Information Security

The Information security risk register template will be available soon.

Policy

This policy supports schools to manage and share information appropriately and securely to meet all protective data security requirements to protect staff, student and family information.

Summary

Schools must:

• assess and document information security risks including the effectiveness of controls, once per term in the pre-populated Information security school risk register in accordance with the Risk Management – Schools policy
• include information security controls in emergency management and disaster recovery practices
• implement information access controls (for example, access to school systems, key management, swipe card access, visitor processes) and review at least once per term to ensure that access is appropriately authorised and updated to only those who need information for their role
• encourage staff to complete information security awareness training upon engagement and repeat annually thereafter (available on LearnED)
• immediately report all potential or confirmed information security incidents to the department using the processes outlined in the Managing and Reporting School Incidents (Including Emergencies) policy
• when engaging third parties, ensure they securely manage school information and return or delete this information when it is no longer needed, in accordance with the Records Management policy
• complete annual information security reports required by the department. Schools will be advised when they will be included in the department’s annual reporting program as part of their transition to using department-provided technologies
• conduct pre-employment screening and ongoing eligibility checks for staff, volunteers and contractors
• ensure all school ICT assets are tracked and managed across their lifecycle
• implement and maintain physical security measures to protect school information and school ICT equipment and systems, both within and outside school premises. This includes the maintenance, repairs and secure disposal of ICT equipment, door locks, secure storage, bins and filing cabinets.

The Guidance tab provides advice to schools on the information security controls they are required to implement.

Details

The consequences of an information security breach can be far-reaching and potentially affect staff, students, families, school reputation, and confidence in the education system.

Schools must protect and share information in accordance with department information security policies and guidelines, which align with Victorian Protective Data Security Standards (VPDSS), published by the Office of the Victorian Information Commissioner (OVIC).

Schools must implement control measures to protect the confidentiality, integrity and availability of school information and the safety of their staff, students, and the community. These controls include 5 key security areas: Governance, Information, Personnel, Information and Communication Technology (ICT), and Physical.

By implementing the security controls outlined in the Guidance tab, schools can effectively protect school information and maintain a secure education environment in support of Child Safe Standards.

Available support

To report cyber security incidents:

• call the Incident Support and Operations Centre (ISOC) on 1800 126 126 to log an incident and request department support
• log a ticket on the Services Portal

For enquiries about the VPDSS reporting process:

• call: 03 7022 0002
• email: vpdss.attestation@education.vic.gov.au

Definitions

Centrally attested school
A school that has transitioned to department-provided ICT services and platforms to enable the department to attest on their behalf for the majority of VPDSS controls. Centrally attested schools complete a streamlined annual information security compliance activity as part of the department's central attestation process. By 2028, all Victorian government schools will transition to this reporting process and will be considered centrally attested schools.

Cyber security incident
An unwanted or unexpected cyber security event, or a series of such events, that has either compromised school operations or has a significant probability of compromising school operations. Cyber security incidents are considered information security incidents.

Contracted service provider
A person or organisation (public or private) that provides services under a contract. These may also be referred to as outsourced service or third-party providers.

Controls
Measures that schools use to maintain the confidentiality, integrity and availability of school ICT systems. The strength of the controls applied to a particular document or ICT system depends on the consequences of that document or ICT system being compromised.

Information security
The protection of school information through systematic application of controls (procedural, physical and personnel) to protect the confidentiality, integrity and availability of school information from a diverse range of threats from bushfires to sophisticated hackers.

Information security incident
An information security incident is any event that compromises the confidentiality, integrity, or availability of school information or school ICT systems. This can include:

• unauthorised access to school information
• data loss from both external and internal threats
• computer viruses or ransomware attacks (malicious software)
• improper sharing, accidental disclosure or changing of data.

School assets
Physical and digital resources that process, store, or transmit school information in any form. This includes workstations, filing cabinets, storage facilities, network devices and removable media.

School ICT systems
The integrated hardware, software, and network infrastructure used to securely process and store school information while maintaining confidentiality, integrity, and availability.

School information
Any information that schools create, collect, store, or use to support school operations and teaching activities. This includes digital records (such as emails, websites and electronic documents) and physical records (such as paper files and printed materials), managed by schools or third parties. While all school information must be protected, not all information is considered sensitive information – for example, publicly available timetables versus confidential student records. School information can also be referred to as school data.

Personnel security
The process of managing staff, volunteers, and third parties’ access to information and school ICT systems across the following phases:

• pre-engagement checks for suitability and eligibility before hiring
• ongoing monitoring during employment and re-engagement
• off-boarding procedures when someone separates from the school.

Physical security
Physical protection controls designed to prevent unauthorised access or compromise of school ICT systems and school assets. Includes securing critical ICT systems, equipment, and planning for emergencies.

Sensitive information
A subset of all school information that, if compromised, could potentially cause adverse effects on school operations, assets, staff, students, families and community safety. Access to sensitive information should be limited to authorised persons based on the information needed for their role.

