Broadband and so much more:      Get connected with LGfL

DfE Cyber Security Standards Support - Updated for 2024

Maintaining a secure digital environment for students and staff is paramount, and navigating the complexities of DfE cyber security standards can be demanding. Each section below breaks down the standards highlighting how our products and services can be used to improve your security posture.

    Conduct a cyber risk assessment annually and review every term

    This standard should be a part of your overall digital technology strategy. 

      DfE Requirement - Review assets

      The SLT digital lead and your IT support will:

      •    review digital technology assets and any related cyber security risk 
      •    check all digital technology is licensed, supported and updated – read the DfE standard on ‘License digital technology and keep it up to date’ 

      How LGfL Helps

      LGfL includes Sophos Central, ThreatDown (powered by Malwarebytes) and Meraki MDM within its bundle. Each of these can be used to provide information about the assets that are in use in schools, and their security.

      LGfL includes various software licences for schools, ensuring that products do not go out of support and can continue to receive security updates.

      DfE Requirement - Check data processing, access and permissions

      The SLT digital lead will work with the DPO to:

      •    complete a record of processing activities (ROPA) for all new and current systems storing or processing personal and sensitive personal data – you can use a template ROPA from the Information Commissioner’s Office (ICO) 
      •    assess staff access and permissions to systems and data, and check password policies
      •    check that your email is set up to be secure and that it reduces the risk of third parties being able to send imitation emails

      How LGfL Helps

      At LGfL we have various systems that your users can access. When you're reviewing the permissions that your staff have don't forget to check the services that are available from us. If you need help accessing any of them please feel free to contact us via our support site.

      DfE Requirement - Understand your network

      The SLT digital lead will oversee this work, but IT support will:

      •    keep documentation on your network up to date – this should include network diagrams, changes that are made, settings and IP addressing information 
      •    discuss the level of logging required for your school or college’s network and systems which can help to identify the source of any cyber incident or attack and any network issues – to learn more about network logging, visit the National Cyber Security Centre (NCSC) guidance on logging and protective monitoring

      How LGfL Helps

      Having logs when things go wrong can be really beneficial. Knowing what to look for in logs can be confusing though. This is why, alongside the NCSC guidance on logging, we would recommend looking into Police Cyber Alarm. This can be setup to collect logs from your schools firewall, which are then sent to the police for them to review and highlight any suspicious activity to you.

      DfE Requirement - Understand current

      The SLT digital lead will be responsible for collecting the relevant information from all those listed in the ‘Who needs to be involved’ section of this standard. Together they will:

      •    understand what the greatest cyber risks are and establish the likelihood of these happening, along with the impact they may have on your school or college 
      •    capture how many cyber incidents or attacks have already occurred and what they are so that you can understand common themes and know where you need to improve – you can test your cyber resilience using NCSC’s online tool 
      •    identify any student or staff behaviour that may be seen as a risk and could expose the school or college to a cyber incident or attack – for example, downloading an application without the approval of IT support

      How LGfL Helps

      Once you're aware of the current risks to your school we would recommend managing them via a risk register, if you don't already have one available as part of our Elevate Cybersecurity Toolkit. This also includes a reporting template that you can use to demonstrate to Governors how you're managing cybersecurity risks.

      DfE Requirement - Create a risk management process and cyber response plan

      The SLT digital lead will work with the business professionals or the finance team, estate management and IT support to:

      •    create a simple reporting structure for cyber risks to be captured, escalated and actioned – cyber risks should be captured in the risk register and placed into a regularly tested business continuity plan 
      •    maintain documentation and your business continuity plan in at least one or more (diverse) locations – for example, in the cloud or as a hard copy 
      •    flag any risks or issues identified to the governors or trustees as part of the school or college’s risk management process 
      •    put a cyber response plan in place – as well as this being a part of your business continuity plan, it is also a condition of cover if you have risk protection arrangement (RPA) cover 

      How LGfL Helps

      We have developed the Elevate Cybersecurity Toolkit t has templates to help schools meet all of these requirements.

