Teach Secondary 13.8

CYBERSECURITY THIS WAY! LGfL’s Gareth Jelley discusses the elements that ought to form the foundations of every school’s cybersecurity policy What should be the starting point for a school’s cybersecurity policy? Much of it comes down to setting expectations. A cybersecurity policy needs to set out the roles of different parties within the school and what’s expected from each, before going into more detail regarding expectations around cloud services and user account standards. The latter might include things like setting password policies that require a certain level of password complexity, mandating multi-factor authentication wherever possible, establishing the need for regular data backups, and generally defining the things everyone assumes will already be in place (while checking that they actually are). How large should a school’s technical team typically be? This can vary significantly depending on the school’s approach to technology. An average-sized secondary school will likely have between two and four people – one appointed as a network manager, and others in technical or supporting roles. A network manager’s responsibilities will include carrying out regular replacements of IT kit based on a 3- to 5-year lifecycle and overseeing the school’s IT network as a whole, ensuring all devices are protected with appropriate antivirus measures, that servers are frequently backed up, and so forth. Since network managers are less likely to be tasked with everyday troubleshooting, they should have the capacity to monitor this bigger picture, and attend to the strategic planning that will be needed if a school’s cybersecurity measures are to work effectively. What attributes should school leaders be looking for when appointing staff to those roles? Besides obviously needing someone who’s technically competent, you’ll want a capable communicator with good organisational and strategic planning skills. There’s nothing worse than a network manager who rarely leaves the office to talk with staff, as they’ll be the last ones to discover that, for example, all staff have started using a third-party piece of software that the school’s data has been exposed to. What does best practice for logging IT management activity look like? There should be an IT risk register to help you plan the replacement of items falling out of support. What schools can often overlook, however, is the importance of keeping good IT asset registers to track things like security certificates, which operating systems run on what devices and the software being used in school – crucial details for keeping your school’s IT secure. Where’s the dividing line between a school’s day-to-day management of their cybersecurity, and any policies/ measures set by their governance structure? Matters of decision-making and how budgets should be allocated from available funds are largely delegated to schools themselves. WithinMATs, however,there can be huge variations between smaller trusts made of several local schools and those that operate nationally with a far more centralised approach to doing things. The latter will usually have strong core IT teams in place that essentially dictate what their schools need to be doing. They’ll often invest in skilled central teams, and appoint individuals to central roles with cybersecurity oversight spanning multiple schools as one of their key responsibilities. Schools left to manage cybersecurity matters for themselves will mainly refer to guidance passed down from the DfE. The department’s Cyber Security Standards for Schools and Colleges (see tiny.cc/ts138-HT1 ) are now starting to drive improvements in how schools see and focus on cybersecurity issues. Is there a core list of cybersecurity tools andmeasures that no school should be without? The DfE cyber security standards is a good place to start. Among others, they mention the requirement for good backup solutions and state that schools need to have enterprise-grade antivirus solutions in place. However, since they are standards, as opposed to regulations, it’s advice schools can choose to take on board, or decide is less of a priority compared to other areas. There is, however, a clear bridge from there to issues of safeguarding – and with Ofsted as Sort your DATA RETENTION | TECHNOLOGY | SAFEGUARDING School improvement advice for headteachers and SLT 73 teachwire.net/secondary L E A D E R S H I P

RkJQdWJsaXNoZXIy OTgwNDE2