Sensitive information for this policy and guidance in schools includes, but is not limited to the following:

• student data, including name, address and date of birth
• student academic records, progress reports, assignments and assessments
• student health and medication information
• student information pertaining to family circumstances, including Intervention Orders and Family Court decisions
• student class photographs and individual images
• parents’ names, address, phone number, email address and custody instructions
• teachers’ personal information
• parents’ banking and credit card information (including hard-copy records)
• school financial information
• tendering and procurement documents
• vendor invoices, contracts, accounts payable and receivables.

Note: The use of the term ‘sensitive information’ in this Information Security policy is distinct from the definition of ‘sensitive information’ as defined in the Privacy and Data Protection Act 2014 (Vic). Refer to the Privacy and Information Sharing policy for a definition of ‘sensitive information’ from a privacy perspective, as regulated by Part 3 of the Privacy and Data Protection Act 2014.

Related policies

• Acceptable Use Policy for ICT Resources
• Child Safe Standards
• Crime Prevention in Schools
• CCTV in Schools – Installation and Management
• Digital Learning
• Digital Technologies – Responsible Use
• Emergency and Critical Incident Management Planning
• Finance Manual – Financial Management for Schools
• Generative Artificial Intelligence
• Managing and Reporting School Incidents (Including Emergencies)
• Philanthropic Partnerships
• Privacy and Information Sharing
• Procurement – Schools
• Records Management
• Records Management – Employee Information
• Recruitment in Schools
• Requests for Information about Students
• Risk Management – Schools
• Software and Administration Systems
• Suitability for Employment Checks
• Sponsorship
• Technologies and ICT Services
• Visitors in Schools
• Volunteers in Schools
• Working with Children Checks and Other Suitability Checks for School Volunteers and Visitors

Relevant standards

• Victorian Protective Data Security Standards (VPDSS)

Relevant legislation

• Child Wellbeing and Safety Act 2005 (Vic)
• Copyright Act 1968 (Cth)
• Education Training and Reform Act 2006 (Vic)
• Electronic Transaction Act 2000 (Vic)
• Evidence Act 2008 (Vic)
• Financial Management Act 1994 (Vic)
• Freedom of Information Act 1982 (Vic)
• Health Records Act 2001 (Vic)
• Privacy and Data Protection Act 2014 (Vic)
• Public Administration Act 2004 (Vic)
• Public Records Act 1973 (Vic)
• Victorian Data Sharing Act 2017 (Vic)

Guidance

This guidance provides chapters to help schools manage information securely and comply with the Victorian Protection Data Security Standards (VPDSS) issued by the Office of the Victorian Information Commissioner (OVIC).

1. Information security risk management
2. Information access
3. Information training and staff awareness requirements
4. Information security incidents
5. Emergency management and disaster recovery planning
6. Third-party arrangements
7. Annual reporting requirements to OVIC
8. Personnel security
9. Information communications technology security
10. Physical security

1. Information security risk management

All school staff must take reasonable steps to ensure that any school information they create, handle or have responsibility for is securely stored and protected from loss, unauthorised access, modification, inaccessibility, disclosure or destruction. This includes when information is being transmitted, transported, migrated or converted.

Schools must consider information security risks as part of standard risk management practices. While security incidents cannot be eliminated, risks can be significantly reduced through informed decision making and effective operating controls.

When assessing information security risks, schools must:

• consider the type and sensitivity of school information and consequences of a breach on school assets and the school operating environment
• consider all locations where information is stored (for example, systems, media, facilities)
• document information security risks and treatments in the pre-populated Information security school risk register template (available soon) in accordance with the risk management processes found in the Risk Management – Schools policy.

In addition, schools must include the results of the school risk register in the school’s emergency and critical incident response plan following the Emergency and Critical Incident Management Planning policy.

2. Information access

Schools must implement access controls to information (for example, access to school systems, key management, swipe card access, visitor processes) and review these procedures at least annually.

To ensure that access is appropriately authorised and updated when needed, timeframes relating to the specific access controls activities are detailed in the following sections.

ICT access

Individuals must only have access to information that is necessary to perform their role or they otherwise have a right to access. Failure to assign the right level of access to the right role may result in an information security or privacy breach.

Schools can effectively manage access to information by:

• establishing role-based access for school information and information and communications technology (ICT) systems
• strictly controlling all system administrator accounts and restricting access to ICT systems and equipment to authorised staff and specialist technicians.

ICT access – review and update

Schools should review and update access to their physical and ICT systems, as part of their offboarding processes, including:

• updating, suspending or removing physical and digital access to school information, for example, key and swipe card access, ICT systems and applications
• requesting return of keys and swipe cards if not needed to perform new role, or the individual is no longer engaged by the school.

The end of all term checklist (staff login required) outlines that schools should review and update access to their physical and ICT systems, ideally at the end of each term, including validating the need for system administrator access.