      Create and implement a cyber awareness plan for students and staff

      The SLT digital lead will work with IT support to make sure:

         an acceptable use policy is created and updated to meet the school or college’s needs 
         regular and up-to-date training and awareness activities on cyber security are carried out 

      You should also consider how to raise the level of cyber awareness within families if digital technology is taken home or student work is completed online at home. 

        DfE Requirement - Create an acceptable use policy

        An acceptable use policy describes what a person on the network can or cannot do when using digital technology.  

        Anyone who has access to the school or college network or data will need to be made aware of, and sign up to, the acceptable use policy. This will include guests and supply teachers who want to use the school or college network and wifi.

        The SLT digital lead will work with IT support, the designated safeguarding lead and the DPO to create and update the acceptable use policy.

        If you use a student contract, then this should include relevant sections of the acceptable use policy to make it clear how digital technology should be used within your educational setting. This will need to be carried out at the beginning of every academic year.

        You can find examples of acceptable use policies on the Education Data Hub website:

        •    staff acceptable use policy
        •    student acceptable use policy
        •    visitor acceptable use policy

        How LGfL Helps

        At LGfL we have years of experience in developing 'Acceptable Use Policies' that are used in schools. Like the Education Data Hub website, we have templates that you can download and customise to your needs.

        Staff, Governors & Volunteers
        KS1 Pupils
        KS2 Pupils
        KS3 & KS4 Pupils
        AUP in symbols for pupils with SEND
        Visitors & Contractors


        DfE Requirement - Train students and staff 

        Training students and staff in cyber security is a vital step in maintaining safety and security. Cyber training should be given at least annually, or more regularly if there is a known cyber risk to those who use school or college digital technology.

        The SLT digital lead will need to coordinate training with IT support, the DPO and the designated safeguarding lead. This training is for:

        •   students 
        •   staff 
        •   at least one current governor or trustee 
        •   anyone else with a login (for example supply teachers or agency workers) who may need more focussed training using your own resources – this should happen as soon as it’s feasible  

        Training should be age-appropriate and suited to your school or college’s risks, but should generally include training on:

        •   methods hackers use to trick people into disclosing personal information, including phishing 
        •   password security 
        •   online safety 
        •   social engineering, including not using websites that host unsuitable material, and could also contain malware and viruses 
        •   the physical security of devices, for example not leaving a laptop unlocked and unattended 
        •   the risks of using removable storage media, such as USBs 
        •   multi-factor authentication 
        •   how to report a cyber incident or attack – read the standard on reporting a cyber risk within this standard topic
        •   how to report a personal data breach 
        •   data protection for all staff, with staff who are exposed to higher risk data having more frequent training, such as administrative staff, management or agency workers with a login 

        If you have a risk protection arrangement, you must provide evidence that the relevant users have undertaken the free National Cyber Security Centre (NCSC) training. This needs to be taken annually.  

        If you are looking for further support, the NCSC have downloadable copies of cyber security information cards for schools

        How LGfL Helps

        At LGfL we have a range of different training available to support schools:

        •    Sophos Phish Threat can be used to send simulated phishing attacks to staff, which then links to training courses for those that need it.
        •    We have an extensive range of online safety training which covers a multitude of online safety topics.
        •    We also deliver the NCSC Cyber Security Training for School Staff which we have completed with references to how LGfL's services support cybersecurity for our schools.
        •    We have also developed Cyber Security Training for School Governors which is available for free for any school governor.

        Secure digital technology and data with anti-malware and a firewall

        The SLT digital lead will need to plan how the technical requirements section within this standard will be met with IT support.

        IT support will need to:

        •    use a properly configured boundary firewall  
        •    make sure devices are safe and secure – to learn more about this, visit the laptop, desktop and tablet standards 
        •    install anti-malware software (this must include anti-virus) on all devices, this should be centrally managed, actively monitored and kept up to date – this should include installation on cloud-based servers that you are managing
        •    monitor digital technology for any potential cyber security incidents or attacks – the National Cyber Security Centre (NCSC) has a free early warning service for detecting malicious activity 
        •    check the security of all applications downloaded or installed onto a network, this should include any cloud-based services 
        •    configure the network to minimise the spread of malware to critical systems

        If you are unsure about any data or applications, contact your IT support and they will be able to check the security of them.  

