Use of Generic Supply Accounts for IT Systems

Purpose
Being able to reliably identify an individual user on our computer systems is a core requirement of Cyber Essentials, and is emphasised by the DfE’s digital guidance, the Safer Internet Centre, and in the Keeping Children Safe in Education (KCSIE) guidance for schools.
The preferred and most straightforward way to achieve this is to give a named account to any person on whom we have already carried out the relevant employment checks, or whose checks we have been reliably assured of, e.g. via an agency service.
For supply staff working for a lengthy period, IT Services recommends setting up a named computer account.
However, there is a recurring need to use supply staff at short notice, and they need access to computer resources. To meet this need in our schools, we operate a controlled system of shared ‘generic’ computer accounts for supply staff.
Controls
To reliably meet the requirement for identification of users, and to meet our security and safeguarding obligations as above, we must put other processes or controls in place.
- We issue a limited number of supply accounts per school, no more than the maximum number of supply users who could be working at the same time.
- Each school will nominate a ‘responsible person’ to manage the distribution of these accounts locally.
- Passwords will be reset to temporary passwords every time they are issued to a person.
- As Multi-Factor Authentication (MFA) cannot be configured in the normal way for a shared account, the accounts can only be accessed from a trusted internal network. The network becomes the second factor.
- No mailboxes are configured for the accounts. This mitigates the GDPR implications of multiple people gaining access to the same mailbox when signing in and being able to see any messages sent or received. It also mitigates data exfiltration via email.
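The controls above, modelled as a small issuance and sign-in check for one school. This is an added illustration, not SAND IT Services code or the supply password portal; the school name, account naming scheme, trusted network range and timestamps are constructed placeholders.

```python
import ipaddress
import secrets
from datetime import datetime, timezone

TRUSTED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]  # constructed placeholder range

def _now():
    # ISO 8601 UTC timestamps; strings in this form compare in time order.
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

class SupplyAccountPool:
    def __init__(self, school, max_simultaneous):
        # Pool size is the cap: one account per possible simultaneous supply user.
        self.holder = {f"{school}-supply{i:02d}": None for i in range(1, max_simultaneous + 1)}
        self.password = {a: secrets.token_urlsafe(12) for a in self.holder}
        self.log = []  # who held which account, with issue and return times

    def issue(self, person, agency, when=None):
        free = [a for a, h in self.holder.items() if h is None]
        if not free:
            return None  # no account available: the simultaneous-user cap is reached
        account = free[0]
        temp = secrets.token_urlsafe(12)  # fresh temporary password on every issue
        self.password[account] = temp
        self.holder[account] = person
        self.log.append({"account": account, "person": person, "agency": agency,
                         "issued": when or _now(), "returned": None})
        return account, temp

    def release(self, account, when=None):
        # End of placement: record the return and reset the password again.
        self.holder[account] = None
        self.password[account] = secrets.token_urlsafe(12)
        for entry in reversed(self.log):
            if entry["account"] == account and entry["returned"] is None:
                entry["returned"] = when or _now()
                break

    def holder_at(self, account, when):
        # The log answers "who was signed in as this account at this time?"
        for e in self.log:
            if e["account"] == account and e["issued"] <= when <= (e["returned"] or "9999"):
                return e["person"]
        return None

def sign_in_allowed(pool, account, password, source_ip):
    # No MFA on a shared account, so the trusted network acts as the second factor.
    on_site = any(ipaddress.ip_address(source_ip) in net for net in TRUSTED_NETWORKS)
    return on_site and secrets.compare_digest(pool.password.get(account, ""), password)
```

The log lookup is what lets the school answer "which person was using this account at that time", which is the identification requirement the shared accounts would otherwise break.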
SLT Responsibilities (School)
The SLT of the school agree to
- Nominate the responsible person.
- Ensure that password resets occur every time an account is issued, and at the end of the agency staff placement.
- Keep a detailed log of which people are issued which supply account, including dates and times.
- Be able to produce this information on request.
- Ensure that the agency staff agree to the Acceptable Use Policy while using SAND computer equipment and networks.
IT Services Responsibilities
SAND IT Services agree to
- Create and oversee the technical implementation of the shared accounts and associated infrastructure.
- Ensure the technical controls above are reliably implemented.
- Review and monitor the technical implementation of the shared accounts, making adjustments where necessary.
- Provide support and guidance to the school, and the responsible person, on how to manage these accounts.
- Maintain a secure web portal for the responsible person to manage supply passwords.