IBP FO Standards Framework
What is the IBP FO Standards Framework?
The Information Security and Privacy Standards Framework for Primary and Secondary Education (IBP FO) is a tool for school boards to improve their information security and the protection of personal data.
The Ministry of OCW, Kennisnet, SIVON, the PO-Raad, and the VO-raad commissioned this standards framework as part of their Digital Safe Education program. That program is intended for primary and secondary education, also referred to as Funderend Onderwijs, and helps schools provide students and staff with a digitally safe school environment. FO not only represents by far the largest group of schools and students; those students are also younger and more vulnerable than students in vocational education and higher education. In addition, secondary schools or elementary schools, even when they collaborate, generally have less IT expertise than the average ROC, university of applied sciences, or university.
The IBP FO Standards Framework consists of 69 standards for your information security. The standards are clustered into 15 security domains, ranging from the setup of your risk management to guidelines for your Identity and Access Management. A later version will also add an extra category with privacy requirements.
Each domain is implemented concretely with a number of specific standards. An example is shown below. For each standard there is an assessment framework with the minimum requirements that schools must meet. Each standard also includes example measures that allow a school to meet the requirements automatically. More tools, such as checklists and templates, are becoming available as well. This enables us to improve information security and privacy across the education sector through this standards framework.

How did the IBP FO Standards Framework come about?
The standards framework was developed because IT plays an increasingly important role in Primary and Secondary Education. ICT solutions are no longer used only for administrative processes; smart digital applications are widely used in the classroom and for remote learning. This means information security and privacy also become much more important.
As a result, more and more personal data of millions of students are processed and stored over time. In addition, students move up each year to a next grade or to further education with different teachers and counselors. In such a dynamic environment, schools must ensure that all sensitive data of children and young people are handled with care, while teachers and staff can do their work safely and with sufficient privacy.
There are also many developments that make these challenges even greater. A so-called sector overview drawn up by the Dutch Data Protection Authority provides an overview of important privacy trends and developments within education. Examples include:
Education is taking on many more responsibilities such as the well-being and personal safety of pupils and students, promoting equal opportunities, and preventing polarization. Schools struggle with which personal data may be used for these purposes and under what conditions.
Algorithms and artificial intelligence are used more and more, for example in adaptive learning tools, learning analytics, and automated testing. How do you guarantee the correct interpretation of data, prevent bias, and ensure transparency and control over personal data?
In education, teachers, pupils, and students are increasingly enthusiastic about using all kinds of free apps and software, which can unintentionally lead to the proliferation of shadow IT. This makes it extra difficult for educational institutions to maintain control over the use of personal data and the privacy of pupils, students, and staff.
Research often involves collecting and processing personal data. Proper anonymization or, where permitted, pseudonymization raises many questions, as does sharing research data and any potential reuse. This already plays a role for high school students as well, for example with capstone projects.
In that same sector overview, the Dutch Data Protection Authority (AP) was also positive about the increasingly effective collaboration within education, for example in drafting joint requirements for privacy and information security. Vocational education and higher education already have sector-wide information security and privacy standards, and in 2023 primary and secondary education published the IBP FO Standards Framework. As in higher and secondary education, the NBA Information Security Maturity Model from the Royal Netherlands Institute of Chartered Accountants is used as the starting point.

Becoming compliant with the IBP FO Standards Framework?
It is not yet mandatory to comply with the IBP FO Standards Framework. Starting with the 2024 annual reports, school boards must actively address their plans and developments regarding information security and privacy. The ministry has also announced that schools must be compliant with the Standards Framework from 2027 onward.
But where do schools stand now? On behalf of the Digital Safe Education program, research firm Dialogic conducted a baseline measurement based on the Standards Framework (see link). Of all schools surveyed, a representative sample of 15 school boards, none yet met all requirements. The overview below also shows the compliance percentages per domain. With some optimism you could call Incident and Problem Management a positive outlier, but even that domain scores below 50%. The results of the other domains are clearly lower.

So there is still a lot of work to do. The study therefore categorized the schools. There is a top 10% that, although not yet compliant, are clear frontrunners with sufficient expertise and capacity to meet the standards on time. There is a larger group (50%) that is already working on it but still needs to scale up in IBP expertise and in broader awareness across the organization. Finally, there is a group of 40% that the report calls 'unconsciously incompetent'. That group includes relatively many smaller organizations that for now lack the capacity and knowledge to implement the Standards Framework.
Resources
Fortunately, schools have plenty of starting points to begin working with the Standards Framework. As noted, there are templates and example measures to meet the desired minimum level. The Standards Framework also includes an example roadmap. It guides a school to first establish a solid foundation, then address the high risks, and after that the smaller risks. Equally important are several clear basic principles in your information security policy and plans. By thinking these through, many requirements can be realized much more easily.
It is crucial to define job functions, roles, and separation of duties within the school from the outset. With Role Based Access Control you can easily determine for each job and staff member which access to applications and data is necessary. Those settings are also adjusted automatically when someone’s role changes, and with such a clear approach you can also easily set up processes for temporary coverage, incident response, and other special circumstances.
In a similar way, you will quickly see the need for structured monitoring of data and activities. This is important to continuously evaluate the effectiveness of your information security plans, but it is especially important to detect security weaknesses in time and to act quickly during incidents. You will notice that many requirements are easier to realize if you have thought through structural topics such as monitoring and logging.
Want to know more about the IBP FO Standards Framework? Interested in how a modern Identity and Access Management solution can help you structure the foundation of your information security? Check our white paper.