        Technical requirements

        This section is for your IT support who may be an internal support team or an external provider. They will set up your network and digital technology to meet these minimum requirements.

          DfE Requirement - Firewall

          Many schools and colleges will be provided with a firewall as part of their broadband connection. If this applies to you, then you will need to discuss these technical requirements with your broadband provider.

          If your broadband provider does not include a firewall, then IT support will need to source one and set it up securely.

          To meet this standard, IT support must:

          •    protect digital technology with a correctly configured boundary firewall or software firewall, this should include protection against denial of service attacks 
          •    keep boundary firewall firmware up to date, and on supported versions – this should be checked termly 
          •    make sure all external connections to the network run through the firewall 
          •    change the default administrator password and restrict remote access on the firewall to only those who need to access it for maintenance purposes  
          •    protect access to the firewall’s administrative interface with multi-factor authentication, where available, and prevent access from the internet, except to those who need to maintain the firewall 
          •    actively monitor firewall traffic and switch on firewall alerts to help detect suspicious activity – firewall logs can help you with both of these tasks 
          •    block inbound unauthenticated connections by default 
          •    document and review why inbound traffic has been permitted through the firewall – this should be done on a termly basis at a minimum and should be signed off by the SLT digital lead 
          •    keep firewall rules to an absolute minimum, with each rule being documented and subject to a risk assessment 
          •    enable a software firewall for digital technology that is used outside of the school or college, such as at home or on public wifi 
          •    consider a virtual private network (VPN) to encrypt data sent and received by a device 

          How LGfL Helps

          •    Every LGfL site has a correctly configured boundary firewall.
          •    This firewall always has the default administrator password changed before it starts being used.
          •    Access to the firewall's administrative interface is restricted to a small specified IP-allow list and is not available from the internet.
          •    Keeps the firewall firmware up to date.
          •    Subscribe to Jisc's protection which actively highlights suspicious activity.
          •    Block inbound unauthenticated connections by default.
          •    Require all changes that enable inbound traffic to be submitted via a Request for Change that is logged in the service desk.

          DfE Requirement - Anti-malware software

          Anti-malware software needs to be kept up to date with the latest updates. This should be reviewed termly to check that it is meeting your school or college’s needs. This software must:

          •    scan web pages as they are being used  
          •    have a centralised monitoring console to allow IT support to intervene should anti-malware software fail or not update 
          •    scan files and applications upon access, when downloaded or opened locally or from a network folder 
          •    scan attachments on incoming and outgoing emails for malware 
          •    send malware alerts to IT support who will then investigate the issue – this could result in removing the malware or isolating the device 
          •    prevent access to potentially malicious websites

          The NCSC provide further guidance on how to select, configure and use anti-virus and other security software.

          To help prevent malware from infecting digital technology from an external device, IT support should prohibit the use of USB storage devices by default, unless for a specific need – for example, if the examination board require this.

          If USB storage devices are permitted in specific use cases, the anti-malware software should scan the USB drive before it is made available to the student or staff member.

          How LGfL Helps

          LGfL includes Sophos Intercept X Advance for its customers which can be configured to meet all the requirements of this standard.

          Although Sophos Intercept X Advanced can meet all of the requirements in this standard it is still important to check that it is setup and working as needed.

          At a minimum, you should
          •    Ensure that all devices in the school have Sophos installed and working
          •    Check that Sophos' recommended settings are configured
          •    Check that alerts are set, and someone is monitoring them
          •    Click here to find out more about Sophos best-practice settings

          DfE Requirement - Security checks 

          IT support should:

          •    check downloads for malware before an individual can store or install them on their device – this should be in line with your school or college strategy
          •    check and approve all current and future applications to make sure they do not pose a security risk 
          •    maintain a current list of approved applications on your contracts register 
          •    remove unnecessary software according to your organisational need 
          •    only install applications that can be verified as coming from a known supplier 
          •    document how digital technology is set up, which security features have been enabled or disabled, and whether they have conflicting security features 
          •    review and manage browser settings to make sure the highest form of protection is enabled and that users are unable to change browser settings to install browser extensions or bypass security features 
          •    check that your email is set up to be secure and that it reduces the risk of third parties being able to send imitation emails

          The NCSC has a tool that can assist you with email security configuration and reporting.

