Enhancing data security within your MIS and protecting against cyber threats

We asked all MIS providers: How does your MIS platform enhance data security and protect against the latest cyber threats, ensuring compliance with GDPR and other relevant regulations?  

As always, we asked all MIS providers the same question and reproduce below the answers we received. In order to ‘mix things up a bit’, we have this month listed the responses in reverse alphabetical order!

With our SaaS-based platform and with 99.9% uptime, any user with a browser and an internet connection can access 100% of their Veracross tools and data anywhere, anytime.     

Our industry-leading security is strengthened by modern firewalls, DDoS protection, and built-in redundancies and protected with role-based access controls, single sign-on and multi-factor authentication. We perform regular penetration testing to ensure that our products are always protected and continue to develop in line with security best practices.

We are fully compliant with global data protection regulations, including GDPR, COPPA, FERPA and APP.

Further information is available in the Veracross Trust Centre where we document the steps we take to safeguard data fully.  

The GO 4 Schools MIS is a cloud-based service, provided on a Software as a Service (SaaS) basis. The service is hosted within Microsoft’s Azure data centres in the UK.  

  • The service status is available to view on a separate service (Freshdesk), which is hosted separately to the GO 4 Schools MIS service. There is an SLA that offers credits should the system fail to meet the specific targets. Please see the Terms & Conditions document for details. 

Service Security 

  • All network traffic to and from the service (apart from emails) is encrypted via 256-bit TLS 1.3 encryption. Service-management/maintenance traffic to the service is restricted to traffic from approved IP addresses. Access by users is restricted to those staff that need access to it, from known company devices after successful MFA.
  • The web front end to the service is protected via Microsoft’s Azure Firewall, Azure network security groups, ingress rules and a web application firewall. All web application firewall/ingress traffic is logged and monitored for unusual patterns, including known web exploits and unexpected request rates, bandwidth and failed request rates. Alerts are raised when key thresholds, such as failed-login attempt rates, are crossed.

Data Security, Availability and Backups  

  • All data and documents are encrypted at rest, and are accessible only from within our virtual network in Azure. Access to that virtual network is restricted to those staff that need access to it, from known company devices after successful MFA. 
  • Data and document storage is replicated continuously across zones within the service’s main data centre and is backed up nightly to geographically separate storage within another Microsoft Azure data centre in the UK. There is a 60-day retention on backed-up files. 
  • Microsoft SQL Server data is backed up every 15 minutes to a secondary Microsoft Azure data centre within the UK. From these backups, point-in-time restores are available for 7 days, and full daily restore points are available for 90 days.

Service Monitoring 

  • Logs are aggregated in real-time from each service component into a central store, and are continuously monitored for suspicious activity.
  • Performance metrics such as CPU and memory usage for each service component are also collected in real-time and monitored for unusual patterns. 
  • Alerts are triggered for investigation when thresholds are exceeded on key metrics related to logs and/or performance metrics. 

Disaster Recovery 

In the event of the Microsoft Data Centre used for hosting the service becoming unavailable, the service can be migrated to a different Microsoft Data Centre within the UK within 24 hours. 
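The threshold alerting GO 4 Schools describes above (an alert raised when the failed-login attempt rate crosses a threshold) can be illustrated with a small sliding-window detector run over sample log lines. This is an added example written for this article, not GO 4 Schools code: the log line format, the field names, the threshold of five failures and the five-minute window are all assumptions, and the log lines are constructed for the example.

```python
"""Sliding-window failed-login rate alerting over constructed auth log lines.

Added example for illustration only; the format and thresholds are assumptions,
not GO 4 Schools' actual logging or alerting configuration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (not real MIS logs): timestamp, outcome, user, source IP.
# 203.0.113.7 sprays several accounts; m.brown is hit from several sources;
# the 07:50 failure is there to show entries ageing out of the window.
SAMPLE_LOG = """\
2024-05-01T07:50:00Z LOGIN_FAIL user=j.smith src=203.0.113.7
2024-05-01T08:00:01Z LOGIN_FAIL user=j.smith src=203.0.113.7
2024-05-01T08:00:03Z LOGIN_FAIL user=j.smith src=203.0.113.7
2024-05-01T08:00:05Z LOGIN_OK user=t.lee src=192.0.2.10
2024-05-01T08:00:09Z LOGIN_FAIL user=a.jones src=203.0.113.7
2024-05-01T08:00:12Z LOGIN_FAIL user=a.jones src=203.0.113.7
2024-05-01T08:00:15Z LOGIN_FAIL user=p.green src=203.0.113.7
2024-05-01T08:01:00Z LOGIN_FAIL user=m.brown src=198.51.100.1
2024-05-01T08:01:20Z LOGIN_FAIL user=m.brown src=198.51.100.2
2024-05-01T08:01:40Z LOGIN_FAIL user=m.brown src=198.51.100.3
2024-05-01T08:02:00Z LOGIN_FAIL user=m.brown src=198.51.100.4
2024-05-01T08:02:20Z LOGIN_FAIL user=m.brown src=198.51.100.5
"""

THRESHOLD = 5                    # assumed: failures within the window that trigger an alert
WINDOW = timedelta(minutes=5)    # assumed: sliding window length


def parse_line(line):
    """Parse one constructed log line into (timestamp, outcome, user, src)."""
    ts, outcome, user_kv, src_kv = line.split()
    return (
        datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        outcome,
        user_kv.split("=", 1)[1],
        src_kv.split("=", 1)[1],
    )


def detect(lines, threshold=THRESHOLD, window=WINDOW):
    """Return a list of (timestamp, key, count) alerts.

    Failures are counted per source IP and per target user, each in its own
    sliding window, so a single source hammering one account, a single source
    spraying many accounts, and many sources hammering one account all cross
    one of the two counters. A key alerts once per crossing and re-arms when
    its count falls back below the threshold, to avoid an alert storm.
    """
    windows = defaultdict(deque)   # key -> timestamps of recent failures
    armed = set()                  # keys that have already alerted for the current crossing
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ts, outcome, user, src = parse_line(line)
        if outcome != "LOGIN_FAIL":
            continue
        for key in (("src", src), ("user", user)):
            recent = windows[key]
            recent.append(ts)
            # Drop failures older than the window relative to the newest event.
            while recent and ts - recent[0] > window:
                recent.popleft()
            if len(recent) < threshold:
                armed.discard(key)
            elif key not in armed:
                armed.add(key)
                alerts.append((ts, key, len(recent)))
    return alerts


def detect_from_text(log_text):
    """Convenience wrapper: run detect() over a multi-line log string."""
    return detect(log_text.splitlines())


if __name__ == "__main__":
    for ts, key, count in detect_from_text(SAMPLE_LOG):
        print(f"{ts.isoformat()} ALERT {key[0]}={key[1]} failures_in_window={count}")
```

On the constructed input this raises two alerts: one on the source 203.0.113.7 at 08:00:15 (five failures across three accounts, so no single user counter trips) and one on the user m.brown at 08:02:20 (five failures from five different sources, so no single source counter trips). A slow spray spread across many sources and many accounts stays under both counters, which is why rate alerts of this kind are one detection signal among several (MFA, IP allow-lists, WAF rules) rather than a complete control.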

Ed:gen and iSAMS are designed with robust data security measures that enhance protection against cyber threats and ensure compliance with GDPR and other relevant regulations. 

Data security enhancements: Both MIS platforms are hosted on Microsoft Azure, providing secure cloud storage that complies with GDPR and COPPA regulations in all operational countries.  

We go beyond industry norms by conducting external penetration testing four times a year, with strict deadlines to address any findings. Additionally, we regularly achieve third-party certifications like Cyber Essentials and ISO 27001, reflecting our commitment to high security standards.  
 
Ed:gen and iSAMS also offer comprehensive school-level security measures, including a dedicated Data Protection Manager module for managing consent registers and handling Data Subject Access Requests. Built-in security permissions also allow leaders to set access levels for different staff members. 

Protection against cyber threats: We take a proactive approach to cybersecurity by partnering with third-party companies for quarterly penetration testing – and we also ensure that we quickly address any risks. We also assess customer-reported security issues and provide regular updates on security measures. Notably, around 30-40% of our product development efforts focus on enhancing security, to stay ahead of new and emerging threats. 

Compliance with GDPR and other regulations: Our products are designed with security and privacy in mind. We utilise real-time threat monitoring tools, conduct regular internal testing and employ advanced encryption to protect student information. Further, iSAMS encrypts all data both in transit and at rest, ensuring robust protection and compliance with strict privacy laws. Our correspondence tools ensure secure communication, reducing risks associated with email fraud. Additionally, we provide resources and tools to help schools strengthen their cybersecurity practices, including webinars, expert partnerships and a rich library of security-focused content. 

HUB MIS logo

HUBmis is designed with data security as a top priority, providing a secure and compliant environment for managing school data. We have implemented a range of measures to protect against cyber threats and ensure compliance with GDPR and other regulations: 

  • Future-Proofing: Our platform is hosted on AWS, known for its robust security infrastructure. This includes automated updates that ensure the system is always protected against the latest threats. 
  • Encryption and Access Control: We employ strict encryption policies to safeguard data, alongside external access restrictions to prevent unauthorised access. 
  • Penetration Testing: Regular penetration testing is conducted by third parties, to identify and address potential vulnerabilities, ensuring our system remains secure. 
  • Data, Backup, and Disaster Recovery: Comprehensive data backup and disaster recovery plans are in place, ensuring that your data is always safe and recoverable in the event of any incident. 

These features combine to provide schools with peace of mind, knowing their data is secure with HUBmis. 

Furlong SchoolBase logo

SchoolBase is a cloud based, secure and encrypted MIS which offers complete peace of mind when it comes to storing and accessing data.

All information fields, such as student details, are also compliant with the latest census and DfE requirements. Our MIS also includes 2FA and has a team of in-house cyber security experts constantly monitoring everything.  

Furlong is also owned by technology giants Volaris further demonstrating the access we have to resources which enhance data security and protection. 

Cyber threat protection 

We have a dedicated team of 12 cyber experts who monitor our systems 365 days a year on a 24/7 basis to ensure that our platforms and the school data stored within them are secure.  

This commitment goes beyond just compliance and certification; we are committed to investing in the specialist security resources needed to proactively keep our infrastructure ready to deal with both current and emerging threats facing schools, parents, and students.   

We have ensured our platforms, infrastructure and products are protected by leading technologies that give us comprehensive breadth and depth of security. 

ParentPay Group has all these critical certifications for security and compliance:  

  • ISO 27001 Certified (certified by a UKAS accredited certification body – most firms do not use UKAS accredited body because they can’t meet this standard).  
  • Payment Card Industry Digital Security Standard (PCI-DSS Level 1) (the highest level of certification)  
  • Cyber Essentials Plus Certified (enhanced level of certification not commonly achieved) 

Our cyber security suite covers a huge range including:  

  • Dark web monitoring 
  • Stealer-as-a-service monitoring 
  • 24/7 365 SIEM and threat hunting detection and response 
  • Endpoint management 
  • Training and awareness including phishing simulations 
  • Vulnerability scanning 
  • Crypto-ransomware protection 
  • Intrusion detection 

We are one of the only edtech suppliers to achieve an ‘A’ rating from independent verifiers Black Kite, as well as the Cyber Essentials Plus certification. 

Data protection 

We also have specialists in our team focused on privacy and data protection across the Group. In addition to our Data Protection Officer, we have experts who ensure our systems and business processes comply with data protection principles.  

This team has over 40 years collective specialist data protection experience.   

Our products and services have been subject to Data Protection Impact Assessments (DPIA), and the team are on hand to support our customers (typically Data Controllers) with their own obligations, and to service any requests we receive from customers or users.   

Privacy is designed into our products and services.  We ensure customers can meet their privacy commitments, and users receive a fully transparent, unintrusive and secure service. 

At the core of our platform’s security are robust multi-tier architectures and a blend of public and private cloud services.  

We prioritise security across various operational layers which exemplify our commitment to maintaining the highest standards of data protection and privacy for our users.  

For example: 

  • Comprehensive Security Measures: Our network is fortified with Web Application Firewalls, intrusion detection systems, and is complemented by active monitoring to swiftly identify and mitigate threats. 
  • Proactive Anomaly Detection: We have a specialised security sub-layer designed to detect anomalies, allowing us to proactively prevent malicious activities and promptly alert our security team. 
  • Regular Independent Reviews: To ensure our defences remain top-notch, we conduct biannual third-party penetration tests and twelve additional security assessments yearly, beyond our obligations under PCI DSS and ISO/IEC 27001 standards. 
  • Data Encryption and Backup: All customer data is encrypted in transit and at rest using TLS 1.2 and AES 128-bit encryption. We also perform frequent backups of customer data, storing these offsite in an encrypted, immutable format for enhanced data integrity. 
  • Local Geography Variation: We tailor our data handling and storage solutions based on the geographic location of users to optimise performance and compliance. This means adjusting data session handling to align with local data protection regulations and latency considerations.

As a cloud-based MIS vendor, Compass surpasses all requirements for Cloud solution standards and Cyber security standards contained in the DfE’s Digital and Technology Standards. In the provision of its cloud-based MIS solution, Compass is Cyber Essentials certified, holds PCI-DSS Level 1 certification at a global level, and is working towards completing ISO27001 accreditation following the successful accreditation of our Parent Company in late 2023. 

These certifications ensure that we always implement the highest standards of data protection, cyber security, information security and information security management, above and beyond that which is contained in the DfE standards. Additionally, we work closely with our schools to help them implement and comply with the elements of the standards that are managed client-side, such as Multi-Factor Authentication. 

Bromcom Logo

Bromcom has held ISO 27001 certification for information security for the past four years.  

This holds us to high information security standards which are audited both internally and externally on a yearly basis to ensure processes, policies and procedures are understood and followed by all staff.  

This is reflected in the company’s commitment to high standards of information security, transparency, and privacy, placing a high priority on protecting and managing data in accordance with accepted standards.  

The company complies with the GDPR and continually seeks to ensure the confidentiality, integrity, and availability (to authorised persons) of the personal data it stores or processes. It maintains appropriate technical and organisational security measures to protect personal data against accidental or unlawful destruction or loss, alteration, unauthorised disclosure, or access. 

Bromcom is deeply committed to its MIS cyber security protection. Bromcom MIS has a single URL for access (https://cloudmis.bromcom.com).  

This is made available to users over the web only via encrypted SSL port 443. Using the HTTPS Protocol ensures that data is encrypted in transit at 128-bit level (the same as used for internet banking) and not cached on the local PC.   

Bromcom MIS has the facility to implement extensive login security including two-factor authentication, memorable information, password policy, and active directory integration. In addition, for roles and permissions, a single role will be applied to all students in the system which will govern what information students can access.  

This role can be edited allowing control of what data is shared with students. 

Other security measures have been put in place, such as sign-in authentication processes in line with the school’s password policy.   

The login process will automatically authenticate against the active directory details and link to the Bromcom MIS accounts. 

The Bromcom MIS also utilises the firewall capabilities offered by the Microsoft Azure platform and locks access to the solution down to two entry points, via the HTTPS web frontend to the MIS solution and the dedicated access to the backend for support purposes.  

This connection is locked down to only accept traffic from Bromcom’s head office and uses a non-standard port for access.  

The solution’s internal network also utilises firewall protection to ensure only necessary communication between servers is allowed. 

Other security measures include audit logs showing logins and changes to the system, ensuring traceability of changes to the system, data encryption, automated patching of systems, built-in redundancy with no single point of failure, and secure equipment disposal. 

From the responses we have received above, it seems clear that all MIS providers take seriously both data security and the danger from cyber threats.

At WhichMIS, we are pleased to see evidence that the personal and sensitive data held within school MIS platforms is being stored and processed securely.
