The Independent Grammar School: Durham

Cyber Security Policy

1. Purpose

The Independent Grammar School: Durham (IGS: Durham) is committed to protecting its digital systems, safeguarding sensitive information, and ensuring the secure delivery of teaching, learning, and examinations. This policy sets out the standards and behaviours required to maintain a secure cyber environment and comply with statutory obligations including the Data Protection Act 2018, UK GDPR, NCSC guidance, and JCQ exam regulations.

2. Scope

This policy applies to:

·       All staff, students, directors, volunteers, contractors, and third‑party providers

·       All school‑owned devices, networks, cloud services, and digital platforms

·       Personal devices used for school purposes

·       All digital data, including student records, safeguarding information, exam materials, and operational data

3. Roles and Responsibilities

3.1 Principal

The Principal is Head of Centre and has overall responsibility for the implementation of this policy.

3.2 All Staff

·       Follow this policy and all related procedures

·       Protect passwords, devices, and sensitive data

·       Report suspicious activity immediately

3.3 Students

·       Use school systems responsibly

·       Follow digital safety rules and exam‑related cyber‑security requirements

·       Report concerns to a member of staff

4. Cyber Security Principles

4.1 Access Control

·       Strong passwords must be used on all accounts

·       Multi‑factor authentication (MFA) is required where available

·       Access to sensitive data is granted on a “least privilege” basis

·       Staff must lock screens when leaving devices unattended

4.2 Device Security

·       All school devices must use approved antivirus and endpoint protection

·       Personal devices used for school work must meet minimum security standards

·       Unauthorised software installations are prohibited

·       USB storage devices are restricted and encrypted where permitted

4.3 Network Security

·       The school network is monitored for unusual activity

·       Firewalls and filtering systems must remain active at all times

·       Remote access is permitted only through secure, approved methods

4.4 Data Protection

·       Sensitive data must be stored in secure, approved systems

·       Emailing personal or confidential data must use encryption or secure transfer

·       Data must not be stored on unencrypted personal devices

·       Staff must follow the school’s Data Protection Policy

5. Cyber Security in Examinations (JCQ‑Aligned)

5.1 Secure Storage of Digital Exam Materials

·       Digital exam papers, audio files, and computer‑based assessments must be stored in encrypted, access‑restricted locations

·       Only authorised exam officers and designated staff may access digital exam content

·       Downloading exam materials onto personal devices is strictly prohibited

5.2 Computer‑Based Examinations

·       Exam workstations must be isolated from the internet unless explicitly permitted by the awarding body

·       Devices must be checked for malware, unauthorised software, and connectivity risks before each exam session

·       Students must use school‑provided accounts configured for exam conditions

·       Auto‑save and secure backup systems must be enabled to prevent data loss

5.3 Preventing Malpractice

·       Students must not access messaging apps, cloud storage, or unauthorised software during exams

·       Staff must ensure no digital devices (phones, smartwatches, earbuds) are brought into exam rooms

·       Any attempt to access restricted materials or communicate digitally during exams will be treated as malpractice

5.4 Handling Exam Scripts and Files

·       Digital scripts must be uploaded using secure awarding‑body portals

·       Staff must not store exam scripts on personal devices or email accounts

·       All digital exam files must be deleted securely after submission

5.5 Cyber‑Security During Exam Emergencies

In the event of:

·       Network failure

·       Device malfunction

·       Cyber‑attack

·       Power outage

The Exams Officer will implement the Exam Contingency Plan, ensuring:

·       Immediate safeguarding of student work

·       Secure transfer or recovery of files

·       Communication with awarding bodies

6. Staff Training and Awareness

All staff must complete annual cyber‑security training covering:

·       Phishing and social engineering

·       Password hygiene

·       Safe data handling

·       Secure exam administration

·       Incident reporting procedures

7. Incident Reporting and Response

7.1 Reporting

All suspected cyber incidents must be reported immediately to the Head of Centre, including:

·       Phishing attempts

·       Unauthorised access

·       Lost or stolen devices

·       Malware infections

·       Exam‑related digital breaches

7.2 Response

The school will:

·       Contain the incident

·       Preserve evidence

·       Notify affected individuals where required

·       Report to external agencies (e.g., ICO, Police) when appropriate

·       Review and strengthen controls

8. Third‑Party Services and Cloud Platforms

·       Only approved platforms may be used for storing or processing school data

·       Contracts must include data‑processing and breach‑notification clauses

9. Monitoring and Review

·       The school monitors network activity, system logs, and security alerts

·       This policy is reviewed annually or following a significant incident

·       Findings from audits or incidents will inform future improvements

10. Related Policies

·       Data Protection Policy

·       Online Safety Policy

·       Exam Contingency Plan

·       Safeguarding and Child Protection Policy

·       Mobile Phone Policy


IGS: Durham

March 2026 (next review following 2026 exam series)