Access control and user permissions are fundamental components of cyber security. They help protect sensitive data and ensure that only authorised individuals have access to systems and data.

• Protection of sensitive information - access control restricts who can view or access systems and data.
• Minimisation of risk - by giving access to only what is needed for someone's job role, organisations reduce the potential attack surface for cyber criminals and helps prevent data breaches.
• Mitigating internal risks - a lot of cyber attacks come from the 'insider threat'. Access control policies help ensure that employees only have access to the information necessary, which reduces the likelihood of intentional or accidental misuse.
• Regulatory compliance - many industries are governed by regulations that mandate strict access control measure to protect data. The ICO, as part of the UK GDPR, says you must have appropriate security controls in place to protect data.
• Data integrity - user permissions ensure that only authorised personnel can modify, delete or manage critical data and system configurations. This helps maintain the integrity of data, ensuring it remains accurate.
• Role based control - implementing role-based access control allows organisations to assign permissions based on roles rather than to individuals. This simplifies the management of permissions. Principle of least privilege means giving users the minimum level of access necessary to perform their job function.
• Prevention of unauthorised software installation - by controlling who can install software or run certain applications, organisations can prevent the introduction of malware and harmful changes.
• Supporting remote work - as remote work becomes more common, access control ensures that employees working outside the office can only access the resources they need and that the connections are secure.

By implementing robust access controls, organisations can significantly reduce their risk of cyber incidents and ensure that their data and systems remain secure and operational. Consider what business procedures you have in place to authorise access control.

Knowledge Bank Best Practice

Related best practice areas:

Backups ensure that data and systems can be recovered in the event of data loss due to cyber attacks, hardware failures or accidental deletions.

1. Regular backup schedule - backups should be done regularly to minimise data loss. The frequency depends on the organisation and should be a business decision. Automated backups reduce the risk of human error and ensure consistency.
2. Data coverage - not all data will need to be backed up, so ensure you identify and prioritise critical data that should be backed up. There should be a combination of full backups which capture all data and incremental backups which capture changes since the last backup.
3. Offsite and offline backups - backups should be stored in a separate physical location to the main systems of an organisation or to a secure cloud environment to protect against site-specific incidents. Offline backups help protect against ransomware and other cyber threats.
4. Encryption - backup data and data during transmission should be encrypted, with strong key management practices to securely store and manage encryption keys.
5. Data integrity - backups should be regularly tested to ensure data can be successfully retrieved and that data integrity is maintained.
6. Access control - only authorised personnel should have access to backup systems. Access and actions should be monitored to detect any suspicious activity.
7. Retention policy - backup data should still come under your data retention policy. And remember, is still part of a subject access request.
8. Disaster recovery - any backups should be included in any disaster recovery and business continuity plans to ensure rapid recovery of essential systems and data after an incident. The business should decide the optimum recovery time.
9. Regulatory compliance - your backups should comply with data protection regulations.

By implementing a robust backup strategy that includes regular scheduling, offsite storage, encryption, access control, and alignment with disaster recovery plans, organisations can mitigate the risks associated with data loss and maintain business continuity in the face of cyber threats.

Knowledge Bank Best Practice

Related best practice areas:

Cybersecurity compliance in the UK involves adhering to a range of laws, regulations, and standards designed to protect data, ensure privacy, and safeguard against cyber threats. Organisations operating in the UK must navigate these requirements to avoid legal penalties, protect sensitive information, and maintain trust with customers and stakeholders. Here's an overview of the key regulations and standards related to cybersecurity compliance in the UK:

1. General Data Protection Regulation (UK GDPR)

Key Requirements:

·       Data Protection Principles: Organisations must process personal data lawfully, transparently, and for a specific purpose. Data should be kept accurate, secure, and only as long as necessary.

·       Rights of Individuals: Individuals have rights over their data, including the right to access, rectify, erase, and restrict processing.

·       Data Breach Notification: Organisations must report certain types of personal data breaches to the relevant supervisory authority within 72 hours.

·       Data Protection Impact Assessments (DPIAs): Required for processing activities that pose a high risk to individuals' rights and freedoms.

·       Appointment of a Data Protection Officer (DPO): Mandatory for public authorities and organisations engaging in large-scale processing of sensitive data.

