
Education Cybersecurity Checklist 2026 — 30+ Control Points

Complete cybersecurity checklist for educational institutions in 2026. Over 30 control points covering infrastructure, data, users, and compliance.

How to use this checklist

This checklist was developed by the nFlo team based on experience from security audits of educational institutions, regulatory requirements (GDPR, NIS2, national frameworks), and analysis of incidents in the education sector. It encompasses over 30 control points grouped into seven critical areas.

Each point names the requirement and lists the questions used to verify it. The list is intended both for educational institution IT teams conducting self-assessments and for external auditors verifying security posture.

We recommend reviewing this list quarterly — cybersecurity is a continuous process, not a one-time task. Points marked as “critical” should be addressed first, as their absence creates a direct threat to institutional operations.

If your educational institution does not meet most points on this list, we recommend conducting a professional security audit as the first step. nFlo offers audits tailored to the specifics of the education sector, with a prioritized remediation plan and implementation support.

Area 1: Identity and Access Management (8 points)

1.1 [CRITICAL] Multi-Factor Authentication (MFA)
Is MFA deployed for all accounts with administrative privileges? Does it cover academic and administrative staff? Is there a deployment plan for students?

1.2 [CRITICAL] Password Policy
Is a minimum password length enforced (12+ characters)? Are passwords from known breaches blocked (password breach lists)? Are accounts locked after 5 failed login attempts?

1.3 Central Identity Management
Is there a central identity system (Active Directory/LDAP) integrating all university systems? Is Single Sign-On (SSO) deployed for e-learning and administrative platforms?

1.4 Account Lifecycle Management
Are former student accounts deactivated within 30 days of graduation? Are former employee accounts deactivated on the day of contract termination? Is there a regular (quarterly) review of active accounts?

1.5 Administrative Privileges
Are administrative accounts separated from daily-use accounts? Is the Principle of Least Privilege applied? Does administrative access require additional authorization (PAM)?

1.6 Guest Account Management
Is there a procedure for creating temporary accounts (visiting professors, conference guests)? Do guest accounts have automatic expiration? Do they have limited privileges?

1.7 Login Monitoring
Are logins monitored for anomalies (unusual locations, hours, devices)? Are alerts generated for suspicious patterns?

1.8 Privileged Account Management
Is there a registry of all accounts with administrative privileges? Are privileged account passwords rotated every 90 days? Is emergency (break-glass) access documented?
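Points 1.4 and 1.8 are easiest to verify against a directory export rather than by interview. The script below is an added example, not part of the nFlo checklist or any product: it takes a constructed account export (the field names, the "adm-" prefix and the registry of known administrators are assumptions made for this example) and lists every account that breaks one of the stated thresholds: students still enabled more than 30 days after graduation, employees still enabled after their contract end date, privileged accounts missing from the admin registry, and privileged passwords older than 90 days.

```python
"""Self-assessment helper for checklist points 1.4 and 1.8.

Added example, not part of the nFlo checklist: it audits a directory
export for the thresholds the checklist states and lists every account
that breaks one. The export format and field names are assumptions; a
real run would load them from an AD/LDAP export instead of the
constructed sample below.
"""
from datetime import date

STUDENT_GRACE_DAYS = 30      # 1.4: deactivate within 30 days of graduation
PRIVILEGED_PW_MAX_AGE = 90   # 1.8: rotate privileged passwords every 90 days

# Constructed sample export (field names are assumptions for this example).
# end_date is the graduation date for students and the contract end for employees.
ACCOUNTS = [
    {"user": "s.nowak", "type": "student", "enabled": True,
     "end_date": date(2026, 6, 30), "privileged": False, "pw_changed": date(2026, 1, 10)},
    {"user": "a.wisniewska", "type": "student", "enabled": True,
     "end_date": date(2026, 9, 15), "privileged": False, "pw_changed": date(2026, 2, 3)},
    {"user": "p.zielinski", "type": "student", "enabled": False,
     "end_date": date(2026, 2, 28), "privileged": False, "pw_changed": date(2025, 11, 1)},
    {"user": "m.lewandowski", "type": "employee", "enabled": True,
     "end_date": date(2026, 9, 30), "privileged": False, "pw_changed": date(2026, 8, 1)},
    {"user": "k.wojcik", "type": "employee", "enabled": True,
     "end_date": None, "privileged": False, "pw_changed": date(2026, 7, 20)},
    {"user": "adm-backup", "type": "employee", "enabled": True,
     "end_date": None, "privileged": True, "pw_changed": date(2026, 5, 1)},
    {"user": "adm-shadow", "type": "employee", "enabled": True,
     "end_date": None, "privileged": True, "pw_changed": date(2026, 9, 1)},
    {"user": "adm-it1", "type": "employee", "enabled": True,
     "end_date": None, "privileged": True, "pw_changed": date(2026, 8, 15)},
]

# Constructed registry of known administrative accounts (1.8).
PRIVILEGED_REGISTRY = {"adm-backup", "adm-it1"}

TODAY = date(2026, 10, 1)   # fixed so the sample gives repeatable results


def audit_accounts(accounts, registry, today):
    """Return (user, checklist point, finding) for every violation found."""
    findings = []
    for acct in accounts:
        user, end = acct["user"], acct.get("end_date")
        if acct["enabled"] and end is not None:
            if acct["type"] == "student" and (today - end).days > STUDENT_GRACE_DAYS:
                findings.append((user, "1.4", "student account still enabled more than "
                                 f"{STUDENT_GRACE_DAYS} days after graduation"))
            # 1.4 requires deactivation on the termination day itself,
            # so an account still enabled the day after is already late.
            if acct["type"] == "employee" and today > end:
                findings.append((user, "1.4", "employee account still enabled after contract end"))
        if acct["privileged"]:
            if user not in registry:
                findings.append((user, "1.8", "privileged account missing from the admin registry"))
            if (today - acct["pw_changed"]).days > PRIVILEGED_PW_MAX_AGE:
                findings.append((user, "1.8",
                                 f"privileged password older than {PRIVILEGED_PW_MAX_AGE} days"))
    return findings


if __name__ == "__main__":
    for user, point, finding in audit_accounts(ACCOUNTS, PRIVILEGED_REGISTRY, TODAY):
        print(f"[{point}] {user}: {finding}")
```

Run quarterly (the cadence point 1.4 asks for), the output is the evidence an auditor wants to see: an empty list, or a dated list of exceptions with an owner for each. Disabled accounts are skipped on purpose, since the checklist asks whether accounts are deactivated, not deleted.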

Area 2: Campus Network Security (6 points)

2.1 [CRITICAL] Network Segmentation
Is the campus network divided into segments: administrative, academic, student, research, IoT? Are segments isolated using firewalls or VLANs with ACLs? Is a compromise of one segment prevented from granting automatic access to the others?

2.2 [CRITICAL] Wi-Fi Security
Does the Wi-Fi network use WPA3-Enterprise with 802.1X authentication? Is the student network isolated from the staff network? Do guest networks have restricted access (internet only, no internal resource access)?

2.3 Perimeter Protection
Does a Next-Generation Firewall (NGFW) protect the internet connection? Are firewall rules reviewed and updated quarterly? Is encrypted traffic inspection (SSL/TLS inspection) enabled for outbound traffic?

2.4 Network Traffic Monitoring
Is an NDR (Network Detection and Response) or IDS/IPS solution deployed to monitor campus network traffic? Are alerts analyzed in real time or near real time?

2.5 Remote Access Security
Is VPN the only method for remote access to internal resources? Does VPN require MFA? Is RDP disabled or accessible only through VPN?

2.6 IoT Device Management
Are IoT devices (cameras, building control systems, network printers) in an isolated network segment? Have default passwords been changed? Is firmware regularly updated?

Area 3: Endpoint and Server Protection (5 points)

3.1 [CRITICAL] EDR/XDR Solution
Is an EDR (Endpoint Detection and Response) solution deployed on all workstations and servers? Does it include computers in student labs? Are EDR alerts monitored and handled?

3.2 [CRITICAL] Patch Management
Are critical security updates installed within 7 days of release? Is there a regular update schedule for all systems? Are end-of-life systems identified and covered by a migration or isolation plan?

3.3 System Hardening
Are servers and workstations configured according to security benchmarks (CIS Benchmarks)? Are unnecessary services and ports disabled? Are macros in Office documents from external sources blocked?

3.4 Application Control
Is Application Whitelisting deployed on critical workstations? Does software installation require administrative privileges? Is software installation restricted on student computers?

3.5 Disk Encryption
Are employee laptop drives encrypted (BitLocker/FileVault)? Do servers with personal data have encrypted data partitions? Are encryption keys centrally managed and secured?

Area 4: Data Protection and Backups (5 points)

4.1 [CRITICAL] Backup Strategy
Is the 3-2-1 rule followed (3 copies, 2 media types, 1 off-site)? Is at least one copy offline (air-gapped) or immutable — inaccessible from the AD domain? Do backups cover all critical systems: student information, ERP, e-learning, email, research data?

4.2 [CRITICAL] Recovery Testing
Are backup recovery procedures tested quarterly? Have RTO (Recovery Time Objective) and RPO (Recovery Point Objective) been measured and documented for each critical system? Did the last recovery test succeed?

4.3 Data Classification
Is data classified by sensitivity level (public, internal, confidential, strictly confidential)? Does research data under NDA or state secrecy have additional protections? Is the classification policy known to staff?

4.4 Data Encryption
Is data in transit encrypted (TLS 1.2+)? Is data at rest encrypted on critical servers? Do databases with personal data use column-level encryption or TDE?

4.5 Data Retention Policy
Is there a documented retention policy specifying retention periods for each data category? Is data securely deleted after the retention period? Is the policy compliant with GDPR requirements and educational documentation regulations?

Area 5: Educational Platform Security (4 points)

5.1 [CRITICAL] E-Learning Platform Updates
Is the LMS (Moodle, Canvas, or other) on the current version? Are security updates installed within 7 days? Are plugins updated and unused ones removed?

5.2 Course Access Control
Do students have access only to courses they are enrolled in? Are instructor permissions limited to their courses? Is there a process for removing access after course completion?

5.3 Integration Security
Are all LTI, API, and SSO integrations documented and regularly reviewed? Do API tokens have limited scope and lifetime? Have unused integrations been removed?

5.4 Electronic Grade Book Security
Does the electronic grade system have a Data Processing Agreement (DPA) with the provider? Does access require MFA for teachers? Are student data access logs retained and reviewed?

Area 6: Incident Management and Business Continuity (4 points)

6.1 [CRITICAL] Incident Response Plan
Is there a documented security incident response plan? Does the plan define roles, responsibilities, and escalation procedures? Has the plan been tested (tabletop exercise) within the last 12 months?

6.2 National CERT Contact
Has a person responsible for national CERT/CSIRT contact been designated? Are incident reporting procedures known (timeframes for public sector entities)? Have contact details been registered with the relevant CERT portal?

6.3 Business Continuity Plan (BCP)
Is there a business continuity plan for the scenario of IT system loss? Have alternative methods been defined for key processes (enrollment, exams, communication)? Is the BCP tested annually?

6.4 Security Monitoring
Are logs from critical systems centrally collected and analyzed (SIEM)? Does monitoring cover hours outside standard working time? Do critical alerts generate real-time notifications (SMS, phone call)?
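Points 1.7 and 6.4 ask whether logins are watched for anomalies and whether monitoring covers off-hours; the thresholds from 1.2 (5 failed attempts) give the detection its numbers. The code below is an added example, not part of the nFlo checklist or of any SIEM product, showing what those rules look like when run over authentication events. The log line format, the field names, the per-user baseline of expected countries and devices, and the "adm-" naming convention for administrative accounts are all assumptions constructed for this example; a real deployment would take the events from the SIEM's own parser.

```python
"""Detection logic for checklist points 1.7 and 6.4 over constructed logs.

Added example, not part of the nFlo checklist or of any SIEM product. It
parses authentication events, applies the checklist's thresholds and
emits alerts for: five failed logins within a short window (1.2), a
success following such a burst, logins from a country or device not in
the user's baseline (1.7), and privileged logins outside working hours
(6.4). The log format, field names, baselines and the "adm-" naming
convention for administrative accounts are assumptions for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL) "
    r"src=(?P<src>\S+) country=(?P<country>[A-Z]{2}) device=(?P<device>\S+)$"
)

FAIL_THRESHOLD = 5                  # 1.2: lockout after 5 failed attempts
FAIL_WINDOW = timedelta(minutes=10)  # sliding window for counting failures
OFF_HOURS = (22, 6)                 # 6.4: 22:00-06:00 is outside working time

# Constructed per-user baseline of expected countries and devices (1.7).
BASELINE = {
    "j.nowak": {"countries": {"PL"}, "devices": {"lab-win-07"}},
    "adm-it1": {"countries": {"PL"}, "devices": {"adm-ws-01"}},
}

# Constructed sample log; the kernel line shows that unrelated lines are skipped.
SAMPLE_LOG = """\
2026-03-10T09:02:11 user=j.nowak result=OK src=10.20.4.17 country=PL device=lab-win-07
2026-03-10T09:03:00 kernel: unrelated message
2026-03-10T09:05:40 user=j.nowak result=FAIL src=198.51.100.23 country=DE device=unknown
2026-03-10T09:05:52 user=j.nowak result=FAIL src=198.51.100.23 country=DE device=unknown
2026-03-10T09:06:03 user=j.nowak result=FAIL src=198.51.100.23 country=DE device=unknown
2026-03-10T09:06:15 user=j.nowak result=FAIL src=198.51.100.23 country=DE device=unknown
2026-03-10T09:06:27 user=j.nowak result=FAIL src=198.51.100.23 country=DE device=unknown
2026-03-10T09:06:39 user=j.nowak result=OK src=198.51.100.23 country=DE device=unknown
2026-03-10T14:12:30 user=adm-it1 result=OK src=10.20.1.5 country=PL device=adm-ws-01
2026-03-10T23:41:08 user=adm-it1 result=OK src=10.20.1.5 country=PL device=adm-ws-01
"""


def parse(text):
    """Turn raw log text into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        match = LOG_RE.match(line.strip())
        if not match:
            continue
        event = match.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def is_off_hours(ts):
    """True when the timestamp falls in the OFF_HOURS range (wraps past midnight)."""
    start, end = OFF_HOURS
    return ts.hour >= start or ts.hour < end


def _prune(queue, now):
    """Drop failure timestamps that have fallen out of the sliding window."""
    while queue and now - queue[0] > FAIL_WINDOW:
        queue.popleft()


def detect(events, baseline):
    """Return (timestamp, user, checklist point, message) alerts in log order."""
    alerts = []
    failures = defaultdict(deque)       # user -> timestamps of recent failures
    for ev in events:
        user, ts = ev["user"], ev["ts"]
        queue = failures[user]
        _prune(queue, ts)
        if ev["result"] == "FAIL":
            queue.append(ts)
            if len(queue) == FAIL_THRESHOLD:    # fire once, on the 5th failure
                alerts.append((ts, user, "1.2", f"{FAIL_THRESHOLD} failed logins within "
                               f"{FAIL_WINDOW}; confirm the lockout triggered"))
            continue
        # Successful login: compare against the user's baseline.
        known = baseline.get(user, {"countries": set(), "devices": set()})
        if ev["country"] not in known["countries"]:
            alerts.append((ts, user, "1.7", f"login from unexpected country {ev['country']}"))
        if ev["device"] not in known["devices"]:
            alerts.append((ts, user, "1.7", f"login from unknown device {ev['device']}"))
        if len(queue) >= FAIL_THRESHOLD:
            alerts.append((ts, user, "1.7", f"success after {len(queue)} recent failures"))
        if user.startswith("adm-") and is_off_hours(ts):
            alerts.append((ts, user, "6.4", "privileged login outside working hours"))
    return alerts


if __name__ == "__main__":
    for ts, user, point, message in detect(parse(SAMPLE_LOG), BASELINE):
        print(f"{ts.isoformat()} [{point}] {user}: {message}")
```

On the sample the five rapid failures raise one 1.2 alert, the success that follows them raises three 1.7 alerts (new country, unknown device, success after a failure burst), and the 23:41 administrative login raises the 6.4 alert; the 14:12 login from the expected device raises nothing. The 6.4 alert is the one that should go to an SMS or phone notification, since nobody is watching a dashboard at that hour.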

Area 7: Compliance and Awareness (5 points)

7.1 [CRITICAL] Cybersecurity Training
Have all staff completed cybersecurity training within the last 12 months? Are simulated phishing campaigns conducted (at least quarterly)? Is the phishing click rate measured and reported?

7.2 Data Protection Officer (DPO)
Has a DPO been designated and are their contact details published? Does the DPO have sufficient resources and independence? Is the DPO involved in evaluating new IT systems and changes in data processing?

7.3 Record of Processing Activities
Is an up-to-date Record of Processing Activities (Art. 30 GDPR) maintained? Does it cover all systems processing personal data? Is it reviewed and updated at least annually?

7.4 Data Processing Agreements
Have Data Processing Agreements (Art. 28 GDPR) been signed with all providers processing personal data? Do agreements contain required elements (scope, security measures, breach procedures)? Are providers audited for security?

7.5 Security Audit
Has an information security audit been conducted within the last 24 months? Have audit results been implemented (remediation plan with deadlines and responsible parties)? Have penetration tests of infrastructure and web applications been conducted?

Need support implementing this checklist? nFlo offers comprehensive cybersecurity services for educational institutions — from audits and pentests through technical implementations to training and 24/7 monitoring. Contact us to conduct a security review of your institution.
