Suggested audience: learners, school staff, school digital champions, local authority Hwb administrators, regional education consortia Hwb administrators.
The guidance provided is generic in nature but reflects a typical school’s usage based on information from stakeholders including teachers, support staff and local authorities.
All users should follow basic general security rules; these are generally applicable to any IT system and include:
- Never let anyone else use your Hwb account
- Never use someone else’s Hwb account
- Do not create generic/shared accounts
- Follow good password guidelines (see Hwb Security Guidance)
- Be mindful when using your Hwb account in a public place - ensure that your usage cannot be observed, especially when entering your password
- Don’t use your Hwb account for purposes other than related to education business
- Always check e-mail recipient details are correct before sending
- Always report concerns about inappropriate usage - local procedures should be followed as necessary
- Avoid use of public, shared or personal devices / systems for sensitive or personal data
The use of personal devices, often referred to as ‘Bring Your Own Device’ (BYOD), will almost certainly introduce risks to the information processed on them, this is each organisation’s risk management decision.
The ICO has published specific guidance with respect to BYOD and data protection.
Hwb is not currently configured to control or check the devices accessing Hwb, instead there is a reliance on users following the local policies that are applicable to them.
The intention of information security is to preserve the following properties:
- Confidentiality – ensuring information remains secret
- Integrity – ensuring the accuracy of information
- Availability – ensuring information can be accessed when required
In addition to these key attributes, there will be scenarios in which other properties will be of importance for example, accountability, non-repudiation and reliability.
Information about identifiable individuals is personal data, the General Data Protection Regulations (GDPR) define the legal requirements applicable to the use of personal data.
The UK’s Data Protection Act was revised in 2018 and enacts the GDPR requirements in UK law.
The revised definition of personal data is included in the Privacy Notice.
The precautions that should be taken are applicable irrespective of media type. For example, each of the following can require security measures if they contain personal data:
- electronic documents
- hand written notes
This guidance is limited to controls applicable to electronic formats of data, if information is printed out it still needs to be protected, procedures should be consistent with those applicable to electronic documents.
The Information Commissioner’s Office (ICO) publishes guidance and codes of practice applicable to data protection and personal data on their website.
Hwb has been designed primarily to store educational content that can be shared with any other Hwb user.
Hwb has standard controls as default, so it is suitable for the basic personal data required for day to day use of the system.
Enhanced controls are available. For more information please visit Security Controls.
User Management Portal (UMP)
The UMP is a bespoke solution that provides Hwb users with access to account management facilities.
For the majority of users standard controls in the UMP will be appropriate but for some levels of access, enhanced controls are recommended or required.
G Suite for Education and Office 365
Hwb provides users with access to both Google G Suite for Education and Microsoft Office 365 (learners require consent). Both services have a range of controls suitable for processing personal data and OFFICIAL information, which makes them the most appropriate Hwb services for working on and storing such data.
A summary of the relevant underlying governance information applicable to G Suite for Education and Office 365, as managed by Google and Microsoft respectively, is included in Data Compliance.
For the majority of Hwb users the default configuration of G Suite for Education and Office 365 will provide them with security appropriate information they have access to.
Where Hwb users access or exchange sensitive information there may be a need for a greater level of protection; therefore, optional additional controls are available.
Office 365 is the e-mail system provided for all users of Hwb (learners require consent). It is a standards-based e-mail system that benefits from a number of configuration options that can provide robust security.
The default configuration of Office 365 provides a secure way of sending e-mail between Hwb users as well as some partner organisations. The link to the current list of verified partner organisations is here; Trusted Domains.
The list of partner organisations that are configured to receive secure e-mail from Hwb is established in conjunction with local authorities and regional education consortia.
Note: Until a partner organisation has been verified it should be assumed that e-mails will not be secure and enhanced controls considered.
Office 365 has additional options for encrypting sensitive e-mail. Further guidance should be sought from your headteacher or local authority information security officer as required. For more information please visit Security Controls.
