Cybersecurity standards for schools and colleges
The cyber security standards have been updated to address tasks that should be completed by both the senior leadership team (SLT) and IT support. Cyber security is not something that IT teams can carry out alone; it is a shared responsibility between multiple roles and teams.
The new cyber security standards contain the same key information that the previous cyber security standards held, but the format of this has changed to make them more accessible to staff without cyber expertise.
The previous cyber security standards have been mapped to the new ones below, so that you can see where the previous information now lies.
1. 'Conduct a cyber risk assessment annually and review every term'. This new standard addresses:
- elements of the previous standard titled ‘Your business continuity and disaster recovery plan should include a regularly tested contingency plan in response to a cyber attack’
- the importance of risk assessments, which help users understand where they are now and where they need to go next to improve their cyber security
2. 'Create and implement a cyber awareness plan for students and staff'. This standard addresses:
- the previous standard titled 'Train all staff with access to school IT networks in the basics of cyber security'
- the importance of students and staff understanding cyber security risks, as your first line of defence against cyber incidents and attacks - this includes both training students and staff, as well as developing and implementing an acceptable use policy
3. 'Secure digital technology and data with anti-malware and a firewall'. This standard addresses the previous standards titled:
- 'Protect all devices on every network with a properly configured boundary or software firewall'
- 'Network devices should be known and recorded with their security features enabled, correctly configured and kept up-to-date'
- 'You should use anti-malware software to protect all devices in the network, including cloud-based networks'
- 'An administrator should check the security of all applications downloaded onto a network'
4. 'Control and secure user accounts and access privileges'. This new standard addresses the previous standards titled:
- 'Accounts should only have the access they require to perform their role and should be authenticated to access data and service'
- 'You should protect accounts with access to personal or sensitive operational data and functions by multi-factor authentication'
This standard covers password security, multi-factor authentication and account management.
5. 'License digital technology and keep it up to date'. This new standard addresses the previous standard titled:
- 'All devices and software must be licensed for use and should be patched with the latest security updates'
6. 'Develop and implement a plan to backup your data and review this every year'. This new standard addresses:
- the previous standard titled 'You should have at least 3 backup copies of important data, on at least 2 separate devices, at least 1 must be offsite'
- the need to analyse what your current backup plan looks like
- the need to plan and action how to backup and restore your data
7. 'Report cyber attacks'. This new standard addresses:
- the previous standard titled 'Serious cyber attacks should be reported'
- reporting a cyber attack both internally within your school or college and to external bodies
In addition to the above changes, the DfE have also removed the standards below and have explained why.
'Your business continuity and disaster recovery plan should include a regularly tested contingency plan in response to a cyber attack'.
- This has been removed as it is now addressed in the DfE’s new digital leadership and governance standards under the title ‘Include digital technology within disaster recovery and business continuity plans’. It is also referenced throughout the new standards.
'You must conduct a Data Protection Impact Assessment (DPIA) by statute for personal data you hold as required by General Data Protection Regulation'. This has been removed because:
- this is included in the existing 'servers and storage' and 'cloud solution' standards
- DPIA is now mentioned throughout the new cyber security standards
'Network devices should be known and recorded with their security enabled, correctly configured and kept up-to-date'.
- The important content from this is now within the relevant sections in the new standards.