2. Network and Information Systems (NIS) Regulations

Overview: The NIS Regulations 2018 are the UK's implementation of the EU NIS Directive. They focus on improving the security of network and information systems that are critical to the country's essential services, such as energy, transport, health, and water.

Key Requirements:

·       Security Measures: Organisations must implement appropriate and proportionate technical and organisational measures to manage risks posed to the security of network and information systems.

·       Incident Reporting: Organisations are required to report significant incidents that affect the continuity of essential services to the relevant competent authority.

·       Supervision and Enforcement: Competent authorities oversee compliance and can impose fines for non-compliance.

3. The Data Protection Act 2018

Overview: The Data Protection Act 2018 complements UK GDPR, providing a framework for data protection and privacy.

Key Requirements:

·       Compliance with GDPR: The act enforces GDPR principles and provides guidance.

·       Special Categories of Data: Additional safeguards for processing sensitive data categories, such as health, ethnicity, and criminal records.

·       Exemptions and Derogations: Specific exemptions and modifications to GDPR rules, particularly for law enforcement, national security, and academic research.

4. The Payment Card Industry Data Security Standard (PCI DSS)

Overview: PCI DSS is a global standard that applies to organisations handling payment card information. While not a law, compliance is often required by contracts with payment processors and banks.

Key Requirements:

·       Secure Cardholder Data: Protecting stored cardholder data and encrypting data transmitted across open networks.

·       Access Control: Implementing strong access control measures, including unique IDs for users and physical access restrictions.

·       Regular Monitoring and Testing: Regularly monitoring networks and testing security systems and processes.

·       Information Security Policies: Maintaining a policy that addresses information security for all personnel.

5. ISO/IEC 27001

Overview: ISO/IEC 27001 is an international standard for information security management systems (ISMS). While not legally mandatory, it is widely recognised and often required for certain industries or contracts.

Key Requirements:

·       ISMS Implementation: Establishing, implementing, maintaining, and continually improving an ISMS that is aligned with the organisation's needs.

·       Risk Assessment and Treatment: Identifying security risks and implementing controls to mitigate them.

·       Compliance and Auditing: Regularly auditing and reviewing the ISMS to ensure it remains effective and compliant with the standard.

6. Cyber Essentials

Overview: Cyber Essentials is a UK government-backed certification scheme designed to help organisations protect themselves against common cyber threats.

Key Requirements:

·       Basic Security Controls: Implementing five basic security controls: firewalls, secure configuration, access control, malware protection, and patch management.

·       Self-Assessment or Certification: Organisations can either self-assess to gain certification or undergo a more rigorous assessment for Cyber Essentials Plus certification.

·       Public Sector Contracts: Often required for organisations bidding for government contracts involving the handling of sensitive and personal data.

7. The Computer Misuse Act 1990

Overview: The Computer Misuse Act 1990 makes it a criminal offense to access or modify data on a computer without permission. It underpins legal actions against cybercrimes in the UK.

Key Requirements:

·       Unauthorised Access: Illegal to gain unauthorised access to computer systems, which includes hacking.

·       Intent to Commit Further Offenses: Illegal to access computer systems with the intent to commit further crimes.

·       Data Modification: Illegal to modify or delete data without authorisation, including spreading malware or viruses.

8. DfE Digital Standards - although not a law is a set of standards provided by the government to help schools and colleges make more informed decisions about technology leading to safer, more cost-efficient practices.

Cybersecurity compliance in the UK involves navigating a complex landscape of regulations and standards designed to protect personal data, ensure the security of critical infrastructure, and mitigate cyber threats. Organisations must implement the necessary technical, organisational, and legal measures to comply with these regulations, which not only protect them from legal penalties but also enhance their overall cybersecurity posture. Regular reviews and updates to compliance practices are essential to keeping pace with evolving threats and regulatory changes.

Knowledge Bank Best Practice

Related best practice areas:

Data encryption is used to protect sensitive information by converting it into an unreadable format, which ensures that only authorised parties can access it.

Purpose of Encryption:

1. Confidentiality - protects the data from unauthorised access.
2. Integrity - ensures data has not been altered.
3. Authentication - verifies the identity of the person accessing the data.

