Cyber security policy - exams

Responsibilities and compliance

Purpose

To outline the measures InspireU takes to mitigate cyber threats and ensure the security of:

  • learner data
  • assessment records
  • digital assets

This policy applies to all InspireU staff, particularly those involved in exams and assessments, and covers the use of all digital systems, accounts, and devices.

Head of centre and senior leadership team 

  • ensure adherence to best practice in managing personal data and accounts.
  • oversee centre-wide cyber security, including:
    • robust password policy
    • multi-factor authentication (MFA) where applicable
    • software and systems update as directed by LCC
    • ensure all teams are following network security measures
    • complete information governance training annually
    • direct all staff to complete information governance training annually
    • immediate contact with awarding bodies in the event of a cyber-attack affecting learner data or assessment records

Exams officer

  • follow best practice in managing personal data and accounts
  • demonstrate awareness of cyber security best practice as defined by JCQ regulations/guidance
  • undertaking training on password security and social engineering/phishing awareness, through information governance training, plus further training identified by the head of centre.
  • report any concerns immediately to senior leads, awarding bodies and LCC information assurance teams.

Compliance with JCQ regulations

  • procedures are in place to maintain account security in line with JCQ General Regulations for Approved Centres (sections 3.20 and 3.21)
  • training for authorised staff on password security and account confidentiality
  • training on cyber security
  • enabling additional security settings wherever possible
  • prompt updating of exposed passwords
  • secure account recovery options
  • regular review and management of connected applications
  • monitoring and reviewing account access, including prompt removal of access when no longer required
  • secure access to awarding bodies’ online systems in line with JCQ and awarding body regulations
  • immediate reporting of any actual or suspected compromise of awarding body systems