Schools are strongly encouraged to document access changes to physical and ICT systems, as a result of personnel departures and change of role, in an access rights change register (DOCX) or a similar document.

Storage

• Store electronic information in secure department-managed and authorised ICT systems in line with the Technologies and ICT Services and Software and Administration Systems policies.
• Identify secure storage locations with appropriate access controls for school information (both digital and physical), for example, lockable filing cabinets and access-controlled storage areas.
• Store hardcopy information in secure locations, for example, lockable filing cabinet or storage area with restricted access.
• Use key and swipe card systems and issue visitor passes.

Information sharing

• Use school or department-approved tools and software for sharing school information by following the Technologies and ICT Services policy.
• Follow department policies when sharing information externally, for example, Requests for Information about Students.

eduPass

The department has implemented eduPass to manage access to department information and communications technology (ICT) systems used by schools such as CASES21, eduPay, Career ePortfolio, Adobe Creative Cloud, Webex, and department-managed Microsoft 365 and Google Workspace for Education.

Schools are strongly encouraged to use eduPass to manage access to ICT systems and seek department support for implementing multi-factor authentication.
Where a school has elected not to use eduPass for controlling access to school ICT systems, the solution the school uses must conform to the following requirements:

• access must be fully compliant with this policy
• delegations of authority for managing access controls must be equivalent to those implemented with eduPass, as documented in the section ‘eduPass – Delegations of authority’ outlined below
• the access control solution is kept both current and patched in a timely manner, to minimise known vulnerabilities
• where the access control solution has fallen out of vendor support, it must be upgraded or replaced.

Future implementations of centrally provided applications will use eduPass for identity and access management.

For advice and support for migrating an existing solution to eduPass, log a request through the department’s Services Portal (staff login required).

eduPass – delegations of authority

Principals are responsible for using eduPass to manage staff and student accounts. They may delegate the management of staff and student accounts to another member of staff.

Principals or their delegate use eduPass to manage staff accounts, including to:

• reset passwords
• unlock accounts
• add and remove staff from the school email distribution list.

Principals or their delegate use eduPass to manage student accounts, including to:

• create student accounts
• reset student passwords
• enable and disable accounts
• unlock student accounts
• manage student usernames.

Staff use eduPass to:

• manage their password
• set-up and manage remote access.

School staff are expected to take reasonable steps to securely manage the use of staff and student passwords in accordance with the Acceptable Use Policy for ICT Resources.

Changing a student’s eduPass identity

The change of a student’s eduPass identity can be requested by a parent, carer or mature minor student, or requested by teachers where there is a concern for the student’s safety or wellbeing.

Principals or their delegates may change a student’s eduPass identity to protect a student’s safety or wellbeing.

Acceptable reasons for changing a student eduPass identity include:

• misspelling of the student’s name
• change of the student’s legal name
• change of the student’s family circumstances
• change of the student’s gender identity
• online harassment, cyberbullying or grooming
• compromise of the student’s eduPass identity by a third party
• any other concern for the student’s safety or wellbeing (for example, family violence)
• any other reason as approved by the school principal.

Principals or their delegates may reject a request to change a student eduPass identity if they have not been provided with an acceptable reason to do so.

A principal or their delegate must:

• treat the student’s safety and welfare as the prime objective when assessing the need to change a student eduPass identity
• consider factors such as the impact on the student’s learning, safety and wellbeing, and their individual family situation
• use discretion when advising parents or carers of any change of a student eduPass identity, depending on the circumstances of the student, where advising the parent or carer of the change may adversely impact on the safety or wellbeing of the student.

Where parents or carers seek to make changes to a student’s eduPass identity due to changes in family circumstances, or disputes arise between separated parents or carers about the student’s identity, principals must act in the best interests of the student in deciding how a student should be identified. Principals should also be aware that whenever faced with disputes between parents or carers, principals must try to avoid becoming involved, avoid attempting to determine the dispute and act neutrally and not adopt sides. Further information can be found in the Decision Making Responsibilities for Students policy.

If the request to change a student’s eduPass identity is accompanied by a request to change the student’s enrolment name, staff should also refer to the following:

• CASES21 User Guide – Chapter 02 Enrolment – Manual Entry (PDF) (refer to page 75 ‘Modify a student’s name’)
• Enrolment policy guidance – Processing enrolment forms and supporting documentation (refer to heading ‘Changing enrolment name’).

The name used for a student eduPass identity must not be:

• obscene or offensive
• impractical (for example, a name that is not supported by the department’s systems due to length or other factors, or contains symbols, special characters or accented letters).

Any request to change a student's eduPass identity must be accompanied by appropriate evidence, as determined by the principal or their delegate. This evidence is used to assess the need to change a student eduPass identity.

Example scenario

The following scenario is an example of when a student’s eduPass identity might need to be changed.

