The process of becoming an e-safe school involves time, effort, and commitment. This is no less true for effective technical measures. The e-safety mark standards for infrastructure ‘reflect the importance of having effective systems in place to ensure the security of the school’s computer systems, system users and personal data.’
A word of caution: simply having a secure technical infrastructure does not ensure staff and students will behave safely! Education and training must go alongside any technical solutions. Having said that, here are four aspects of e-security every school should get right.
An effective password policy ensures users have access to all the IT systems, software and data they need, and no more. For a start, all users should log in with their own personal username and password, and shared accounts should not be used. Passwords should be age- and ability-appropriate, so very young or SEN users can have a simple password, which should be more complex for older or more able students.
Passwords should be regularly changed; the frequency of this will again depend on the users and the level of risk if their passwords are compromised. So you should enforce a more rigorous password policy with teachers than with students, since teachers have access to personal data of students.
It is also important to have a clear policy for the provision of new accounts, and for control and use of admin-level accounts.
Connectivity & Filtering
This is potentially complex area but in practice most schools use an ISP that has committed to meeting agreed standards for education. Essentially this means internet access should be filtered for all users, using an educational filtering solution. Usually this will be from a regional broadband consortium or a reputable commercial ISP specialising in education. Filtering policies should be consistent across the range of devices used in school, including personal mobile devices if allowed.
Human monitoring is an essential component – there is no such thing as a ‘set it and forget it’ internet filter. You should have a clear policy for frequently monitoring internet use and for dealing with breaches or misuse. Changes to allow or deny access to particular web sites should be managed through a formalised change request process, with changes authorised by a member of SLT.
Many schools find an additional system for monitoring the use of ICT extremely valuable. Systems such as Securus and Impero will monitor users’ keystrokes, comparing text entered against a list of key words and logging any violations. This can reduce the risk of cyber bullying, online grooming, explicit images and harmful sites such as those promoting suicide and anorexia.
Any school which has suffered from a virus or malware attack knows the importance of e-security! Your school needs effective policies for:
- anti-virus & anti-malware systems
- email spam filters
- software patches and updates
- removable media (USB drives, etc.)
- network monitoring
- recording and reporting of e-security incidents
- remote access to school networks
Don’t try to go it alone in this vital area. Local authorities and academy chains will have e-security technical requirements for schools, and the National Education Network (NEN) provides checklists and guidance sheets.
Make sure there is clear oversight for e-security from SLT and governors, and that there are regular reviews and audits of the safety and security of school computer systems. Education also plays a vital part! Make sure everyone knows the risks and their part in protecting the security of school systems.
Does your school have a data policy? And do your staff follow it?
The school and all users of data must adhere to the Data Protection Act. All staff need to understand the need to ensure the safe keeping of personal data, and know how to minimise the risk of its loss or misuse. Your policy should cover the use of data on paper as well as ICT systems; personal data should be stored and processed securely no matter what format it is in.
Ensure your policy covers staff taking home personal student data, for example, consider the use of encrypted laptops and USB drives.
However good your policy, users have to follow it! Through training and education, ensure all staff and students understand the risks and how to work safely and securely with personal data.
Don’t forget that parents and carers, and students over the age of 16, should be informed about their rights and about the use of personal data through the Privacy Notice (formerly Fair Processing Notice).
Need Further Help?
I can help you develop your e-safety policy, provide training for staff, pupils or parents, or help you achieve the e-safety mark. If you’d like to discuss how I can help or book an e-safety audit, get in touch here.
E-safety mark: http://www.360safe.org.uk/