network security strategy.

As outlined in Planning and Management Guidance, a school should have a clear strategy for ensuring that IT and digital are core parts of their strategic planning process, and that this also covers their obligations in terms of cyber security and data protection.

Schools should be clear in how they govern their approach to network and data security, and for managing the risks that they may face.

This could be a school’s own strategy, or one from their local authority (provided the school is part of the local authorities’ strategic IT and digital services).

An Information Asset register would be an ideal place for schools to start when assessing the security footprint of the data they control. They may wish to co-ordinate some of this effort with the data controller of the school (or alternatively their local authority).

Further information on cyber security and data can be found at the National Cyber Security Centre (NCSC) and the Information Commissioner's Office (ICO).

The UK Government’s Cyber Essentials scheme is a useful and cost-effective first step in developing a cyber security strategy for your school.

There are two levels of Cyber Essentials accreditation.

The basic Cyber Essentials (CE) certification process includes a self-assessment questionnaire and an external vulnerability scan of your network that independently verifies your security status. The Cyber Essentials Plus (CE+) certification process includes an internal vulnerability scan of your network, PCs and mobile devices. CE+ is acknowledged as being more stringent than the initial CE certification.

Essentially there are five control measures that make up Cyber Essentials. They are as follows:

• Secure configuration – are computers and networks secure?
• Firewalls – are these and Internet gateways secure?
• Access controls and administrative privilege management – are user accounts adequately protected and do people have appropriate access levels?
• Patch management – is software on network devices and computers up to date and capable of resisting low-level cyber attacks?
• Malware protection – are computers and networks protected from malware?

For advice and help on Cyber Essentials, please speak to your local authority.

Although your school broadband and network provides you with access to the outside world via the Internet, it also means that the outside world can also potentially access your network systems and data.

It is therefore essential that you have in place appropriate and effective network security measures to defend and police the perimeter of your school network. This helps to protect you from external threats, as well as aids the safeguarding of your learners and users.

Your school also needs to be protected against internal threats being introduced from within your network, such as from the use of infected devices, removable media (like USB flash drives) and malicious or accidental actions by users.

Technical measures can include such things like firewalls.

Schools with local authority support agreements and Internet access provided through PSBA should check with their local authority contact to see how they are benefiting from the network security measures put in place on their behalf by the local authority and PSBA.

A school should have appropriate network and data security measures in place as part of their school management, governance and safeguarding obligations.

The network security measures are often provided as part of the network services offered from the Internet Service Provider (such as PSBA) and the relevant Education Technology Support Partner (such as a local authority). However, schools should ensure that they are content and satisfied by the network and data security measures put in place on their behalf, and tie them back into any relevant data and network security strategy for the school.

The PSBA network has a number of cyber security controls in place to specifically protect schools and school users. Please see Connectivity (Broadband) for more information.

The PSBA network also provides schools with a direct secure connection to allow them to use their respective local authority corporate services (e.g. SIMS, finance, ALN information) hosted at Civic Centre or County Hall sites.

If an alternative Internet Service Provider is used instead of PSBA, schools should implement a secure Virtual Private Network (VPN) connection from their school, across the Internet and back into local authority systems to ensure secure access is maintained. This is likely to incur additional costs and management overheads, as well as additional complexity to make sure that data traffic between the school and the local authority systems are secured. PSBA removes the need to do this, as it creates a secure ‘walled-garden’ network for all organisations – keeping traffic separated and segregated from other users.

It should also be noted that PSBA provides central Internet Watch Foundation protection for schools; this is a service that prevents schools from accessing illegal content elsewhere on the Internet. This is a standard service in addition to the PSBA Webfiltering service that your local authority may have opted into.

The PSBA Webfiltering service enhances internet safety by making sure users only have access to appropriate content. The service includes scanning to reduce the risk of infection by malware and viruses through web-browsing whilst allowing organisations to manage their own web filtering policies.

Local authorities will also have in place various network security measures (e.g. firewall provision) to provide their schools with an additional layer of security and protection. Local authorities will also be tied into guidance and alerts from NCSC. This means they will have tools and resources in place to support schools should your school become subject to a network security incident.

If schools choose to use an alternative Education Technology Support Partner instead of their local authority, they should ensure that these additional network security measures are included as part of their service provision. Many Education Technology Support Partners may charge additional fees for providing this enhanced level of service which is considered essential.