The widowed mother of Student A has remarried and has asked the principal to change Student A’s eduPass identity to reflect the change in the family’s surname. Student A has assured the principal that they are supportive of the change. After consideration of the facts, including a legally changed birth certificate, the principal has agreed that Student A’s eduPass identity should be changed.

On consulting with Student A’s teachers and considering that a substantial proportion of the school year has already passed, the principal has determined that changing the eduPass identity may disrupt Student A’s learning this year due to potential loss of progress data in a critical learning system.

The principal advises the mother of this concern and suggests that the change could be deferred until the end of the school year, after all assessment tasks have been completed. Subsequently, the mother agrees that the change in Student A’s eduPass identity can be deferred until the end of the school year.

As agreed, the principal changes Student A’s eduPass identity at the end of the school year.

Impact of the change on school systems

A student’s eduPass identity provides access to a wide range of online applications and resources. Changing a student’s eduPass identity may:

• require the re-registration of the student in CASES21 and other administrative systems at the school such as student management, timetabling
• not be supported in some third-party applications that rely on a username or email address. Consequently, some previous data may not be accessible by the new identity. In these circumstances it is recommended that the school extracts data if possible and a new account created to match the new student identity, reloading the extracted data as required
• result in the loss of individual achievement or progression data (for example, progress through a learning sequence in a third-party online application)
• result in the loss of current or historical files stored online (for example, files stored on Microsoft OneDrive or Google Drive)
• require the school and/or the student to create new user profiles for learning applications used by the school (for example, Google Suite, Microsoft 365, Adobe).

It is the responsibility of the school to manage data and access to third-party applications not provided by the department. Where data must be extracted or backed up, it is recommended that the school system administrators work with the student to extract any data required prior to a change in a student’s eduPass identity.

Multi-Factor Authentication for student management systems

In certain applications and circumstances, Multi-Factor Authentication (MFA) is an important strategy for protecting personal information and student safety. MFA provides added security beyond username and password, by requiring staff to also login each day with an access code sent via the Microsoft Authenticator app or text message.

Schools are strongly recommended to activate MFA for student management systems (for example, Compass, Xuno and Sentral). Once activated, staff will be required to use MFA once a day when logging into their school’s student management system, whether using a personal or school provided device. This only applies to staff (not students or families), and only when they use student management systems.

How to activate MFA for the student management system

School technology leaders seeking to activate MFA for the student management system in their school should discuss an activation plan with the Securing Connected Learners Program (staff login required) who will then work with the school.

How to set up MFA

In preparation for MFA being activated in their school, staff must follow these steps to setup MFA on their device:

1. On mobile phone: download and install the Microsoft Authenticator app
2. On laptop visit https://mysignins.microsoft.com/security-info
3. Select ‘+Add Method’
4. Select method, for example: phone (text), Authenticator App
5. Click next and follow the prompts to completion.

MFA exemptions

Currently, MFA options for school staff are limited to personal mobile phones. This MFA approach also only applies to student management systems configured for staff to log in using their eduPass credentials (single sign-on). Individuals exempt from MFA include students, short-term casual relief teachers, pre-service teachers, parents, guardians, and staff without access to a mobile phone. Over time, MFA solutions will be developed to accommodate all staff users of all student management systems.

As of December 2024, work is underway to provide MFA options that do not rely on personal mobile phones. Staff members who are unable or unwilling to use a personal mobile phone for MFA can request a temporary exemption by completing the online MFA exemption form or calling the Service Desk (1800 641 943).

Where to get help with MFA

Initially, speak to your school specialist technician or other technology staff. Additional support is available through the Services Portal online MFA support form or by calling the Service Desk on 1800 641 943.

3. Information training and staff awareness requirements

Schools are encouraged to ensure that staff with access to sensitive school information complete relevant security training to enable them to understand and comply with information security obligations.

Department provided materials are available for staff (with DE identities) and it is recommended that information security and awareness training is undertaken upon engagement and repeated annually thereafter where possible. LearnED modules are available including the Information Security for School Staff e-learning module (staff login required).

It is best practice to embed information security training as a regular component of staff training. Department provided resources include the Identifying and Reporting Phishing guide (DOCX).

4. Information security incidents

An information security incident is any event that compromises the confidentiality, integrity, or availability of school information or school ICT systems. This includes both cyber and non-cyber related incidents and can include:

• authorised access to school information (both digital and physical)
• accidental data loss from both external and internal threats
• computer viruses or ransomware attacks (for example, malicious software)
• improper sharing, accidental disclosure or changing of data (whether digital or physical).

In the event of an information security incident, schools must follow the process outlined in the First response card (PDF) when reporting cyber incidents:

• call ISOC on 1800 126 126 or log a ticket on the Services Portal
• call 000 only while an incident is in progress and needs an emergency services response
• immediately notify the principal and other school leadership of any information security incidents, regardless of their nature or severity.

Once reported, manage information security incidents according to the process outlined in the Managing and Reporting School Incidents (Including Emergencies) policy.

