IT infrastructure reviews in FE: key findings

Strategic considerations

Digital strategic alignment has improved

In general, there has been an improvement in digital alignment with organisational strategic objectives. More colleges have a dedicated integrated technology strategy which informs and influences IT team’s operational plans including budget allocation.

Some colleges however still lack maturity in this area and are reliant on a standalone operational plan that often lacks organisational strategic alignment.

It is welcome to note that more colleges are acknowledging that IT services are a key component in supporting strategic objectives aiding the delivery of quality teaching and learning, enhancing the learner experience, rather than simply being a cost centre.

Finances remain challenging

Many colleges have faced a challenging financial situation, with some colleges seeking to reduce staffing numbers in response to funding reductions, which in some cases cascades to IT budgets and staffing.

Most have a budget allocation process for revenue and capital funding. Some colleges are unable to adequately fund equipment refresh plans which can impact on service delivery and place additional support overheads on the IT team’s ability to maintain older, less reliable equipment. Those colleges which have gone through a prolonged period of underinvestment are facing significant challenges in replacing legacy, unsupported systems and infrastructure.

The need to ensure equipment and systems are under vendor support and are receiving security updates to maintain Cyber Essentials certification is a common issue across most of the sector. Many colleges are faced with substantial expenditure in a relatively short period of time. This highlights the need for a robust and adequately funded refresh strategy.

Procurement processes vary across the sector – most are using framework agreements however some require a separate procurement process for each major purchase of hardware. While IT teams generally prefer to standardise hardware such as networking, servers, storage and endpoint devices with a single vendor, procurement processes and available budget means this is not always possible and mixed fleets add complexity and workload to often already stretched teams.

There has been an improvement in procurement authorisation – previously it was not uncommon for departments to procure equipment without the IT team’s knowledge which causes issues with compatibility, workload planning in terms of deployment and value for money. Now nearly all IT related spend is authorised by the IT team across the sector.

Colleges generally have successfully extended the useful life of Windows desktops and laptops rather than having a more regular replacement strategy. However, many are now facing the problem of having an extensive proportion of their PCs so out of date they will no longer be supported by Microsoft following the Windows 10 end of life date in October 2025, unless the extended security updates available for a limited period are purchased.

Most learning has returned to the classroom after the Covid-19 pandemic

Digital literacy continues to be mixed across the sector, with some curriculum staff championing the use of innovative technologies such as artificial intelligence, virtual reality, and augmented reality. Others remain reluctant to change practice.

While the period covered by the previous version of this synthesis included the start of the Covid-19 pandemic, the full impact can be seen in this period. Colleges are to be commended for their switch to remote learning in a short space of time. While there was a consensus during the pandemic that there would be a shift to hybrid learning in the longer term, this has not materialised in the FE sector. Nearly all colleges have moved to most or all teaching returning to the classroom as this reflects the experience learners prefer. Some aspects of remote learning provision continue to be used, for example for short courses or during periods of disruption such as rail strikes.

IT support

IT teams are becoming increasingly stretched

Many teams continue to be stretched which is a concern, while team sizes were previously considered too small the situation in this period has in fact worsened. Jisc recommends a ratio of IT support staff to support users of around 1:450-500 to ensure teams have the capacity to deliver day-to-day services and be able to focus on future service improvement projects, unless there has been significant investment in automation to mitigate for a smaller team size.

The average support ratio between 2016 and 2020 was 1:814. Based on infrastructure reviews conducted between 2020 and 2024 the average support ratio has risen to 1:869. It is also concerning to note that a sizeable minority of colleges have very under resourced teams resulting in extremely high support ratios, up to 1:1,748. Of the 62 colleges reviewed with in-house IT support, 18 have a support ratio of in excess of 1:1,000. This raises concerns not only for service delivery and vulnerability to security threats, it is also a wellbeing concern for team members given the workload faced.

Many colleges are working with smaller teams at a time when security threats are becoming ever more complex, and demand for IT services is increasing as innovative technologies mean that many curriculum areas which traditionally did not make any real use of technology begin to become reliant on it. Role segregation is often lacking due to capacity constraints – where this does exist it can bring advantages of improved audit and service change where staff have a primary focus, especially where changes affect security and data protection.

