IBP FO Standards Framework
What is the IBP FO Standards Framework?
The Information Security and Privacy Standards Framework for Primary and Secondary Education (IBP FO) is a tool for school boards to improve their information security and the protection of personal data.
The Ministry of Education, Culture and Science (OCW), Kennisnet, SIVON, the PO-Raad and the VO-raad commissioned this standards framework as part of their Digital Safe Education programme. The programme is intended for primary and secondary education, also referred to as Funderend Onderwijs, and helps schools provide pupils and staff with a digitally safe school environment. Primary and secondary education not only represents by far the largest group of schools and pupils; those pupils are also younger and more vulnerable than students in secondary vocational education (MBO) and higher education. In addition, secondary schools and primary schools, even when they collaborate, often have less IT knowledge than the average regional training centre (ROC), university of applied sciences, or university.
The IBP FO Standards Framework comprises 69 standards for your information security. The standards are clustered into 15 security domains, ranging from the setup of your risk management to guidelines for your Identity and Access Management. A later version will add a further category with privacy requirements.
Each domain is made concrete with a number of specific standards. An example is shown below. For each standard there is an assessment framework with the minimum requirements that schools must meet. Each standard also includes example measures that enable a school to meet the requirements. Increasingly, tools such as checklists and templates are becoming available. In this way, we can improve information security and privacy across the education sector through this standards framework.

How did the IBP FO Standards Framework come about?
The standards framework was developed because IT plays an increasingly important role in primary and secondary education. IT solutions are no longer used only for administrative processes; smart digital applications are widely used in the classroom and for remote learning. This means that information security and privacy have become much more important as well.
Gradually, more and more personal data on millions of pupils is processed and stored. Pupils also move to the next school year or to further education with different teachers and mentors every year. In such a dynamic environment, schools must ensure that all sensitive data on children and young people is managed carefully, while teachers and staff can work securely and with sufficient privacy.
There are also many developments that increase these challenges. A sector overview published by the Dutch Data Protection Authority provides a summary of important privacy trends and developments within education. Examples include:
Education is assigned many more responsibilities such as the welfare and personal safety of pupils and students, the promotion of equal opportunities and the prevention of polarisation. Schools struggle with the question of which personal data may be used for this and under what conditions.
There is increasing use of algorithms and artificial intelligence (AI), for example in adaptive learning tools, learning analytics and automated testing. How do you guarantee the correct interpretation of data, prevent bias and safeguard transparency and control over personal data?
In education, teachers, pupils and students increasingly use various free apps and software, which can unintentionally lead to a proliferation of shadow IT. This makes it particularly difficult for educational institutions to maintain control over the use of personal data and the privacy of pupils, students and staff.
Research often involves the collection and processing of personal data. Correct anonymisation or, where permitted, pseudonymisation raises many questions, as does the exchange of research data and any potential reuse. This already arises among secondary school pupils, for example with final profile assignments.
In the same sector overview, the Dutch Data Protection Authority (AP) was positive about the steadily improving collaboration within education, for example in formulating joint requirements in the areas of privacy and information security. Secondary vocational education and higher education already have sector-wide information security and privacy standards, and in 2023 primary and secondary education published the IBP FO Standards Framework. As with higher and secondary vocational education, it uses the NBA Information Security Maturity Model from the Netherlands Institute of Chartered Accountants as its basis.

Becoming compliant with the IBP FO Standards Framework?
Compliance with the IBP FO Standards Framework is not yet mandatory. However, from 2024 school boards must actively address their plans and developments around information security and privacy in their annual reports. The ministry has also announced that schools must be compliant with the Framework from 2027.
So where do schools stand now? Commissioned by the Digital Safe Education programme, research firm Dialogic conducted a baseline measurement using the Framework. Of all the schools surveyed, a representative sample of 15 school boards, none yet met all requirements. The overview below also shows the compliance percentages per domain. With some optimism, Incident and Problem Management could be called a positive outlier, although that domain still scores below 50%. The results for the other domains are clearly lower.

There is therefore still a great deal to do. The study categorised schools accordingly. There is a top 10% that, although not yet compliant, are clear frontrunners with sufficient knowledge and capacity to meet the standards in time. There is a larger group, 50%, that is already actively working on it but still needs to scale up in terms of information security and privacy expertise and/or broader awareness within the organisation. Finally, there is a group of 40% described in the report as "unconsciously incompetent". This group includes relatively many smaller organisations that currently lack the capacity and knowledge to implement the Framework.

Resources
Fortunately, schools have ample starting points to begin working with the Framework. As noted, there are templates and example measures to meet the desired minimum level. The Framework also includes an example step-by-step plan. In that plan, a school first ensures that the basics are in order, then addresses the high risks and afterwards the smaller risks. Equally important are several clear principles in your information security policies and plans. If you think this through carefully, many requirements become much easier to achieve.
It is crucial to consider roles, responsibilities and segregation of duties within the school from the outset. With Role-Based Access Control (RBAC) you can easily determine for each role and employee which access to applications and data is necessary. Those settings are automatically adjusted when someone’s role changes, and with such a clear approach you can also easily set up processes for temporary cover, incident handling and other special circumstances.
In a similar way, the need for structured monitoring of data and actions becomes clear very quickly. This is important to continually evaluate the effectiveness of your information security plans, but it is especially important to detect security weaknesses in time and to act quickly during incidents. You will find that many requirements are easier to realise if you have thought structurally about monitoring and logging.