MIS functionality: Platform Security

In our last post we featured Timetabling – today we are focusing on MIS online platform security, which is a huge and important area that is often in the news.

When UK schools contemplate transitioning to or replacing an online Management Information System (MIS), they should be vigilant about several critical data security concerns. Here are the key considerations:

Data breaches and leaks:

• Recent incidents have highlighted the vulnerability of educational institutions. For instance, confidential data from 14 UK schools was leaked online by hackers in 2022.
• The compromised information included children’s Special Educational Needs (SEN) details, pupils’ passport scans, staff pay scales and contact information.
• These leaks occurred after the impacted schools refused to pay ransom demands.
• Schools must prioritise robust security measures to prevent unauthorised access and data breaches.

Ransomware attacks:

• The education sector has been heavily targeted by ransomware.
• A Sophos report revealed that 56% of lower education institutions and 64% of higher education bodies experienced ransomware attacks in the previous 12 months.
• Schools and universities are often viewed as ‘soft targets’ due to factors such as inadequate cyber security investment along with the large number of devices connected to their systems.

Authentication and Access Control:

• An MIS contains sensitive data about students, parents, teachers and other personnel.
• Robust authentication procedures are essential before granting access to any part of the system.
• Strict business rules should control the specific data items that users can access.

See: UK Schools Hit by Mass Leak of Confidential Data – Infosecurity Magazine (infosecurity-magazine.com)

1. Data Protection Compliance: Ensure that your MIS system complies with the UK Data Protection Act and the General Data Protection Regulation (GDPR). This includes provisions for data encryption, data access controls, and data retention policies.

2. Data Encryption: Data should be encrypted both in transit and at rest to prevent unauthorized access. Encryption protocols should be robust and up-to-date to protect sensitive information such as student records, grades, and personal data.

3. Access Control: Implement strong access controls to limit access to sensitive data to authorized personnel only. This involves user authentication mechanisms such as passwords, multi-factor authentication, and role-based access controls.

4. Data Backup and Recovery: Ensure that your MIS system has robust data backup and recovery mechanisms in place to prevent data loss in case of system failures, cyber attacks, or other unforeseen events.

5. Vendor Security: Assess the security measures implemented by the vendor providing the MIS system. This includes their security certifications, track record in handling sensitive data, and adherence to industry best practices.

6. User Training and Awareness: Educate school staff about data security best practices and the importance of safeguarding sensitive information. This can help prevent data breaches caused by human error or negligence.

7. Data Minimization: Only collect and store data that is necessary for the functioning of the MIS system. Minimizing the amount of data reduces the risk exposure in case of a security breach.

8. Regular Security Audits and Penetration Testing: Conduct regular security audits and penetration testing to identify and address any vulnerabilities in your MIS system. This helps ensure that the system remains secure against evolving cyber threats.

9. Secure Integration with Third-Party Systems: If the MIS system integrates with other third-party systems or applications, ensure that data exchange is done securely and that proper security measures are in place to protect against data breaches through integration points.

10. Incident Response Plan: Develop a comprehensive incident response plan outlining the steps to be taken in case of a security breach or data incident. This includes procedures for containment, investigation, notification, and remediation.

In summary, UK schools must proactively address these security considerations when evaluating or adopting an online MIS system to safeguard sensitive data and maintain educational continuity.

As always, we asked all MIS providers the same questions, being:

1)     Is your platform hosted on AWS / MS Azure / Google Cloud / Other (Please specify)?

2)     How regularly to you run external penetration tests?

3)     Without listing your privacy policy, what do you offer schools / academies by way of protection against cyber attacks?

4)    How often do you update your advice?

As usual, we’ve listed the MIS’s in alphabetical order:

Arbor & ScholarPack are hosted on AWS, and Integris and Arbor Finance are hosted on Microsoft Azure

Penetration tests are run annually for each product, using unauthenticated and authenticated tests utilising the CREST framework. 

