Policy last updated
19 December 2023
Scope
- Schools
Policy
The purpose of this policy is to make sure that schools manage and share information appropriately and securely in order to meet information security obligations and to appropriately protect staff, students and their families.
Summary
- Information security aims to protect the confidentiality, integrity and availability of school information. This includes the consideration of privacy compliance when dealing with personal information. Refer to Privacy and Information Sharing Policy for more information about privacy and information sharing.
- Principals must establish appropriate practices to protect critical and sensitive information. All staff should consider:
  - what information they have
  - how sensitive the information is
  - where it is stored
  - who has access to it.
- Principals are to make sure that information security risks and issues are appropriately managed by seeking advice from the InfoSafe team.
Details
The following information provides an overview of the key practices schools must implement to protect the confidentiality, integrity and availability of school information.
For more detailed information on implementing these information security practices, refer to: Information Security (InfoSafe): Guidance for Victorian government schools (staff login required).
Behaviours – being InfoSafe
Schools must make sure that the protection of information is embedded in all aspects of school operations as outlined in this policy and accompanying Information Security Standards and guidance materials. The consequences of an information security breach can be far reaching, potentially affecting staff, students and families.
Priority actions
- Ensure that priority actions from this policy are considered in appropriate local school practices and IT Committees.
- Staff are encouraged to complete the Information Security for School Staff eLearning (staff login required) on an annual basis.
- Establish and maintain an InfoSafe culture by promoting this policy and through ongoing conversations.
Risks – understanding your information risks
Schools must adopt a risk-based approach to information security by periodically assessing themselves against a set of common, published risks and associated treatment plans. This will enable school treatment plans to be prioritised and actioned based on the extent of the risk.
Priority actions
- Consider the IT environment, online tools and the nature of the information at your school.
- Consider the most common school information security and privacy risks and their relevance at your school.
- Refer to the Pre-populated InfoSafe school risk document.
Access – identify the appropriate access for the information at your school
Schools must make sure that access to information is authorised for individuals based upon their role and function within the school environment. Failure to assign the right level of access to information to the right role may result in an information security or privacy breach.
Priority actions
- Identify who has access to sensitive information and who has privileged accounts at your school. Refer to Privacy and Information Sharing Policy for more information.
- Establish a process to capture and regularly review school and department staff, and third-party access, including parents, volunteers and contractors.
- Establish a process to enforce need-to-know access to sensitive information, including revoking access in a timely manner when it is no longer required for a person's role.
Incidents – reporting incidents
Schools must report any potential or confirmed information security incidents as soon as possible by either:
- calling the Incident Support and Operations Centre (ISOC) on 1800 641 943
- using eduSafe Plus to self-report an IRIS incident (only for principals and their delegates authorised on eduSafe Plus)
- reporting a cyber security incident on the services portal.
Priority actions
- Make sure all staff know what constitutes an information security incident – refer to Definitions below.
- Reinforce the importance to all staff of reporting incidents.
- The principal must ensure that the incident is reported and then respond to the incident as advised by the department.
Networks – securing ICT networks
Schools must maintain a secure ICT network by following departmental requirements and adopting appropriate technical controls. Without these controls the school information and systems will be vulnerable to cyber-attacks.
Priority actions
- IT technicians in schools (whether engaged through the Technical Support to Schools Program or directly by the school) need to regularly review network configuration and anti-virus and patching arrangements as set out in the Tech (staff login required, access limited to department engaged technicians).
- Technicians need to confirm the school’s Internet Service Provider (ISP) arrangement meets the requirements of the DE standards.
Storage – identifying and storing your information appropriately
Schools must identify their critical and sensitive information and store it in approved and trusted locations.
Priority actions
- Identify and document assets holding sensitive and critical information. Refer to School Administration Systems policy (previously called CASES21 policy) for all mandated DET ICT school administration systems. Refer to the Pre-populated risk document to assist with documenting assets.
- For systems holding personal information, ensure you have completed a Privacy Impact Assessment. Refer to the Privacy and Information Sharing policy for information about Privacy Impact Assessments.
- Review school processes to identify where data is held long-term.
Physical – physical protection
Schools must protect information and ICT equipment by housing all ICT infrastructure (servers and network equipment) and personal computers, when not in use, in a locked and secured location with restricted access. Schools should also monitor visitor entry to the school premises and authorise entry into infrastructure and records storage locations.
Priority actions
- Ensure the school follows both their local visitors policy and the department’s Visitors in Schools policy.
- Make sure that sensitive information (digital and hard copy) and ICT equipment is housed in physically secured locations. Refer also to Records Management – School Records.
Awareness – training and awareness
Schools must encourage staff to be vigilant and aware of the ongoing need to protect sensitive school information and systems. Staff should complete the Information Security for School Staff eLearning (staff login required). Schools should act on department information and directions about emerging cyber security threats.