          How LGfL Helps

          The majority of this element of the standard is the responsibility of the school to achieve. LGfL can help in some areas though. Sophos Intercept X will automatically check every download for malware before it is run. We also have a Software Asset Register template within the Elevate Cybersecurity Toolkit for Schools that can be used to record approved applications. If your school uses email provided by LGfL you can also benefit from MailProtect, to protect you from spoof emails. We can also help you configure appropriate anti-spoofing controls like SPF and DMARC.

          Control and secure user accounts and access privileges

          The SLT digital lead will need to plan how the technical requirements section within this standard will be met with IT support and how they will:

          •    agree on who should have access to what  
          •    set up password policies 
          •    set up security features for staff, such as multi-factor authentication (MFA), where needed

          IT support should make sure that users only have the network and data access they need, and that their account is secure.

          To help action this standard, you can also visit:

          •    the National Cyber Security Centre (NCSC) website for more guidance on how to use passwords to protect your data 
          •    the Information Commissioners Office (ICO) website to download a DPIA template

          Technical requirements

          This section is for your IT support who may be an internal support team or an external provider. They will set up users so that they only have the access they need by following these minimum requirements.

          If you have external IT support that will carry out the activities within this standard, make sure that your contract with them is compliant with General Data Protection Regulation (GDPR). 

            DfE Requirement - Passwords

            Users must be authenticated with unique credentials before they access devices or services. This can include using passwords.

            IT support will need to:

            •    enforce password strength at the system level – the NCSC suggest using machine-generated passwords or a three-random word system 
            •    immediately change any passwords that have been compromised or are suspected of compromise 
            •    protect all passwords – for example, by allowing no more than 10 guesses in 5 minutes, or locking devices after no more than 10 unsuccessful attempts

            On networking devices and servers, IT support should:

            •    use a password or PIN of at least 6 characters to physically access network switches and boot-up settings – the password or PIN must only be used to access this device 
            •    agree on a process with the SLT for securing access to key system passwords and PINs in the event of an emergency, or if IT support is unavailable

            For younger children, users with special educational needs or disabilities, or for those with English as an additional language, consider using:

            •    other means of logging on, other than passwords – for example, using a PIN code 
            •    a separate account accessed by the teacher using the student’s login so that the student can still be identified – this should follow the filtering and monitoring standards

            Visit the NCSC website to learn more about setting up password policies

            How LGfL Helps

            The majority of the elements in this standard relate to services that are managed by schools. 

            LGfL helps by ensuring that all of its services are protected with appropriate password controls. All USO accounts benefit from automatic delays to protect them from brute force attacks and can be configured with multi-factor authentication.

            DfE Requirement - Multi-factor authentication (MFA)

            MFA secures your account by asking the user to provide 2 or more pieces of evidence to verify their identity. This could include a password and a login through another device.

            MFA may not be accessible for those with special educational needs and disabilities. In these circumstances, you will need to discuss alternatives or extra support when logging in.

            Senior leaders, and staff (including internal and external IT support staff) working with confidential, financial, and personal and sensitive personal data must use MFA.

            If appropriate for your school or college, you may also wish to explore:

            •    MFA for all cloud or online services  
            •    MFA for all staff accounts 
            •    MFA for students where the verification does not need to be completed on a mobile phone in keeping with the Department for Education’s (DfE) guidance on prohibiting the use of mobile phones for students throughout the school day

            MFA should include at least 2 of the following:

            •    a password 
            •    a text message which will send a code to a mobile device, this is for staff only 
            •    an automated phone call to a given phone number that reads out a code (as an alternative to a text message) 
            •    a secure portable device, such as a mobile phone or tablet for staff 
            •    a security key or device, used to authenticate logins – the school or college may need to pay for this if staff do not have access to a secure mobile phone 
            •    a known or trusted account, where a second party authenticates another’s credentials 
            •    a biometric test, for example, face identification – this may need careful consideration as it might require a biometric policy depending on how the data is stored

            Where MFA is not available, a more complex password should be used following the recommended guidance around password security in this standard.

