GovWire

Cyber security standards for schools and colleges

Department For Education

10 October 2022, 10:00

The importance of meeting the standard

Properly configured firewalls prevent many attacks. They also make scanning for suitable hacking targets much harder.

How to meet the standard

Ask your IT service provider to set up your devices to meet the standards described in the technical requirements.

Agree with your IT service provider a system for monitoring logs and documenting decisions made on inbound traffic.

Your IT service provider may be a staff technician or an external service provider.

Remember that this standard may change over time with changing cyber threats.

You are free to choose any suitable firewall.

Technical requirements to meet the standard

To meet this standard you must:

  • protect every device with a correctly configured boundary, or software firewall, or a device that performs the same function
  • change the default administrator password, or disable remote access on each firewall
  • protect access to the firewall's administrative interface with multi-factor authentication (MFA), or a small specified IP-allow list combined with a managed password, or prevent access from the internet entirely
  • keep firewall firmware up to date
  • check monitoring logs as they can be useful in detecting suspicious activity
  • block inbound unauthenticated connections by default
  • document reasons why particular inbound traffic has been permitted through the firewall
  • review reasons why particular inbound traffic has been permitted through the firewall often, and change the rules when access is no longer needed
  • enable a software firewall for devices used on untrusted networks, like public wi-fi
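
One way to check a firewall rule register against the default-deny, documentation and review requirements above, as an added example that is not part of the DfE standard. The register fields, the sample rules and the 90-day review interval are assumptions; the standard only says that reviews should happen often.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

REVIEW_INTERVAL_DAYS = 90  # assumption: the standard says "often", not a number


@dataclass
class InboundRule:
    name: str
    action: str                    # "allow" or "deny"
    source: str                    # CIDR range or "any"
    port: Optional[int]            # None means all ports
    reason: str = ""               # documented justification for the rule
    last_reviewed: Optional[date] = None


def audit_register(rules, default_action, today):
    """Return (rule name, finding) pairs for an inbound rule register."""
    findings = []
    if default_action != "deny":
        findings.append(("<default>", "inbound default is not deny"))
    for r in rules:
        if r.action != "allow":
            continue  # only permitted inbound traffic needs a justification
        if not r.reason.strip():
            findings.append((r.name, "no documented reason"))
        if r.last_reviewed is None:
            findings.append((r.name, "never reviewed"))
        elif (today - r.last_reviewed).days > REVIEW_INTERVAL_DAYS:
            findings.append((r.name, "review overdue"))
        if r.source == "any" and r.port is None:
            findings.append((r.name, "allows all inbound traffic"))
    return findings


# Constructed sample register (hypothetical rules, not from the standard).
SAMPLE_RULES = [
    InboundRule("mis-vendor-support", "allow", "203.0.113.0/28", 443,
                "Vendor support for MIS, agreed with provider", date(2022, 9, 1)),
    InboundRule("old-cctv-portal", "allow", "any", 8080, "", date(2021, 3, 14)),
    InboundRule("temp-test", "allow", "any", None, "Testing", None),
]

if __name__ == "__main__":
    for name, finding in audit_register(SAMPLE_RULES, "deny", date(2022, 10, 10)):
        print(f"{name}: {finding}")
```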

Dependencies to the standard

See our broadband internet standards.

When to meet the standard

You should already be meeting this standard for the security of your networks. If you are not already meeting this standard you should make it a priority to review each device in your network.

Network devices should be known and recorded with their security features enabled, correctly configured and kept up-to-date

The importance of meeting the standard

Security systems are sometimes disabled to make very marginal improvements to user experience. This is an unjustifiable risk calculation in most circumstances.

Attackers scan for and exploit devices where the security features are not enabled. Using the security features that devices already have is the most basic form of cyber security.

Attackers who gain physical access to a network device can exploit a system much more easily, so this should be prevented.

Recording network devices helps schools keep networks up-to-date and speeds up recovery.

How to meet the standard

Network devices include routers, switches, access points, servers and similar items.

Ask your IT service provider to record and set up your devices and boot up systems to meet the technical requirements.

Agree with your IT service provider a system for recording and reviewing decisions made about network security features.

Your IT service provider may be a staff technician or an external service provider.

Remember that this standard may change over time with changing cyber threats.

The National Cyber Security Centre has published guidance on:

Technical requirements to meet the standard

To meet this standard you must:

  • keep a register, list, or diagram of all the network devices
  • avoid leaving network devices in unlocked or unattended locations
  • remove or disable unused user accounts, including guest and unused administrator accounts
  • change default device passwords
  • require authentication for users to access sensitive school data or network data
  • remove or disable all unnecessary software according to your organisational need
  • disable any auto-run features that allow file execution
  • set up filtering and monitoring services to work with the network's security features enabled
  • immediately change passwords which have been compromised or are suspected of compromise
  • protect against a brute-force attack on all passwords by allowing no more than 10 guesses in 5 minutes, or locking devices after no more than 10 unsuccessful attempts

If network devices have conflicting security features, document the decisions you make on which security features have been enabled or disabled on your network. Review this document when you change these decisions.

To physically access switches and boot-up settings use a password or PIN of at least 6 characters. The password or PIN must only be used to access this device.

For all other devices, you must enforce password strength at the system level. If you use a deny list for automatic blocking of common passwords, use a password with at least 8 characters. If you do not use a deny list, use a password with at least 12 characters or a biometric test.
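
The brute-force limit from the technical requirements (no more than 10 guesses in 5 minutes) and the system-level password length rule above, sketched as an added example that is not part of the DfE standard. The function and class names and the sample deny list are assumptions; the biometric option and the 6-character PIN for switches are not modelled.

```python
import time
from collections import defaultdict, deque

MAX_GUESSES = 10          # from the standard: no more than 10 guesses...
WINDOW_SECONDS = 5 * 60   # ...in 5 minutes
MIN_LEN_WITH_DENY_LIST = 8
MIN_LEN_WITHOUT_DENY_LIST = 12

# Constructed sample; a real deny list would hold many thousands of entries.
SAMPLE_DENY_LIST = {"password", "password1", "12345678", "qwertyuiop", "letmein123"}


def password_acceptable(candidate, deny_list=None):
    """Apply the length rule that matches whether a deny list is in use."""
    if deny_list is None:
        return len(candidate) >= MIN_LEN_WITHOUT_DENY_LIST
    if candidate.lower() in deny_list:
        return False
    return len(candidate) >= MIN_LEN_WITH_DENY_LIST


class GuessThrottle:
    """Sliding-window limiter: at most MAX_GUESSES per account per window."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._attempts = defaultdict(deque)   # account -> attempt timestamps

    def allow_attempt(self, account):
        now = self._clock()
        attempts = self._attempts[account]
        # Drop attempts that have aged out of the 5-minute window.
        while attempts and now - attempts[0] >= WINDOW_SECONDS:
            attempts.popleft()
        if len(attempts) >= MAX_GUESSES:
            return False                      # refuse before checking the password
        attempts.append(now)
        return True

    def reset(self, account):
        """Call after a successful login so old failures stop counting."""
        self._attempts.pop(account, None)
```

Call `allow_attempt` before verifying each submitted password and reject the login outright when it returns `False`.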

Password manager software is recommended.

The National Cyber Security Centre provides detailed guidance on:

Dependencies to the standard

See our standards on network switching.

When to meet the standard

You should already be meeting this standard.

Accounts should only have the access they require to perform their role and should be authenticated to access data and services

The importance of meeting the standard

Successful cyber attacks target user accounts with the widest access and highest privileges on a network.

You must limit the numbers and access of network and global administrative accounts.

If you prevent and limit the compromise of these accounts you prevent and limit successful cyber attacks.

How to meet the standard

Ask your IT service provider or network manager to set up accounts to meet the technical requirements. If a single staff member controls account access, another senior school staff member or governor should approve that staff member's own account.

There must be a user account creation, approval and removal process. You should make this part of school joining and leaving protocols.

Your IT service provider may be a