Your school will have various types of network connected devices such as tablets, laptops, or desktop PCs, which may all be used to varying degrees but are all ultimately intereconnected via the school network. This means that you should ensure that appropriate cyber defences have been considered and put in place across the board, as the exploitation of a security weakness in one technology can affect everything else.

Cyber attacks from threats such as viruses, malware, spyware and Trojan horses can impact on the ability of technology to function, and potentially lead to the theft or corruption of learner and financial data – this could ultimately result in a breach of your GDPR, financial and/or Safeguarding obligations.

Schools with local authority contracts can check with their local authority contact to see how they are benefiting from anti-malware defences put in place on their behalf from their local authority.

Furthermore, schools should plan for the replacement of outdated and obsolete hardware and software to ensure they remain security compliant; ensure availability of toolsets to maintain compliance; and having the resources to test and validate the defences over time.

Like all organisations making greater use of technology and the internet in their day to day business, it is vital that schools ensure that they have established cyber defences in place to protect themselves from all risks and threats.

Some of the most well known common threats that schools need to be aware of include:

• Distributed denial-of-service (DDoS) attack – this is when a cyber criminal uses a series of computers (usually controlled via botnets) to sabotage a specific website or service, through telling those computers to contact the website or service over and over again. The website or service is eventually overloaded and usually requires shutting down.
• Malware – is a collective term for malicious software that infects devices and networks. Depending on the type of malicious software, it can lead to the theft of data and personal information; files and documents being altered and/or deleted; hard drives being formatted; and loss of control of whole systems.
• Botnets – this is a collection of malicious software programs referred to as ‘bots’ which can lie undetected on your device or PC. Bots are a form of malware which may lay dormant on a system until activated remotely. The ‘bots’ can be controlled by criminals to steal data; launch attacks on other systems and spread to other devices or PCs in your school network.
• Ransomware – is a type of malware that restricts access to your device or your files and displays a message that demands payment in order for the restriction to be removed. These are becoming increasingly common and there are many reports of public sector organisations electing to pay the ‘ransom’ fees rather than risk their data becoming corrupted – which is quite commonly the threat that cyber-criminals use to encourage organisations to pay.
• Spyware – is a type of malware that collects personal information without you knowing, as well as infect your device with viruses. They often come in the form of a ‘free' downloads and installed automatically with or without your consent.
• Trojan horse – is a type of malware that is disguised as, or contained inside, legitimate software which will install itself and run automatically when the software is downloaded. The Trojan horse can watch users through web cams; control your device and files; record usernames and passwords and log keystrokes to steal personal information (e.g. credit card details).
• Viruses – are malicious computer programmes (as opposed to malicious software) that are often sent as an email attachment or link, that once opened infects your device, as well as the devices of your contacts. Viruses can steal data and personal information; disable security settings; hijack your network; and infect hard drives and USB keys so as to infect removable storage media (e.g. USB drives). Devices with viruses are often slow and unresponsive; takes longer to boot up and tends to restart on its own; programmes tend to freeze and crash; and internet pages are slower to load (to name but a few symptoms).
• Wi-Fi Eavesdropping – this involves the illegal “listening in” on information and data shared over an unsecure and unencrypted Wi-Fi network, which can lead to the illegal access of your devices and the threat of data and personal information.
• Worms – worms, unlike viruses, are introduced and work on their own without needing to be attached to files or programmes. They live in the memory of the infected device, and can spread to other devices across the network and beyond, eventually causing damage by shutting down systems.

Schools should ensure that all component parts of their technology hardware, especially their teaching and learning devices, are protected against all known cyber risks and threats.

Local authorities will have in place various security measures on technology, hardware and devices for their devices that they purchased and managed on behalf of their schools. This can include:

• Email screening – screening and blocking of malicious email and attachments so malware and viruses are removed before they reach users.
• Managing devices – this allows the local authority to monitor, configure and secure the devices against any potential risks and threats before they reach users; it will also ensure the latest security patches and the correct configuration is applied.
• Restricting access to malicious web services – preventing user access to known malicious and/or unsecured websites to limit the potential for introducing malware onto devices and the network, as well as disabling some plug-ins and blocking proxy URLs.
• Introducing two-factor authentication – for providing an extra added layer of protection for logging into devices based on two sets of information to authenticate a genuine user from a cyber criminal. The information could be knowledge based (such as username and password) coupled with something possession based (such as a Smartphone or a security token), or something inherence (such as a fingerprint or other biometric identifier).

If schools choose to use an alternative Education Technology Support Partner instead of their local authority, they should ensure that these (and other) security measures are appropriately deployed and paid for.

Your Education Technology Support Partner should monitor your network so that any suspicious activity (both external and internal) can be identified and addressed as quickly as possible. It is important you have visibility of any suspicious activity so as to be aware of any possible threats, as well as identifying if there are potential network vulnerabilities which need to be addressed.

To undertake your safeguarding duties, it is important to ensure your network has an appropriate filtering policy in place. This should enable you to manage what online content learners and staff can access, as well as monitor what learners may be accessing online. It is critical that filtering standards are fit for purpose for 21st Century teaching and learning, allowing the access schools require whilst still safeguarding children and young people.

Schools with local authority contracts can check with their local authority contact to see how the monitoring of their network is being carried out.

Schools should have in place a process for the proactive monitoring of their networks to ensure and enforce network security.

This should extend to being able to account for how the system is being used so that at risk behaviours are identified as early as possible.

Arrangements can include:

• Monitoring network traffic
• Monitoring user activity
• Collecting and collating the evidence found
• Analysis of that data.

The link between PSBA and your local authority in supporting your data network security will ensure that there is a joined up approach to your data security policies and processes and that you are getting the best advice possible. However, please remember that PSBA is not responsible for security of data traversing the network – that is the end-users/end-organisation responsibility.

As part of the service, bandwidth utilisation of your school’s connection onto the PSBA network is monitored. Unusual traffic patterns that could be symptomatic of unwanted or unauthorised activity are detected by PSBA and are notified to the relevant local authority for further investigation (provided the school is part of the PSBA network and part of the local authority managed services).

Should further assistance be necessary, PSBA can provide expert support to help identify the potential source of the problem, by looking at the types of traffic traversing the school connection onto PSBA and will work closely with local authorities to resolve any issues that arise.

If schools choose to use an alternative Internet Service Provider (rather than PSBA) and/or an alternative Education Technology Support Partner (instead of their local authority), they should ensure that they have in place active network monitoring arrangements, and the related processes for managing and responding to unusual network traffic patterns. It should also be noted that such services may be subject to additional cost.

This will help you to respond to network and data security incidents and give you confidence that you will know what to do, and who to contact.

The strategy should have in place protocols that will help you to contain, mitigate, and minimise the impact of any network and data security incidents if they do occur. This strategy should be a core part of your planning and management arrangements for your school.

Your Education Technology Support Partner should be able to advise you on the process and practices in support of this strategy.

Schools with local authority contracts in place can check with their local authority contacts to see how their school is integrated into the wider local authority network security strategy.

Schools should have a clear strategy for how they will respond to cyber attacks, and what mitigating steps are being taken to secure any data that may be at risk.

Such strategy may include steps for the:

• Response to an cyber security incident
• Reporting and responsibility lines in the event of an incident
• Written disaster recovery planning documents
• Remote wiping of mobile devices
• Re-setting credentials for network access.

The strategy and processes should be tested, and users should be made aware of the importance of highlighting issues where they believe there has been an cyber security incident. Staff within schools should be informed of the correct process for reporting incidents to members of the school’s Senior Team so that they can be investigated appropriately if necessary. This is an essential component of your safeguarding and cyber security responsibilities.

Your local authority or Education Technology Support Partner should be to help you with developing an incident response process, and may have resources to support staff with CPD in this area of safeguarding and cyber-security.

Software and operating system updates are essential to maintaining the security of your devices, and to protect the data held on them.

Developers and manufacturers are constantly at work to identify potential vulnerabilities in their applications and devices, deploying updates to fix security risks whenever they are found. Therefore, failure to regularly update your devices presents an opportunity for cyber criminals to break into your network and access learner data or potentially use your systems for criminal activity.

In addition to security fixes, updates can also include new or enhanced features, or improve compatibility with different devices or applications. They help to improve the stability of your software, remove outdated features and improve user experience.

All school devices should be configured to a specification that offer secure access to the network, ensures consistency, and are managed through appropriate network management tools.

This will ensure that all devices are protected by firewalls and anti-virus software, and have the benefit of regular updates to maintain their security. It ensures that all school devices are secure and fit for use in an educational setting.

Local authorities should have systems and processes in place for managing this; and to maintain the currency of operating system licences and updates that have been procured for educational use. Schools using an alternative Education Technology Support Partner should ensure that this is part of the service they receive from their partner, which may come at an added cost.

All school owned mobile devices should be managed with a Mobile Device Management (MDM) solution. This ensures devices have relevant updates applied and the right security settings and configurations.

MDM solutions also help to protect your devices and safeguard the data held on them.

All school owned mobile devices should be managed through a Mobile Device Management solution to ensure they are appropriately configured and have the security measures applied and updated regularly.

This will also ensure that the device remains up to date for security patches and updates, and can identify any potential malware that may have been introduced.

From a data security perspective this should include the capability to remotely lock and wipe devices to ensure that any data held on them can be protected from unauthorised access.

Please see Device Management Standards for more information.

Controlling and managing who has access to your network is imperative to meet your safeguarding and cyber security responsibilities.

Having separate virtual networks (channels) for learners, guests and staff can help ensure that users and their data are kept secure. It also means that people only have access to the information they need.

Access to these separate virtual networks should be carefully managed and secured through the enforcement of strong passwords and clear definition of user roles and privileges.

In addition, schools should ensure that only network staff or Education Technology Support Partners can install software and make changes to your system configurations. This supports the security of your network, and limits the potential of unknown threats being introduced from within the school environment.

Having separate virtual networks (channels) for learners, guests and staff can help you ensure that users and their data are kept secure. It also means that people only have access to the information they need.

Access to these separate virtual networks should be carefully managed and secured through the enforcement of strong passwords and clear definition of user roles and privileges.

In addition, schools should ensure that only network staff or IT support partners can install software and make changes to your system configurations. This supports the security of your network, and limits the potential of unknown threats being introduced from within the school environment.

Further information on the Standards for segregating networks can be found in Wireless Networking Standards.

Certificate based authentication where possible adds an additional security measure to this process, and is also referenced in Standard E5.

You need to meet your data security responsibilities as a school, and prevent transfer of malicious threats to your network that might come from allowing removable media (such as USB drives) to be used with devices on your network.

Additionally, where the use of removable media is permitted and may contain personal information, you should ensure that the data held on those devices is encrypted to protect it against theft or data loss.

Ideally, schools should use secure online means of data storage and transfer (such as Hwb) where the access to the data may be possible from a number of different locations and devices, but the location of the data remains static and secure.

Removable media devices can mean that data is at risk of loss or theft. Furthermore, these devices can introduce viruses and potential malware onto the school IT network.

Where personal data is stored or accessed through physical media, such as portable USB drives, these should be encrypted to ensure that access is only permitted to designated persons and that you remain compliant with guidance on GDPR.

Device management tools should also be capable of recording which devices are encrypted. Encryption and recording of which devices are encrypted should be undertaken in line with your school policies for data security and managed by your school Education Technology Support Partner.

Everyone has a role to play to ensure that your school network, and the data held on it, is safe and secure.

Staff should be aware of their own responsibilities for cyber security. This includes following the rules for managing data; dealing with removable media and following protocols for passwords and network use as outlined in your Acceptable Use Policy.

Senior leaders should ensure there are appropriate rules and policies in place (such as Acceptable Use Policies; Data Handing Policies; etc.) to guide and govern practice. Furthermore, senior leaders should be confident that their Education Technology Support Partner is putting in place relevant network and data security measures to protect their schools from external and internal threats.

Schools with local authority contracts in place can check with their local authority contacts to see how the local authority is managing network and data security on their behalf through the integration of the school into the wider local authority network security arrangements.

Schools should ensure that their staff are aware of their responsibilities for cyber security. This extends to:

• Having an understanding of cyber security and why it is important
• Having an understanding of GDPR and why it is important
• Understanding the regulations as they impact on reporting incidents and managing wider learner data
• Understanding the impact and importance of the Acceptable Use Policy
• Following protocols for password enforcement
• Having processes for reporting incidents and raising concerns
• Raising awareness of malware and the potential for attack via email so that personal conduct can be modified if needed.

Ensuring that there is an appropriate awareness for cyber security will also be vital to helping schools to meet their GDPR and safeguarding obligations.