Cyber security standards for schools and colleges
The importance of meeting the standard
Successful cyber attacks target user accounts with the widest access and highest privileges on a network.
You must limit the numbers and access of network and global administrative accounts.
If you prevent and limit the compromise of these accounts you prevent and limit successful cyber attacks.
How to meet the standard
Ask your IT service provider or network manager to set up accounts to meet the technical requirements. If a single staff member controls account access, another senior school staff member or governor should approve that staff member’s own account.
There must be a user account creation, approval and removal process. You should make this part of school joining and leaving protocols.
Your IT service provider may be a staff technician or an external service provider.
Remember that this standard may change over time with changing cyber threats.
Technical requirements to meet the standard
You must control user accounts and access privileges, including accounts used by third parties, for example support services or device management.
Only authorised people can have an account that allows them to access, alter, disclose or delete the personal data held. The data owner or controller, or the data protection officer, must identify and authorise these tasks.
Users should have a separate account for routine business, including internet access, if their main account:
is an administrative account
enables the execution of software that makes significant system or security changes
can make changes to the operating system
can create new accounts
can change the privileges of existing accounts
Users must be authenticated with unique credentials before they access devices or services. This can include using passwords.
You must enforce password strength at the system level.
If you use a deny list that automatically blocks common passwords, require passwords of at least 8 characters. If you do not use a deny list, require passwords of at least 12 characters or a biometric check. The National Cyber Security Centre recommends passwords made up of 3 random words. Enforce account lockouts after a number of failed attempts, and require service provider or network manager permission to unlock.
The National Cyber Security Centre provides guidance on password administration for system owners.
You must immediately change any password that has been compromised or suspected of compromise.
You must remove unused accounts. This may include the accounts of users who have left their employment, or accounts that have not been used for a prolonged period of time. This is particularly important for accounts with administrator privileges. You should review this termly.
Unused role privileges must be removed or disabled.
No user’s account should have more access to devices than required to carry out their role.
Use different accounts with specific rights for different purposes, or have IT service providers and administrators enable just-in-time access, giving individual users time-limited privileges as required. The National Cyber Security Centre provides detailed guidance on privileged access management.
For younger children or users with special educational needs:
consider using authentication methods other than passwords
consider using a separate account accessed by the teacher rather than the student
segment the network so such accounts cannot reach sensitive data
consider if the data or service being accessed requires authentication
The NCSC offers guidance on alternatives to passwords.
You should not use global administrator accounts for routine business.
You should only use accounts requiring administrator privileges to complete the tasks that need it.
You should use service accounts for running system services and not user accounts.
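The separate-account rule, the minimum password length rule and the termly review of unused and leaver accounts above can be checked against a directory export. The following is an added example written for this page, not code from the standard or from any school system; the account records and their field names are constructed, and the 90-day inactivity threshold is an assumption.

```python
from datetime import date, timedelta

# Constructed sample of a directory export (field names are hypothetical).
ACCOUNTS = [
    {"name": "jsmith", "owner": "J Smith", "admin": False, "service": False,
     "last_logon": "2024-05-20", "left": None},
    {"name": "jsmith-adm", "owner": "J Smith", "admin": True, "service": False,
     "last_logon": "2024-05-18", "left": None},
    {"name": "ajones", "owner": "A Jones", "admin": True, "service": False,
     "last_logon": "2024-05-21", "left": None},
    {"name": "pbrown", "owner": "P Brown", "admin": False, "service": False,
     "last_logon": "2024-01-10", "left": "2024-02-01"},
    {"name": "svc-backup", "owner": "IT", "admin": True, "service": True,
     "last_logon": "2023-11-01", "left": None},
]
REVIEW_DATE = date(2024, 5, 22)  # constructed date of the termly review


def minimum_password_length(uses_deny_list: bool) -> int:
    """System-level minimum the standard requires: 8 characters with a
    deny list of common passwords in place, otherwise 12."""
    return 8 if uses_deny_list else 12


def audit_accounts(accounts, today: date, inactive_days: int = 90):
    """Return (account name, finding) pairs for the termly account review.

    Flags leavers, accounts unused for longer than inactive_days (admin
    accounts called out explicitly), and admin accounts whose owner has no
    separate routine account. Service accounts are exempt from the
    separate-account check because they are not used by a person."""
    findings = []
    cutoff = today - timedelta(days=inactive_days)
    owners_with_routine = {a["owner"] for a in accounts
                           if not a["admin"] and not a["service"]}
    for a in accounts:
        last_logon = date.fromisoformat(a["last_logon"])
        if a["left"]:
            findings.append((a["name"], "leaver: remove account"))
        elif last_logon < cutoff:
            kind = "admin " if a["admin"] else ""
            findings.append((a["name"], f"unused {kind}account: disable or remove"))
        if a["admin"] and not a["service"] and a["owner"] not in owners_with_routine:
            findings.append((a["name"], "admin account with no separate routine account"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_accounts(ACCOUNTS, REVIEW_DATE):
        print(f"{name}: {finding}")
```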
When to meet the standard
You should implement this standard as soon as you can and with the introduction of each new account.