IT Password
Purpose
This policy sets out the standards for password creation, management, and security at The Independent Grammar School: Durham (IGS: Durham). It ensures that all users protect school systems, data, and examination materials in line with UK GDPR, the Data Protection Act 2018, the school’s Cyber Security Policy, and the Joint Council for Qualifications (JCQ) regulations for the secure management of examination materials.
Scope
This policy applies to:
All staff (teaching, support, temporary, supply and peripatetic)
All students
Directors and volunteers with system access
Any third party granted access to school systems
All devices used to access school systems (school‑owned or personal)
Principals
Passwords are a critical security control and must be kept confidential.
Users are responsible for safeguarding their own credentials.
Passwords must never be shared, written down, or stored insecurely.
Additional controls apply to staff involved in the management of examinations, in line with JCQ requirements.
Password Reminders
Staff Password Requirements
All staff passwords must meet the following minimum standards:
Minimum length: 12 characters
Must include a mix of uppercase, lowercase, numbers, and symbols
Must not contain personal information (names, birthdays, pets, etc.)
Must not reuse passwords from other systems
Must be changed immediately if compromised or suspected compromised
Passwords must not be reused within the last 5 password cycles
Multi‑Factor Authentication (MFA)
MFA is mandatory for all staff accounts accessing school systems, cloud services, or examination‑related platforms.
Student Password Requirements
Students must use passwords that meet the following standards:
Minimum length: 8 characters
Must include at least three of the following: uppercase, lowercase, numbers, symbols
Must not share passwords with peers
Students must report suspected compromise immediately
Job-Specific Requirements
JCQ regulations require strict control of access to examination materials, systems, and communications. To comply:
Access to Examination Systems
Only authorised staff (e.g., Exams Officer, Head of Centre, designated invigilators) may access systems containing confidential exam materials.
Accounts used for JCQ‑related systems must have:
Unique credentials (no shared accounts)
Strong passwords meeting staff requirements
Mandatory MFA
Restricted permissions based on role
Secure Storage of Digital Examination Materials
Passwords for systems storing or transferring exam materials must never be shared verbally, written down, or stored in email.
Access logs must be monitored for unusual activity.
Passwords must be changed immediately after any suspected breach.
Handling of Electronic Question Papers (EQPs)
Where applicable:
EQPs must be downloaded only by authorised staff using secure, password‑protected systems.
Devices used must be encrypted and password‑protected.
Passwords for EQP access must not be disclosed to anyone other than the authorised user.
Password Management and Storage
Prohibited Practices
Users must not:
Write passwords on paper or store them in unsecured notes
Save passwords in browsers without encryption
Share passwords with colleagues, students, or IT staff
Use the same password for school and personal accounts
Use simple or guessable passwords (e.g., “Password123”)
Approved Storage
Staff may use the school‑approved password manager (soon to be acquired as at March 2026).
Passwords must never be stored in plain text.
Password Re-Set Procedures
Staff
Staff must contact IT Support for identity‑verified resets.
IT Support must confirm identity using at least two verification methods (e.g., known mobile number, in‑person confirmation, security questions).
Temporary passwords must:
Be unique
Expire on first login
Require immediate creation of a new password
Students
Students may request resets via their form tutor or admin support.
Temporary passwords must be changed immediately upon login.
Compromised Passwords
A password is considered compromised if:
The user suspects someone else knows it
The device used to access systems is lost or stolen
Unusual account activity is detected
A breach or attempted breach is identified
Actions:
The user must report immediately to IT Support.
IT will force a password reset and investigate.
For JCQ‑related accounts, the Exams Officer and Head of Centre must be notified.
Monitoring & Compliance
The IT Manager will conduct periodic audits of password strength, MFA compliance, and access logs.
Non‑compliance may result in disciplinary action.
JCQ compliance checks will be carried out before each exam series.
Review
This policy will be reviewed annually or sooner if:
JCQ regulations change
Cyber security guidance changes
A security incident requires policy revision
The Independent Grammar School: Durham
Reviewed: May 2026
Next Review: May 2028
Purpose
This policy sets out the standards for password creation, management, and security at The Independent Grammar School: Durham (IGS: Durham). It ensures that all users protect school systems, data, and examination materials in line with UK GDPR, the Data Protection Act 2018, the school’s Cyber Security Policy, and the Joint Council for Qualifications (JCQ) regulations for the secure management of examination materials.