The following categories represent common information security and cyber incidents that require immediate reporting in line with the department’s security incidents reporting procedures.

Data and access incidents

• Unauthorised access to sensitive school information
• Account/credential compromise
• Identity theft of school credentials
• Physical break ins and theft of school assets
• Improper sharing of sensitive school records
• Lost or stolen school devices containing sensitive information
• Accidental disclosure (email errors, misaddressed communications)

System and network security

• Ransomware attacks on school ICT systems
• Malware affecting school networks
• School system outages/unavailability
• Website defacement
• Lost access to sensitive school information
• Compromised school devices
• Degraded ICT system performance

Social engineering scams and malicious attacks

• Phishing targeting school staff
• Scam communications impersonating school officials
• Unauthorised requests for sensitive information
• QR code phishing (Qishing)
• Data-stealing malware targeting student records

Physical and behavioural security

• Unauthorised facility access and tailgating where sensitive information is kept
• Improper handling of sensitive information
• Incorrect disposal of sensitive information
• Unauthorised recording/photography in a school environment
• Criminal activity and fraud
• Anti-social behaviour (for example, online bullying)
  

5. Emergency management and disaster recovery planning

As outlined in the Emergency and Critical Incident Management Planning policy, schools must plan to securely continue operations during disruptions impacting ICT systems and be able to recover information and systems in the event of a disaster.

Schools are recommended to:

• incorporate information security into their Emergency Management Plan, which includes their Business Continuity Plan, and describe:
  • how they will respond to potential disruptions to school critical ICT systems and data access
  • specific contingencies and disaster recovery processes for securing school information stored on-site (both digital and hard copies) and managing school information shared with third parties (such as Compass for student data)
• complete testing of the Business Continuity Plan with the support of the TSSP resource
• obtain reports from any locally engaged contracted service providers, confirming that the providers’ business continuity measures are in place, to prevent interruption to school operations, including:
  • automated backup systems
  • data backups sufficiently isolated from production systems to enable data recovery in the event of a ransomware attack which may seek to destroy or maliciously encrypt the backup data
  • data retention requirements (including a confirmation of minimum data retention – all backups must be retained for at least 3 months)
  • documented disaster recovery strategies that are tested at least annually.

For additional details on annual planning requirements and processes, refer to the Technologies and ICT Services and Emergency and Critical Incident Management Planning policies.

6. Third-party arrangements

Schools must effectively manage their relationships with locally engaged third parties to protect school information and systems and take steps to ensure school information is secure when facilities or ICT equipment are maintained or repaired.

When considering using a contract supplied by a service provider, schools must seek advice from the department’s Legal Division to ensure the contract includes adequate provisions for recordkeeping, privacy and information security.

When adopting new software or administration systems that are not provided by the department, schools are required to use the Safer Technologies 4 Schools (ST4S) risk assessment reports as per the Software and Administration Systems policy. In addition, schools are required to maintain an inventory of all third-party arrangements where a provider has access to school information and systems, using the software inventory template (DOCX).

When developing local level policies and procedures for managing visitors, schools must follow the Visitors in Schools policy and ensure these include:

• a process for granting, modifying, monitoring and revoking third-party access rights for school information and systems
• a process for securely storing paper records in accordance with the Records Management policy
• measures to protect data during maintenance and repair activities, including:
  • ensuring ICT devices are locked when not in use
  • limiting physical access to required areas only
  • removing school information from equipment before off-site repairs
• a process for maintaining logs of all maintenance and repair activities, including:
  • the date and time of the activity
  • the nature of the work performed
  • the individuals involved.

For additional details on entering and managing third-party arrangements, refer to the Technologies and ICT Services and Records Management policies.

Decommissioning systems or completing contracts with third-party suppliers

Upon system decommissioning or completion of a contract with locally engaged suppliers, schools must confirm that clauses relating to the following items have been actioned:

• ‘Time-expired’ records are destroyed by the supplier, in accordance with minimum record retention requirements, set out in the School records retention guide (XLSX) (staff login required)
• records that have not yet reached their minimum retention period are transferred to the school, in long-term sustainable formats, along with their associated metadata
• the supplier does not retain any copies of school records and data once records have been successfully migrated to their new location.

Example: A school contracts an external IT company for equipment maintenance

To protect school information and systems, schools are recommended to ensure:

• on-site technicians are appropriately supervised with access limited to essential areas only, with sensitive school information (for example, student records) out of view
• they remove or encrypt confidential data on devices before off-site repairs.

7. Annual reporting requirements

Centrally attested schools must provide reports to the department demonstrating overall progress on compliance to the Victorian Protective Data Security Standards (VPDSS), published by the Office of the Victorian Information Commissioner (OVIC).

