
Hi, my name is Mark and I’ve worked in IT for almost 20 years. I’ve worked in both the private and public sectors. I have worked in education for the last 15 years. I have written for The Independent about cyber security and VPNs. I have also written the Windows 11 Ultimate Guide, published by Leaf Publishing. You can find me writing over on Medium @m.oldham about tech, or on LinkedIn (Mark Oldham | LinkedIn).

Did you know that the Cyber Security Breaches Survey 2023 reports that six in ten of the higher education institutions that identified any breaches or attacks report losing money or data, or having compromised accounts used for illicit purposes?

Also from the same survey, over three quarters (78%) of UK schools have experienced at least one type of cyber-incident.

Introduction

Purpose

This playbook is designed to update the cybersecurity posture of UK educational institutions to align with the Cyber Assessment Framework (CAF). The objective is to establish an environment that robustly supports the institution's pedagogical and research endeavours. The guidance within these pages is structured to steer the crafting, enactment, and maintenance of cybersecurity measures. These measures are not only defensive against extant cyber threats but are also adaptable to counter future vulnerabilities.

Scope

The remit of this playbook extends across the digital infrastructure of educational institutions, which incorporates:

• The network infrastructure, embracing both the wired and wireless configurations that facilitate connectivity across the campus.
• The computing devices, spanning the spectrum from centralised servers and desktop computers to portable laptops and the smartphones of teaching staff and students.
• Data in various forms, whether it's personal information of the students and staff, academic research, or the intellectual property of the institution.
• User interactions that span across email, learning management systems, and other communication platforms.

The strategies and actions within this playbook take into account the diversity of technology use within the educational sector, addressing the unique vulnerabilities and requirements of these environments.

Audience

This playbook is tailored for a varied audience within the educational sector. The primary users include:

• IT Staff: Who will implement and oversee the cybersecurity infrastructure, respond to incidents, and ensure ongoing compliance with the CAF.
• Educators: Who require an understanding of best practices for cybersecurity to not only protect their digital resources but also to educate their students on good practices.
• Administrative Personnel: Who manage sensitive information and need to understand their role in maintaining the institution’s cybersecurity posture.

Managing Security Risk

Governance

The foundation of effective cybersecurity in educational settings is a well-structured governance model. Schools and colleges should establish a hierarchy of roles and responsibilities that are clearly defined and communicated across the institution. This structure should:

• Identify a cybersecurity leader, responsible for the overall strategy and enforcement of cybersecurity policies.
• Define specific roles for staff members who will handle routine cybersecurity tasks, incident response, and compliance with data protection laws.
• Set up a governance committee that includes representatives from IT, administration, and teaching staff to ensure a multi-disciplinary approach to cybersecurity decisions and policies.

This governance model should be documented and made accessible to all staff members to ensure a clear understanding of their roles in upholding the institution's cybersecurity.

Asset Management

A comprehensive asset management system is crucial for safeguarding the digital resources of an educational institution. This system should:

• Catalogue every digital asset, from hardware like
servers and laptops to software applications and the
data they process.
• Maintain records of where these assets are located,
who has access to them, and the security measures in
place.
• Classify assets based on their sensitivity and value to
the institution, prioritising them accordingly for risk
management purposes.
• Use a consistent tagging system for assets to aid in
tracking and managing them throughout their
lifecycle.

Regular updates and audits of the asset inventory are necessary to ensure that new assets are accounted for and decommissioned assets are removed.

Risk Management

Developing a risk management protocol tailored to the unique environment of the educational sector involves:

• Conducting thorough risk assessments to identify potential vulnerabilities in the handling of student data, research materials, and intellectual property.
• Understanding the specific cybersecurity threats that educational institutions face, such as phishing attacks aimed at stealing credentials or ransomware that could lock down essential teaching materials.
• Implementing mitigation strategies for identified risks, such as encryption for sensitive data, access controls for research materials, and anti-malware defences for endpoints.
• Regularly reviewing and updating the risk management plan to adapt to new threats, changes in the institution's digital assets, or shifts in regulatory requirements.

