
DfE Cyber Security Standards Support

Maintaining a secure digital environment for students and staff is paramount, and navigating the complexities of the DfE cyber security standards can be demanding. Each section below breaks down one standard, highlighting how our products and services can be used to improve your security posture.

    Protect all devices on every network with a properly configured boundary or software firewall

    Technical requirements to meet the standard

    To meet this standard you must:

    • protect every device with a correctly configured boundary, software firewall, or a device that performs the same function
    • change the default administrator password, or disable remote access on each firewall
    • protect access to the firewall’s administrative interface with multi-factor authentication (MFA), or a small specified IP-allow list combined with a managed password, or prevent access from the internet entirely
    • keep firewall firmware up to date
    • check monitoring logs as they can be useful in detecting suspicious activity
    • block inbound unauthenticated connections by default
    • document reasons why particular inbound traffic has been permitted through the firewall
    • review the reasons why particular inbound traffic has been permitted through the firewall regularly, and change the rules when access is no longer needed
    • enable a software firewall for devices used on untrusted networks, like public wi-fi
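    The three rule-hygiene requirements above (block inbound by default, document every permitted inbound flow, review those reasons regularly) can be checked mechanically against a rule register. The script below is an added illustration, not LGfL or DfE code: it audits a constructed register of inbound allow rules and flags rules with no recorded reason or change ticket, rules whose last review is older than an assumed 90-day interval, and remote-administration ports open to any source (which would contradict the requirement that the administrative interface is never reachable from the internet). The rule data, the 90-day interval and the set of administration ports are assumptions for the example.

```python
from datetime import date, timedelta

# Assumption: "review often" is read here as at least every 90 days.
REVIEW_INTERVAL = timedelta(days=90)
# Assumption: ports commonly used for remote administration, which the
# standard says must never be reachable from the internet.
ADMIN_PORTS = {22, 3389, 5900}

# Constructed sample register (not a real school's firewall). A real one would
# be exported from the firewall or built from Request for Change records.
INBOUND_RULES = [
    {"id": 1, "src": "any", "dst_port": 443,
     "reason": "public website on DMZ host", "ticket": "RFC-0001",
     "last_review": date(2024, 1, 10)},
    {"id": 2, "src": "203.0.113.0/24", "dst_port": 8443,
     "reason": "", "ticket": "",
     "last_review": date(2024, 3, 1)},
    {"id": 3, "src": "198.51.100.7", "dst_port": 22,
     "reason": "MIS vendor support", "ticket": "RFC-0042",
     "last_review": date(2023, 6, 1)},
    {"id": 4, "src": "any", "dst_port": 3389,
     "reason": "remote desktop for staff", "ticket": "RFC-0050",
     "last_review": date(2024, 3, 20)},
]
AUDIT_DATE = date(2024, 4, 1)  # constructed "today" for the sample run


def audit_inbound_rules(rules, today, review_interval=REVIEW_INTERVAL):
    """Return (rule id, finding) pairs for every inbound allow rule that
    breaks one of the standard's documentation or exposure requirements."""
    findings = []
    for rule in rules:
        # Every permitted inbound flow needs a documented reason and a change record.
        if not rule["reason"] or not rule["ticket"]:
            findings.append((rule["id"], "undocumented: no reason or change ticket recorded"))
        # Reasons must be reviewed regularly so stale access gets removed.
        if today - rule["last_review"] > review_interval:
            findings.append((rule["id"], f"review overdue: last reviewed {rule['last_review'].isoformat()}"))
        # Remote administration open to the whole internet contradicts the
        # requirement that admin access is never available from the internet.
        if rule["src"] == "any" and rule["dst_port"] in ADMIN_PORTS:
            findings.append((rule["id"], f"remote administration port {rule['dst_port']} exposed to any source"))
    return findings


if __name__ == "__main__":
    for rule_id, text in audit_inbound_rules(INBOUND_RULES, AUDIT_DATE):
        print(f"rule {rule_id}: {text}")
```

    Run against the sample register, rule 1 passes, rule 2 is flagged as undocumented, rule 3 as overdue for review and rule 4 as exposing remote administration. The same check can be scheduled to run against a nightly export so that stale or undocumented rules surface before the next formal review.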

    What LGfL does for you

    • Every LGfL site has a correctly configured boundary firewall.

    • The default administrator password on this firewall is always changed before it enters service.

    • Access to the firewall's administrative interface is restricted to a small specified IP-allow list and is not available from the internet.

    • LGfL keeps the firewall firmware up to date.

    • LGfL subscribes to Jisc's protection service, which actively highlights suspicious activity.

    • Inbound unauthenticated connections are blocked by default.

    • All changes that enable inbound traffic must be submitted via a Request for Change, which is logged in the service desk.

    What isn't covered by LGfL

    • Enabling a software firewall for devices on untrusted networks cannot be done by LGfL.

    However, you can manage the software firewall for Windows devices with Sophos Intercept X Advanced, which is included as part of the LGfL subscription. For further details, please check Sophos' website.

    Network devices should be known and recorded with their security features enabled, correctly configured and kept up-to-date

    Technical requirements to meet the standard

    To meet this standard you must:

    • keep a register, list, or diagram of all the network devices

    • avoid leaving network devices in unlocked or unattended locations

    • remove or disable unused user accounts, including guest and unused administrator accounts

    • change default device passwords

    • require authentication for users to access sensitive school data or network data

    • remove or disable all unnecessary software according to your organisational need

    • disable any auto-run features that allow file execution

    • set up filtering and monitoring services to work with the network’s security features enabled

    • immediately change passwords which have been compromised or suspected of compromise

    • protect against a brute-force attack on all passwords by allowing no more than 10 guesses in 5 minutes, or locking devices after no more than 10 unsuccessful attempts

    If network devices have conflicting security features, document the decisions you make on which security features have been enabled or disabled on your network. Review this document when you change these decisions.

    To physically access switches and boot-up settings use a password or PIN of at least 6 characters. The password or PIN must only be used to access this device.

    For all other devices, you must enforce password strength at the system level. If you use a deny list for automatic blocking of common passwords, use a password with at least 8 characters. If you do not use a deny list, use a password with at least 12 characters or a biometric test.

    Password manager software is recommended.

    How LGfL can help

    LGfL provides the Elevate Cybersecurity Toolkit, which includes template hardware and software asset registers. You can use these to record the devices you have in your school.

    Using Application Policies within Sophos Intercept X Advanced you can prevent any unnecessary software from being able to run.

    All LGfL schools' internet connections are filtered using LGfL's Webscreen solution (unless a school has opted out of this service). Schools also benefit from Jisc's threat monitoring services, which provide proactive alerts for malicious traffic.

    LGfL changes the default device passwords for all equipment that it provides as part of a school's connection to the internet.

    What isn't covered by LGfL

    All other requirements of this standard cannot be met by LGfL, as they do not form part of the LGfL service.

    Accounts should only have the access they require to perform their role and should be authenticated to access data and services

    Technical requirements to meet the standard

    You must control user accounts and access privileges, including accounts used by third parties, for example support services or device management.

    Only authorised people can have an account which allows them to access, alter, disclose or delete the held personal data. The data owner or controller, or the data protection officer, must identify and authorise these tasks.

    Users should have a separate account for routine business, including internet access, if their main account:

    • is an administrative account

    • enables the execution of software that makes significant system or security changes

    • can make changes to the operating system

    • can create new accounts

    • can change the privileges of existing accounts

    Users must be authenticated with unique credentials before they access devices or services. This can include using passwords.

    You must enforce password strength at the system level.

    If you use a deny list for automatic blocking of common passwords, use a password with at least 8 characters. If you do not use a deny list, use a password with at least 12 characters or a biometric test. The National Cyber Security Centre recommends using passwords made up of 3 random words. Enforce account lockouts after a number of failed attempts and require service provider or network manager permission to unlock.
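    The password and lockout rules in this standard and in the network devices standard above (8 characters with a deny list, otherwise 12; a 6-character minimum for switch console and boot-up PINs; no more than 10 guesses in 5 minutes, or a lock after 10 failed attempts that only a network manager can clear) are precise enough to encode. The following is an added example, not LGfL, DfE or NCSC code: it implements those checks and a per-account guess tracker so a system owner can see how each rule behaves on realistic input. The deny list and the timestamps are constructed for the example.

```python
from __future__ import annotations

from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample deny list; a real deployment would load a published list
# of commonly used passwords. This one is only illustrative.
DENY_LIST = {"password", "password1", "123456", "qwerty", "letmein", "welcome1"}

MIN_LEN_WITH_DENY_LIST = 8      # deny list blocks common passwords
MIN_LEN_WITHOUT_DENY_LIST = 12  # no deny list (the standard also allows a biometric)
MIN_DEVICE_PIN_LEN = 6          # switch console / boot-up settings
MAX_GUESSES = 10                # no more than 10 guesses in 5 minutes
GUESS_WINDOW = timedelta(minutes=5)


def check_password(password: str, deny_list: set[str] | None = None) -> tuple[bool, str]:
    """Apply the DfE length rule. Returns (accepted, reason)."""
    if deny_list is not None:
        if password.lower() in deny_list:
            return False, "password is on the deny list"
        if len(password) < MIN_LEN_WITH_DENY_LIST:
            return False, f"fewer than {MIN_LEN_WITH_DENY_LIST} characters"
        return True, "ok"
    if len(password) < MIN_LEN_WITHOUT_DENY_LIST:
        return False, f"no deny list in use, so {MIN_LEN_WITHOUT_DENY_LIST}+ characters are required"
    return True, "ok"


def check_device_pin(pin: str) -> bool:
    """A switch console or boot-settings password/PIN must be at least 6 characters."""
    return len(pin) >= MIN_DEVICE_PIN_LEN


class LockoutTracker:
    """Throttles guessing to MAX_GUESSES failures per GUESS_WINDOW per account.
    If lock_after is set, that many consecutive failures also hard-lock the
    account until an administrator (network manager) unlocks it."""

    def __init__(self, lock_after: int | None = None) -> None:
        self.lock_after = lock_after
        self._recent = defaultdict(deque)   # account -> timestamps of recent failures
        self._consecutive = defaultdict(int)
        self._locked = set()

    def _prune(self, account: str, now: datetime) -> None:
        window = self._recent[account]
        while window and now - window[0] > GUESS_WINDOW:
            window.popleft()

    def may_attempt(self, account: str, now: datetime) -> bool:
        """True if a login attempt for `account` should be processed at `now`."""
        if account in self._locked:
            return False
        self._prune(account, now)
        return len(self._recent[account]) < MAX_GUESSES

    def record_failure(self, account: str, now: datetime) -> bool:
        """Record a failed login. Returns True if the account is now hard-locked."""
        self._prune(account, now)
        self._recent[account].append(now)
        self._consecutive[account] += 1
        if self.lock_after is not None and self._consecutive[account] >= self.lock_after:
            self._locked.add(account)
        return account in self._locked

    def record_success(self, account: str) -> None:
        self._consecutive[account] = 0
        self._recent[account].clear()

    def admin_unlock(self, account: str) -> None:
        """Only a network manager / service provider clears a hard lock."""
        self._locked.discard(account)
        self._consecutive[account] = 0
        self._recent[account].clear()


def demo_scenarios(start: datetime = datetime(2024, 4, 1, 8, 0, 0)) -> dict[str, bool]:
    """Drive both policies through a burst of ten failed logins (constructed
    timestamps) and return the observations a reviewer would check."""
    out = {}
    throttle = LockoutTracker()
    for i in range(MAX_GUESSES):
        throttle.record_failure("alice", start + timedelta(seconds=i))
    out["throttled_after_10"] = not throttle.may_attempt("alice", start + timedelta(seconds=10))
    out["throttle_clears_after_window"] = throttle.may_attempt("alice", start + timedelta(minutes=6))

    locker = LockoutTracker(lock_after=MAX_GUESSES)
    locked = False
    for i in range(MAX_GUESSES):
        locked = locker.record_failure("bob", start + timedelta(seconds=i))
    out["locked_after_10"] = locked
    out["still_locked_an_hour_later"] = not locker.may_attempt("bob", start + timedelta(hours=1))
    locker.admin_unlock("bob")
    out["usable_after_admin_unlock"] = locker.may_attempt("bob", start + timedelta(hours=1))
    return out
```

    The two tracker modes correspond to the standard's "or": the throttle alone lets an account recover after the 5-minute window, while the hard lock stays until someone with permission clears it, which is what the requirement for service provider or network manager sign-off implies.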

    The National Cyber Security Centre provides guidance on password administration for system owners.

    You must immediately change any password that has been compromised or suspected of compromise.

    You must remove unused accounts. This may include the accounts of users who have left their employment, or accounts that have not been used for a prolonged period of time. This is particularly important for accounts with administrator privileges. You should review this termly.

    Unused role privileges must be removed or disabled.

    No user’s account should have more access to devices than required to carry out their role.

    Use different accounts with specific rights for different purposes or have IT service providers and administrators enable just-in-time access, giving individual users time-limited privileges as required. The National Cyber Security Centre provides detailed guidance on privileged access management.

    For younger children or users with special educational needs:

    • consider using authentication methods other than passwords

    • consider using a separate account accessed by the teacher rather than the student

    • segment the network so such accounts cannot reach sensitive data

    • consider if the data or service being accessed requires authentication

    The NCSC offers this guidance on alternatives to passwords.

    You should not use global administrator accounts for routine business.

    You should only use accounts requiring administrator privileges to complete the tasks that need it.

    You should use service accounts for running system services and not user accounts.

    How LGfL can help

    The LGfL support site has been implemented with the least privilege and role-based access controls. This ensures that only authorised members of staff can access the information they need to manage their services with us.

    What isn't covered by LGfL

    As this requirement covers how different systems are configured, it falls to the person/team in each school who is responsible for managing each of them to ensure that it is meeting this standard.

    You should protect accounts with access to personal or sensitive operational data and functions by multi-factor authentication

    Technical requirements to meet the standard

    Where practical, you must enable multi-factor authentication. This should always include cloud services for non-teaching staff. All staff are strongly encouraged to use multi-factor authentication.

    Ask users for a second authentication factor when accessing sensitive data. For example, when moving from a lesson plan to financial or personal data.

    Multi-factor authentication should include at least 2 of the following:

    • passwords constructed in the formats described earlier in Standard 3
    • a managed device, that may belong to the organisation
    • an application on a trusted device
    • a device with a trusted network IP address; you should not use this in MFA for accounts with administrator rights or for accessing sensitive data
    • a physically separate token
    • a known/trusted account, where a second party authenticates another’s credentials
    • a biometric test

    How LGfL can help

    LGfL has a variety of different services that may have access to personal or sensitive operational data. All of the systems in the list below either have multi-factor authentication turned on by default, or can be configured to enable it.

    • The LGfL support site & Webscreen
    • Sophos Central
    • Malwarebytes
    • Meraki
    • Adobe Creative Cloud
    • Egress
    • Gridstore

    What isn't covered by LGfL

    It will be the responsibility of the person/team in each school who is responsible for managing each system to ensure that it is meeting this standard.

    You should use anti-malware software to protect all devices in the network, including cloud-based networks

    Technical requirements to meet the standard

    You must make sure anti-malware software and associated files and databases are kept up to date.

    Make sure the anti-malware software:

    • is set up to scan files upon access, when downloaded, opened, or accessed from a network folder
    • scans web pages as they are accessed
    • prevents access to potentially malicious websites, unless risk-assessed, authorised and documented against a specific business requirement

    Do not run applications or access data which has been identified as malware. Use the anti-malware software to eliminate the problem.

    How LGfL can help

    LGfL includes Sophos Intercept X Advanced which can be configured to meet all the requirements of this standard.

    What isn't covered by LGfL

    Although Sophos Intercept X Advanced can meet all of the requirements in this standard, it is still important to check that it is set up and working as needed.

    At a minimum, you should:

    • Ensure that all devices in the school have Sophos installed and working
    • Check that Sophos' recommended settings are configured
    • Check that alerts are set up, and that someone is monitoring them

    Click here to find out more about Sophos best-practice settings.

    An administrator should check the security of all applications downloaded onto a network

    Technical requirements to meet the standard

    The IT service provider should approve all code and applications that are deployed and make sure they do not pose a security risk. They should do this in the best way possible given available resources.

    Best practice is to maintain a current list of approved applications. Applications with invalid or no digital signatures should not be installed or used.

    You could search the internet to check the reputation of the application and the hosting site, or run unknown applications or code within a sandbox environment.

    Make sure the network’s anti-malware service is scanning all downloaded applications.

    How LGfL can help

    The LGfL Elevate Cybersecurity Toolkit includes a template software asset inventory which can be used to record approved applications.

    With Sophos Intercept X Advanced it is possible to implement Application Control policies which will prevent unauthorised software from running.

    What isn't covered by LGfL

    To meet this standard it will be the school's responsibility to ensure that Sophos Intercept X Advanced has been configured properly.

    The school will also need to check the applications before they're approved to be installed and used on the school network.

    All online devices and software must be licensed for use and should be patched with the latest security updates

    Technical requirements to meet the standard

    All software must be currently licensed.

    The licensing of most modern software can be checked through the software itself. Software which successfully updates can be presumed to be licensed. Older software may have to be researched.

    You should remove unsupported software. If this is not possible then you must only use the software on parts of the network which prevent all traffic to and from the internet. Support does not have to come from the original manufacturer and can come from third parties as long as this does not invalidate a licence.

    Unsupported devices must only access segmented areas of the network which do not grant access to sensitive data.

    You must enable automatic updates.

    You must complete manual updates to hardware or software, including configuration changes, within 14 days of the release of the patch where the vulnerability:

    • is described as high risk or worse

    • has a Common Vulnerability Scoring System (CVSSv3) score of 7 or above

    The Common Vulnerability Scoring System is the security industry standard for measuring the danger of a vulnerability. The score is a number from 1 to 10 where 10 is the most dangerous. There is a more detailed explanation of CVSSv3 on the NVD website.

    When notified by the Department for Education (DfE), patches should be applied within 3 days of notification. This will only be done in instances of dangerous zero-day attacks where institutions are at immediate risk and there is a suitable patch available.
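    The two deadlines above (14 days from patch release for high-risk or CVSSv3 7+ vulnerabilities, 3 days from a DfE notification) are easy to get wrong when tracked by hand across many products. The script below is an added example, not LGfL or DfE tooling: it derives the deadline for each advisory, compares the fixed version with what is installed, and reports which items are patched, overdue, still due, or carry no fixed deadline under the standard. Product names, versions, dates and scores are constructed for the example.

```python
from datetime import date, timedelta

CVSS_HIGH = 7.0
HIGH_RISK_SLA = timedelta(days=14)    # high risk / CVSSv3 >= 7: 14 days from patch release
DFE_NOTIFIED_SLA = timedelta(days=3)  # DfE zero-day notification: 3 days from notification


def parse_version(text):
    """'16.0.2' -> (16, 0, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def patch_deadline(released, cvss=None, severity=None, dfe_notified=None):
    """Date by which the fix must be installed, or None when the standard sets
    no fixed deadline (automatic updates should still pick it up)."""
    if dfe_notified is not None:
        return dfe_notified + DFE_NOTIFIED_SLA
    high_risk = (cvss is not None and cvss >= CVSS_HIGH) or \
                (severity or "").lower() in {"high", "critical"}
    if high_risk:
        return released + HIGH_RISK_SLA
    return None


# Constructed sample data: invented products, versions, dates and scores.
INSTALLED = {"Browser": "120.0.1", "MIS": "5.2", "VPN client": "3.1.0", "Office": "16.0"}
ADVISORIES = [
    {"product": "Browser", "fixed_in": "121.0.0", "released": date(2024, 4, 10),
     "cvss": 8.1, "severity": "high"},
    {"product": "MIS", "fixed_in": "5.3", "released": date(2024, 4, 20),
     "cvss": 5.0, "severity": "medium"},
    {"product": "VPN client", "fixed_in": "3.1.1", "released": date(2024, 4, 28),
     "cvss": 9.8, "severity": "critical", "dfe_notified": date(2024, 4, 29)},
    {"product": "Office", "fixed_in": "16.0", "released": date(2024, 3, 1),
     "cvss": 7.5, "severity": "high"},
]
REPORT_DATE = date(2024, 5, 1)  # constructed "today" for the sample run


def patch_status(advisories, installed, today):
    """Classify each advisory against the installed inventory as
    patched, overdue, due (deadline still ahead) or no-deadline."""
    rows = []
    for adv in advisories:
        current = installed.get(adv["product"])
        if current is None:
            continue  # product not in this inventory
        if parse_version(current) >= parse_version(adv["fixed_in"]):
            rows.append((adv["product"], "patched", None))
            continue
        deadline = patch_deadline(adv["released"], adv.get("cvss"),
                                  adv.get("severity"), adv.get("dfe_notified"))
        if deadline is None:
            status = "no-deadline"
        elif today > deadline:
            status = "overdue"
        else:
            status = "due"
        rows.append((adv["product"], status, deadline))
    return rows


if __name__ == "__main__":
    for product, status, deadline in patch_status(ADVISORIES, INSTALLED, REPORT_DATE):
        print(f"{product:12} {status:12} {deadline or ''}")
```

    On the sample inventory the browser fix (released 10 April, CVSS 8.1) was due by 24 April and is overdue on 1 May; the VPN client fix notified by DfE on 29 April is due by 2 May; the medium-severity MIS update has no fixed deadline under the standard; and Office is already at the fixed version. Feeding the same function an export from an inventory tool such as the one described in the next section turns the 14-day rule into a routine report.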

    How LGfL can help

    The LGfL Elevate Cybersecurity Toolkit includes a template software asset inventory which can be used to track approved software.

    In addition, LGfL includes Malwarebytes Incident Response in the Let's Get Digital subscription. Incident Response can be used to audit the versions of currently installed software, making it easier to ensure that unsupported software is removed and that updates are installed within 14 days.

    The LGfL Security School Report (a service which is available for free for all schools) can let you know if your publicly facing services have known vulnerabilities which have security updates available for them.

    You should have at least 3 backup copies of important data, on at least 2 separate devices, at least 1 must be off-site

    Technical requirements to meet the standard

    You should have at least 3 backup copies of important data, on at least 2 separate devices. At least 1 of these copies must be off-site (on large sites, these copies should be far enough away to avoid dangers from fire, flood, theft and similar risks).

    Remember, you need 3 backup copies, you do not need 3 storage locations or 3 storage devices. For example, 2 backups taken at different times on the same device (as long as they do not overwrite each other) will count as 2 of the 3 backup copies.

    You should schedule backups regularly. How often you need to create backups depends on:

    • how often the data changes
    • how difficult the information would be to replace if the backups failed

    At least 1 of the backups must be offline at all times. An offline backup is sometimes known as a cold backup.

    A cloud backup is an off-site backup. Data held in separate cloud services is held on separate devices.

    If the offline backup is in the cloud, access must be:

    • by a secure account identity
    • impossible from any device unless an authorised user has logged on in person

    Remember, off-site means in an alternative physical or digital location; offline means not connected to the network.

    The number of devices with these access permissions must be kept to an absolute minimum.

    A secure account identity is defined as a specified account secured with a username and multi-factor authentication.

    A device which cannot access the backup is defined as a device that has no valid credentials.

    Where the cloud services allow it, set up the controls to:

    • only allow authorised devices to create new or appended backups
    • deny connection requests when backup is not in use

    Regularly check that the backups work.
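    The counting rules above have a subtlety that trips schools up: two backups on the same device only count as two copies if they do not overwrite each other, and a cloud copy only counts as offline if it is not reachable from the network. The script below is an added example, not LGfL or DfE tooling: it takes a described set of backup copies, collapses copies that overwrite the same target, and checks the 3 copies / 2 devices / 1 off-site / 1 offline rule plus a recent restore test. The copies, device names and a monthly restore-test interval are constructed assumptions; a weak setup is shown beside a corrected one.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

RESTORE_TEST_INTERVAL = timedelta(days=31)  # assumption: restore a file at least monthly


@dataclass
class BackupCopy:
    label: str
    device: str             # physical device or cloud service holding the copy
    target: str             # path/bucket written to; same device+target means copies overwrite
    off_site: bool
    offline: bool           # cold: not reachable from the school network
    taken_at: datetime
    last_restore_test: Optional[datetime] = None


def assess_backups(copies, today, restore_interval=RESTORE_TEST_INTERVAL):
    """Check copies against the 3-copies / 2-devices / 1-off-site rule, the
    always-offline requirement and regular restore testing. Returns a list of
    findings; an empty list means the policy is met."""
    # Copies that overwrite the same target on the same device count once.
    surviving = {}
    for c in copies:
        key = (c.device, c.target)
        if key not in surviving or c.taken_at > surviving[key].taken_at:
            surviving[key] = c
    kept = list(surviving.values())

    findings = []
    if len(kept) < 3:
        findings.append(f"only {len(kept)} distinct copies; at least 3 required")
    if len({c.device for c in kept}) < 2:
        findings.append("all copies are on one device; at least 2 devices required")
    if not any(c.off_site for c in kept):
        findings.append("no off-site copy")
    if not any(c.offline for c in kept):
        findings.append("no offline (cold) copy")
    tested = [c.last_restore_test for c in kept if c.last_restore_test is not None]
    if not tested or today - max(tested) > restore_interval:
        findings.append("no restore test within the last month")
    return findings


NOW = datetime(2024, 5, 1, 9, 0)  # constructed "today"

# Constructed weak setup: looks like three backups, but the two NAS jobs write
# the same target, and nothing is offline or restore-tested.
WEAK = [
    BackupCopy("NAS Monday", "school-nas", "/backups/latest", False, False, NOW - timedelta(days=2)),
    BackupCopy("NAS Tuesday", "school-nas", "/backups/latest", False, False, NOW - timedelta(days=1)),
    BackupCopy("cloud sync", "cloud-service-A", "mis/", True, False, NOW - timedelta(hours=6)),
]

# Corrected: two rotating NAS targets plus an off-site cloud copy that is not
# reachable from the network, with a restore test ten days ago.
CORRECTED = [
    BackupCopy("NAS odd days", "school-nas", "/backups/set-a", False, False, NOW - timedelta(days=2)),
    BackupCopy("NAS even days", "school-nas", "/backups/set-b", False, False, NOW - timedelta(days=1)),
    BackupCopy("cloud cold copy", "cloud-service-A", "mis/", True, True,
               NOW - timedelta(hours=6), NOW - timedelta(days=10)),
]

if __name__ == "__main__":
    print("weak:", assess_backups(WEAK, NOW))
    print("corrected:", assess_backups(CORRECTED, NOW))
```

    The weak setup yields three findings (only two distinct copies, no offline copy, no restore test); the corrected one yields none. The "offline" flag is a statement about access control, so for a cloud copy it should only be set when the controls listed above (a secure account identity with MFA, access only from authorised devices, connections denied when the backup is not in use) are actually in place.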

    How LGfL can help

    LGfL schools that are eligible can benefit from access to Gridstore, LGfL's cloud-based backup solution, which meets all of the requirements for one of your backup devices. This provides 50GB free of charge to primary and special schools and 100GB to secondary schools. It is an excellent way to protect your most critical data, such as your MIS or Single Central Record.

    For details about this, and how to get more storage, please check here.

    What isn't covered by LGfL

    You'll need to make sure you have the right backup solutions in place and that they're configured properly. If your backup uses an encryption key, make sure it is in a safe place that can be accessed if you are prevented from using any IT systems.

    We still hear of schools impacted by ransomware going to their backups to start recovering, and finding that the backups have been encrypted or wiped. This is why it is so important to have an off-site, offline or air-gapped backup.

    You will also need to check that your backups include the right servers and data and that they're running effectively. It's really important to check that you can recover from your backups; this can be as simple as scheduling a reminder to restore a file once a month. Completing a test run of your Disaster Recovery plan is a great way to know how effective your backup solution is, and how long it can take to recover operations.

    Your business continuity and disaster recovery plan should include a regularly tested contingency plan in response to a cyber attack

    Technical requirements to meet the standard

    All schools and colleges must include a contingency plan for the loss of some or all IT systems in their business continuity and disaster recovery plan. This is required by the schools financial value standard.

    This plan must include:

    • staff responsibilities
    • out of hours contacts and procedures
    • internal and external reporting and communications plans
    • priorities for service restoration
    • the minimum operational IT requirements
    • where you can find additional help and resources

    Keep hard copies of key information in case of total system failure.

    Test and review these plans regularly.

    How LGfL can help

    LGfL has a template Incident Response Plan available in the Elevate Cybersecurity Toolkit for Schools that can be used as a basis for your business continuity or disaster recovery plan. The kit also includes template asset registers that can help with the schools financial value standard.

    What isn't covered by LGfL

    Don’t forget to store your backup encryption keys in a location that is accessible in the event of a total system failure.
    We would recommend that you complete one of the NCSC’s Exercises in a Box to test how effective your disaster recovery plans are.

    Serious cyber attacks should be reported

    Technical requirements to meet the standard

    Schools and colleges must report cyber attacks to:

    • Action Fraud
    • DfE

    Where applicable, schools and colleges must report cyber attacks to the ICO.

    You must act in accordance with:

    How LGfL can help

    Sorry, we can’t help you report a serious cyber attack.

    If you are the victim of an attack, we can help in other ways, from performing health checks on your public-facing services and providing Sophos antivirus protection, to assisting with recovery from Gridstore and providing guidance.

    You must conduct a Data Protection Impact Assessment by statute for personal data you hold as required by General Data Protection Regulation

    How to meet the standard

    You should control access to data in consultation with your IT service provider and the Data Protection Officer. This is to safeguard staff and students as required by the General Data Protection Regulation (GDPR).

    To meet the standard, you must:

    • understand the definition of personal data
    • assess the risk of compromise, and the degree of damage caused by a security compromise, to work out the resources required to protect the data

    There is DfE guidance on:

    • academy trust risk management
    • data protection for schools

    • pseudonymise or encrypt any personal data while stored and in transit to a third-party
    • ensure the confidentiality, integrity and availability of the data and systems processing them
    • restore complete and accurate data after an incident in a timely fashion
    • design and apply processes for testing and assessing the effectiveness of all measures used to safeguard data and its use

    Technical requirements to meet the standard

    Academy trusts should incorporate the risk assessment into the risk register.

    If you rely upon encryption to protect data, this should be:

    • strong encryption

    • using encryption systems that are still supported

    • with a life appropriate to the sensitivity of the data being stored

    The ICO provides advice on how data encryption should be used.

    The ICO also provides a template for DPIA.

    Additional protection or password protection should meet the technical requirements in the account access standard.

    You should limit access to those staff with a specific need. Do this by specific content area, and not blanket permissions.

    By achieving all the cyber standards you can meet the additional requirements for:

    • confidentiality

    • integrity

    • availability

    • restoration

    What LGfL does for you

    In accordance with the General Data Protection Regulation (GDPR), LGfL, as a data processor, conducts regular Data Protection Impact Assessments (DPIAs) for the services it provides to schools. These DPIAs are a rigorous process that helps us to identify and assess the risks associated with our data processing activities, and to implement appropriate measures to mitigate those risks.

    We are committed to protecting the privacy of the personal data that we process on behalf of schools. Our DPIAs are an essential part of this commitment, and they help us to ensure that we are meeting all of the requirements of the GDPR.

    Train all staff with access to school IT networks in the basics of Cyber Security

    Technical requirements to meet the standard

    Staff who require access to your IT network must take basic cyber security training every year. The training should be part of the induction training for new staff.

    This training should focus on:

    • phishing

    • password security

    • social engineering

    • the dangers of removable storage media

    The National Cyber Security Centre has published suitable training materials:

    At least one current governor must complete the same basic cyber security training. These governors should read the NCSC publication school cyber security questions for governors.

    How LGfL can help

    LGfL delivers the NCSC's Cybersecurity Training for School Staff, which covers each of the requirements listed. This can be used as an introduction to the course, with the opportunity to ask our experts any questions you may have. You can book here.

    This should empower you to use the NCSC's training material to deliver the same course to all your staff. Further details about the training, and the resources you can download, are available here.


    © Copyright LGfL

    Registered Address: 9th Floor, 10 Exchange Square, Primrose Street, London, EC2A 2BR. London Grid for Learning Trust - a charity whose mission is the advancement of Education. A company limited by guarantee registered in England no 4205579. Reg charity no 1090412.