Reporting scope

• Centrally attested schools must report annually on the controls they are expected to operate as part of the department’s central VPDSS attestation process.
• The department will attest on the remaining controls the department operates on behalf of centrally attested schools. The department is able to report on these controls based on the department-provided ICT systems and services that the schools have adopted, as well as information the school has provided as part of other compliance activities.
• Schools that are not yet centrally attested must continue to follow the VPDSS as outlined in this policy, however they are not required to report to OVIC until they become a centrally attested school.
• School principals will be notified when their school qualifies as a centrally attested school for the next reporting period:
  • from 2024 to 2028, the department is implementing a stepped approach to onboard schools into the central VPDSS attestation process
  • by 2028, all schools will be centrally attested for the purposes of VPDSS reporting.
• The requirement that all schools become centrally attested aligns with the timeline for transitioning schools to department-provided ICT services and systems by 2028, as required by the Technologies and ICT Services policy.

VPDSS attestation process

Detailed instructions will be provided to schools regarding the attestation process, including how to respond to the school VPDSS school questionnaire and complete the Protective Data Security Plan at the time of the attestation.

8. Personnel security

Schools must validate the identity and suitability of staff, volunteers, and other persons who will have access to school information when they start with the school and revalidate and manage changes as required.

Pre-employment and engagement checks must be performed for:

• staff, as per the Suitability for Employment Checks policy
• volunteers and contractors, as per the Volunteers in Schools and Working with Children Checks and other Suitability Checks for School Volunteers and Visitors policies.

When validating personal information, prior to appointment or engagement, schools must:

• use the Employment hire/rehire checklist (DOCX) and the Employment in a government school – validation of personal information form (PDF) for any new employee
• ensure mandatory documentation is provided to confirm the personal information.

In addition, schools are required to:

• retain and dispose of identify verification records as per the School records retention guide (XLSX) (staff login required)
• have local off-boarding procedures in place for personnel leaving the school commensurate with their security obligations and risk profile including for locally acquired systems
• follow the personal security processes outlined in the Recruitment in Schools policy, when managing personal security.

9. Information communications technology security

Schools must have processes in place to ensure the security of all school-managed ICT assets throughout their lifecycle. This must include:

• managing the security of ICT equipment (for example, laptops, hard drives, USB drives) and replacing them when necessary
• managing electronic records on storage media to ensure their authenticity, security, reliability, and accessibility
• securely decommissioning school-managed computer equipment and storage media including hard drives and USB devices
• adopting and regularly reviewing appropriate technical controls such as network configuration and anti-virus and patching arrangements.

Asset management

• Schools must maintain an up-to-date inventory of all school-managed ICT assets, including both hardware and software. This inventory should be comprehensive and include details such as asset type, location, and status.
• Schools should implement a system for tracking assets throughout their entire lifecycle, from initial acquisition to final disposal. This tracking should cover both on-site and off-site assets, in accordance with Section 13 Asset and Inventory Management of the Finance Manual – Financial Management for Schools policy.
• By 2028, schools must transition to department-provided technologies where available. The department will contact schools about the migration process.
• The Securing Connected Learners (SCL) Program supports schools in the transition to department-provided technologies including the decommissioning of school-managed technologies and identities. Further information is provided in the Technologies and ICT Services policy.

Secure disposal of computer equipment

Schools must properly dispose of all computer equipment to protect school and personal information from unauthorised access, such as exposure to the public.

Computer equipment includes any computerised equipment that stores school or personal information. Devices defined as computer equipment include laptops, desktop computers, media storage devices (for example, hard drives and USB drives), printers, faxes, security systems and network devices. The equipment may be owned or leased by the school or may be staff-owned devices used for school purposes.

As part of the disposal process:

• all data must be removed or destroyed from the equipment
• the equipment must be de-identified
• appropriate approvals and documentation completed and retained.

It is also essential that the Records Management and Software and Administration Systems policies are followed as part of the disposal process.

Secure disposal of the computer equipment can be done by technical staff at the school by following this guidance. If a school lacks the expertise or resources to do this, the school may engage a certified third-party supplier who specialises in disposal of computer equipment.

Reasons for disposal

• End of economic life – equipment is no longer fit for purpose or economical to run
• Faulty – equipment has a fault that is uneconomical to repair and the cost of the repair is greater than the straight-line depreciated value of the equipment or a repair cannot be made due to unavailability of parts
• Damaged – equipment has been damaged due to negligent or deliberate action, or through accidental causes such as fire, flood or electrical overload and it is uneconomic to repair because the cost of the repair is greater than the straight-line depreciated value of the equipment or a repair cannot be made due to unavailability of parts
• Obsolete – equipment no longer able to perform required task effectively or at all
• In excess of entitlement – no longer required as it no longer has, or is likely to have, a business function
• End of lease – the lease period of a equipment has expired, or a lease has been terminated
• Donated to another government school
• Transferred to school student – equipment is transferred to a student as part of a general school program to provide student equipment on an equitable basis
• Donated as foreign aid
• Donated to charitable cause

Disposal process

The process for secure disposal is the same regardless of the reason for disposal. Schools must take the following steps.