Recruitment and retention of staff is a consistent concern across the sector, compounded by underinvestment and unsustainable workloads. Colleges are losing staff not only to the private sector but also to other parts of the public sector. As colleges often cannot compete with salaries making attracting the right skills difficult, skills retention should be a priority as discussed in our blog on IT support staff retention.

Some colleges are using contracted third-party to support to mitigate against limited team resources, this can be particularly beneficial in smaller colleges with smaller IT teams. Only a small minority have outsourced IT support fully, of those that have some have sought to bring IT back in-house after a period due to dissatisfaction with the support provided. There has been a continuing trend of reducing support out of core hours such as evenings and weekends, this is endorsed as often time off in lieu arrangements result in technicians providing out of hours cover being unavailable during busier core hours.

While out-of-hours user support has reduced, technicians are often still expected to perform updates and maintenance tasks during evenings and weekends, often on a goodwill basis. Jisc recommends an at-risk period during or just outside of normal working hours where users are made aware of the potential for service outages while preventative maintenance tasks are undertaken. This will reduce the need for staff to work unsociable hours.

Most colleges have some form of demarcation of duties and dedicated first, second- and third-line roles, however due to demands on the team and capacity issues it is common for staff to perform multiple roles to get the job done. It is not uncommon for teams to be first-line heavy; this can be caused by skilled second- and third line staff leaving and not being replaced or being replaced with lower skilled staff. It is also common for IT managers to be performing hands-on support tasks due to lack of capacity – this is not recommended in most cases as it distracts from the important managerial and strategic responsibilities of management roles.

There is a general increase in representation of IT at a senior level, for example the IT Manager or Director being part of the senior management or leadership team. This is not always the case however which can make articulating the need for IT service improvements and investment difficult. In addition, representatives should have sufficient technical knowledge to be able to understand the issues and be able to articulate them to management in a way which can be understood.

Helpdesk logging and reporting can often be improved

Most members use a dedicated helpdesk ticketing system ranging from basic open-source products to advanced helpdesk systems incorporating asset management and fault trend analysis. ManageEngine and Freshworks are the most commonly used products, with in-house developed systems also commonly used.

There is a consistent issue across the sector regarding logging of tickets. While Jisc endorses user generated requests such as emailing the helpdesk or raising a ticket using a helpdesk portal, most colleges still receive a sizeable proportion of requests face-to-face. Not only can this be a distraction for technicians working on other tasks, it also places the onus on the IT team to ensure that jobs are logged in the helpdesk system. Due to pressures on staff to get the job done, recording is often missed and helpdesk reporting does not present an accurate portrayal of the value the team provides and prevents teams from being able to provide accurate reporting.

It is also common for service desk reporting to remain within the IT team – such reports should be escalated to senior management to highlight the work of the IT team in delivering college objectives and can also be used as evidence of the need for additional resources.

While many colleges have service level agreements (SLAs) in place, often these are limited in scope or are acknowledged to be unachievable due to resource constraints.

Very few colleges have a published service catalogue recommended by Jisc that defines exactly what the IT team does and does not support. Support creep is often observed, with IT teams often seen as supporting ‘anything with a plug.’ This can be mitigated by a service catalogue.

Staff skills gaps and key person dependencies remain

Most teams have adequate skills to deliver core day-to-day services. It is common for skills to be acquired through on-the-job learning. Limited formal training is a widespread issue, either from a budget perspective given the cost of technical training and certification, or from a capacity perspective where it simply is not possible to release staff for extended periods to undertake training.

Nearly all teams reported skills gaps - keeping up to date with skills and learning new technologies is regularly reported as a concern and can limit service improvement projects. Key person dependencies, where only one staff member has the required skills for a particular area of support to function, also remain a concern given the risk to colleges should that staff member leave or otherwise be unavailable to work.

Some colleges have sought to provide online training resources to staff such as Pluralsight of LinkedIn Learning. Many members are supportive of providing dedicated CPD time for staff, but often demands on the team prevent this from being implemented.