Priority actions
- Continue to drive the completion rate of the Information Security for School Staff eLearning and encourage all staff to complete the module annually.
- Ensure the induction process for new staff, including contractors and casuals, includes the Information Security for School Staff eLearning module.
- Regularly communicate, affirm and review security obligations for staff (and target specific roles that have access to sensitive information).
Sharing – sharing information safely
Schools must follow department policies for sharing personal or sensitive information with other schools or anyone external to the school.
Priority actions
- Identify which personal and sensitive information is regularly shared or likely to be shared (typically personal data of staff or students, but potentially other categories of information, for example, financial, commercial). Refer to Requests for Information about Students and Privacy and Information Sharing.
- Make sure staff are aware of department policies and local procedures for sharing information. Refer to Privacy and Information Sharing and Requests for Information about Students.
- Use only approved tools to transmit sensitive data, and closely manage distribution lists.
Suppliers – externally sourced systems security
Schools and the department must ensure the security of new systems and the suppliers who provide them.
Priority actions
- Seek advice from the InfoSafe team to ensure all new systems meet Information Security and ICT security requirements.
- For those systems holding personal information, conduct a Privacy Impact Assessment (PIA) which includes a security assessment for that system.
Definitions
Information security incident
Indicators of a potential or actual information security incident are:
- emails from unexpected or unidentifiable senders
- unexpected emails from people you know
- requests for information from unknown sources
- inability to access systems
- inability to access files or documents
- unusually slow systems or unexpected and strange behaviour of PCs and devices.
Personal information
Personal information is recorded information or opinion about an identifiable individual. It can be almost any information linked to an individual, including name, address, sex, age, financial details, marital status, education or employment history. De-identified information about individuals can also be personal information if it has the potential to be re-identified.
Sensitive information
For the purpose of this policy and associated guidance material, sensitive information in schools includes but is not limited to the following:
- student information including name, address and date of birth
- student academic records, progress reports, assignments and assessments
- student health and medication information
- student information pertaining to family circumstances including Intervention Orders and Family Court decisions
- student class photographs and individual images
- parents’ names, address, phone number, email address and custody instructions
- teachers' personal information
- parents’ banking and credit card information and hard-copy records
- school financial information
- tendering and procurement documents
- vendor invoices, contacts, and accounts payable and receivable.
Related policies
- Enrolment
- Information Security Incident Management
- Privacy and Information Sharing
- Records Management – School Records
- Records Management – Employee Information
- Requests for Information about Students
- School Administration Systems Policy
- Victorian Protective Data Security
Guidance
Information Security (InfoSafe): Guidance for Victorian government schools
The department has developed guidance on implementing the information security practices outlined in the Information Security – InfoSafe policy. Refer to Information Security (InfoSafe): Guidance for Victorian government schools (staff login required).
Resources
The following resources are available to support schools in implementing the Information Security – InfoSafe Policy and the Information Security (InfoSafe): Guidance for Victorian government schools.
Information security standards
Available standards
- Information Security Risk and Assurance Management Standard (staff login required)
- Information Security Incident Management Standard (staff login required)
- IT Network Security Standard (staff login required)
- IT Operations Security Standard (staff login required)
- Information Security Access Management Standard (staff login required)
- Third Party Supplier Assurance Standard (staff login required)
Standards under development
The following standards are under development and not yet available:
- Security Aspects of Information Management Standard
- Information Security IT Environment Security Standard
- Information Security Training and Awareness Standard
Contact the InfoSafe team on infosafe@education.vic.gov.au for further information about these standards.
Information security information sheets
- IT Security Incidents (staff login required)
- Leadership, Change and the InfoSafe Conversation (staff login required)
- Social Engineering (staff login required)
- How to become more InfoSafe (staff login required)
- Safe Internet Habits (staff login required)
- Social Networking (staff login required)
- Phishing scams – how to identify and report (factsheet) (staff login required)
- How to report phishing emails and scams (help guide) (staff login required)
- First response card – how to identify and report cyber incidents (poster) (staff login required)
- Cyber incident information form (staff login required)
Videos on information security at the Department and Victorian government schools
The following videos are available at the DET page (staff login required):
- Creating an InfoSafe Culture
- Being InfoSafe with Cyber Awareness
- Managing Risk to make us InfoSafe
- Top Tips to be InfoSafe for Schools and Corporate
- Understanding the Impact of Incidents
Pre-populated InfoSafe School Risk Document
- Pre-populated InfoSafe School Risk Document (staff login required)
Other resources and tools to support information security
- DET InfoSafe Program on a page (staff login required)
- InfoSafe Quiz Poster (staff login required)
- Password Policy (staff login required)
- eduSTAR Quick Guide: School integrated model (staff login required)
- Being InfoSafe Welcome and Introduction Pack (staff login required)
- Crossword: Being InfoSafe (staff login required)
- Choosing a (staff login required)
Reviewed 04 May 2023