1. Obtain approval to dispose of the equipment from the principal or their delegate, as per 'Approval to dispose' below.
2. Prior to sanitising the equipment, any electronic records it contains:
   • that are yet to serve their minimum required retention periods must be exported to another secure storage location or transferred to the department’s relevant system of record
   • that 'time-expired' records, require principal approval to destroy as per the Records Management policy.
3. Sanitise the equipment as per 'Sanitising, destroying and de-identifying computer equipment' below.
4. If there is a significant volume of equipment or the school lacks the expertise to securely dispose of the equipment, a specialist disposal firm can be engaged. If this occurs, the use of a DE contract template is strongly recommended as it will contain key recordkeeping, privacy and information security clauses to help schools comply with related legislation.
5. Remove all identifying labels, writing and markings from the equipment.
6. Document the disposal details and the approval to dispose of the equipment. The Computer equipment disposal form (DOCX) can be used for this.
7. Update the asset register in CASES21 if the equipment is listed there, otherwise keep a log of equipment that has been disposed.
8. Dispose of the equipment using the method described in the approval for disposal.
9. Ensure records of disposal activities are retained for 7 years, as per requirements of the Records Management policy.

Agreements for leasing computer equipment must contain provision for sanitising the equipment by the lessor or their agent on the return of the equipment to the lessor.

If a school finds or suspects that equipment has been disposed of incorrectly and school or personal information may be exposed, they must contact the Service Desk via the Service Portal. A ticket for the matter will then be raised for the Information Security Branch who will provide the school with support and coordinate additional advice from other teams as may be necessary.

Approval to dispose

Disposing of computer equipment requires some form of official approval and record keeping. This is required to ensure disposal is handled correctly in relation to information security, asset management, records management, procurement requirements and integrity considerations.

Approval must be from the principal or delegate in writing and include:

• school name
• details for all equipment being disposed of, including type, make/model and serial number
• reason for disposal
• date of approval and disposal
• disposal agent (if being used).

The Computer equipment disposal form (DOCX)can be used for this approval and documenting the disposal.

The principal may delegate the authority to approve disposal however it must not be to the person managing the disposal process.

The approver must ensure that there is a valid reason for the disposal and that the disposal process is followed, including any additional requirements that may be relevant when the equipment is being disposed of by donation.

Donating equipment

If the computer equipment will be disposed of by donation, this must be done in accordance with the Gifts, Benefits and Hospitality policy.

No current or former staff members, contractors, consultants, school volunteers, or school council representatives, including their family members or associates, shall gain financial or reputational advantages through the disposal of computer equipment – whether directly through payment or indirectly through retention of the equipment for personal or other use – except where such disposal is to school students as part of a general school program providing student equipment on an equitable basis.

Sanitising, destroying and de-identifying computer equipment

Sanitising or destroying

Sanitising computer equipment is the process of removing data from the equipment.

Free and widely used software programs can be used for wiping almost any equipment which stores data and are most commonly used to wipe laptop and desktop hard drives, removeable hard drives, and printers. These programs can also be used to wipe newer solid-state drives, however these drives often have reset keys which can be used instead. The programs can also be used to confirm if data wiping has been successful. A magnetic degausser can be used to wipe equipment that uses magnetic storage instead of using software to do the wiping.

If the wiping processes fail and data is still present, then the storage drive of the equipment needs to be destroyed by removing it and drilling or cutting the drive to destroy the storage area. If equipment is at end of life and will be disposed of in hard rubbish, then physical destruction of storage media and drives is always recommended.

Monitors, keyboards and mice typically do not store data. These can be disposed of without sanitising.

If there is any doubt in the sanitising process or the equipment has been used for very sensitive information the media should be physically destroyed.

De-identifying

An important step schools must take is to ensure the equipment has no markings, labels or stickers which identify the school or previous user. This reduces the risk of disposed equipment becoming a target for closer attention or associated with other individuals or organisations that may cause reputational damage to the school, department, students and staff.

Advice for common computer equipment

Typical equipment that requires this disposal process includes the following.

Computers including laptops, iPads, desktop computers and servers

Sanitise the equipment by removal and destruction of memory and drives using degaussing and or overwriting the data (degaussing is a method of using strong magnetic fields to erase data which is stored using magnetic information, often found in all old-style hard drives).

Computer equipment containing media, memory and hard drives can be sanitised by removing the media from the equipment or by sanitising the media while in the equipment.

Reset iPads back to factory settings after data wiping of memory and storage areas.

Printers and multi-function equipment

Sanitise by removing the printer cartridge or MFD print drum in addition to the removal or sanitisation of any media. If the drum and cartridge are to be retained, then multiple pages of random text in each of the colours should be printed. Any paper jammed in the paper path must destroyed.

