Why this standard is important
Protecting user accounts and related data is a critical line of defence against cyber incidents and attacks.
Following this standard will make sure that:
- personal data and digital technology are as safe and secure as they can be
- students, staff and third parties only have access to the things they need
Not meeting this standard could lead to:
- schools and colleges being exposed to external and internal threats
- a significant data breach
- students and staff being exposed to inappropriate content
- a disruptive and costly ransomware attack, which is a type of malware which prevents access to your data or device unless a ransom payment is made
- not being covered by your insurer for cyber attacks and incidents
Who needs to be involved
The senior leadership team (SLT) digital lead will be accountable for this standard but IT support will be responsible for actioning it.
IT support will work with:
- any digital technology suppliers to make sure they are also compliant with this standard
- the data protection officer (DPO) who will, if needed, undertake a data protection impact assessment (DPIA) and provide advice on data protection legislation compliance
- human resources and your business professionals or the finance team to set up a process for movers, joiners and leavers
- any IT leads in your broader organisation (if applicable), such as a multi-academy trust or a local authority school to find out if anything needs to be actioned or approved by them
If you do not have the technical expertise in-house, you will need to get advice from an external support provider or consider training for your internal IT staff to make sure they have the skills needed.
How to meet this standard
The SLT digital lead will need to plan how the technical requirements section within this standard will be met with IT support and how they will:
IT support should make sure that users only have the network and data access they need, and that their account is secure.
To help action this standard, you can also visit:
Technical requirements
This section is for your IT support who may be an internal support team or an external provider. They will set up users so that they only have the access they need by following these minimum requirements.
If you have external IT support that will carry out the activities within this standard, make sure that your contract with them is compliant with General Data Protection Regulation (GDPR).
Passwords
Users must be authenticated with unique credentials before they access devices or services. This can include using passwords.
IT support will need to:
On networking devices and servers, IT support should:
- use a password or PIN of at least 6 characters to physically access network switches and boot-up settings – the password or PIN must only be used to access this device
- agree a process with the SLT on securing access to key system passwords and PINs in the event of an emergency, or if IT support are unavailable
For younger children, users with special educational needs or disabilities, or for those with English as an additional language, consider using:
- other means of logging on, other than passwords – for example, using a PIN code
- a separate account accessed by the teacher using the student’s login so that the student can still be identified – this should follow the filtering and monitoring standards
Visit the NCSC website to learn more about setting up password policies.
Multi-factor authentication (MFA)
MFA secures your account by asking the user to provide 2 or more pieces of evidence to verify their identity. This could include a password and a login through another device.
MFA may not be accessible for those with special educational needs and disabilities. In these circumstances you will need to discuss alternatives or extra support when logging in.
Senior leaders, and staff (including internal and external IT support staff) working with confidential, financial, and personal and sensitive personal data must use MFA.
If appropriate for your school or college, you may also wish to explore:
MFA should include at least 2 of the following:
- a password
- a text message which will send a code to a mobile device, this is for staff only
- an automated phone call to a given phone number that reads out a code (as an alternative to a text message)
- a secure portable device, such as a mobile phone or tablet for staff
- a security key or device, used to authenticate logins – the school or college may need to pay for this if staff do not have access to a secure mobile phone
- a known or trusted account, where a second party authenticates another’s credentials
- a biometric test, for example face identification – this may need careful consideration as it might require a biometric policy depending on how the data is stored
Where MFA is not available, a more complex password should be used following the recommended guidance around password security in this standard.
The NCSC has some further guidance on:
If staff access a number of systems, you should consider using a single sign on solution, which allows you to sign on once and access all applications.
Account management
IT support need to control user accounts and access privileges by:
- disabling accounts as soon as someone leaves
- creating and managing a process with human resources and your business professionals or the finance team to deal with joiners, leavers, and those moving roles
IT support should consider using tools that link to the management information system (MIS) to automatically create or delete user accounts which will make this process easier to manage.
IT support will also:
- make sure that accounts are set up so that students and staff only have access to the data and systems they need
- make sure that MFA is applied to any accounts and cloud-based applications for staff working away from the school or college, or remotely accessing the network
- make sure that remote access is disabled when not required, and enabled only by a member of authorised school or college staff
- make sure that enhanced security, such as MFAis always used where staff are handling confidential, personal or sensitive personal data – your data protection officer can advise which systems and data need this
- review accounts with your business professionals or the finance team every term to identify changes that might have been missed – this should include changing access levels and rights, and suspending or deleting accounts which are no longer in use
- make sure that global or administrative accounts are not used for routine business and that instead, dedicated accounts (not used for day-to-day email and work) have enhanced privileges – this helps limit any damage and track issues in the event of an incident or attack
- agree a process for handling administrative accounts so that a member of SLT or a trustee approves any changes to access levels or privileges before IT support can action the change
- make sure SLT have access to a dedicated administrative account – this will only be needed in an emergency where IT support is unavailable
The NCSC has detailed guidance on privileged access management.
When to meet this standard
You should already be meeting this standard. This will make sure that your data and digital technology is best protected against cyber threats.
If you are not already meeting this standard, then you should implement this as soon as possible through a structured, well managed rollout plan.
Related standards
The following digital standards should also be considered when completing this standard.
Cloud solutions:
Servers and storage:
Laptops, desktops and tablets:
Network switching:
Wireless network:
Broadband:
