20 July 2020

In recent years, infrastructure within further education (FE) has suffered from a lack of both investment and strategic alignment between IT and the organisation. Despite this, IT teams continue to deliver services in a challenging environment.

Hardware is often unsupported and deficient in security updates. Teams can also be stretched in both headcount and skills, making it difficult to provide ongoing support and service improvements.

Jisc has worked extensively with FE members and has carried out 107 infrastructure reviews. This piece reflects the experiences of the sector in areas including IT team skills and service management, networks, servers and storage, applications and device management.

It highlights areas of best practice and where investment could improve infrastructure and enhance services. It also highlights concerns such as the use of unsupported server operating systems, as well as areas where colleges have successfully delivered high quality services in a challenging environment through greater use of automation.

We have worked across the sector providing services, advice and guidance to members – this has provided an insight into the state of infrastructure within further education. Much of the evidence within this piece has been gathered through the infrastructure review service which has been offered since 2016.

The review involves discussions with IT managers and other staff where appropriate covering areas including strategy, team structure, networks, servers and storage, core enterprise services, applications, device management, security and governance. It is intended as a supportive review and is not an audit; as such, it is based only on what members are willing to discuss. The majority of these reviews (91%) have been conducted at FE member sites. This is largely due to the more extensive provision and generally better funding of IT teams within HE.

Strategic alignment

In addition to limited investment in IT, colleges are often restricted by a lack of technology-related strategic planning, evident in the majority of colleges. Jisc recommends that there is clear alignment between IT and the overall college strategy.

 

Organisations which have a chief technology officer (CTO), chief information officer (CIO) or head of technology-type senior role are able to make embedded use of technology due to improved organisation-wide technology decision making. When this occurs in the right place, at the right time, it can make a real difference to service delivery.

IT teams

Firstly, it should be noted that IT teams within FE colleges are to be commended for the work they have been doing in ‘keeping the lights on’. This has taken place despite significant challenges; in particular, it has been observed that in many cases, departing staff are not replaced.

As a result, the ratio of IT support staff to supported users based on infrastructure review data has increased to 1:814. When Jisc last analysed this ratio in 2017, it was around 1:450.

Lack of capacity also makes training and keeping up to date with technological developments challenging. Most colleges have gaps in the skills profile required for an IT team to effectively function, have key person dependencies which exposes them to risk should they leave – or both.

A number of colleges have engaged with third parties to provide managed services, with most reporting positive experiences of doing so. Where capacity does not exist, there is an opportunity to ensure funding is available. This could be used to make use of managed services where they are unable to recruit in a timely manner or be able to resource additional staff.

Recent weeks have seen IT teams doing an excellent job in maintaining services to facilitate the rapid transformation to remote learning. Behind the scenes, though, the sector is at risk of major service failure and data loss due to the lack of investment in technology from both a staffing and capital expenditure perspective.

There is limited use of IT service management frameworks such as ITIL (Information Technology Infrastructure Library). Those who have made use of such structures typically derive management and delivery benefits. While most teams have a basic operational plan in place, service level agreements and service catalogues are generally not applied, exposing IT teams to unrealistic expectations, as well as the risk of delivering inefficient services which are not strategically aligned.

Cloud and connectivity

The sector is making increasing use of software as a service (SaaS) delivery, with applications hosted in the cloud. This is an approach endorsed by Jisc, encouraging the use of a hybrid model where cloud services are adopted wherever they are appropriate.

The AoC/Jisc college IT and digital technology survey found that 68% of respondents were taking a hybrid approach, with 30% using in-house-only systems, and 2% cloud only. Of those who are not using the cloud, 65% cited concerns around costs as a barrier to doing so.

Increased reliance on cloud services also places additional reliance on connectivity. All colleges should have a resilient internet connection, especially when there is a reliance on cloud services. Currently, there are 150 colleges with only a single Janet connection. There are also 32 English FE colleges (13%) which have a connection speed of less than 1Gbps. Increased use of cloud services and remote delivery will place such connections under pressure.

Equipment

The majority of colleges who have undertaken an infrastructure review find capital spending on IT infrastructure difficult. While most are able to deliver services, and have been successful in moving to remote delivery, a lack of investment in equipment increases the risks they are exposed to. There have been some good examples of colleges extending the life of end user equipment including desktop and laptop fleets, such as by installing solid-state drives; however, the number of end-of-life devices remains high.

The AoC/Jisc survey also found that on average only 55% of colleges consider most or all of their desktop devices fit for purpose, decreasing to 46% for portable devices such as tablets and laptops. 95% of respondents reported that devices which were not fit for purpose were due to their age/wear and tear.

With the recent move to remote learning, it is vital to ensure that there is adequate investment in devices so that learners, particularly disadvantaged learners, are not left behind. Jisc’s digital experience insights research has found that 5% of learners do not own their own device.

Core infrastructure such as servers and storage which is ‘end-of-life’ is regularly in continued use due to a lack of capital funding. Such equipment is typically no longer supported by vendors should it fail and is not receiving security updates or patches which are essential to ensuring the security of systems. The use of legacy server operating systems including Windows Server 2008 and. in some cases Windows Server 2003, are still in use for core systems.

This, among other issues uncovered during infrastructure reviews, leads Jisc to conclude that 85% of further education members reviewed have concerns relating to gaining Cyber Essentials certification in line with the ESFA expectations in 2020/21. There is also evidence that there are a small number of providers which have received certification based on self-assessment, which would not withstand the external validation of their cyber security posture as is required to achieve Cyber Essentials Plus certification.

Applications

A wide range of applications are in use across the sector, with no evidence of any particular vendors of systems such as student records and finance being favoured by colleges. Email and Office applications are primarily Microsoft Office 365, with some using Google GSuite.

There is little evidence of enterprise architecture frameworks being applied, which is to be expected given the capacity constraints within teams. Where it is being applied, there are a small number of sector exemplars where colleges have created data warehouses, enabling self-service reporting and the ability to easily replace systems where appropriate.

Security

As already discussed, many colleges will find it difficult to achieve Cyber Essentials certification in line with the ESFA expectations in 2020/21.

Jisc recommends that colleges achieve this as soon as possible as a solid base from which to work to achieve Cyber Essentials Plus and ISO27001, as this is expected to be a requirement in the future.

Nearly all colleges have adequate firewall technologies. Web filtering and monitoring arrangements in the majority of cases meet Ofsted’s best practice expectations in line with the Prevent Duty. A small number, however, are unable to use their logs of internet usage to identify traffic to an individual user. It is encouraging to note that increasing numbers of colleges are ensuring devices such as laptops which are taken offsite are encrypted. This is particularly relevant given that homeworking has increased significantly.

Password policies vary across the sector. Many apply password requirements which need strengthening and enforce password expiry. Jisc recommends that colleges adhere to the National Cyber Security Centre guidance in requiring strong passwords which do not expire.

Most colleges offer some form of training and awareness raising on cyber security issues for staff – 67% of Jisc/AoC survey respondents make training compulsory for all or some staff. Only 27%, however, do so for all or some students. A more coordinated approach may be beneficial for the sector.

Disaster recovery

The back up and disaster recovery procedures in the majority of organisations reviewed is a concern, although there are some examples of sector best practice which should be replicated across all colleges. The current situation in most colleges represents a major business continuity risk. It is reassuring to note that most colleges have mitigated against the risk of physical damage such as fire and flood.

The main concern is that many back up systems are not logically offline or physically offline, for example, by using a tape library. This increases the risk of a total loss of data including that held on back-ups in the event of a cyber attack. A total loss of data would have enormous implications for colleges.

Conclusion

Based on the evidence seen by Jisc working with the sector, the following requirements are considered necessary:

• A resilient and minimum 1Gbps Janet connection, accelerating the upgrade path for those who do not yet have this using the £300m per annum capital fund
• Continued investment in end-user devices to support learners, especially for disadvantaged and vulnerable learners
• Up-to-date servers and storage, and the discontinuation of legacy operating systems
• Infrastructure upgrades to include offline back-ups where they do not exist. Ensure server and back-up solutions comply with Cyber Essentials Plus and ISO27001
• The creation of a senior technology role where there is no such position within an organisation’s structure
• Better strategic alignment of technology with the overall college objectives, with a clearly defined service catalogue in place
• Ensure staffing levels are appropriate within IT teams, staff are replaced when team members leave, and staff have the opportunity and capacity to access appropriate training and development, particularly on cloud services
• A coordinated approach to end user awareness training and awareness raising on safeguarding and cyber security issues

This article is part of a new e-book produced by the Association of Colleges and funded by Ufi, Creating a post-Covid19 EdTech Strategy, bringing together all the wisdom and lessons learned from lockdown.