            The NCSC has some further guidance on:

            •    setting up 2-step verification 
            •    MFA for online services

            If staff access a number of systems, you should consider using a single sign-on solution, which allows you to sign on once and access all applications. 

            How LGfL Helps

            All accounts used by Nominated Contacts (accounts with permission to make administrative changes, or request system changes) are configured to use multi-factor authentication.

            DfE Requirement - Account management

            IT support needs to control user accounts and access privileges by:

            •    disabling accounts as soon as someone leaves 
            •    creating and managing a process with human resources and your business professionals or the finance team to deal with joiners, leavers, and those moving roles

            IT support should consider using tools that link to the management information system (MIS) to automatically create or delete user accounts which will make this process easier to manage.

            IT support will also:

            •    make sure that accounts are set up so that students and staff only have access to the data and systems they need 
            •    make sure that MFA is applied to any accounts and cloud-based applications for staff working away from the school or college, or remotely accessing the network  
            •    make sure that remote access is disabled when not required, and enabled only by a member of authorised school or college staff 
            •    make sure that enhanced security, such as MFA, is always used where staff are handling confidential, personal or sensitive personal data – your data protection officer can advise which systems and data need this 
            •    review accounts with your business professionals or the finance team every term to identify changes that might have been missed – this should include changing access levels and rights, and suspending or deleting accounts which are no longer in use 
            •    make sure that global or administrative accounts are not used for routine business and that instead, dedicated accounts (not used for day-to-day email and work) have enhanced privileges – this helps limit any damage and track issues in the event of an incident or attack 
            •    agree a process for handling administrative accounts so that a member of SLT or a trustee approves any changes to access levels or privileges before IT support can action the change 
            •    make sure SLT have access to a dedicated administrative account – this will only be needed in an emergency where IT support is unavailable

            The NCSC has detailed guidance on privileged access management. 

            How LGfL Helps

            At LGfL we have various systems that your users can access. When you're reviewing the permissions that your staff have don't forget to check the services that are available from us. If you need help accessing any of them please feel free to contact us via our support site.

            Licence digital technology and keep it up-to-date

            The SLT digital lead will plan how the technical requirements section within this standard will be met with IT support.

            IT support will need to check all digital technology is licenced, supported and set up to meet the technical requirements in the next section. The end-of-support dates for each device’s operating system should be recorded in the asset register and your mobile device management system, if you have one.

            At the end of every term, IT support and the business professionals or the finance team should review the contracts register and inform the SLT when digital technology:

            •    has become unsupported  
            •    is due to become unsupported

            You can find out more about the contract and asset registers by visiting our standards on digital leadership and governance.

            An alternative to licencing software is to use a cloud service. These are usually subscription-based, and the responsibility is on the supplier to licence and update the software. You should ask your DPO to undertake a DPIA if you choose to do this where it is storing or processing personal or sensitive personal data. Visit the Department for Education (DfE) website for more information on data protection policies and procedures.

            If you are using open-source software or operating systems, you must abide by their licensing terms.

            Occasionally, the DfE may issue instructions on security updates through the Education and Skills Funding Agency (ESFA) bulletin. The SLT digital lead will need to inform IT support. IT support should then apply these updates within 5 working days of notification.

            Technical requirements 

            This section is for your IT support who may be an internal support team or an external provider. They will set up your digital technology to meet these requirements. 

              DfE Requirement - Licencing

              All software needs to be licenced and eligible for security updates. You should remove unlicensed software or take steps to licence it.  

              IT support will need to check that:

              •    operating systems and firmware on digital technology are kept up to date 
              •    updates are issued in a timely manner that does not impact on teaching and learning 
              •    licence expiry dates are recorded in the contracts register by the business professionals or the finance team, and that any unlicened software is removed from devices 
              •    your business professionals or the finance team have been informed about licence end dates so that they can budget for any renewal costs 
              •    digital technology end-of-support dates are captured in the asset register 

              How LGfL Helps

              LGfL includes licences for the following software within our services. 
              •    Sophos Intercept X Advanced
              •    Sophos Intercept X Advanced for Servers
              •    ThreatDown Incident Response
              •    Meraki Mobile Device Management
              •    Adobe Creative Cloud

