Passmores Cooperative Learning Community Cyber Security Programme

wire8 wire8

 

Background

The Passmores Co-Operative Learning Community (PCLC) is a successful and dynamic Multi-Academy Trust located in Harlow, Essex. In September 2013, PCLC was officially formed and consisted of three schools: Passmores Academy (Sponsor), Potter Street Academy and Purford Green Primary School. Then in September 2018 the Downs Primary School and Nursery joined the PCLC.

PCLC is a cooperative Trust, meaning that we adhere to the ten key principles of the cooperative movement, while retaining overall autonomy of our schools. With internal IT provision at the central Trust, we have the benefit of an in-house technical team who can serve all of our member schools. Although we were confident in our abilities and felt we had most of the basics covered with regards to cyber security, our governing body took the decision to address cyber security risk. We decided to commission an internal audit initially, as a way of verifying that our current processes were both suitable and robust. This service would also enable us to satisfy the board’s request to report on cyber security with independent assurance – they felt it important that we sought external validation to ensure that the audit was both comprehensive and solely in the best interests of the Trust.

Prior to the audit, the culture within the Trust around cyber security was already very positive and promoted a ‘no blame’ approach which we know is an important factor in ensuring staff feel both confident and comfortable in reporting any potential issues early so that they can be resolved as quickly as possible. The audit process enabled us to take this several steps further by providing us with tangible evidence and an action plan that we could share with board members to demonstrate our current status as well as supporting our ongoing progress and monitoring.

Problem

We identified a need to address ‘unknown unknowns’ – although our technical team felt confident in current policies, procedures and personnel, the governing body sought to put this to the test using an external provider with industry-specific expertise so that we could evidence and improve our cyber security posture. Without independent assurance, we did not have a transparent method by which to scrutinise or explain to the board how we were protecting our information assets.

With the capacity and capability provided to us by having an excellent in-house technical department, we did not wish to spend money or time unnecessarily on an area which we already felt was well established within the trust. As such, we were initially looking for a time-limited solution that gave us excellent value-for-money whilst satisfying the requirements set by the board.

Secure Schools Helped Us By:

  • Offering an affordable, time-limited audit process by which we could gain insight into our current level of resilience as well as receiving an action plan which – if we wanted to – we could implement at no further cost by our team completing the steps suggested
  • The way in which the audit was conducted - the unique framework which Secure Schools developed as the basis for this particular service makes the process non-judgemental throughout
  • Structuring the process so that there was space for us to question why we had some setups the way we did and consider whether there was a better, more secure way of doing it
  • Providing a process independent of other IT services that is not affiliated with any other vendor. This instilled confidence in us that the audit was solely for the benefit of increasing the cyber resilience of the Trust and allows us to determine for ourselves the correct products and solutions to mitigate cyber risks
  • Involving staff in differing positions across our Trust, regardless of role or technical ability, which in turn helped improve cyber security culture across our schools

Outcome

Firstly, our Trust expanded its internal scrutiny programme to include cyber security as a non-financial risk area. Through the audit process we have established a baseline by which we now measure and report annually. We were also able to expand cyber security from being primarily the responsibility of our IT department to a Trust-wide responsibility involving governance.

In addition, we have increased the resilience of our processes and policies – this helps to future-proof against changes in staffing and governance as cyber security is becoming firmly embedded within the culture of the Trust.

Finally, we have established a strategic relationship with cyber security specialists that we trust to augment and complement our internal team.

Next Steps

With the action plan in hand from what we felt was a highly successful audit process, we could have walked away and embarked on completing the actions ourselves. However, we were very impressed with the service offered and everything included in the subscription plan made it a no brainer for us to sign up and receive further help from Secure Schools.

As such, the Trust is now embarking on a long-term programme with Secure Schools to further embed the lessons learned into policy, procedure, and process. The unique platform which Secure Schools created enables us to easily implement elements such as training for staff and board members across all of our member schools with easy-to-understand reporting which we can now share with the board and use to identify areas of weakness that we can continually monitor and improve upon.

“Secure Schools has offered a professional, no judgement, approach to the cyber security process which in turn has helped us as a Multi-Academy Trust to develop our cyber security processes to ensure that we continue to work in a safe environment within the recommended government guidelines.

The support Secure Schools offer in an increasingly developing area of IT is vital and will help the department save time in the future by having ongoing support from experts within the field to develop our team. Secure Schools has changed the way we look at cyber security and enabled us to implement changes in our processes that we didn't realise were crucial. The knowledge and training that Secure School has passed on to staff is invaluable to our ongoing fight against cyber security threats.”

Ashley Alderson, IT Manager at Passmores Cooperative Learning Community

customer-avatar

"We’ve found the whole process very reassuring in supporting improvement in an area of weakness for the Trust. Paul and the team are excellent at sharing their knowledge with clear and concise communication with staff of differing levels of technical skills. The focus on improvement rather than inspection really helped make the process impactful.”

Mark Tait COO at The Three Rivers Learning Trust