Updates: Meeting digital and technology standards in schools and colleges

2024

6 November 2024 published amendments

Broadband internet standards for schools and colleges

Added a link to the guidance 'Compare types of broadband for schools and colleges'.

Digital leadership and governance standards

Added a link to DfE contracts register template, asset register template and information asset register template.

22 October 2024 published amendments

Filtering and monitoring standards for schools and colleges

1. Identify and assign roles and responsibilities to manage your filtering and monitoring systems.

Updates include:

- emphasis on the responsibility of governing bodies and proprietors to make sure appropriate systems are in place
- outlining Keeping children safe in education (KCSIE) requirements in relation to online safety and how the standards can help you meet those requirements

2. Review your filtering and monitoring provision at least annually.

We have added a more comprehensive assessment of student risk profiles, including the use of generative artificial intelligence.

3. Filtering systems should block harmful and inappropriate content, without unreasonably impacting teaching and learning.

Updates to this standard include:

- using safe search in browsers or search engines
- establishing clear expectations for the use of devices without functioning filtering and monitoring
- ensuring that bring your own devices (BYOD) have adequate filtering and monitoring measures in place
- awareness of new technologies that reduce the effectiveness of filtering measures

4. Have effective monitoring strategies that meet the safeguarding needs of your school or college.

Updates to this standard include:

- clarification on the role of in-person monitoring
- new information added to 'The technical requirements to meet the standard'
- new information added to the technical requirements to meet the standard, regarding school managed devices, monitoring reports and incident response, stating that schools should have a policy for incident response in relation to monitoring incidents

20 May 2024 published amendments

Cyber security standards for schools and colleges

The cyber security standards have been updated to address tasks that should be completed by both the senior leadership team (SLT) and IT support. Cyber security is not something that IT teams can carry out alone; it is a shared responsibility between multiple roles and teams.

The new cyber security standards contain the same key information that the previous cyber security standards held, but the format of this has changed to make them more accessible to staff without cyber expertise.

The previous cyber security standards have been mapped to the new ones below, so that you can see where the previous information now lies.

1. 'Conduct a cyber risk assessment annually and review every term'. This new standard addresses:

- elements of the previous standard titled ‘Your business continuity and disaster recovery plan should include a regularly tested contingency plan in response to a cyber attack’ 
- the importance of risk assessments; helping users understand where they are now and where they need to go next to improve their cyber security

2. 'Create and implement a cyber awareness plan for students and staff'. This standard addresses:

- the previous standard titled 'Train all staff with access to school IT networks in the basics of cyber security'
- the importance of students and staff understanding the risk of cyber security as your first line of defence against cyber incidents and attacks - this includes both training students and staff, as well as developing and implementing an acceptable use policy

3. 'Secure digital technology and data with anti-malware and a firewall'. This standard addresses the previous standards titled:

- 'Protect all devices on every network with a properly configured boundary or software firewall'
- 'Network devices should be known and recorded with their security features enabled, correctly configured and kept up-to-date'
- 'You should use anti-malware software to protect all devices in the network, including cloud-based networks' 
- 'An administrator should check the security of all applications downloaded onto a network' 

4. 'Control and secure user accounts and access privileges'. This new standard addresses the previous standards titled:

- 'Accounts should only have the access they require to perform their role and should be authenticated to access data and service'
- 'You should protect accounts with access to personal or sensitive operational data and functions by multi-factor authentication'

This standard covers password security, multi-factor authentication and account management.

5. 'License digital technology and keep it up to date'. This new standard addresses the previous standard titled:

- 'All devices and software must be licensed for use and should be patched with the latest security updates'

6. 'Develop and implement a plan to backup your data and review this every year'. This new standard addresses: 

- the previous standard titled 'You should have at least 3 backup copies of important data, on at least 2 separate devices, at least 1 must be offsite'
- the need to analyse what your current backup plan looks like
- the need to plan and action how to back up and restore your data

7. 'Report cyber attacks'. This new standard addresses:

- the previous standard titled 'Serious cyber attacks should be reported'
- reporting a cyber attack both internally within your school or college and to external bodies

In addition to the above changes, the DfE have also removed the below standards and have explained why.

'Your business continuity and disaster recovery plan should include a regularly tested contingency plan in response to a cyber attack'. 

- This has been removed as it is now addressed in the DfE’s new digital leadership and governance standards under the title ‘Include digital technology within disaster recovery and business continuity plans’. It is also referenced throughout the new standards. 

'You must conduct a Data Protection Impact Assessment (DPIA) by statute for personal data you hold as required by General Data Protection Regulation'. This has been removed because:

- this is included in the existing 'servers and storage' and 'cloud solution' standards
- DPIA is now mentioned throughout the new cyber security standards

'Network devices should be known and recorded with their security enabled, correctly configured and kept up-to-date'. 

- The important content from this is now within the relevant sections in the new standards.

24 January 2024 published amendments

Digital accessibility standards

New section added.

16 January 2024 published amendments

2023

29 March 2023 published amendments

2022

10 October 2022 published amendments