Learn more about the measures all schools and colleges needs to implement to meet DfE digital standards and KCSIE

Schools and colleges have complex IT infrastructures, providing numerous opportunities for cyber attacks and security incidents.

To help schools keep up to date, the Department for Education (DfE) have published several standards that schools and colleges must meet for cyber security baselines and protecting user accounts.

Much like the Cyber Essentials standard for businesses, the DfE standards are designed for schools to address the risks associated with their hardware, software and data. By reviewing and addressing these risks, schools can understand how to keep students, staff and information safe.

Many schools are unaware of their requirements to meet these standards. We frequently have conversations with school leaders, SLT / SMT to raise awareness of their responsibilities and to prepare roadmaps to implement solutions to meet DfE requirements.

The requirements are wide-reaching, and include many topic areas. We’re focusing on just a few of the more common areas below.

Filtering and monitoring standards

In addition to the DfE digital standards, there is a statutory responsibility within the Keeping Children Safe In Education Act (KCSIE) to keep children safe online. Schools must have appropriate filtering and monitoring systems in place at all times on school devices and school networks. Filtering is preventative, while monitoring is reactive.

Note: these responsibilities also need to be in place for school-owned devices taken offsite, such as laptops given to students.

Identifying roles and responsibilities for managing filtering and monitoring

Schools must ensure their designated safeguarding lead (DSL) works closely with the SLT / SMT and IT support to make informed decisions regarding management and monitoring of systems. Appropriately trained staff need to be appointed to oversee the day-to-day filtering and monitoring.

Filtering systems should be active, up to date and applied to all:

• school or college-managed devices, including those taken offsite
• unmanaged devices under a bring your own device (BYOD) scheme
• guests who have access to the school internet

Devices that are not school or college managed should be on a separate virtual network.

Filtering systems should allow you to identify, as a minimum:

• device name or ID, IP address, and wherever possible, the individual or user
• the time and date of the attempted access
• the search time or content being blocked

Make sure that:

• users are identifiable to the school, so concerns can be traced back to an individual, including guest accounts where possible
• monitoring data is received in a format that your staff can understand

Laptop, desktop and tablet standards

The standard required by the DfE state ‘Devices should be safe and secure.‘ To meet this requirement, all school-owned devices need to be centrally managed and meet the needs of those using them. This includes devices that are taken offsite.

Central device management ensures the devices are kept safe and minimises the risk of cyber security incidents and data breaches. IT teams should work with your DSL to ensure all devices are configured and securely correctly.

Additionally, IT teams need to ensure devices have the following in place:

• a protective firewall
• managed antivirus and anti-malware software
• a supported operating system, with up to date security patches
• asset or inventory tagging to uniquely identify a device
• accessibility features that are not blocked by security features

The full list of DfE Digital and Technology Standards can be seen here: Meeting digital and technology standards in schools and colleges – Guidance – GOV.UK

Our managed IT service plans help schools meet or exceed the DfE standards. Get in touch with us at any time to explore the options available to you.