Types of Encryption

• Symmetric Encryption - uses the same key for encryption and decryption.
• Asymmetric Encryption - uses a pair of keys. A public key for encryption then a private key for decryption.
• Hahsing - converts data into a fixed-length hash which cannot be reversed.

When should I use encryption?

Encryption should be used whenever you need to ensure the confidentiality, integrity and security of the information being transmitted. This might includedsending personal data, financial data, health information and confidential business information.

If there is application in use for sharing information, such as parental comms app in schools, then it would be preferential to use this rather than using an encrypted email.

Knowledge Bank Best Practice

Related best practice areas:

Email is one of the easiest ways for a hacker to launch a cyber attack on an organisation, making email security a critical component of an organisation's cyber security strategy. Phishing is a real threat that leverages email to deceive users into divulging sensitive information or installing malware.

1. Phishing - involves fraudulent attempts to obtain sensitive information such as usernames, passwords, or financial details by masquerading as a trustworthy entity in electronic communications. Phishing emails often appear to come from legitimate sources like banks, social media platforms, or internal corporate departments.
2. Email Security - Use spam filters to identify and block unwanted or suspicious emails, so they don't reach a user's inbox. Make use of email authentication protocols, encryption, and multi factor authentication.
3. User awareness and training - train staff regularly to keep up with the evolving threats. Try simulated phishing exercises with follow up training.
4. Incident response - have email security solutions that monitor for phishing attacks, quarantine and contain suspicious emails. Ensure that staff know how to report suspicious emails.
5. Technology solutions - consider secure email gateways, endpoint detection and email archiving and backup. Don't forget records management and data retention requirements.
6. Regulatory compliance - your email system and data should meet data protection regulations now.

Email security is a vital aspect of cybersecurity, given the high volume of phishing attacks that target organisations and individuals. By implementing robust email security measures, training users to recognise and respond to phishing attempts, and integrating incident response plans, organisations can significantly reduce the risk of falling victim to these attacks and protect their sensitive information and systems.

Knowledge Bank Best Practice

Related best practice areas:

Human error is a major cyber security risk:

• Phishing attacks - many cyber attacks exploit human vulnerabilities, such as phishing. Training helps employees recognise and avoid these threats.
• Weak passwords - using weak or reused passwords make it easier for attackers to gain access to systems.
• Evolving landscape - cyber threats are constantly evolving, with new types of malware, social engineering tactics and vulnerabilities emerging regularly. Continuous training ensures that individuals remain aware of the latest threats and best practices to counter them.
• Compliance and Regulatory Requirements - many industries have specific cyber security regulations and standards that organisations must comply with such as the Data Protection Act 2018 and the UK GDPR. This includes some insurance providers that provide cyber security cover.
• Protecting sensitive data - awareness of cyber security best practices help protect sensitive data. Those staff members that handle large volumes of data, especially when it's sensitive should have more training.
• Incident response - in the event of a security breach, well-trained staff can respond more effectively which will help contain and mitigate the impact of the incident.

By educating employees regularly it helps to embed a culture of security within the organisation. Employees understand that cyber security is everyone's responsibility, not just IT support.

Knowledge Bank Best Practice

Related best practice areas:

Incident response planning involves preparing for and managing the aftermath of a cyber attack or data breach. It's purpose is to minimise damage, recover quickly, and prevent future incidents.

1. Preparation - develop and document an incident response plan which includes defining roles and responsibilities. Ensure communication channels are set up and protocols established for responding to different types of incidents. Train employees regularly on the plan and conduct test drills.
2. Identify - detect and identify potential security incidents as quickly as possible using monitoring tools, alerts and reports from users or systems. Assess and verify an incident to determine its nature, scope and potential impact.
3. Containment - implement short-term containment measures to limit the spread of the incident, such as isolating affected systems. Plan for long-term containment while investigating further. Try to preserve evidence.
4. Eradication - once the root cause of the incident is identified, remove the threat from the environment. Ensure that all traces of the incident are removed to prevent reccurence.
5. Recovery - restore affected systems and data to resume normal operations, after you have made sure they are free from vulnerabilities. Continue to monitor systems closely.
6. Lessons learned - once the incident is resolved, conduct a review to analyse what happened and how it could be improved for the future, updating the incident response plan accordingly.
7. Documentation and reporting - document every step of the incident response process, including actions taken and decisions made and any outcomes. Ensure you report the incident to relevant stakeholders, customers, and regulatory bodies. Remember if there is a cyber incident you should report it to your DPO to help you assess any data breach significance.

