

Cyber Security Requirements for 2020-2021 Funding Year


LRS data breach prompts update to security requirements!

Earlier this year the Learner Records Service (LRS) had a serious data breach via a training provider contracted through the ESFA, who allowed access to the data of 28 million children.

This was widely reported in the media, including the Times and FE Week, and the ICO is said to be investigating further.

On the back of this the ESFA “…have reviewed the requirements for data security in the Education and Skills Funding Agreements and will update them to support a progression route to the more robust controls.” as announced in the update on January 29 2020.

"For the 2020 to 2021 funding year, the requirement will be to meet the requirements for Cyber Essentials, with progression to Cyber Essentials Plus from the 2021 to 2022 funding year. The requirement for preparatory work towards ISO27001 will be introduced later and so does not need to be considered now."

I would expect the ESFA will now start to police this more effectively and run checks to ascertain that training providers do indeed have Cyber Essentials certification as a minimum, even though it’s been a policy of direct government contracts for years.

What is Cyber Essentials?

"Cyber Essentials is a simple but effective, Government backed scheme that will help you to protect your organisation, whatever its size, against a whole range of the most common cyber attacks."

As of 1st April 2020, the IASME Consortium takes over the delivery of the National Cyber Security Centre’s (NCSC) Cyber Essentials scheme, so you will need to make sure your certification body is part of the IASME Consortium.

There are two levels of certification, Cyber Essentials and Cyber Essentials Plus.

Cyber Essentials costs £300 +VAT, is a self-assessment and is required for the 2020-2021 funding year.

Cyber Essentials Plus has additional costs to cover the technical audit of your systems, which verifies that the Cyber Essentials controls are in place: "As a rough estimate a Cyber Essentials Plus assessment for a small, simple company will cost in the region of £1,400". This is required for the 2021-2022 funding year.

Why Cyber Security Credentials?

Making sure your organisation is Cyber Essentials certified goes a long way to prove that you're serious about cyber security and have controls in place to protect your staff and learner data.

If you check your contracts you'll probably find this has already been a requirement for many years, so if you're not certified yet I'd make it a priority before the start of the new funding year!

Having Cyber Essentials certification will set you up in a good mindset if and when ISO 27001 becomes mandatory. There have been discussions around this for a while, and even if you're a micro organisation the costs involved are prohibitive for many, as prices just for the audit itself start from around £4,000!

However, there's also IASME Governance to consider, which covers both Cyber Essentials and GDPR, also with self-assessment and audited options.