Networks

Wide area network (WAN) resilience has improved

While a mixed picture remains across the sector, more colleges have invested in network resilience. Secondary connections are becoming more common, especially where there is increased reliance on public cloud services. While 100Mbps connections were becoming uncommon in favour of 1Gbps, 1Gbps or 10Gbps links are almost universal.

All Janet colleges have access to Jisc Netsight monitoring tool, and most are using this to monitor traffic. Many are also using additional monitoring tools such as PRTG, MRTG, Cacti, Nagios and Zabbix. Additional campus network monitoring is recommended by Jisc.

Local area network (LAN) configurations are mixed and can lack resilience

LAN configurations are varied, and often do not provide full resilience. Single points of failure, for example due to a lack of route redundancy, are common. While most colleges have network documentation and schematic diagrams, this is often out of date and does not represent the current configuration or topology.

The use of unsupported legacy network hardware including core and edge switches has decreased since the last synthesis, due to colleges upgrading equipment to meet Cyber Essentials requirements. Most are patching switches regularly and in a timely manner following release, however some colleges are unable to do so due to resource constraints.

VLANs are in use at almost all member sites. VLAN configuration remains mixed – while Jisc recommends that VLANs are segregated by function and security group membership, many colleges continue to configure VLANs by geographical location.

Planned use of IPv6 is uncommon, with most members continuing to use IPv4. Many, however, do not disable or monitor traffic on IPv6 parts of the network, which can present a security or safeguarding risk, for example through students setting up peer-to-peer networks or connecting internet of things (IoT) devices such as cameras.

Wireless connectivity has been upgraded in many cases

Wireless connectivity continues to be the area IT services receive the most complaints from users, although this is often the result of unrealistic user expectations. Many have invested in new systems to mitigate this and to replace unsupported hardware as part of Cyber Essentials preparation. While some have migrated to Wi-Fi 6 (801.11ax), use of the older 802.11ac standard remains common.

It is common for colleges to broadcast multiple SSIDs which can degrade performance, 4 is a standard recommendation. Some are mitigating this through rationalising SSIDs, or by using the federated eduroam service which reduces the number of SSIDs required and provides secure authentication.

Most are using best-practice authentication methods including use of eduroam or a radius server. There are a number of colleges however who are using inadequate methods such as pre-shared key. This prevents web filtering and monitoring logs from being able to resolve traffic to an individual user, which presents a safeguarding risk. Guest access should also be logged and monitored, with user details recorded and time limited accounts issued.

Bring your own device (BYOD) support is typically limited to providing an internet connection only within a segregated VLAN, which is endorsed by Jisc. While student BYOD is not within the scope of Cyber Essentials, colleges need to consider arrangements for staff, either through ensuring that their devices are compliant, or restricting BYOD use and ensuring only college owned devices are used to access systems and services.

Telephony provision has continued to modernise

Nearly all colleges are using SIP channels over Janet or other networks. Use of analogue telephony which was becoming less common at the last synthesis has almost been eliminated. There are pockets of analogue telephony in limited areas which remain a concern for some colleges in advance of the retirement of analogue networks in 2025, for example emergency phones in lifts.

Servers and storage

Server rooms can be oversized as hardware requirements decrease

Many colleges have seen a reduction in hardware within server rooms. This can result in server rooms which are oversized for current requirements and incurring unnecessary cooling costs. In these cases, it is recommended that colleges consider repurposing unused space and consider the introduction of warm and cold lanes to improve sustainability and reduce energy costs. Server room security and contingency is generally good, although some colleges have a single point of failure in air conditioning where dual units with failover are not in place.

Nearly all colleges maintain a mix of physical and virtual servers. The primary hypervisors in use are VMWare and Hyper-V. Many VMWare colleges are considering their options when their agreement is to be renewed in light of Broadcom’s acquisition of VMWare and the impact of this on licence pricing.

The use of unsupported server operating systems which presents a major security risk has reduced substantially since the last synthesis as colleges upgrade to meet Cyber Essentials requirements. Some colleges retain legacy systems running unsupported operating systems which are not hosted within the live environment and only spun up when access to data is required. This is less of a concern.