              DfE Requirement - Security updates

              IT support must complete security updates (known as patching) to operating systems, applications and firmware, including configuration changes, within 14 days of the release of the patch where the vulnerability is:

              •    described as high risk or worse 
              •    has a Common Vulnerability Scoring System (CVSSv3) score of 7 or above – you should also triage and prioritise updates for other scores when it is possible to do so

              The CVSSv3 is the security industry standard for measuring the danger of a vulnerability. The score is a number from 1 to 10 where 10 means it is the most easily exploitable. There is a more detailed explanation of CVSSv3 on the National Vulnerability Database website.

              IT support will also need to:

              •    make sure security updates are applied on time – you may wish to consider using a supported third-party patch management tool to automate this process 
              •    isolate devices where high-risk patches are unavailable – this could mean removing the device from the network or separating it from higher-risk systems and data

              The NCSC has further guidance on the problems with patching

              How LGfL Helps

              Unfortunately, LGfL can't help you install security updates to your devices. One of the key things with updates is knowing what you have that needs to be kept up to date. This is where we can help. Sophos Central, ThreatDown Incident Response and Meraki MDM each have a management console that can tell you which devices are in your school and when they were last acti.

              Develop and implement a plan to backup your data and review this every year

              Your backup plan should feed into your business continuity plan and disaster recovery plan. The backup plan should be:

              •    kept up to date 
              •    tested termly to make sure it works, or more often if there is a significant service change – speak to your IT support for further advice on how to do this 
              •    reviewed on an annual basis, or when there is a major change to the systems or data

              Read our standards on digital leadership and governance for more details on business continuity plans. 

                DfE Requirement - Analyse where you are now 

                It is useful to understand what your current backup plan looks like so that you can assess if it needs improvement.

                The SLT digital lead should ask IT support:

                •    what data is currently being backed up, how often, how old it is and how it is being backed up, this includes data stored on all your cloud services – this information should be stored in your information asset register 
                •    what information is not being backed up
                •    how often they test data that has been restored to check the backups are successful 
                •    how long a restoration will take and when the last test restoration was completed 
                •    how many copies are being kept and where they are located 
                •    how your backups may be affected in the event of an incident or attack

                If you do not have internal IT support, ask your service provider to explain what they are doing to help you achieve this standard. 

                How LGfL Helps

                There's not a lot we can do to help with this element of the standards. We are however, developing a template that schools will be able to use to review their current backup methodology and then report on it to senior leaders or governors.

                DfE Requirement - Plan and action on how to backup and restore data in the future

                The SLT digital lead will work with your business professionals or the finance team, designated safeguarding lead, data protection officer and IT support to identify:

                •    what data you backup, including what critical data and systems are needed to function as a school or college in a disaster situation 
                •    how long can you go without specific systems and data and how up to date they need to be to find out the priority of recovery  
                •    a process for students and staff to delete or archive data on an annual basis – this will speed up recovery times by getting rid of data you no longer need  
                •    how long you will keep data for – this should align with statutory duties and retention policies so that you only backup what you need 
                •    how you will deal with any statutory requirements, such as a freedom of information request or a data subject access request 
                •    how and where you will backup your data

                IT support should:

                •    have at least 3 backup copies of important data, on at least 2 separate devices – at least one of these copies must be off-site (on large sites, these copies should be far enough away to avoid dangers from fire, flood, theft and similar risks)  
                •    make sure that backups are immutable, this means that they cannot be changed once they have been created – this helps prevent data loss and reduces the risk of malware or ransomware being introduced into your systems when restoring data 
                •    choose backup methods you will use based on your school or college’s budget and the identified needs in your backup plan 
                •    test and log your backups termly or if there is a significant change, this should include the ability to recover and restore from backups – the NCSC has an online tool that will help you practice your response to an incident 
                •    have a policy on how frequently restorations should take place to test the backup and how this will be reported to evidence success 
                •    make sure, wherever possible, that restoring data is not device-specific and can be recovered to a wide range of hardware

                You should not take any physical backups offsite unless they are encrypted and stored in a secure location. Regardless of whether they are encrypted, backups should never be taken to anyone’s home. 

