Recent changes to Ofsted covering online safety provision in schools place the emphasis on allowing pupils to access online services and on ensuring that, when doing so, they are safe from cyber threats. In turn, this means that during an inspection, Ofsted will examine how the school protects and educates not only pupils but also staff in their use of technology, and what measures are in place to intervene and support in the event of an incident or cyber breach.
Many schools will have effective policies and systems in place, but those that don’t will have to revise their priorities to make sure online safety is top of the agenda – parents need to be reassured that their children are safe and confident when they access internet and email services during school time.
The new Ofsted Common Inspection Framework (CIF) details changes to online safety. The first point emerging from this is realising that ‘Online Safety’ replaces the term e-Safety – a fundamental shift reflecting a widening range of issues associated with technology and users’ access to content, their contact with others and behavioural issues when online. The term cyber bullying has also gone, to be replaced with ‘Online Bullying’.
Online Safety references are no longer simply statements that are inserted, but now occupy significant areas of the new ‘Inspecting safeguarding in Early Years, education and skills settings’ guidance. Ofsted highlights that ‘online safety’ is one of the broader aspects of care and education as “safeguarding is not just about protecting children, learners and vulnerable adults from deliberate harm, neglect and failure to act”.
This highlights clearly that online safety has rapidly moved on and is now an increasing priority for inspectors, reflecting the new social and technological mores of the 21st century classroom – an edifying, modern e-Learning environment populated with an array of sophisticated technology and BYOD devices. And this is exactly where it should be; shifting the emphasis away from online safety being an IT-only issue to one that all involved in the school have responsibility for.
We are increasingly seeing schools migrating to powerful enterprise-grade networks to ensure they have the capability and capacity to run the new high-performance technologies used by pupils. However, keeping school networks safe and secure is a complex challenge, presenting new risks and threats almost on a daily basis. New initiatives such as bring your own device (BYOD), where personally owned devices such as smartphones and tablets are allowed to connect to a school’s network, can provide many benefits, but can create a plethora of security issues and incidents if not implemented properly.
There are a number of issues for schools to think about, but good network security depends not only on technical measures but also on having the appropriate policies and procedures in place, along with staff who understand the issues at hand and possess a reasonable degree of understanding and competency. It is important to consider the physical security of network equipment (facilities and buildings) alongside mobile device security and management – encryption of sensitive data, antivirus to prevent the spread of malicious code and software.
Consider also network and internet security and press your provider about connectivity options. For instance, what network-level monitoring is in place to detect malicious software such as viruses, worms and Trojans that can exploit vulnerabilities in a user’s operating system and/or other software?
What measures are in place to protect the school’s network from intrusion and attack? And how and when will the security and configuration of network equipment (for example, switches, routers, firewalls) be reviewed and maintained? Security features, service levels and management requirements of all network services should be identified and included in any network services agreement, whether they are provided in-house or outsourced.
Check where responsibility for network administration resides; effective network management and control should ensure the security of information in networks and the protection of connected services from unauthorised access. Consider also what support is provided for user and account management.
Authentication and password policies will need to be developed and maintained locally if not selected as part of an RBC- or local authority-provided service. Filtering and monitoring to protect against malicious or undesirable web and email content (drive-by downloads, spam, phishing attacks) will also need to be available.