The penetration tests form part of a robust schedule of testing activities, supporting the audit and certification of all products against ISO27001, ISO9001, and Cyber Essentials. 

Alongside external penetration tests, all products are also scanned weekly by a threat scanner, as well as Security Incident Event Management (SIEM) systems that actively detect threats and anomalies. 

Arbor goes beyond just technical penetration tests and performs external and internal social engineering tests to understand and fix any weaknesses in processes and people that may arise. This is particularly important given most cyber attacks as social rather than technical.

The Arbor platform is also PCI-DSS compliant, and as such has quarterly ASV scans completed, and a full level 1 PCI audit annually.

Arbor meets and exceeds the requirements of GDPR, protecting the data we store with a comprehensive Information Security Management System which the International Organisation for Standardisation (ISO) audits annually.

This system is governed by our Information Security Management Committee, which consists of senior management across various business areas.

• Physical security is maintained by formal security inspections, risk assessments and access control at every Arbor office.
• Access to Arbor locations is restricted with secure keys, CCTV, 24/7 security personnel and secure perimeter doors.
• Digital security is maintained not only by our staff’s awareness training and personal vigilance, but by a number of digital safeguards.
• Staff passwords are changed regularly and wherever possible all our business systems require two-factor authentication.
• Data is kept on our central system rather than any individual device, so you can give and revoke permissions to different users.

Through hosting via AWS and Microsoft Azure, Arbor, ScholarPack and Integris benefit from best-in-class security, bank-grade physical access controls, as well as robust network and infrastructure level security.

Both Microsoft Azure and AWS maintain a significant number of compliance and security related certifications, including ISO, SOC, PCI and more.

Through partnerships with both providers, Arbor also benefits from external solution reviews and audits, such as AWS’s Well-Architected framework, and AWS’s Security Foundations

All our architecture is housed in a private firewalled network to reduce external access and increase security.

The school MIS operates a single-tenanted database model – this means that school data is segregated from other customers in our database and persistence layers. Instances are recycled daily to reduce the risk of data being compromised, and all servers are patched continuously to reduce security vulnerabilities.

Encryption in transit is through bank grade 256-bit SSL.

All server operating systems are automatically patched with the latest security fixes every night.

All software libraries are upgraded to the latest version, incorporating security fixes, upon every new release of our software (this happens at least once per working day).

An internal security committee assesses our software and infrastructure every month for possible vulnerabilities, and plans fixes for any they find.

External penetration testing is also conducted annually.

Arbor maintains back-to-back contracts with our subcontractors so that all data security policies and responsibilities flow down to them, meaning all school data is kept secure. These standards are renewed every year, keeping protection up-to-date.

Authentication can be enhanced via Single Sign On, using Google or Microsoft credentials, allowing for the inclusion of additional user management and provisioning in external systems.

Customers can also enable 2 Factor authentication using an authenticator app, as well as enable IP whitelisting to only allow access from certain locations (e.g. within the school grounds)

Password security is configurable by customers, and password complexity can be set to provide additional protection.

In order to ensure best practice at minimum, password complexity cannot be lowered to unsafe standards.

Customers can also choose to disable logins by both students and guardians if they deem this necessary. 

Arbor provides functionality to both control and report on user logins and access patterns, including a user login history, and a full audit log showing actions completed by each user. Authorisation of users is handled via Role Based Access Control (RBAC), giving customers the ability to control the actions permitted by users on a role basis. 

Arbor goes beyond just technical penetration tests and performs external and internal social engineering tests to understand and fix any weaknesses in processes and people that may arise. This is particularly important given most cyber attacks as social rather than technical.

Arbor actively maintains a  public-facing guide for how we protect school’s data, as well as a Data Protection Impact Assessment template which schools can view and fill in to ensure they comply with Data Protection Guidelines.

We list all our data security guidance and advice for schools in detail on our Helpcentre as well as having an external DPO who schools can contact with any questions, ensuring that schools are kept up-to-date with all the latest information.

Bromcom MIS is hosted on Microsoft Azure to provide a reliable, safe, and efficient service that can be accessed anywhere.

