The Independent Grammar School: Durham
IT PASSWORD POLICY (INCLUDING JCQ REQUIREMENTS)
1. Purpose
This policy sets out the standards for password creation, management, and security at The Independent Grammar School: Durham (IGS: Durham). It ensures that all users protect school systems, data, and examination materials in line with UK GDPR, the Data Protection Act 2018, the school’s Cyber Security Policy, and the Joint Council for Qualifications (JCQ) regulations for the secure management of examination materials.
2. Scope
This policy applies to:
• All staff (teaching, support, temporary, supply and peripatetic)
• All students
• Directors and volunteers with system access
• Any third party granted access to school systems
• All devices used to access school systems (school‑owned or personal)
3. Principles
• Passwords are a critical security control and must be kept confidential.
• Users are responsible for safeguarding their own credentials.
• Passwords must never be shared, written down, or stored insecurely.
• Additional controls apply to staff involved in the management of examinations, in line with JCQ requirements.
4. Password Requirements
4.1 Staff Password Requirements
All staff passwords must meet the following minimum standards:
• Minimum length: 12 characters
• Must include a mix of uppercase, lowercase, numbers, and symbols
• Must not contain personal information (names, birthdays, pets, etc.)
• Must not reuse passwords from other systems
• Must be changed immediately if compromised or suspected of being compromised
• Passwords must not be reused within the last 5 password cycles
Multi‑Factor Authentication (MFA)
• MFA is mandatory for all staff accounts accessing school systems, cloud services, or examination‑related platforms.
4.2 Student Password Requirements
Students must use passwords that meet the following standards:
• Minimum length: 8 characters
• Must include at least three of the following: uppercase, lowercase, numbers, symbols
• Must not share passwords with peers
• Students must report suspected compromise immediately
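As an added illustration (not code from the school or any of its systems), the following Python check encodes the staff and student rules from sections 4.1 and 4.2 together with the five-cycle reuse rule, keeping password history only as salted hashes rather than plain text. The role names, the personal-terms list, the small denylist and the PBKDF2 parameters are assumptions, not values taken from the policy.

```python
import hashlib
import hmac
import os
import re

# Rules transcribed from sections 4.1 (staff) and 4.2 (students).
RULES = {
    "staff":   {"min_len": 12, "min_classes": 4},
    "student": {"min_len": 8,  "min_classes": 3},
}
HISTORY_DEPTH = 5  # section 4.1: no reuse within the last 5 password cycles
COMMON_PASSWORDS = {"password123", "password"}  # assumed denylist; 6.1 cites "Password123"

CLASSES = (re.compile(r"[A-Z]"), re.compile(r"[a-z]"),
           re.compile(r"[0-9]"), re.compile(r"[^A-Za-z0-9]"))


def _hash(password, salt):
    # Assumed work factor; only hashes are ever kept, never the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def check_password(password, role, personal_terms=(), history=()):
    """Return a list of policy violations; an empty list means the password is acceptable.

    history: (salt, digest) pairs from record_password(), most recent first;
    only the last HISTORY_DEPTH entries are compared.
    """
    rule = RULES[role]
    problems = []
    if len(password) < rule["min_len"]:
        problems.append(f"shorter than {rule['min_len']} characters")
    classes = sum(1 for c in CLASSES if c.search(password))
    if classes < rule["min_classes"]:
        problems.append(f"uses {classes} character classes, needs {rule['min_classes']}")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("is a common or guessable password")
    lowered = password.lower()
    for term in personal_terms:  # names, birthdays, pets etc. supplied by the caller
        if len(term) >= 3 and term.lower() in lowered:
            problems.append(f"contains personal information ({term!r})")
    for salt, digest in list(history)[:HISTORY_DEPTH]:
        if hmac.compare_digest(_hash(password, salt), digest):
            problems.append(f"reused within the last {HISTORY_DEPTH} password cycles")
            break
    return problems


def record_password(password):
    """Hash a newly accepted password for the history list (never store it in plain text)."""
    salt = os.urandom(16)
    return salt, _hash(password, salt)
```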
5. JCQ‑Specific Requirements
JCQ regulations require strict control of access to examination materials, systems, and communications. To comply:
5.1 Access to Examination Systems
• Only authorised staff (e.g., Exams Officer, Head of Centre, designated invigilators) may access systems containing confidential exam materials.
Accounts used for JCQ‑related systems must have:
• Unique credentials (no shared accounts)
• Strong passwords meeting staff requirements
• Mandatory MFA
• Restricted permissions based on role
5.2 Secure Storage of Digital Examination Materials
• Passwords for systems storing or transferring exam materials must never be shared verbally, written down, or stored in email.
• Access logs must be monitored for unusual activity.
• Passwords must be changed immediately after any suspected breach.
5.3 Handling of Electronic Question Papers (EQPs)
Where applicable:
• EQPs must be downloaded only by authorised staff using secure, password‑protected systems.
• Devices used must be encrypted and password‑protected.
• Passwords for EQP access must not be disclosed to anyone other than the authorised user.
6. Password Management and Storage
6.1 Prohibited Practices
Users must not:
• Write passwords on paper or store them in unsecured notes
• Save passwords in browsers without encryption
• Share passwords with colleagues, students, or IT staff
• Use the same password for school and personal accounts
• Use simple or guessable passwords (e.g., “Password123”)
6.2 Approved Storage
• Staff may use the school‑approved password manager (not yet procured as of March 2026).
• Passwords must never be stored in plain text.
7. Password Reset Procedures
7.1 Staff
• Staff must contact IT Support for identity‑verified resets.
• IT Support must confirm identity using at least two verification methods (e.g., known mobile number, in‑person confirmation, security questions).
• Temporary passwords must:
  • Be unique
  • Expire on first login
  • Require immediate creation of a new password
7.2 Students
• Students may request resets via their form tutor or admin support.
• Temporary passwords must be changed immediately upon login.
8. Compromised Passwords
A password is considered compromised if:
• The user suspects someone else knows it
• The device used to access systems is lost or stolen
• Unusual account activity is detected
• A breach or attempted breach is identified
Actions:
• The user must report immediately to IT Support.
• IT will force a password reset and investigate.
• For JCQ‑related accounts, the Exams Officer and Head of Centre must be notified.
9. Monitoring and Compliance
• The IT Manager will conduct periodic audits of password strength, MFA compliance, and access logs.
• Non‑compliance may result in disciplinary action.
• JCQ compliance checks will be carried out before each exam series.
10. Review
This policy will be reviewed annually or sooner if:
• JCQ regulations change
• Cyber security guidance changes
• A security incident requires policy revision
Next review: no later than October 2027 (or earlier if any of the triggers listed above applies)