By having a well-defined plan and regularly updating it based on experiences and emerging threats, organisations can minimise the impact of cyber attacks and improve their cyber resilience. Do you have a cyber incident and business continuity plan?

Knowledge Bank Best Practice

Related best practice areas:

Mobile device management (MDM) is a crucial aspect of cyber security. Most businesses will use some form of mobile device for every day business tasks. MDM solutions help organisations secure, monitor, manage and support mobile devices such as smartphones, tablets and laptops.

1. Data Security - it's important to ensure that data is secure on mobile devices. An MDM can enforce encryption on mobile devices, ensuring that corporate data is protected. If a device is lost or stolen an MDM can help prevent a data breach by remotely controlling or wiping the device.
2. Security policies - an organisation is able to enforce strong password policies on all managed devices, which reduces the risk of unauthorised access. It also ensures that mobile devices receive the latest updates, security patches and antivirus software, further improving an organisation's cyber resilience. Administrators can remotely configure devices and push updates out.
3. Application management - app installation is controlled, only allowing trusted and approved applications and blocking potentially harmful ones.
4. Monitoring and reporting - helps monitor device usage, which will detect and report any unusual or suspicious activity which might indicate a security threat. It also helps meet regulatory compliance, such as data protection law.
5. Bring your own device - consider whether you will allow a BYOD policy.
6. Threat detection - an MDM solution will detect threats such as malware or phishing attacks and respond in real-time by isolating the device and alerting IT support.
7. Geofencing and geolocation - an MDM allows organisations to track the location of mobile devices, which can be used for the retrieval of lost devices. An organisation can also set geographic boundaries.

Other considerations with mobile devices and cyber security are:

1. Security - ensure strong passwords, PIN's or biometrics are used for authentication. Ensure they lock automatically.
2. Encryption - enable encryption on devices to protect data stored locally, although uploading to the cloud is recommended.
3. App security - regularly remove and manage apps, security, updates and only allow downloads from trusted sources.
4. Operating system update -ensure there is a policy for regular system updates.
5. Network security - discourage the use of public Wi-Fi and use VPN's where possible.
6. Phishing - ensure staff are trained in recognising phishing attacks.
7. Lost or stolen devices - have a procedure to remotely wipe data on a device. Utilise any built-in tracking procedures.

Mobile devices are powerful tools, but they also introduce significant cybersecurity risks if not managed properly. By considering and implementing these security measures, individuals and organisations can protect sensitive data, reduce the risk of cyber attacks, and ensure secure mobile device usage.

Consider booking a 'Making the Rounds', data walk, with your school consultant when they will ask questions about your mobile devices.

Knowledge Bank Best Practice

Related best practice areas:

Multi-factor authentication (MFA) is an additional layer of security used to protection online accounts beyond just a username and password. It requires users to provide two or more verification factors to gain access, making it much harder for unauthorised users to gain access.

How MFA Works:

MFA usually involves combining two or more of the following types of authentication:

1. Something You Know: i.e. your password or PIN.
2. Something You Have: such as a physical device, i.e. receiving a special code via a text message to your phone.
3. Something You Are: biometric verification, i.e. fingerprint, facial recognition etc.

Knowledge Bank Best Practice Areas

You should also review the following best practice areas:

Effective network security protects the network, systems and data from unauthorised access.

Network security:

1. Confidentiality - ensures that information is only accessible to those that are authorised to view it.
2. Integrity - protects data from being altered. Consider 'one version of the truth', for example, when there are multiple copies of the same document how do you verify integrity of the document?
3. Availability - ensures that information and resources are available to users when needed.

There are various components to network security:

1. Firewalls
2. Intrusion detection systems
3. Virtual Private Networks
4. Anti-virus and Anti-Malware
5. Encryption

Access Control

1. Authentication - verifying the identity of users or devices before allowing access to the network.
2. Authorisation - determines what resources and services users are permitted to access. There should be an procedure to authorised this in the organisation.
3. Least privilege - users should only be given access to what they require in order to perform their tasks

Network Segmentation

If you are a large organisation you may need to segment your network to provide the appropriate access. All organisations should provide a specific guest area which has limited systems and resources.