Network equipment

As network equipment can store network configuration data or credentials in their memory, the memory should be sanitised prior to the disposal of the equipment. The correct method to sanitise network equipment will depend on their configuration and the type of memory they use. As such, equipment-specific guidance provided by the maker of the equipment, or vendor sanitisation guidance, should be consulted to determine the most appropriate method to sanitise memory in network equipment.

Fax machines

As fax machines can store pages that are ready for transmission in their memory, the memory should be sanitised prior to disposal of the machines. This can be achieved by removing the paper tray, transmitting a fax message with a minimum length of four pages, then re-installing the paper tray and allowing a fax summary page to be printed. In addition, any paper that becomes trapped in the paper path must be removed prior to disposal.

Security measures and maintenance

For school managed ICT networks and infrastructure:

• schools must maintain a secure ICT network by following department policies and requirements, and by adopting appropriate technical controls and consistent management processes. This includes understanding the DE school network model, which consists of an administration network for school business functionality and a curriculum network for the teaching and learning environment
• schools should ensure that the separation between these networks is not breached by unauthorised alterations. Regular software updates (patching) are essential to maintain the security of devices and applications. Schools should pay particular attention to the security challenges facing the curriculum network, including adherence to network and server equipment standards, local network configuration, and management of security controls
• it is crucial that schools ensure their IT support technicians regularly perform risk-prioritised patching or vulnerability management for all systems, infrastructure and software applications under the school's responsibility
• the Technical Support to Schools Program (TSSP) provides specialist technicians to deliver on-site scheduled support for schools, which can assist in this process. Refer to the Technologies and ICT Services policy for further information.

Managing donated ICT equipment and software

Schools must manage donated ICT equipment and software according to department policies to ensure it benefits the school, maintains information security, avoids financial liability, and upholds ethical standards.

Depending on the donor and the nature of the offer, donated ICT equipment or software may be seen as a form of sponsorship or may be part of a philanthropic partnership.

Donors offering ICT equipment and software are likely to be a school supplier and the Gifts, Benefits and Hospitality policy strictly limits when school staff can accept offers from suppliers.

For more information, refer to the Gifts, Benefits and Hospitality, Sponsorship and Philanthropic Partnerships policies.

Donated ICT equipment

Before accepting donated ICT equipment, schools must ensure:

• they obtain documented evidence of equipment ownership from the donor
• they avoid accepting donated equipment where it could be perceived as endorsing an organisation or product
• they are likely to use the equipment being donated
• it is electrically tested and tagged according to the Australian AS/NZS 3760 standard; equipment that fails this test must be refused or discarded
• there are no contingent future hardware maintenance payments to the donor or associated entities
• all data storage is enterprise-wiped to remove previous data
• all pre-installed software, including operating systems, are replaced with licensed software from the department or school.

Donated network equipment (for example, routers, modems, switches) cannot be accepted.

Donated software

Schools must ensure that before software is accepted and used that it complies with the Technologies and ICT Services policy.

As software licenses are not always transferrable, software donations are not permitted unless the donor is an authorised agent of the software vendor or copyright holder.

Donors offering software are likely to be a school supplier. The Gifts, Benefits and Hospitality policy strictly limits when school staff can accept offers from suppliers.

Schools should seek advice from the departments’ legal, procurement and gifts, benefits and hospitality teams before accepting offers of donated software.

10. Physical security

Schools must implement physical security measures to protect school information and school ICT equipment and systems throughout their lifecycle, both within and outside school premises. This includes:

• securing ICT school systems, personal computers, and sensitive hardcopy information in locked locations with restricted access
• monitoring and controlling visitor entry to school premises, especially in areas with ICT infrastructure and records storage
• implementing secure printing processes requiring user authorisation
• encouraging staff to practice secure behaviours (locking devices, clearing desks, wearing identity badges)
• establishing processes for implanting and managing physical security measures including the maintenance and repairs of door locks, secure storage (bins, filing cabinets) and fire extinguishers.

When handling information outside the school premises, schools must ensure staff, volunteers and other parties understand their information security obligations including when working remotely, travelling and sharing information with third parties.

In addition to this Information Security policy, when managing physical access to school information and ICT systems, schools must follow the:

• Records Management policy
• Visitors in Schools policy
• Crime Prevention in Schools policy.

Resources

• Access rights change register (DOCX)
• Arc Software Catalogue (staff login required)
• Computer equipment disposal form (DOCX)
• First Response Card (PDF) (staff login required)
• Information Security School Risk Register template (available soon)
• Identify and report phishing(PPTX) - presentation to support school staff to identify and report phishing emails.

Training

• Information Security for School Staff e-learning module (staff login required) - LearnED module providing an introduction to the principles, key responsibilities, practical advice and where to go for advice regarding information security
• Phishing for Business Managers e-learning module (staff login required) - LearnED module for business managers to identify and report phishing emails.

Useful links

• Office of the Victorian Information Commissioner (OVIC) – provides guidance in understanding and implementing the Victorian Protective Data and Security Standards.