Server patching is mixed, a majority are ensuring servers are updated soon after patches are released however some are not doing so, often due to a lack of capacity. Most colleges do not have a development or test environment, which can be useful for testing patches or new service configurations.

Onsite storage requirements are reducing

There is a consistent downward trend in on-campus storage requirements as colleges move to cloud solutions such as SharePoint, OneDrive, and Google Workspace. Storage hardware is mixed – most are using a mix of spinning disk and solid-state drives, and some are using tiered storage to prioritise most commonly accessed data onto faster storage.

Monitoring of storage is mixed, with some using monitoring tools to proactively monitor utilisation and take action when capacity is being reached. This is less of an issue as in the past given the general trend for decreasing requirements, however.

Archiving and retention policies could be improved in many cases. It is common for colleges to retain old data which is no longer required. Not only does this result in unnecessary storage costs, it can also make compliance with statutory requirements such as Freedom of Information requests and the right to be forgotten under GDPR more difficult. Jisc recommends data retention policies are agreed by college management and implemented by IT services, ensuring only data relevant to the organisation is retained and for an approved period.

Cloud adoption remains mixed

Adoption of cloud applications continues to be mixed, with some adopting a cloud first strategy and others maintaining nearly all services onsite. Most are running in a hybrid mode with most services onsite and some remotely hosted. The unpredictable nature of cloud costs continues to be a concern, especially where finances are challenging – the move from capital expenditure to operational expenditure also requires a change in operating model from a financial perspective.

Most colleges are not making use of remote infrastructure such as Microsoft Azure, Amazon Web Services and Google Cloud. While it may not always be appropriate for the delivery of day-to-day services, cloud infrastructure can be useful for disaster recovery.

Core enterprise services

Most account provision is automated

Nearly all colleges use Microsoft Active Directory (AD) as their primary user directory, most use Azure AD sync to synchronise AD passwords with Microsoft 365 and other applications.

The majority of colleges have automated processes in place to provision and disable/delete student accounts using data from the student records system. Staff account provision is a mix of manual, semi-automated and automated processes. Many colleges report that processes for staff account creation could be improved, especially HR requests for a new starter account which are often received just before, or on occasion after, the new member of staff has started work. While most retain disabled user accounts for a period before deletion in case they are needed (for example for students who return to study on another course the following academic year), a minority of colleges to not delete accounts at all, which is not recommended and can lead to an unmanageable number of accounts in use.

There has been an increase in the use of single sign on (SSO) particularly for core applications such as those within Microsoft 365. Most colleges use SSO wherever possible. Multi-factor authentication (MFA) has also become standard practice across the sector. Most have MFA in place for staff users and many are expanding it to student accounts.

DNS is often hosted by Jisc

DNS hosting is a mix of onsite and offsite. Many colleges are making use of the Jisc primary and secondary nameserver service for partial or full DNS hosting.

Most colleges also make use of special records to enhance email security, for example SPF, DKIM and DMARC to verify that messages have not been tampered with in transit.

Most college websites are externally hosted

The majority of colleges use an external third-party hosting company for their main college web presence. Management of externally hosted sites, including patching, is the responsibility of the third-party. Content is typically managed using a content management system (CMS) and is typically the responsibility of the marketing team. This is endorsed by Jisc, as it removes a possible threat vector and reduces management overhead on the IT team.

Enterprise applications

Email archiving can often be improved

Most use Microsoft 365 for email, although Google is also commonly used. A small number of colleges run both Microsoft and Google platforms in parallel – where this is the case clear delineation is required and users should only have a single email account to prevent confusion. While legacy Exchange servers were often in use at the previous synthesis, for example for multi-function devices which were not compatible with Microsoft 365, use of on-premise Exchange is rare now.

Email archiving could be improved at most colleges – most rely on the standard retention provided by email platforms such as Microsoft 365. Jisc recommends that archiving is reviewed and enhanced for a subset of staff accounts, for example senior leadership and staff with safeguarding responsibilities to ensure statutory requests for information can be fulfilled. Litigation hold could also be considered to ensure deleted messages are retained.