Policy and Process

Crafting comprehensive policies and procedures that underpin the institution's cybersecurity measures is vital. These policies should:

• Reflect a balance between the open nature of educational institutions and the need to protect against cyber threats.
• Be clear, concise, and accessible, ensuring that all members of the institution understand their responsibilities regarding cybersecurity.
• Include acceptable use policies for technology and internet use, outlining the do's and don'ts for staff and students.
• Establish protocols for updating and reviewing the cybersecurity policies regularly, ensuring they remain relevant in the face of new threats.

The procedures should guide the practical implementation of these policies, providing step-by-step instructions for everyday cybersecurity tasks and responses to different types of cyber incidents.

Identity and Access Control

An effective identity and access management (IAM) system must:

• Cater to the diverse user base of an educational institution, including students, faculty, and external partners.
• Ensure that users have access only to the resources necessary for their roles, applying the principle of least privilege.
• Manage user identities from initial account creation, through role changes, to eventual account deactivation.
• Integrate multi-factor authentication (MFA) to bolster the security of user credentials.

This IAM system should be regularly audited to ensure that access rights remain aligned with users' current roles and responsibilities.

Data Security

Implementing robust data security measures includes:

• Encrypting sensitive data to protect it from unauthorised access.
• Applying access controls to ensure that only authorised individuals can view or manipulate sensitive data.
• Conducting regular audits and data security assessments to identify potential vulnerabilities and to ensure compliance with data protection laws like the UK GDPR.
• Establishing clear protocols for data handling, storage, and sharing, including guidelines on how to safely use cloud services.

A robust data security strategy will also include incident response plans specifically for data breaches, ensuring a quick and coordinated response to mitigate any damage.

System Security

Maintaining the security of the institution’s systems and networks involves:

• Implementing firewalls, intrusion detection systems (IDS), and intrusion prevention systems (IPS) to monitor and protect network traffic.
• Ensuring that all systems, not just desktops and laptops, are regularly updated with the latest security patches and software updates.
• Employing endpoint protection to safeguard against malware and other malicious software.
• Providing secure, virtual learning environments that allow students and staff to access resources remotely without compromising security.

System security should be seen as an ongoing process, with continuous monitoring, assessment, and enhancement to keep pace with evolving cyber threats. This ensures that the institution can maintain its educational objectives while protecting its digital resources.

Detecting Cyber Security Events

Security Monitoring

A robust security monitoring strategy is critical for UK educational institutions to detect and manage cyber threats effectively. This strategy includes:

Deployment of Advanced Monitoring Tools:

• Use monitoring solutions that provide real-time surveillance of the institution’s network, detecting potential cyber threats as they emerge.
• Ensure these systems have the capability to perform deep packet inspection and behavioural analysis to identify suspicious activities.

Configuration and Customisation:

• Tailor the monitoring tools to understand the difference between normal educational-related network activities and potential cyber threats.
• Regularly refine the configuration to prevent an overload of false positive alerts, which can lead to critical alerts being overlooked.

Privacy and Compliance:

• Align monitoring activities with UK data protection laws, specifically the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act.
• Develop clear policies on data handling and ensure these are communicated to all network users to maintain transparency.

Staff Training and Awareness:

• Conduct regular training sessions for IT staff to recognise the early indicators of cybersecurity incidents.
• Develop clear procedures for staff to follow when a potential security event is detected, ensuring a prompt and coordinated response.

Regular Reviews and Testing:

• Schedule periodic reviews of the security monitoring strategy to assess its effectiveness and ensure it evolves in line with emerging cyber threats.
• Conduct mock drills and simulations to test the institution’s response to different cyber threat scenarios.

Minimising the Impact of Cyber Security Incidents

Response and Recovery Planning

It's crucial for UK schools and colleges to have a comprehensive response and recovery plan that minimises the impact of cyber security incidents on educational activities. This plan should:

Outline Specific Response Protocols:

• Detail actions to be taken in the event of various cyber incidents, from data breaches to malware infections.
• Include clear lines of communication and establish roles for response team members to ensure coordinated action.

Prioritise Educational Continuity:

• Develop contingency plans that enable teaching and learning to continue with minimal interruption, such as through alternative online platforms if physical systems are compromised.
• Ensure that backup systems are in place and can be quickly activated to restore access to critical educational materials and platforms.

Regular Updates and Testing:

• Keep the plan up-to-date with the latest threats and recovery techniques, ensuring all protocols are still relevant and effective.
• Test the plan regularly through drills and simulations, adapting it based on the outcomes of these exercises.

Incident Response

For incident response, UK educational institutions need to:

Establish a Tiered Response Framework:

• Create a structured response framework that categorises incidents by severity and dictates the response accordingly.
• Include checklists and flowcharts to help response teams navigate the steps required for each incident type.

Quick Incident Classification and Escalation:

• Implement procedures for the rapid assessment and classification of incidents to ensure swift action.
• Detail escalation paths for incidents that exceed the in-house team's capabilities or require notification of authorities.

Communication Strategy:

• Develop a communication strategy that includes templates and protocols for notifying affected parties and external stakeholders.
• Train staff in the importance of maintaining clear and controlled messaging during an incident to avoid panic and misinformation.

Lessons Learned after an incident

Post-incident reviews are vital to the improvement of security posture. The process should:

Document and Analyse Incidents:

• Thoroughly document all incidents and conduct post-incident reviews to extract lessons learned.
• Analyse both the technical aspects and the human factors involved in the incident.

Update Policies and Training:

• Use the findings from incident reviews to update policies, procedures, and security measures.
• Incorporate lessons learned into regular training sessions for staff, improving their ability to prevent and respond to future incidents.

Continuous Improvement Loop:

• Establish a continuous improvement loop where the insights from reviews lead to strengthened security measures and better preparedness.
• Engage with broader educational and security communities to share knowledge and learn from the experiences of others.

Performance Review: In UK schools and colleges, a structured approach to reviewing cybersecurity performance is essential to maintain alignment with educational objectives and legal compliance.

Establish Review Cycles: Set up regular intervals for reviewing cybersecurity measures. These should be frequent enough to keep pace with the rapid evolution of cyber threats but also allow for meaningful data collection between reviews.

Benchmarking and Metrics: Define clear metrics and benchmarks for performance reviews. Metrics may include incident response times, user compliance with security policies, and the number of detected threats that were successfully neutralised.

Stakeholder Feedback: Gather and incorporate feedback from all stakeholders, including staff, student council, and third parties, to gain a comprehensive view of the cybersecurity posture and its impact on the educational environment.

Educational Objectives Alignment: Ensure that cybersecurity measures support educational objectives. For instance, security protocols should not unduly restrict access to learning materials or impede research activities.

Technology and Threat Review: Stay up to date with emerging technologies and evolving threats by incorporating threat intelligence reports and industry news into the review process.

Reporting and Documentation: Maintain detailed records of performance reviews, including findings and recommendations. This documentation will support accountability and trace the evolution of the cybersecurity strategy.

Improvement Plan: An improvement plan is a living document that outlines strategies for enhancing cybersecurity measures in response to insights gained from performance reviews and changes in the cyber threat landscape.

Actionable Insights: Translate findings from performance reviews into actionable insights. Each insight should be accompanied by a set of proposed actions, responsible parties, and timelines.

Risk Management Enhancements: Update risk management strategies to address new threats or vulnerabilities identified during performance reviews. This might include adopting new security technologies or revising existing protocols.

Policy Updates: Modify policies and procedures to reflect lessons learned. This can involve changing password policies, updating access controls, or introducing new data handling practices.

Training and Awareness Programmes: Use insights from performance reviews to update training programmes, ensuring they address current threats and compliance requirements effectively.