Monitoring

The network should be regularly monitored and checked. It should be scanned for vulnerabilities regularly.

User Awareness and Training

Staff should be educated on security best practices and know how to recognise phishing attacks. Strong passwords should be used and devices should be kept secure. Regular training is needed to move with the ever-changing cyber landscape.

Knowledge Bank Best Practice

Related best practice areas:

Consider the following password best practice:

1. Length and complexity.
2. Unique passwords - don't re-use passwords.
3. Password managers- they can generate long, unique passwords and store them securely.
4. Enable multi-factor authentication because this adds an additional layer of security. You may need to speak to your IT support to enable this.
5. Regularly update your password, especially for sensitive accounts.
6. Don't share passwords or write them down.
7. Beware of phishing attacks that may try to steal your password.

Knowledge Bank Best Practice

Related best practice areas:

Physical security is an often forgotten element of cyber security and cyber resilience. Physical security measures help to protect the physical infrastructure that underpins the network and systems. Considerations:

1. Access Control - have secure entry points with control systems such as keycards, biometric scanners or PIN codes to sensitive areas like offices and server rooms. Consider the use of visitor management sign in systems to monitor and control access for non-employees.
2. Surveillance - installing CCTV at strategic locations will help to monitor unauthorised access and suspicious activities.
3. Environmental controls - review what the climate requirements are for IT equipment to prevent hardware damage or failure.
4. Physical barriers - lock cabinets, doors and windows to prevent unauthorised access. Review who might have access to an area when staff have gone home.
5. Data destruction - secure disposal of old and decommissioned hardware should follow regulatory compliance. Destruction of paper documents show follow the ICO's confidential waste guidance.
6. Audit logs - consider the use of audit logs when sensitive areas are visited.
7. Device security - lock up mobile devices and secure USB ports to prevent unauthorised data transfer or malware installs.

Physical security helps to protect the physical assets and infrastructure that supports cyber security, ensuring sensitive data and systems remain secure from both digital and physical threats. By implementing a layered approach to physical security, organisation can significantly reduce the risk of breaches.

Book a 'Making the Rounds', data walk, with your school consultant who will help you look at your physical security of data and systems.

Knowledge Bank Best Practice

Related best practice areas:

Software patch management and updates is about managing the process of testing and installing updates (patches) for software applications and systems. Patch management is crucial for maintaining security, improving performance and ensuring compliance.

Patches are released often to fix vulnerabilities that are already known to hackers, as well as fixing bugs or improving functionality.

As an organisation, it is important to establish a good patch management policy that ensures there is ownership of the process.

Speak to your IT support to understand how patch management work in your organisation if you are responsible for cyber security strategy.

Knowledge Bank Best Practice

Related best practice areas:

Organisations are increasingly relying on third party suppliers to conduct business. While these relationships are often cirtical for operations, they also introduce additional risks.

1. Expanded attack surface - third party suppliers will often require access to an organisation's systems, data or networks to perform their services. This access can become a potential entry point for cyber criminals if not properly managed and secured. With the number of increased third parties, so does the complexity of the organisation's overall security landscape.
2. Data breach risks - thid party suppliers may handle sensitive or confidential data on behalf of the organisation. As part of data protection regulatory compliance, you should check that the supplier you are passing data to (the processor) has robust technical measures in place.
3. Supply chain attacks - third party suppliers are often targets to gain access to a larger organisation's network. These supply chain attacks can be highly sophisticated and difficult to detect, as they exploit the trust between an organisation and its third parties.
4. Regulatory compliance - data protection compliance requires transparency of any processing of data by a third party. An organisation should conduct due diligence on any third party suppliers. This information should also be communicated via privacy notices. The due diligence should be completed before engaging with any third party, and only necessary data should be shared.

As your data protection officer, we can conduct due diligence on a third party supplier on your behalf. Email dpo@dataprotection.education with the third party information.

Check our generic third party list for any completed due diligence:

Knowledge Bank Best Practice

Related best practice areas: