7 JCQ Cyber Security Regulations
(c) Enabling additional security settings wherever possible

Enhance account security by enabling advanced protection measures such as multi-factor authentication (MFA), IP-based restrictions, and time-limited access controls. These settings create additional defence layers, significantly reducing the risk of unauthorised access. Regularly review available security features for all platforms and services in use, enabling updates and enhancements where applicable. Provide staff training on the importance of these settings and how they contribute to system security.

(d) Updating any passwords that may have been exposed

Compromised passwords must be immediately replaced with strong, unique alternatives. Encourage the use of password management tools to generate and store secure passwords, reducing risks from reuse or weak credentials. Implement a regular password update schedule, and use monitoring tools to detect potential breaches early. Educate staff on recognising signs of password compromise and responding swiftly to prevent further unauthorised access.

(e) Setting up secure account recovery options

Establish robust account recovery processes to ensure secure access restoration if credentials are lost or compromised. Use methods like backup codes, secure email verification, and identity confirmation to reduce risks during recovery. Ensure recovery options are updated and verified regularly to prevent exploitation by attackers. Provide clear guidance for staff to follow recovery procedures securely, minimising vulnerabilities that could arise during these processes.

(f) Reviewing and managing connected applications

Regularly audit third-party applications linked to systems, removing unnecessary integrations and ensuring compliance with security policies. Unchecked applications can introduce vulnerabilities or act as attack vectors for breaches. Limit access to essential apps and verify their data handling practices. Educate staff about the risks posed by unauthorised or insecure applications and establish a review process to maintain an up-to-date list of authorised integrations.

(g) Monitoring accounts and regularly reviewing access

Implement continuous account monitoring to identify suspicious activity, such as unusual login patterns or unauthorised data access. Regularly review and update access permissions, ensuring users retain only the minimum privileges required for their roles. Automate alerts for anomalies, such as failed login attempts, and schedule periodic access reviews to identify inactive accounts and revoke access when necessary. These practices enhance system integrity and minimise insider threats.

(h) Secure access to awarding bodies’ online systems

Authorised staff must access awarding bodies’ systems securely, adhering to their regulations and JCQ cyber security guidelines. Ensure devices meet technical standards, including compliance with multi-factor authentication (MFA) requirements, and utilise encrypted connections to protect data during transmission. Limit access to approved personnel, regularly review permissions, and provide secure devices for system access. Conduct regular training on proper access procedures to maintain security.

(i) Reporting actual or suspected compromise

Develop clear procedures for reporting suspected or actual compromises of awarding body systems. Staff should report incidents immediately to the awarding body, isolating affected systems to prevent further damage. Document all actions taken during and after the event, maintaining detailed records to aid in investigations. Establish communication channels for timely updates and ensure staff are trained to respond to security incidents promptly and effectively.