Feedback Loop: Establish a feedback loop where the effectiveness of implemented improvements is monitored and fed back into the next cycle of performance review.

Technology Investments: Based on the reviews, identify areas
where investment in new technologies or infrastructure
upgrades is needed to bolster the institution’s cybersecurity
defences. Consider implementing a rolling 5-year ICT plan.

Continuous Monitoring and Adjustment: Regularly monitor the implementation of the improvement plan and adjust as necessary to ensure it remains relevant and effective.

Operational Procedures: Documented operational procedures are vital to ensure a coordinated response to cyber incidents, with a focus on maintaining the continuity of educational services.

Incident Identification and Assessment: Provide clear guidelines for the identification and initial assessment of a cyber incident. This includes establishing criteria for what constitutes an incident and thresholds for escalation.

Incident Response Team: Detail the composition of the incident response team, including roles and responsibilities. Ensure that team members are trained and prepared to act according to the operational procedures.

Communication Protocols: Develop communication protocols that detail how to inform internal and external stakeholders during an incident. This should include predefined templates for notifications and updates.

Containment Strategies: Provide step-by-step containment strategies to limit the spread and impact of a cyber incident. This may involve isolating affected systems, revoking access, or restoring from back-ups.

Recovery Plans: Include plans for the recovery of services and
systems following an incident. This could involve restoring
from backups, rebuilding systems, and verifying the integrity
of data.

Business Continuity: Ensure that operational procedures account for business continuity, enabling educational activities to proceed using alternative means if necessary.

Post-Incident Analysis: After an incident, follow a structured process to analyse what happened, what was done to respond, and what can be improved. Document these findings and use them to update the response playbook.

Regular Drills and Simulations: Schedule regular drills and simulation exercises to test the operational procedures. Adjust the procedures based on the outcomes of these tests to improve readiness.

Ransomware example:

Scenario: A school discovers it’s been hit with ransomware; the phone lines are down, and it cannot access the internet or any data.

The response is organised by phase, with the actions taken in each phase and a description of each:

Immediate Response

Incident Identification and Communication: The IT team identifies ransomware indicators (encrypted files and service outages). The communication plan is activated, alerting staff, educators, and administrators through alternative channels since email and phones are compromised.

Containment: Systems are isolated from the network to stop the ransomware spread, safeguarding unaffected areas and backup systems.

Activation of the Recovery Plan: The pre-defined playbook recovery strategies are initiated to maintain educational operations in an offline mode where possible. The school has policies in place for the loss of phones and internet.

Assessment and Mitigation

Damage Assessment: The IT team evaluates the scope of the attack, determining which data and systems are affected and how school operations are impacted.

Legal and Regulatory Compliance: The school informs the Information Commissioner’s Office (ICO) within the mandated 72-hour window about the data breach under GDPR regulations.

Engaging with Authorities: Law enforcement and the National Cyber Security Centre (NCSC) are contacted for assistance, following the playbook’s emergency procedures.

Communicating with Stakeholders: Students, parents, and staff receive regular updates through unaffected channels like social media or physical notices.

Recovery and Business Continuity

System Restoration: Following the playbook’s guidance, the IT team begins restoring services from backups, especially cloud backups, which remain uninfected thanks to the 3-2-1 backup strategy.

Business Continuity: The school implements its business continuity measures, which could include using paper records or relocating classes.

Forensic Analysis: A detailed investigation uncovers the attack vector, frequently found to be a phishing email that led to account compromise.

Long-term Response and Adaptation

Review and Lessons Learned: The IT team conducts an exhaustive review to document the incident’s timeline, response effectiveness, and improvement areas.

Policy and Training Updates: Cybersecurity policies are revised to strengthen defences, informed by the insights gained during the incident.

Root Cause Analysis: A deep dive into the incident helps pinpoint exactly how the breach occurred, focusing on enhancing protections against similar attack vectors.

