Security Guidance from Connect Childcare
In the news this week, you may have seen that the Government has published the first cybersecurity guidance specifically aimed at nurseries, pre-schools and childminders.
The National Cyber Security Centre (NCSC) — part of GCHQ — has produced practical advice for early years settings with tips on how to keep data and devices secure to protect themselves, children and families from cyber incidents.
In a world of increasing cyber threats, in quantity, complexity and variety, the role of security within IT is more important than ever. As a key provider of nursery management software, we at Connect Childcare, are committed to ensuring that all child data is protected against unauthorised disclosure or modification. Our dedicated Security and Infrastructure team have pulled together the below advice and checklist for our customers to use.
Advice for our Customers
As your business will be connecting to our infrastructure, we have a duty to ensure that all systems are as secure as possible. In addition to this, the implementation of data protection legislation (such as the GDPR and Data Protection Act 2018) has mandated the consideration of security when handling any personal data. This is especially important with regards to child data, due to the stricter controls the legislation has bought forward.
Use the checklist to audit your security processes. It will help in keeping security incidents or data breaches, from both sides to a minimum.
Security Baseline Checklist
Ensure your systems and data is stored in a physically secure area
If you are using hardware such as laptops, PC’s, tablets or even server infrastructure, ensure you are keeping these in a secure physical location. Laptops and PC’s can be physically secured using devices such as Kensington locks. Also, ensure your IT room is physically secure using locks and strong doors and managing who has access to it.
All endpoints and servers that deal with data have Anti-Virus running
Anti-Virus software is usually the last line of defence for your asset against malware/viruses so ensure that you are using one. Although they are not 100% foolproof, they can prevent the more common malware/viruses from entering. There is a number of reputable AV software available, both paid and free, that will work depending on your needs.
All assets are accounted for and tracked
One of the biggest reasons data breaches occur is due to untracked assets (e.g. laptops, tablets, USBs) with personal data stored on them. Therefore, it is an essential task that your business tracks these assets and they are reported lost/stolen as soon as possible so that remediation actions can be completed.
A clear policy on usage of removable media in respect to data
Following on from the previous point, one way you can completely avoid this is to forbid any storing of data on removable media such as USBs. Also, you may want to consider implementing a policy on what data can be stored on a laptop / PC hard drive (e.g. no personal data allowed).
Patching policy in place for all servers, tablets, systems and endpoints
Some of the common attacks used by cybercriminals are via unpatched systems such as unpatched laptops, tablets and servers. Patches usually contain fixes to security vulnerabilities that may be used by cybercriminals. It may be worth scheduling a ‘patching day’ with your IT team, where you bring systems down for a set time to update software or the operating systems e.g. Windows updates.
Encryption policy in place for all systems
If you require personal data stored in a physical location such as on laptops or servers, it may be worth encrypting the data held within to prevent unauthorised disclosure or modification. If a laptop with personal data goes missing and the laptop hard drive was encrypted, criminals will be unable to access the data without the encryption key.
Firewalls in place (whether soft or hard) on key assets
Firewalls can come either software or hardware-based but they essentially function the same way. They control network access to devices or servers with a configured set of rules. They are key components when securing any system. If you do not employ any firewalls, strongly consider using one (either soft or hard) and ensure you are consistently reviewing the rules on it. Speak to your IT team if you are unsure about this.
Security incident management/data breach management in place
Security incidents/data breaches are unfortunate occurrences but if managed properly, can provide essential information. Not only are they key requirements in data protection legislation, but they can also help pinpoint gaps where security can be weak.
All staff are adequately trained regarding security/data protection
The biggest weakness in any system is always human error, whether that be as a result of misconfiguration of systems or a staff member being duped by a phishing email. The training of your staff can reduce security incidents/data breaches dramatically. There are a number of free resources available online that can be leveraged for this.
Implement policies around account/password management
All accounts, especially with access to child data, should be assigned to a single user only. This is so that any actions completed by an account is tracked to a single user. If the account is being shared between people, it becomes difficult to track who is changing what. On a related note, ensure you are constantly reviewing which accounts are being used and if a staff member leaves your business, ensure that their account is removed or disabled.
Further Considerations
The above checklist is intended to be as simple as possible, securing data as efficiently as possible without too much effect on your business. However, they do not cover all areas and there is a breadth of information available on further fine-tuning of any system if you wish to protect your system further.
Security Baseline Checklist
We also have this checklist in PDF format so you can forward to your relevant colleagues.