Email security is a mix of that provided by the email platform and use of additional software such as Mimecast. Most colleges have policies and technical rules in place to prevent automatic forwarding if incoming messages to an external account which is endorsed by Jisc.

Nearly all colleges provide information and training regarding email security and phishing awareness. Many colleges have also undertaken simulated phishing exercises.

Microsoft 365 is widely used

As with email, the majority of colleges use Microsoft 365 applications. Google Workspace is also sometimes used, although where Google applications are used this is usually in conjunction with Microsoft 365 and it is rare for colleges to not have a Microsoft 365 agreement. Microsoft licensing is mixed – smaller organisations are more likely to be on an A1 or A3 agreement, however many are upgrading to A5 to benefit from the advanced security features offered.

Use of Microsoft SharePoint has become increasingly common for document management, in many cases replacing departmental file shares using onsite storage. SharePoint is also often used as a college intranet. While many are using SharePoint as a storage platform, most could improve document management processes and take greater advantage of the advanced tools available within SharePoint such as document classification and expiry. This does require dedicated SharePoint administrator resource, however.

VLE delivery has transformed as Teams becomes part of curriculum delivery

While many colleges continue to use traditional virtual learning environments (VLEs) such as Moodle, there has been a marked shift towards Microsoft Teams in teaching and learning, accelerated by the need for remote learning platforms during the Covid-19 pandemic. While most colleges are running a dedicated VLE and Teams in parallel, some colleges have migrated entirely to Teams which is used as the sole learning platform.

Administrative applications in use are mixed

There is a mix of applications in use. Some of the most commonly used include:

• Student records/MIS: ProSolution, Tribal EBS and Capita Unit-e
• Finance: Sage, Advance Business Solutions, Unit4/Agresso. Resource 32000
• Human resources: Midland HR/iTrent, Cintra, SelectHR

There has been an increase in the use of data analytics and visualisation tools such as Microsoft PowerBI to manipulate college data from multiple sources and to provide self-service dashboards. Only the most mature colleges in this area are making use of data warehouses, which remain uncommon.

Endpoint device management

Windows 11 preparation is a common concern

The majority of desktops and laptops are running Microsoft Windows. Most colleges are having to invest in new equipment to meet the upcoming Windows 10 end of life date in October 2025. It is common for a substantial proportion of the fleet to be incapable of running Windows 11 and requiring replacement, and in some cases 100% of devices will need to be replaced. This not only presents a significant financial challenge, it is also likely disrupt day-to-day service delivery as staff resource is diverted to deployment of new machines.

Use of other devices such as Google Chromebooks and Apple Macs is less common. While the number of applications in areas such as media and computer aided design which cannot run on a Windows PC has reduced substantially, some colleges prefer to retain Apple devices as they are expected by students in some curriculum areas, as their removal may have a detrimental impact on the learner experience and reduce competitiveness when recruiting students. Not all colleges ensure access to the network by non-Windows devices is identifiable. Anonymous users should be identifiable for security audit purposes and to offer equitable access.

For learners, there continues to be a mix of desktop and laptop devices in use, including PC labs and laptop trolleys. For staff, laptops are becoming more common as colleges move to a single device per member of staff policy. Some are also seeking to reduce the number of classroom and student devices where utilisation is low.

It is rare for colleges to routinely issue college owned devices to learners, with devices only given in specific circumstances such as for learners with additional needs. The large-scale issue of devices during the Covid-19 pandemic has mostly been discontinued given that it was generally considered unsustainable in the longer term at the time. Many devices were also lost or damaged within a short period after being issued, and often a sizeable proportion of devices were not returned, with the legal processes required to address non-returns typically not considered worthwhile.

Use of mobile devices including phones and tablets is mixed and is typically limited to staff use only. Use of organisation owned mobile phones has in general become more tightly controlled in response to Cyber Essentials requirements. The number of devices typically has reduced as colleges seek to ensure there is a robust business case to support the issue of devices to staff.

Nearly all colleges are in the process or, or have completed, replacement of interactive whiteboards and projectors with large screen displays. Many are opting for non-interactive displays given the lower cost and evidence that the interactive features are not widely used by curriculum staff.

