Latest News

DfE Updates to Cyber Security Standards

The cyber security standards have been updated to set out the tasks that should be completed by both the senior leadership team (SLT) and IT support. Cyber security is not something IT teams can carry out alone; it is a shared responsibility across multiple roles and teams.

The new cyber security standards contain the same key information as the previous standards, but the format has changed to make them more accessible to staff without cyber security expertise.

The changes made are as follows:

1. ‘Conduct a cyber risk assessment annually and review every term’. This new standard addresses:

– elements of the previous standard titled ‘Your business continuity and disaster recovery plan should include a regularly tested contingency plan in response to a cyber attack’

– the importance of risk assessments; helping users understand where they are now and where they need to go next to improve their cyber security

2. ‘Create and implement a cyber awareness plan for students and staff’. This standard addresses:

– the previous standard titled ‘Train all staff with access to school IT networks in the basics of cyber security’

– the importance of students and staff understanding cyber security risks, since they are your first line of defence against cyber incidents and attacks; this includes training students and staff, as well as developing and implementing an acceptable use policy

3. ‘Secure digital technology and data with anti-malware and a firewall’. This standard addresses the previous standards titled:

– ‘Protect all devices on every network with a properly configured boundary or software firewall’

– ‘Network devices should be known and recorded with their security features enabled, correctly configured and kept up-to-date’

– ‘You should use anti-malware software to protect all devices in the network, including cloud-based networks’

– ‘An administrator should check the security of all applications downloaded onto a network’

4. ‘Control and secure user accounts and access privileges’. This new standard addresses the previous standards titled:

– ‘Accounts should only have the access they require to perform their role and should be authenticated to access data and service’

– ‘You should protect accounts with access to personal or sensitive operational data and functions by multi-factor authentication’

This standard covers password security, multi-factor authentication and account management.

5. ‘License digital technology and keep it up to date’. This new standard addresses the previous standard titled:

– ‘All devices and software must be licensed for use and should be patched with the latest security updates’

6. ‘Develop and implement a plan to backup your data and review this every year’. This new standard addresses:

– the previous standard titled ‘You should have at least 3 backup copies of important data, on at least 2 separate devices, at least 1 must be offsite’

– the need to assess what your current backup plan looks like

– the need to plan, and act on, how you back up and restore your data

7. ‘Report cyber attacks’. This new standard addresses:

– the previous standard titled ‘Serious cyber attacks should be reported’

– reporting a cyber attack both internally within your school or college and to external bodies

To arrange a call to help you meet the latest standard updates, email

A full list of the standards is available here.