
Do you have an updated firewall in place?

A) Yes, and it's routinely updated
B) Yes, but I'm not sure about its last update
C) No, we don't have a firewall

How often do you change your network passwords?

A) At least once a term
B) Once a year
C) Rarely or never

How do you manage student and staff access to the network?

A) We use role-based access control (RBAC)
B) Everyone has the same access level
C) We don’t manage it actively

Do you have an active and updated anti-virus and anti-malware solution in place?

A) Yes, we have both and they're updated regularly
B) We have one, but not sure about updates
C) We don’t use anti-virus or anti-malware

How do you handle security breaches or potential threats?

A) We have a dedicated IT team/individual and a response plan in place
B) We contact our MSP (managed service provider) or external help when something happens
C) We don’t have a set protocol

Do you provide cybersecurity training or awareness programs for staff and students?

A) Yes, regularly
B) Occasionally
C) Never

Do you regularly back up your school's data and test the backups for integrity?

A) Yes, we back up frequently and test restores regularly
B) We back up occasionally, but don't test restores
C) We rarely or never back up
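A backup has only been tested once something has been restored from it and compared with the original. The script below is an added example (not part of the questionnaire) of what a scripted restore test looks like: it backs up a small constructed directory to a tar archive, records a hash of the archive and of every file, restores into a scratch directory, and only reports success if every restored file matches. It then deliberately damages the archive to show the check failing. The directory contents and file names are constructed for the example.

```python
"""Back up a directory, then prove the backup restores byte-for-byte.

Added example: the source tree below is constructed in a temporary directory;
nothing here touches real school data.
"""
from __future__ import annotations

import hashlib
import tarfile
import tempfile
from pathlib import Path


def tree_digests(root: Path) -> dict[str, str]:
    """Map each file under `root` (path relative to root) to its SHA-256 hex digest."""
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def make_backup(source: Path, archive: Path) -> str:
    """Write a gzip tarball of `source` and return the archive's SHA-256 hex digest."""
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(source.rglob("*")):
            # Relative archive names: the archive never carries absolute paths.
            tar.add(path, arcname=path.relative_to(source).as_posix(), recursive=False)
    return hashlib.sha256(archive.read_bytes()).hexdigest()


def verify_restore(archive: Path, expected_archive_sha: str,
                   expected_digests: dict[str, str]) -> bool:
    """Restore into a scratch directory and compare every file's hash with the original.

    Returns True only if the archive is unchanged since it was written AND every
    restored file matches. A backup that cannot pass this is not a backup.
    """
    if hashlib.sha256(archive.read_bytes()).hexdigest() != expected_archive_sha:
        return False  # archive damaged or tampered with in storage
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            try:
                # Python 3.12 (and patched 3.8+) refuses members that escape the target dir.
                tar.extractall(scratch, filter="data")
            except TypeError:
                tar.extractall(scratch)  # older interpreter without the filter argument
        return tree_digests(Path(scratch)) == expected_digests


def demo() -> tuple[bool, bool]:
    """Build a constructed source tree, back it up, verify, then corrupt and re-verify.

    Returns (result_for_intact_backup, result_for_damaged_backup).
    """
    with tempfile.TemporaryDirectory() as work:
        source = Path(work) / "school-data"
        (source / "registers").mkdir(parents=True)
        (source / "registers" / "year7.csv").write_text("name,form\nA. Pupil,7B\n")
        (source / "policy.txt").write_text("Acceptable use policy v3\n")
        archive = Path(work) / "school-data.tar.gz"

        original = tree_digests(source)
        archive_sha = make_backup(source, archive)
        intact_ok = verify_restore(archive, archive_sha, original)

        # Simulate a backup damaged in storage: flip one byte of the archive.
        data = bytearray(archive.read_bytes())
        data[-1] ^= 0xFF
        archive.write_bytes(bytes(data))
        damaged_ok = verify_restore(archive, archive_sha, original)
        return intact_ok, damaged_ok


if __name__ == "__main__":
    print("intact backup restores correctly:", demo()[0])
    print("damaged backup passes check:", demo()[1])
```

Run on a schedule, the same pattern (restore to scratch space, compare hashes against the manifest recorded at backup time) is what turns "we back up" into "we have tested restores". Keep the recorded hashes somewhere the backup job cannot overwrite, otherwise a corrupted or ransomware-encrypted archive could be re-hashed and pass.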

How do you handle personal devices (BYOD - Bring Your Own Device) connecting to the school's network?

A) We have a strict policy and secure guest network for personal devices
B) Personal devices can connect, but with some restrictions
C) Any device can connect without restrictions

Do you have multi-factor authentication (MFA) in place for accessing sensitive data or administrative controls?

A) Yes, MFA is a must for accessing critical systems
B) We use it for only a few platforms or systems
C) We don't use MFA

Do you have a documented cybersecurity policy that staff are made aware of?

A) Yes, and it's reviewed annually or after significant changes.
B) We have a policy, but it's not regularly communicated.
C) We don’t have a documented policy.

How do you manage software patches and updates on the school's systems and devices?

A) We have a system in place for automatic updates and regular manual checks.
B) We rely on manual checks occasionally.
C) We rarely or never update unless there's an issue.

Do you have encryption measures in place for data at rest and data in transit?

A) Yes, both types of data are encrypted.
B) Only some critical data is encrypted.
C) We don’t use encryption.

How do you manage physical access to servers or critical network equipment?

A) We have a secure, dedicated space with monitored access.
B) Our equipment is in a restricted area, but it's not always monitored.
C) Our equipment is accessible without strict restrictions.

Do you conduct regular vulnerability assessments or penetration tests on your network?

A) Yes, regularly, with both internal checks and third-party experts.
B) Occasionally, or when we suspect an issue.
C) We haven’t conducted any formal assessments or tests.

Do you have an incident response plan in place for potential cyber threats or breaches?

A) Yes, we have a detailed plan and everyone knows their role.
B) We have a basic plan, but it might not cover all scenarios.
C) We don’t have a plan.

Do you have controls in place to prevent the unauthorised installation of software on school devices?

A) Yes, strict controls prevent unauthorised installations.
B) There are some controls, but they can be bypassed.
C) There are no controls; users can install software freely.

How do you manage end-of-life hardware or storage devices that may contain sensitive data?

A) We follow a strict decommissioning and data destruction protocol.
B) We manually delete data but don’t always physically destroy devices.
C) We don’t have a set procedure for this.

Do you use any form of network segmentation to separate critical systems or data from general user access?

A) Yes, critical systems are isolated and protected.
B) There's minimal segmentation based on user roles.
C) We don’t segment our network.

Do you enforce strong password policies for all users and systems?

A) Yes, passwords must meet strict criteria and are changed regularly.
B) We recommend strong passwords but don't enforce policies.
C) We don’t have a password policy.

Do you conduct background checks on staff who have access to critical systems or sensitive data?

A) Yes, all relevant staff undergo thorough checks before being granted access.
B) Only for specific high-responsibility roles.
C) We don’t conduct background checks for IT access.

How do you handle retired or unused accounts that had access to your systems or data?

A) We have an automated process to identify and disable unused accounts.
B) We occasionally review and remove unused accounts manually.
C) We rarely review or remove old accounts.
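The "automated process" in option A is, at its simplest, a scheduled job that reads the directory's account list, finds enabled accounts with no sign-in for a set period, and disables them. The script below is an added example (not part of the questionnaire) of that review step. It works on a constructed CSV export; the column names, the 90-day threshold and the exemption of service accounts are this example's own assumptions, not a standard any directory product imposes.

```python
"""Flag enabled accounts that have not signed in for a set period.

Added example. The export below is constructed in the shape a directory export
(for instance from Active Directory or a cloud sign-in report) might take; the
column names are an assumption of this example.
"""
from __future__ import annotations

import csv
import io
from datetime import date, timedelta

# Constructed sample export. Dates are ISO; an empty last_sign_in means never signed in.
SAMPLE_EXPORT = """\
username,created,last_sign_in,enabled,type
j.smith,2019-09-02,2024-06-28,true,staff
a.khan,2020-01-10,2023-11-15,true,staff
pupil12345,2023-09-04,2024-07-01,true,student
pupil00987,2021-09-06,2023-03-20,true,student
newstarter01,2024-06-25,,true,staff
mis-sync,2018-01-01,,true,service
old.leaver,2017-05-01,2022-01-03,false,staff
"""

STALE_AFTER = timedelta(days=90)   # assumption: a term-length absence is the trigger
EXEMPT_TYPES = {"service"}          # service and break-glass accounts are reviewed by hand


def parse_date(value: str) -> date | None:
    """ISO date string to date; empty string means 'never'."""
    return date.fromisoformat(value) if value else None


def stale_accounts(export: str, today: date,
                   stale_after: timedelta = STALE_AFTER,
                   exempt: set[str] = EXEMPT_TYPES) -> list[str]:
    """Return usernames of enabled, non-exempt accounts with no sign-in within `stale_after`.

    An account that has never signed in is measured from its creation date, so a
    new starter is not disabled before their first day. Already-disabled accounts
    are skipped: disabling them again would hide how long they have been idle.
    """
    cutoff = today - stale_after
    flagged = []
    for row in csv.DictReader(io.StringIO(export)):
        if row["enabled"].strip().lower() != "true" or row["type"] in exempt:
            continue
        last_seen = parse_date(row["last_sign_in"]) or parse_date(row["created"])
        if last_seen < cutoff:
            flagged.append(row["username"])
    return flagged


if __name__ == "__main__":
    for user in stale_accounts(SAMPLE_EXPORT, today=date(2024, 7, 8)):
        print("disable:", user)
```

Two design points worth carrying over to a real directory: disable rather than delete, so mailboxes and files stay recoverable for the retention period and a mistaken flag is reversible; and feed the leavers list from HR or the MIS in as a second source, because an account that is still being used by someone who has left is the case a pure "last sign-in" check cannot catch.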

How do you ensure that personal data of students and staff is processed in line with the principles of the UK GDPR?

A) We have a comprehensive data protection policy, provide regular training, and carry out Data Protection Impact Assessments (DPIAs) for high-risk processing.
B) We have some guidelines, but they might not be exhaustive or regularly reviewed.
C) We’re unsure of our compliance with UK GDPR principles.

Do you have a designated Data Protection Officer (DPO) or a person responsible for overseeing data protection practices within the school?

A) Yes, we have a designated DPO who is trained and aware of their responsibilities.
B) We have someone responsible, but they might not be fully trained in UK GDPR.
C) We don't have a designated person or officer for data protection.