Scope
This policy applies to:
All staff (teaching, support, temporary, supply and peripatetic)
All students
Directors and volunteers with system access
Any third party granted access to school systems
All devices used to access school systems (school‑owned or personal)
Principals
Passwords are a critical security control and must be kept confidential.
Users are responsible for safeguarding their own credentials.
Passwords must never be shared, written down, or stored insecurely.
Additional controls apply to staff involved in the management of examinations, in line with JCQ requirements.
Password Reminders
Staff Password Requirements
All staff passwords must meet the following minimum standards:
Minimum length: 12 characters
Must include a mix of uppercase, lowercase, numbers, and symbols
Must not contain personal information (names, birthdays, pets, etc.)
Must not reuse passwords from other systems
Must be changed immediately if compromised or suspected compromised
Passwords must not be reused within the last 5 password cycles
Multi‑Factor Authentication (MFA)
MFA is mandatory for all staff accounts accessing school systems, cloud services, or examination‑related platforms.
Student Password Requirements
Students must use passwords that meet the following standards:
Minimum length: 8 characters
Must include at least three of the following: uppercase, lowercase, numbers, symbols
Must not share passwords with peers
Students must report suspected compromise immediately
Job-Specific Requirements
JCQ regulations require strict control of access to examination materials, systems, and communications. To comply:
Access to Examination Systems
Only authorised staff (e.g., Exams Officer, Head of Centre, designated invigilators) may access systems containing confidential exam materials.
Accounts used for JCQ‑related systems must have:
Unique credentials (no shared accounts)
Strong passwords meeting staff requirements
Mandatory MFA
Restricted permissions based on role
Secure Storage of Digital Examination Materials
Passwords for systems storing or transferring exam materials must never be shared verbally, written down, or stored in email.
Access logs must be monitored for unusual activity.
Passwords must be changed immediately after any suspected breach.
Handling of Electronic Question Papers (EQPs)
Where applicable:
EQPs must be downloaded only by authorised staff using secure, password‑protected systems.
Devices used must be encrypted and password‑protected.
Passwords for EQP access must not be disclosed to anyone other than the authorised user.
Password Management and Storage
Prohibited Practices
Users must not:
Write passwords on paper or store them in unsecured notes
Save passwords in browsers without encryption
Share passwords with colleagues, students, or IT staff
Use the same password for school and personal accounts
Use simple or guessable passwords (e.g., “Password123”)
Approved Storage
Staff may use the school‑approved password manager (soon to be acquired as at March 2026).
Passwords must never be stored in plain text.
Password Re-Set Procedures
Staff
Staff must contact IT Support for identity‑verified resets.
IT Support must confirm identity using at least two verification methods (e.g., known mobile number, in‑person confirmation, security questions).
Temporary passwords must:
Be unique
Expire on first login
Require immediate creation of a new password
Students
Students may request resets via their form tutor or admin support.
Temporary passwords must be changed immediately upon login.
Compromised Passwords
A password is considered compromised if:
The user suspects someone else knows it
The device used to access systems is lost or stolen
Unusual account activity is detected
A breach or attempted breach is identified
Actions:
The user must report immediately to IT Support.
IT will force a password reset and investigate.
For JCQ‑related accounts, the Exams Officer and Head of Centre must be notified.
Monitoring & Compliance
The IT Manager will conduct periodic audits of password strength, MFA compliance, and access logs.
Non‑compliance may result in disciplinary action.
JCQ compliance checks will be carried out before each exam series.
Review
This policy will be reviewed annually or sooner if:
JCQ regulations change
Cyber security guidance changes
A security incident requires policy revision
The Independent Grammar School: Durham
Reviewed: May 2026
Next Review: May 2028
Discover more
If you would like to know more about life at IGS, or to book an in-person visit, contact us now.
Discover more
If you would like to know more about life at IGS, or to book an in-person visit, contact us now.