IT asset databases are commonly used

There is a mixed picture in terms of asset management systems. While some use dedicated systems such as ManageEngine and SolarWinds, others have largely manual processes in place using spreadsheets. Nearly all have processes in place to ensure that when assets are added, moved, or disposed of, they are recorded in the asset register.

Software licensing has become much less of a burden in this period given the move to site licensing or subscription models for many applications. As a result, it is common for simple methods such as spreadsheets to be used to track license allocation and renewal dates.

Use of approved companies to dispose of equipment properly and the issue of appropriate WEEE certificates is universal.

Deployment and management of devices has improved using modern platforms

Many colleges are using modern management platforms such as Microsoft Intune to deploy and manage endpoint devices, ensuring that critical security updates are deployed promptly. Microsoft System Centre Configuration Manager also continues to be commonly used. Use of mobile device management, again using platforms such as Intune is becoming increasingly common as colleges work towards compliance with Cyber Essentials requirements. Mac Device management is mixed, with some using Jamf and others using Intune which can be used to manage Windows as well as Apple devices.

Bring Your Own Device (BYOD) support is typically limited to provision of advice only, for example on connecting to the wireless network – no other services or applications are usually provided. Jisc recommends that hands-on support for BYOD devices is avoided to reduce the risk of liability to the college should devices be damaged, or data lost.

Remote access to onsite services, for example using a virtual private network (VPN) or virtual desktop infrastructure (VDI) is becoming less common as most common services such as Microsoft 365 can be accessed on any device with an internet connection. For those that continue to offer remote access services, these are typically licensed for a small number of staff users, for example MIS staff requiring access to core systems offsite.

Security

Backup processes have improved; not all are immutable

Most colleges have organisation wide business continuity plans and disaster recovery plans, which typically cascades down to IT specific plans including details on how to restore services, key contact details and information on vendors who may be required to procure equipment from at short notice.

While most have adequate documentation in place, many do not conduct any testing of plans or scenario-based exercises to ensure that plans in place are fit for purpose and is recommended by Jisc. Most do ensure that copies of documentation are held in multiple locations, offsite and offline.

Backup procedures have become more robust, although some colleges remain exposed to vulnerabilities by not having physically or logically offline backups which cannot be accessed by a bad actor in the event of a cyber security incident. Nearly all colleges use tools such as Veeam or Microsoft Data Protection Manager for backups. Tiered backups dependent on data are common, with the most important and most frequently accessed data backed up multiple times a day.

While some colleges have moved to offline backups using onsite or immutable cloud storage, many continue to use tape libraries which still provides an effective solution. Colleges should ensure that these are stored in a separate building from the server room in a fireproof safe. Periodic testing of all backups including tape libraries should be undertaken – some colleges are at risk of data loss by not doing so.

The recovery point objective (RPO), as in the period for which data would be lost in the event of an incident, is typically no more than 24 hours for mission critical data across the sector. For some other data of less importance, or where alternative storage such as tape libraries would be required, the RPO is typically longer, days to weeks.

The recovery time objective (RTO), as in the time it would take to restore services, is commonly unknown and would be dependent on the severity of the incident and the time taken to procure and deploy any new hardware required. Those with a disaster recovery environment accessible to them, either at another site or in the cloud would likely be able to restore services much faster than those requiring new hardware.

Data security is improving but password policies in cases should be reviewed

Most college firewall configurations provide adequate protection and many also rely on the firewall to provide web filtering and monitoring. A number of colleges with multiple connections do not have a high availability pair of firewalls configured, which represents a single point of failure should a connection be lost.

Most colleges ensure that web filtering and monitoring logs are shared with the safeguarding team and have proactive alerting in place to ensure that incidents can be dealt with quickly – this represents sector best practice.

Many colleges have reviewed password policies with increased complexity and length requirements in response to increasing security threats – this is typically in conjunction with multi-factor authentication as already noted above. A sizeable number of colleges however do not adhere to the National Cyber Security Centre (NCSC) recommendations which are for complex passwords which do not expire. Many still enforce password changes which is not recommended by either the NCSC or Jisc.