Some of the benefits of Azure hosting include scalability, improved data security, and compliance-oriented frameworks, providing best-in-class security, bank-grade physical access controls, and infrastructure level security. 

As per our ISO 27001 certification, our processes and procedures specify external penetration (pen) testing is completed yearly. 

Our penetration tests are run annually in May, utilising the CREST framework for both unauthenticated and authenticated tests, all of which are CHECK compliant. 

These tests form part of a robust schedule of testing activities, supporting the audit and certification of all products against ISO27001, ISO9001, and Cyber Essentials. 

For penetration testing we use Pentest People, who offer ongoing managed scanning with dark-web monitoring and the latest symbiote security scanners to negate APTs (advanced persistent threats) with 24/7 around the clock monitoring. 

Pentest People also use a range of custom-built tools alongside experienced CREST & Check Team Leaders to detect vulnerabilities in our systems. 

Weekly Threat/Vulnerability Scans happens on all our platforms, and automated social engineering tests are executed periodically (i.e. phishing simulations).

While we do not offer protection to schools’ devices directly, we have protections in place to process the data held in our platforms. We follow ISO27001 and CyberEssentials Certifications, which include yearly internal and external audits of our business and practices. We also uphold the following internal best practices: 

• Staff are required to regularly complete compulsory training on cyber security, data handing, data protection, identifying spam, and other e-learning.  
• Staff are not permitted to store personal or shared passwords on paper or their local machines. Instead, we use 1Password to store and maintain all internal credentials. 
• Stringent password policies are in place to ensure passwords are both effective and secure. 
• Two-factor authentication is enforced across the company. 
• When storing documents and sending internal or external emails, security classifications must be selected depending on the sensitivity of the content.  
• Managed Access to Servers and Critical Infrastructure.  
• Firewalls setup with principle of least privilege applied 
• Careful management and maintenance of configurations. 
• Stringent Patch management processes 
• Elimination of unnecessary Software, Services and Applications. 
• Enterprise level monitoring and alerting software 

Within our MIS itself, there are several policies, settings, and configurations available which allows schools to further enhance the already significant security we provide. These include but are not limited to: 

• Location-based Access Controls – Schools have the ability to block access to the MIS from computers outside of a specified or permitted IP address, preventing staff from accessing school or student data when offsite should the need arise. 
• Time-based Access Control – Schools can also configure time-based restrictions to prevent staff from using the MIS beyond a certain time every day. 
• Password Policies – Schools can create their own password policies, where they can dictate the required password strength, which special characters are required, how often they need to be reset, how many incorrect attempts are allowed before being locked out, and more. 
• Roles and Permissions – Our MIS and the data accessible within it, are entirely controlled by bespoke roles and permissions, which the schools are free to control as they see fit. Virtually every button, feature, or page within our MIS requires specific permissions to be granted to users for them to access, edit, or add data.  
• Single Sign-On – By enabling single sign-on, schools are able to create bespoke Office365 or Google accounts for staff, allowing them to log in securely and utilise our two-factor authentication functionality.  
• User, Error, and Security logs – Our MIS keeps a continuous log of not only user activity, but also error and security logs, all of which can be exported and accessed at any time by users with relevant permissions.  
• Register Audit – We go one step beyond activity logs. We also provide a built in Register Audit report, which schools can use to track changes made to student attendance, including exact timings and staff usernames for full accountability.  
• Biometric authentication – Alongside our MIS, we also offer 3 applications – MyChildAtSchool, Student Portal and Teacher App, all of which are free for iOS and Android devices. User account creation for each of these 3 applications require thorough work within the schools, and each app also offers biometric authentication for the strongest possible security. These applications also go through significant security and penetration testing to ensure their safety and reliability. 

As part of our ISO Certification and Continual improvement cycles, our policies, processes, and procedures are reviewed and updated at least yearly, with our GDPR compliance statement, information security policy statement, and privacy statement all readily available on our website. 