Staff and Student Training: An educational programme is rolled out, heightening awareness around cybersecurity, particularly in recognising and reporting phishing.
Microsoft and Google products for cyber security

Microsoft:

Governance: Microsoft 365 Compliance Center provides a centralised location to view and manage compliance and risk management data, simplifying compliance tasks and reducing risk.

Asset Management: Microsoft Intune allows for comprehensive mobile device and application management, helping institutions maintain an inventory of all devices and applications in use.

Risk Management: Microsoft’s Compliance Manager helps organisations simplify compliance and reduce risk by providing risk assessments, actionable insights, and a compliance score.

Policy and Process: Microsoft 365 includes Advanced Data Governance, which uses machine learning to help organisations find and retain important data while eliminating redundant, obsolete, and trivial data.

Identity and Access Control: Azure Active Directory provides identity and access management solutions, ensuring that only authorised individuals can access your institution’s resources.

Data Security: Microsoft Information Protection helps ensure that sensitive data is protected no matter where it lives or travels.

System Security: Microsoft Defender for Endpoint offers
preventative protection, post-breach detection, automated
investigation, and response capabilities.

Security Monitoring: Microsoft 365’s Advanced Threat Protection offers rich reporting and URL trace capabilities that give admins insight into the kind of attacks happening in your organisation.

Anomaly Detection: Azure Sentinel is a scalable, cloud-native security information and event management (SIEM) and security orchestration, automation and response (SOAR) solution that detects threats across the institution.

Incident Response: Microsoft 365 includes an incident response dashboard and automated investigation capabilities to help institutions respond swiftly and efficiently to threats.

Admin Portal: The Microsoft 365 Admin Portal allows administrators to manage users, devices, and data in one place. It provides a centralised location to view and manage compliance and risk management data.

Identity and Access Management (IAM): Microsoft Azure Active Directory provides identity and access management solutions, ensuring that only authorised individuals can access your institution’s resources.

Microsoft Intune: Allows for comprehensive mobile device and application management, helping institutions maintain an inventory of all devices and applications in use.

Privileged Access Management (PAM): Microsoft’s Privileged Identity Management (PIM) is a service in Azure Active Directory (Azure AD) that enables you to manage, control, and monitor access to important resources in your organisation.

Secure Score: Microsoft Secure Score is a measurement of an organisation’s security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft 365 Defender portal.

Secure Score helps organisations to gain a deeper understanding of, and improve, their security position against any possible threats.

Google:

Governance: Google Workspace offers a Security Centre that provides a centralised location to view and manage compliance and risk management data, simplifying compliance tasks and reducing risk.

Asset Management: Google Workspace has Mobile Management which allows for comprehensive mobile device and application management, helping institutions maintain an inventory of all devices and applications in use.

Risk Management: Google Cloud provides Risk Manager which helps you understand and act on your cloud risks.

Policy and Process: Google Workspace includes Data Loss Prevention (DLP) for Gmail and Google Drive.

Identity and Access Control: Google Cloud offers Identity and Access Management (IAM) which lets you authorise who can take action on specific resources.

Data Security: Google Cloud provides Data Loss Prevention (DLP) which helps you manage sensitive data.

System Security: Google Workspace offers Advanced Protection Program which provides Google's strongest security for those who are at an elevated risk of attack.

Security Monitoring: Google Cloud's Security Command Centre provides security and data risk insights for Google Cloud resources.

Anomaly Detection: Google Cloud's Security Command
Centre helps identify anomalies and maintain insights across
your Google Cloud resources.

Incident Response: Google Cloud's Incident Response Guide provides best practices and procedures for responding to security incidents.

Admin Portal: Google Workspace has an Admin Console which provides a single place to manage all your Google services.

Identity and Access Management (IAM): Google Cloud offers Identity and Access Management (IAM) which lets you authorise who can take action on specific resources.

Privileged Access Management (PAM): Google Cloud provides Access Context Manager which allows you to define fine-grained, attribute-based access control for projects and resources.

Security Health: Google Workspace has a Security Health page in the security centre that provides a security health analysis and recommendations to improve security.