It is common to have differing requirements for learners and staff reflecting the increased risk of staff accounts being compromised. Measures in place to accommodate learners with additional needs who would not be able to cope with standard authentication requirements are also typical.

It is welcome to note that concerns regarding the use of domain administrator accounts have become much less common – in almost all cases administrator accounts are assigned to individual team members and are only used when elevated privileges are required. Standard accounts are used for all other tasks. The use of shared accounts or administrator accounts for day-to-day tasks is rare.

A range of anti-malware products are used across the sector. While many use Microsoft Defender there is a wide mix of other engines in use. In the past Jisc recommended different anti-malware engines on servers and endpoints, as one engine could pick up malware not detected by the other. Given improvements to the protection offered in recent years this is no longer considered recommended and many colleges use a single engine across the entire infrastructure. While multiple engines may bring some benefits Jisc no longer considers this an essential requirement to boost a college’s security posture.

Most colleges have put in place restrictions on the use of USB storage. In the past Jisc recommended that colleges ensure that all USB storage is encrypted. Now it is recommended that its use is blocked wherever possible, especially for staff users. Most have either technical blocks of devices in place or have documented in acceptable use policies when USB drives are not to be used. In most cases there are often exceptions, many continue to allow students to use drives for work including where large media files are used, and there are occasions where staff may require their use, for example during exams.

Governance

Policies are generally kept up-to-date

Acceptable use policies are universally used across the sector. Most have updated these policies recently and have procedures to review and ensure they continue to be relevant. There is a mix of single policies for all users and dedicated policies for students and staff.

Formalised change control policies and procedures are rare, only a small number of colleges are using change control logs. This is often due to a lack of capacity within the team.

While colleges were required to conduct data mapping exercises in preparation for the introduction of the General Data Protection Regulation (GDPR) in 2018, most colleges have done limited work since in updating these. The Data Protection Officer (DPO) role in most cases sits outside of the IT team as is recommended by Jisc. A small number of colleges have outsourced this role or entered into a shared service agreement with other colleges which can provide an added layer of independence to the role.

While most teaching has returned to the classroom as already noted, remote working with staff accessing college services offsite continues to be commonplace following the Covid-19 pandemic. While some colleges have produced dedicated remote working policies or ensured that considerations such as security such as the risk of ‘shoulder surfing’ are included in existing policy documents, many others have not.

Nearly all colleges have formalised assessments to determine additional equipment or software required by learners with additional needs. The cost of such equipment is usually met by a student services department or similar, however in some cases this cost is met by the IT team.

Colleges have responded to certification requirements including Cyber Essentials

Previously Jisc recommended that colleges undertake Cyber Essentials certification as this, in some cases could be a condition of funding by some bodies such as local authorities. During this period, the requirement has become much stronger although it has varied across the nations of the UK – for example, in England, colleges were only required to be working towards Cyber Essentials. For 2024/25 however, the Education and Skills Funding Agency (ESFA) has issued new guidance stating that colleges in England will be required to achieve Cyber Essentials. Previous plans to require colleges to undergo an IT Health Check will not be implemented at this time. The Scottish Funding Council also requires colleges in Scotland to undergo certification.

While nearly all colleges are working towards certification in England, many have not yet achieved this and are often delaying due to known issues such as unsupported equipment for which there is currently no budget to replace, or staffing limitations.

A smaller number of colleges have achieved the externally assessed Cyber Essentials Plus certification, the timescale to achieving Plus (90 days from Cyber Essentials certifications) can be a barrier to colleges. The fact that Plus is not a funding requirement in most cases also means that many colleges do not pursue it. There is some concern that colleges who have achieved Cyber Essentials may find it a challenge to achieve Cyber Essentials Plus.

Most colleges are not considering ISO27001 certification given the complexity and workload, however this is a requirement for Welsh colleges. Where colleges are considering aspects of ISO27001, Jisc recommends limiting this to either subsets of the standard (such as the Annex A controls checklist) or applying the standard to a single department in the first instance, rather than across the entire organisation.