Cyber Security

Purpose

The Independent Grammar School: Durham (IGS: Durham) is committed to protecting its digital systems, safeguarding sensitive information, and ensuring the secure delivery of teaching, learning, and examinations. This policy sets out the standards and behaviours required to maintain a secure cyber environment and comply with statutory obligations including the Data Protection Act 2018, UK GDPR, NCSC guidance, and JCQ exam regulations.



Scope 

This policy applies to: 


  • All staff, students, directors, volunteers, contractors, and third‑party providers

  • All school‑owned devices, networks, cloud services, and digital platforms

  • Personal devices used for school purposes 

  • All digital data, including student records, safeguarding information, exam materials, and operational data



Roles and Responsibilities


  • Principal

      The Principal is Head of Centre and has overall responsibility for the implementation of this policy.


  • All Staff

      • Follow this policy and all related procedures

      • Protect passwords, devices, and sensitive data

      • Report suspicious activity immediately


  • Students

      • Use school systems responsibly

      • Follow digital safety rules and exam‑related cyber‑security requirements

      • Report concerns to a member of staff



Cyber Security Principles


  • Access Control

      • Strong passwords must be used on all accounts

      • Multi‑factor authentication (MFA) is required where available

      • Access to sensitive data is granted on a “least privilege” basis

      • Staff must lock screens when leaving devices unattended


  • Device Security

      • All school devices must use approved antivirus and endpoint protection

      • Personal devices used for school work must meet minimum security standards

      • Unauthorised software installations are prohibited

      • USB storage devices are restricted and encrypted where permitted


  • Network Security

      • The school network is monitored for unusual activity

      • Firewalls and filtering systems must remain active at all times

      • Remote access is permitted only through secure, approved methods


  • Data Protection

      • Sensitive data must be stored in secure, approved systems

      • Emailing personal or confidential data must use encryption or secure transfer

      • Data must not be stored on unencrypted personal devices

      • Staff must follow the school’s Data Protection Policy



Cyber Security in Examinations (JCQ‑Aligned)


  • Secure Storage of Digital Exam Materials

      • Digital exam papers, audio files, and computer‑based assessments must be stored in encrypted, access‑restricted locations

      • Only authorised exam officers and designated staff may access digital exam content

      • Downloading exam materials onto personal devices is strictly prohibited


  • Computer‑Based Examinations

      • Exam workstations must be isolated from the internet unless explicitly permitted by the awarding body

      • Devices must be checked for malware, unauthorised software, and connectivity risks before each exam session

      • Students must use school‑provided accounts configured for exam conditions

      • Auto‑save and secure backup systems must be enabled to prevent data loss


  • Preventing Malpractice

      • Students must not access messaging apps, cloud storage, or unauthorised software during exams

      • Staff must ensure no digital devices (phones, smartwatches, earbuds) are brought into exam rooms

      • Any attempt to access restricted materials or communicate digitally during exams will be treated as malpractice


  • Handling Exam Scripts and Files

      • Digital scripts must be uploaded using secure awarding‑body portals

      • Staff must not store exam scripts on personal devices or email accounts

      • All digital exam files must be deleted securely after submission


  • Cyber‑Security During Exam Emergencies

      In the event of:

      • Network failure

      • Device malfunction

      • Cyber‑attack

      • Power outage

      The Exams Officer will implement the Exam Contingency Plan, ensuring:

      • Immediate safeguarding of student work

      • Secure transfer or recovery of files

      • Communication with awarding bodies



Staff Training and Awareness

All staff must complete annual cyber‑security training covering:

  • Phishing and social engineering

  • Password hygiene

  • Safe data handling

  • Secure exam administration

  • Incident reporting procedures



Incident Reporting and Response

  • Reporting

      All suspected cyber incidents must be reported immediately to the Head of Centre, including:

      • Phishing attempts

      • Unauthorised access

      • Lost or stolen devices

      • Malware infections

      • Exam‑related digital breaches


  • Response

      The school will:

      • Contain the incident

      • Preserve evidence

      • Notify affected individuals where required

      • Report to external agencies (e.g., ICO, Police) when appropriate

      • Review and strengthen controls



Third‑Party Services and Cloud Platforms
  • Only approved platforms may be used for storing or processing school data

  • Contracts must include data‑processing and breach‑notification clauses



Monitoring and Review
  • The school monitors network activity, system logs, and security alerts

  • This policy is reviewed annually or following a significant incident

  • Findings from audits or incidents will inform future improvements



Related Policies



The Independent Grammar School: Durham
Reviewed: May 2026
Next Review: May 2028




Discover more

If you would like to know more about life at IGS, or to book an in-person visit, contact us now.


Principal: Mr C J Gray (tel: 07984 619739)


Chairman of School Board: Prof James Tooley
(tel: 07976 403113)

IGS: Durham,
Former Methodist Church,
Esh Winning,
DH7 9QF

Tel: 0191 323 0056

IGS: Durham is operated by The Education Partnership (UK) Ltd.