Compass utilises a mix of public and private cloud providers to deliver its platform.

Security is a key consideration built into many different layers of our operations and also into the platform itself.

We conduct a minimum of 2 third party penetration tests each year, with over 12 additional third party security assessments.

This is all in addition to maintaining our obligations as an ISO27001 certified Level 1 PCI DSS SaaS provider.”

Currently, the solution is hosted primarily with Xneelo South Africa, but we are already migrating the Xneelo portion to AWS over the next 3 months.

We utilise Hakware for real-time automated penetration testing and vulnerability assessment.

We initiate manual black-box penetration tests on an ad-hoc basis whenever large-scale or framework/security-related product or infrastructure changes are introduced. Our current provider of choice is Three6Five

We have ongoing manual vulnerability assessments done by an independent third-party security researcher on all publicly exposed interfaces.

In addition to the above-automated vulnerability scanning, some of our security and resilience measures are posted on our Trust Centre. 

We also provide ongoing training to our staff to mitigate the risk of user-related errors, phishing, and social engineering attacks. 

Occasionally, we host security and privacy webinars to upskill our clients and create awareness.

We engage several independent security and privacy consultancies and update our security measures, privacy activities, training and advice on an ongoing basis as anything new comes to light. 

Last year we moved HUBmis to the AWS platform from GCP, highlighting our dedication to innovation, security and user experience.

The AWS platform allows us to benefit from more services, features, and emerging technologies than other providers, which means we can pass on these benefits to our HUBmis schools, keeping them ahead of the technology curve. In addition, the AWS platform allows us to provision database shards in specific countries across the globe, so that we can meet local data residency requirements that schools are required to follow.

We’ve expanded on this in a recent blog: https://www.wcbs.co.uk/hubmis-safeguarding-school-data/

We’re committed to running at least annual penetration tests on our software, and even more frequently where appropriate.

This helps further protect our schools from ransomware attacks so that we are always in a position to mitigate threats as they emerge.

A review of the “attack surface” of HUB is also regularly carried out to ensure it remains as small as possible & security covers the latest developments within industry.

We take our schools’ cyber security very seriously; it’s considered in every decision made, and this is supported by our Cyber Essentials Certificate; a government backed scheme that protects against cyber attacks.

We implement careful encryption policies and external access restrictions to protect our schools against cyber attacks, as well as automated updates and backups, and strong disaster recovery to mitigate any impact, should the worst happen.

Encryption

The HUB platform is accessible only via HTTPS, utilising 256-bit encrypted communication between client browser & the service.

Customer files, database data & associated backups are stored with 256-bit encryption (AES256) but also encrypted whilst data is within the AWS infrastructure platform.

Our schools’ data is encrypted whilst at rest, and in transit, both outside and inside our infrastructure.

External access restrictions

All access is logged, and access is only given on a need basis.

Policies & processes exist to ensure delivery happens correctly, safely & efficiently.

Use of external services are reviewed to ensure they meet our requirements & that they uphold a level of security.

In addition, customer data is physically partitioned between schools, reducing the risk of unprivileged access to other school’s data.

Automated updates

All infrastructure is provisioned within a firewalled private network automatically updated by AWS.

Containers we host are security scanned & regularly checked for latest updates.

The code that is developed & deployed has various automated tooling to ensure vulnerabilities are removed.

Data, Backup & Disaster Recovery

Database, uploaded files & associated backups are within AWS Storage, designed for 99.999999999% (11 9s) annual durability, provided through redundantly storing data across multiple devices located in multiple regions.

The HUB platform utilises high-availability relational database systems with point in time recovery enabled up to 7 days.

Customer databases are backed up daily, & backups are retained for at least 30 days for platform disaster recovery purposes only. Stored emails are accessible up to 30 days after the fact.

We update our advice as regularly as it is required, and often send out preventative information to our schools when we hear about new threats. Although we know HUB is as secure as possible, we hope any advice we share can be helpful across all their EdTech provisions.

