Jisc provides clarity for further education sector on mandatory annual IT Health Checks

FE colleges can use CREST-approved testing partners to mitigate cyber security risks.

With annual IT Health Checks now a requirement for FE institutions as part of their Education and Skills Funding Agency (ESFA) funding agreements, colleges are looking for guidance on choosing a provider.

In response to members’ questions, Jisc has confirmed with the Department for Education (DfE) that FE colleges are free to use CREST-approved organisations to conduct their mandatory annual IT Health Check (ITHC).

David Batho, director of security at Jisc, says:

“The recent reclassification by the ONS of 228 college corporations and designated institutions in England into central government created some uncertainty as to whether FE colleges should now operate in the same way as other central government organisations and only use testing partners who are part of the NCSC’s CHECK scheme.

“On behalf of our FE members, we have clarified with the DfE that there is no obligation on colleges to use a CHECK-accredited supplier. Jisc already provides cyber security services to colleges as part of their membership, so they can now choose Jisc to conduct their ITHC as well.”

Jisc is a CREST-approved provider of penetration testing and is also endorsed by NCSC to CIR L2 for cyber services to education, public and private sector and local authorities. It has a long and successful track record of helping members identify vulnerabilities and take corrective action.

During an ITHC, Jisc carries out controlled vulnerability scans and security control checks designed to identify, expose and address security vulnerabilities in an institution’s IT systems, both internal and external. Assessors mimic real-world attacks on an application, system or network to identify vulnerabilities that could, without mitigation, be exploited.

As well as being a funding body requirement, an annual ITHC allows institutions to demonstrate good security controls and governance to protect their staff, students and data, and gives assurance to suppliers and customers that controls are implemented and working correctly.

The ITHC features in frameworks such as Crown Commercial Services Dynamic Purchasing Systems, through which Jisc already offers cyber services to members and customers.