                How LGfL Helps

                LGfL schools that are eligible can benefit from access to Gridstore, LGfL's cloud-based backup solution which meets all of the requirements for one of your backup devices. This will provide 50GB free of charge to primary and special schools and 100GB to secondary schools. This is an excellent way to protect your most critical data such as your MIS or Single Central Record.

                For details about this, and how to get more storage please check here.

                Report cyber attacks

                All students and staff have a responsibility to report cyber risk or a potential incident or attack to IT support and the SLT digital lead.  

                The SLT digital lead will need to make sure that all students and staff understand how to report a potential incident or attack and that they feel safe and comfortable to do so.

                To help action this standard, you can also visit:

                •    the Department for Education (DfE) website for information on managing a data breach  
                •    the National Cyber Security Centre (NCSC) website for advice on cyber incident response processes 

                  DfE Requirement - Report a cyber incident or attack internally 

                  As soon as IT support and the SLT digital lead have been alerted by a student or member of staff to a potential incident or attack they will need to:

                  •    action their cyber incident response plan which is a part of their business continuity and disaster recovery plans 
                  •    contain the risk and make sure systems are safe and secure 
                  •    notify those in the ‘who needs to be involved’ section of this standard and in line with their business continuity plan 
                  •    capture information on the risk 
                  •    investigate the risk and decide on the next course of action 
                  •    report the potential incident or attack to the governing body or trustees

                  Any incidents, attacks or near misses should be recorded in an internal incident report or system. 

                  How LGfL Helps

                  Sorry, there's not a lot we can do to help with reporting internal cyber incidents or attacks. 

                  If it becomes clear that an incident is part of a serious attack we help in other ways. We can perform health checks for your public-facing services and Sophos anti-malware protection, running vulnerability scans of internal systems, assisting with recovery from Gridstore or provide guidance.

                  There may be occasions where we're aware of a cyber incident before you are. If this is the case we'll always get in touch with you as soon as we can to let you know what the alert is, and to provide help in resolving it.

                  DfE Requirement - Report a cyber incident or attack to external bodies

                  Incidents or attacks where any security breaches may have taken place or other damage was caused, should be reported to an external body.

                  The SLT digital lead will be responsible for assigning someone to report any suspicious cyber incidents or attacks. This person will need to report this to:

                  •    Action Fraud on 0300 123 2040, or the Action Fraud website 
                  •    the DfE sector cyber team at

                  You may also need to report to:

                  •    the NCSC website if the incident or attack causes long-term school closure, the closure of more than one school, or serious financial damage 
                  •    the ICO website within 72 hours, where a high-risk data breach has or may have occurred 
                  •    your local Education and Skills Funding Agency (ESFA) contact, if you are part of an academy trust 
                  •    your cyber insurance provider (if you have one), such as risk protection arrangement (RPA) 
                  •    Jisc, if you are a part of a further education institution

                  You must act in accordance with:

                  •    Action Fraud guidance for reporting fraud and cybercrime 
                  •    ESFA Academy Trust Handbook Part 6, if you are part of an academy trust 
                  •    ICO requirements for reporting personal data breaches

                  Police investigations may find out if any compromised data has been published or sold and identify the perpetrator. 

                  How LGfL Helps

                  In a similar way to reporting internally there's not a lot we can do to help with external reporting of cyber incidents or attacks. 

                  We would recommend that you check with any cyber insurance policy that you have as soon as your aware of an incident. Many of them includes terms of cover that require immediate reporting in order for you to receive their support. It's also worth making this a key part of your Cyber Response Planning - so it's clear to anyone involved that this is a key part of the cyber response.

                  We would also ask that you let us know. There are a variety of things that we can do to support you and specialist cyber response companies in the event of an active attack, and to expedite the  recovery of services.

                  Save more than you spend and keep children safe

                  © Copyright LGfL  >  Privacy Notice and Policies  >  Accessibility

                  Registered Address: ​9th Floor, 10 Exchange Square, Primrose Street, London, EC2A 2BR. London Grid for Learning Trust - a charity whose mission is the advancement of Education. A company limited by guarantee registered in England no 4205579 Reg charity no 1090412.