Computer Security and Cybersecurity
At St Joseph's School, we manage our school digital, physical, and information assets in a way that is financially responsible and protects personal privacy (Education and Training Act 2020, Privacy Act 2020). We aim to create a secure and safe online school environment and use a range of cybersecurity practices that are appropriate to the needs of our school to protect IT infrastructure, data, and digital resources from unauthorised access (e.g. suspicious or criminal activity). This may include implementing access security measures, firewall and antivirus software, back up strategies, regular system updates and maintenance. We also use a secure and safe internet provider and take measures to safeguard school networks.
The principal and board are responsible for school computer security and cybersecurity and reviewing our procedures at least annually. Staff using school devices (e.g. staff laptops) are expected to take appropriate care of their devices, including storing them securely and maintaining digital security measures.
Access security
We aim to use the principle of least privilege to ensure that access to school accounts is specific to each person's role and responsibilities. We restrict access to personal information or sensitive data (e.g. limiting access to staff who require it as part of their duties, ensuring discussions of sensitive information are confidential). See Personal Information.
We aim to use the principle of least privilege, which means that access is tailored to each person's role and requirements. We implement this by:
- only allowing authorised people to have access to systems and resources
- only assigning specific permissions to the user
- assigning the user management admin role to a staff member that manages users
- ensuring there is a reasonable number of accounts with administrator privileges.
We review our processes regularly, which includes removing access as needed (e.g. when staff resign).
See How to apply the right levels of access (Ministry of Education)
All school devices and accounts are password protected and we expect school community members to create, use, and manage passwords securely and keep them confidential.
If staff have a concern that their password has been compromised, they should:
- attempt to reset the password
- report the concern, if appropriate, to relevant staff (e.g. principal, IT support) who may follow the responding to digital incidents policy as needed
- contact relevant agencies if needed (e.g. school banking provider, Ministry of Education, Office of the Privacy Commissioner).
We are guided by Ministry of Education recommendations to implement our access security measures.
The Ministry of Education recommends that staff:
- change the default password given to them when they first log in
- create and use different passwords for school accounts they have
- not share any logins or passwords with others, and sign out of accounts when not using them
- use strong passwords (i.e. following good practice guidelines such as not using personal information in passwords)
- have 2-factor authentication, where possible
- use a password manager.
See Ministry of Education | Te Tāhuhu o te Mātauranga:
Data protection
We aim to maintain the integrity and confidentiality of school information. We regularly back up critical data needed for the day-to-day operations of our school. Back up data is stored in a different location to original data and can be used if something happens to the original (e.g. lost devices, stolen information). This reduces the risk of data loss and helps us to quickly recover information.
We store data for an appropriate length of time. See School Records Retention and Disposal.
We are guided by Ministry of Education recommendations for backing up important school data.
The Ministry of Education recommends:
- assigning specific responsibilities within your school to ensure duties are clear (e.g. board, IT lead, teachers/staff)
- at least backing up staff and student files, student management data, the school website, and local servers and file stores
- having two copies of critical data (i.e. online back up and offline back up)
- developing a back up testing plan and carrying out regular tests.
See Ministry of Education | Te Tāhuhu o te Mātauranga:
Software security
We take a number of measures to ensure school software settings are managed effectively, including:
- setting up software permissions and email security settings appropriately
- updating our permissions and settings as needed
- monitoring alerts and taking any necessary actions.
We are guided by Ministry of Education recommendations for configuring security settings.
The Ministry of Education recommends:
- installing firewall and antivirus software on all school devices to guard against malware (e.g. viruses, ransomware)
- setting up systems to protect the school email domain from spoofing (i.e. when unauthorised parties send emails as your school)
- implementing Sender Policy Framework (SPF) to send school emails in a way that shows they are legitimate
- using email and web filtering (e.g. scanning for malicious content, viruses, blocking unwanted content, safe searches)
- disabling the automatic email forwarding function to avoid phishing or spam emails being forwarded
- adding digital signatures to outgoing emails
- disabling POP and IMAP, which allow users to sync school Gmail accounts with other email providers, increasing the risk of emails being hacked.
See Ministry of Education | Te Tāhuhu o te Mātauranga:
Upgrades and maintenance
As required by the Ministry of Education, when upgrading our ICT network, we:
- use an approved ICT contractor
- implement a network that meets current standards
- submit our network design to the Ministry for approval before starting
- run a tender process using the Government Electronic Tenders Service (GETS) if the total project costs $100,000 or more.
We are also guided by the recommended Ministry of Education process for school-led ICT project upgrades. Our property maintenance plan includes a budget for ICT network maintenance. See ICT network upgrades and maintenance (Ministry of Education).
Also see Property Management and Property Maintenance and Repairs.
Managing computer and cybersecurity incidents
Staff, students, and our school community are encouraged to keep alert for cybersecurity concerns and breaches (e.g. checking sender details, acting with caution if emails contain attachments). In the event an incident occurs, we act immediately to minimise distress and harm, safeguard the safety and wellbeing of those affected, and resolve the matter as soon as possible.
- If there is reason to believe school systems may be at risk (e.g. phishing, virus, unauthorised access), we respond appropriately (e.g. reset account logins, scan for viruses/malware, alert our IT provider).
- If St Joseph's School experiences a cyberattack, we contact the Ministry of Education or other agencies for advice and support, as appropriate.
- If there is a data breach that impacts personal privacy, we follow the Privacy Commissioner's steps for responding to privacy breaches – see Privacy Policy.
Supporting policies
At St Joseph's School, we have other policies that support our approach to computer security and cybersecurity:
Legislation
- Education and Training Act 2020
- Privacy Act 2020
Resources
Release history: Term 3 2025, Term 4 2022, Term 2 2021