Our two Management Information Systems (MIS), Ed:gen and iSAMS, are hosted on Microsoft Azure. All data is securely stored in our cloud systems and complies with GDPR and COPPA regulations in every operational country.

Across our MIS’, we run external penetration testing four times per year, surpassing the industry standard of twice per year. And, once we have the findings, we have strict response deadlines to ensure they are acted upon.

We also regularly conduct thorough internal testing and regularly achieve 3rd party verified certifications, including Cyber Essentials and ISO 27001.

All of our products, modules and portals ensure security and privacy, by design. We stand by these principles as we develop our products, and as we constantly monitor the landscape for any potential threats, cyber-fraud and attacks. We employ a variety of sophisticated tools:

Available as bespoke solutions or commercially, these sophisticated monitoring tools proactively protects our platforms and alerts us in real-time if there are any risks we can mitigate.

Internal testing: Additionally, we use advanced in-house technology to regularly test our environments and act on these outputs in a timely manner.

Encryption: IRIS products like iSAMS encrypt all data to ensure robust protection of student information and compliance with strict privacy laws. All data is encrypted both in transit and at rest.

Supporting active learning: For more than two decades, we’ve worked closely with customers to implement strong privacy and security controls. We encourage schools to utilise portals and tools in our software to minimise email communications between staff and stakeholders, especially those that send bills or ask for payment, thus reducing the risk of email fraud, as well as offering a multitude of tools to alleviate the burden of admin for schools where detailed audit logs and such are concerned.

Active learning is essential to maintaining a high level of security, and we encourage education leaders to prioritise cyber-security through our regular webinars and events hosted by our teams, often in partnership with industry experts. Our huge catalogue of in-depth content such as articles and blogs also keep security at the top of schools’ minds.

Our security advice is updated quarterly as standard, but we’re aware that in our ever-evolving threat landscape, we must remain vigilant and adaptable to keep learning safe and secure. For instance, with iSAMS, 30-40% of our development efforts go to maintaining security. We are diligent about staying on top of threats, making updates to our cloud software to keep it secure, and continuing to communicate proactively with schools.

At ParentPay Group we maintain the highest standards of cybersecurity.

Our continued efforts have distinguished us as leaders in cybersecurity within the education sector. 

We continuously monitor ourselves and all key education suppliers for their cyber posture on an ongoing basis across 20 risk categories – including security headers, HTTPS security, information leakage, breached credentials, attack surface, email security, patching efficacy, and ransomware susceptibility.

ParentPay and SIMS lead these categories across all competitors by a wide margin.  

As an example, we’re rated A+ by Security Headers.  

Our platforms are hosted on MS Azure and premier Tier 3 UK data centres from 6Degrees and CAE.

We conduct approximately 80 annual penetration tests, supplemented by Red Team exercises, and each product is tested at least once per year.

We perform weekly vulnerability scans across all network assets, with servers and workstations monitored in near-real-time. 

We further ensure customer and platform security through advanced measures such as dark web monitoring and account takeover protections, alongside top-tier web application firewalls and denial of service mitigation systems.

Our dedicated team of 12 cyber specialists collaborates with leading industry partners to deliver 24/7 cutting-edge security.

We actively monitor and update our cybersecurity tactics based on the latest threat intelligence in the education sector.

Our recent acquisition of GDPRiS significantly enhances our compliance capabilities.  

It is important to note that while in some cases we continue to support legacy systems for customer continuity purposes, including those using TLS1.0 due to their integration in older technologies, we are actively working towards phasing out these older protocols within the next six months.

We mitigate risks through stringent cipher configurations and support for modern protocols in all browser access, ensuring that legacy vulnerabilities are tightly controlled. 

Our security guidelines are continually refreshed to align with product updates, compliance standards, and the evolving threat landscape, ensuring our stakeholders are well-informed with the latest cybersecurity practices.

This proactive approach ensures that educational institutions can focus on their core activities, confident in the security of their data. 

As usual, if we receive any further information on this issue we will update this post accordingly.