The Rose Learning Trust Cyber Resilience Programme
Background
The Rose Learning Trust is a multi-academy trust that has been established since 2016, spanning two local authorities in South Yorkshire and Lincolnshire.
As a trust we have always taken risk management seriously and are eager to address emerging threats to ensure that our schools are safe and the education of our pupils is uninterrupted. We were increasingly aware of schools being targeted by cyber-crime and we wanted to know if we were prepared for a cyber incident.
We recognised that good cyber security is essential to protect the school's ability to function whilst allowing us to use the opportunities that technology brought to our staff and pupils. With the increasing risk of cyber-attack to schools, and particularly multi-academy trusts, we began to view cyber security as an emerging factor central to trust health and resilience.
Problem
As a UK Multi Academy we looked internally to evaluate the current risks. We identified these as:
- There was a real cyber security risk to schools, especially MATs, as evidenced by the increasing number of cyber security incidents reported both internally and in the news.
- There was little trust attention given to specific cyber security risks within the trust Risk Register.
- The Board had minimal involvement with cyber security and risk mitigation.
- Cyber security CPD was minimal and not monitored centrally.
- Assurance reports to the board were not planned or systematic.
- Strategic action planning for cyber security had not yet been addressed and the trust lacked a cyber security specialist to support our journey forward.
- Existing trust policy covered GDPR, e-safety and IT acceptable use, but cyber security-specific policy was lacking.
We scoped our search for an educationally attuned service provider and found that Secure Schools was unique in that they were the only cyber security company that provided services and resources solely to education and claimed to be intuitive to the demands placed on the school. We decided to take their best value service and solutions and began working with them.
Secure Schools provided our solution by addressing the following:
- Worked with us to provide a baseline audit and gap analysis against a government-recognised cyber security risk management framework (combining IASME Governance, Cyber Essentials, NCSC guidance, Academies Financial Handbook and School Governors Handbook)
- Produced an informed implementation plan for aligning with recognised frameworks, including a prioritisation matrix highlighting quick wins that was clear, easy to interpret and free of cyber jargon.
- Provided us with technical cyber security assessments to measure the real risk level of cyberattack and inform risk assessments.
- Offered a range of resources and support to implement cyber security risk management at board-level as a standing agenda.
- Provided a sustainable programme that can continue autonomously.
- Provided independent assurance of the security measures implemented by IT service providers.
- Supported and re-defined our understanding of accountability and ownership of cyber security-specific risks, from the accounting officer, Board and staff to the IT provider.
Outcomes
The Trust has now embedded cyber security at board level. Termly cyber security posture reports that are easy to interpret from a range of contexts are provided for boards.
We have implemented the Secure Schools cyber security awareness training programme, which is school friendly, is accessed online and, through low-stakes quizzing, assures us of staff engagement, so we are confident that all our staff are trained.
The cyber security section of the trust risk register and risk management process is now comprehensive and compliant with IASME Governance. The trust has successfully achieved its Cyber Essentials certification and is also aligned with the IASME Governance Standard.
Next Steps
The Rose Trust plans to continue to use the process of external, annual reviews of progress and implement the new guidance through Secure Schools' provision. We also plan to complete the IASME Governance Gold Audited certification in the next academic year.
"All schools within our Multi Academy Trust use Secure Schools to ensure that they understand security risks, meet the IASME Governance information security standard which includes Cyber Essentials and comply with the GDPR as set by the ICO. They undertake cyber security internal audits, automated configuration checks and knowledge transfer by online training along with safe, controlled cyber-attack simulations. Secure Schools ensures that our schools are resilient to cyber threats by providing them with the essential cyber security training and tools. Also importantly to me - as DPO of our Multi Academy Trust - Secure Schools ensures that we are adhering to EU GDPR Article 32 - Security of processing."
Deborah Temperton, Chief Projects Officer at The Rose Learning Trust