The following flowchart provides a graphical representation of the recommended decision process for deciding the appropriate encryption method for e-mails containing personal data and a similar process can be applied to other sensitive data.
G Suite for Education and Office 365 both have options for working collaboratively:
G Suite for Education:
- Team Drives
(incorporates both directory and site functionality)
With a potentially large number of users with access to shared working areas, care should be taken when storing sensitive data in these areas.
Specific areas for securely collaborating with sensitive data can be configured to help ensure:
- access is constrained to those with a need to know the information
- enhanced protection for documents to reduce the risk of accidental release of information
For more information please visit Security Controls.
Note: The enhanced level of protection for documents can necessitate the use of the desktop version of Microsoft Office for creating and editing documents.
For staff with regular access to the most sensitive data additional security controls are available and should be considered (to help prevent password-based attacks).
Hwb provides each user with access to Google Drive and Microsoft OneDrive.
Note: Password protection is available in desktop versions of Microsoft Office.
Password protection of individual files containing sensitive data can be an effective way of ensuring only those with the password can access the contents if confidentiality is a concern.
In such situations advice should be sought about password complexity, length and distribution. Password guidance is available below.
For IT systems, and in particular cloud services such as Office 365 and G Suite for Education, passwords are a necessary inconvenience and probably will be for the foreseeable future. They are currently the most appropriate option for ensuring that only you have access to your account.
To try and make it simpler for Hwb users to manage their passwords, the Hwb Platform has been designed so that you only need one password across the platform, this is called Single Sign-On or SSO.
An associated implication of having one password for access to multiple systems is that if someone gains access to your password they can potentially access a wide range of information. For this reason it is important to understand what you can do to ensure your password is not susceptible.
This guidance is intended to help ensure your Hwb account remains secure, but it is equally applicable to passwords you use for personal accounts, for example online banking.
There are many desirable properties for passwords, but this guidance will focus primarily on the properties that are effective for preventing hackers. An effective password would be:
- Difficult to guess
Other desirable properties of passwords sometimes conflict with these, for example ideally a password is easy to remember, but this often results in passwords that are easy to guess or are not unique (an alternative option to easily remembered passwords is recommended below).
There are two main ways hackers can try to gain access to passwords:
- Hacking password systems
If a website is hacked, the hackers might be able to gain access to the password system and copy all the passwords used on the site. They can use these passwords to takeover individual accounts.
- Phishing attacks
Phishing attacks will usually only compromise one password at a time, but they do not require hacking into a system first.
If hackers are able to match a password to your identity, for example via your registered e-mail address or a username, they will try to use the password to access other systems.
For example, if your social media password is the same as your online banking password and a hacker accesses the passwords used on social media they may be able to access your online banking as well.
While having unique passwords will not help prevent an initial attack being successful, it will prevent subsequent attacks against other systems that you use.
- Hacking password systems
Some hacking attacks are based on someone trying to access an account by trying to guess passwords, usually this type of attack is based on hackers having a list of passwords that they can use in automated attacks. The lists can be based on combinations of the following information:
- Keyboard patterns, for example ‘1q2w3e4r’
- Common passwords observed from hacked systems, for example ‘sunshine’
- Names of sports, films, singers or other popular themes
Most systems, including Hwb, have controls to slow down online password guessing attacks, but it is not possible to completely eliminate them.
One of the desirable properties for passwords is that they are easy to remember, but for most people this is not practical without either:
- Selecting common words as passwords
- Recycling passwords across systems
- Using a repeatable and predictable format
None of the above options results in a password that will reliably resist hacking attacks.
One alternative to trying to remember multiple passwords is to use a password manager, this is an application that will store all your passwords so that you do not need to remember them. Using a password manager means you can use:
- Impossible to guess passwords that are highly resistant to brute-force attacks
- A different password for every site you register on
Many password managers can be synchronised across devices or backed up online to avoid single points of failure.
Using a password manager is highly recommended.