October is Cyber Security Awareness Month, and while we don't think that cyber awareness is something to cover just once in the year, we think it's a good opportunity to publish some information that can be used all year round.
Awareness Day Seventeen: Access Control - Users
Awareness Day Seventeen: Access Control - Users

Users of all systems should be regularly reviewed and should be part of the onboarding and leavers process of staff and students.

Regularly reviewing access control in line with job roles ensures that only those that have access to data and systems are those that require it.   The DfE Meeting Digital and Technology Standards in Schools and Colleges document advises that accounts should only have the access they require to perform their role and should be authenticated to access data and services.  

Successful cyber attacks target user accounts with the widest access and highest priviliedges on a network as this gets the widest impact with the most sensitive data and information.  You should limit the numbers and access of network and global administrative accounts.

If a single staff member controls account access, then another senior school staff member or governor should approve that staff member's own account.

Different accounts with specific rights for different purposes or have IT service providers and adminsitrators enable just-in-time access, giving individuals time-limited priviledges as required.

Review: NCSC Identity and Access Management

More questions like these are in our Information and Cyber Security Checklist (only viewable with a valid Data Protection Education subscription):