Embedding security into school IT systems - Scotch College and Presbyterian Ladies' College

Organisations typically understand IT management well. The challenge occurs when it comes time to understand security responsibilities.


Scotch College is a modern, progressive and successful independent school for boys. For over a hundred and twenty years the School has been providing an intellectually and personally challenging programme in keeping with the best traditions of liberal education.

Presbyterian Ladies' College (PLC) was founded in 1915 and has since sustained an international reputation for academic excellence and outstanding success in preparing young women to lead and contribute.

Classified as tier-one schools, Scotch College and PLC are located in the Western suburbs of Perth. Scotch has a student population of 1500 and 320 staff, while PLC has 1100 students and 250 Staff. 

PLC and Scotch College have a shared IT infrastructure and support agreement, with an IT director whose role spans both schools and coordinates resources and decision- making. This allows the schools to share knowledge, documentation, processes and resources as well as infrastructure, specific risk mitigation and disaster recovery networks.

The Challenge

Organisations typically understand Information Technology (IT) management well. The challenge occurs when it comes time to understanding their security responsibilities.

This is a very broad and specialised skillset and is often less about IT and more about the organisation itself and how it operates. PLC and Scotch College wanted to foster better engagement between IT and the broader organisation, to improve service delivery while always ensuring the best levels of security.

They identified that secure service delivery required all stakeholders and participants to be security aware while also embedding security into processes. It was also important that any solution not be dependent on any specific piece of technology.

The fundamental requirement was the research and preparation of a vendor-agnostic report which identified areas of maturity while also highlighting those areas of risk and offering recommendations.

The Datacom Difference

Datacom used a senior information security consultant to run a security baseline assessment. This was a bespoke service centred on the Information Security standard ISO/IEC 27001. This included a series of onsite workshops with senior management, technical support staff and other departments.

The result was an end-to-end assessment of business and IT processes, looking at these domains:

1.            Information security policies
2.            The organisation
3.            Human resources
4.            Asset management
5.            Access control
6.            Cryptography
7.            Physical security
8.            Operational security
9.            Network and communications
10.          System development
11.          Suppliers
12.          Incident response
13.          Business continuity
14.          Compliance

Applying an appropriate organisational context was key to the success of this project. The assessment, gaps, and recommended improvements needed to be seen in the context of a school environment.

This meant taking account of those controls necessary for such an environment as well as those that would be too restrictive or inefficient in a modern school setting.

Datacom prides itself on maintaining a local approach while leveraging the very best technology-based solutions, insights and experience.

Our unique culture, heritage and ownership enables us to maintain this kind of truly personalised, local focus.


The final assessment was a risk- based executive report highlighting mature areas of delivery, identifying current risks, while also offering a comprehensive set of pragmatic recommendations specific to the school environment.

Recommendations included changes to the operational environment, both logical and procedural as well as policy-based improvements to ensure a robust delivery of secure services that should result in a sustained improvement in the overall security posture of the schools.

Datacom’s service was considered a perfect fit because it was completely vendor-agnostic, it did not seek to solve security problems with any specific technology, and it covered the entirety of their organisation. It was a context specific, risk- based assessment specific to the market it was being delivered for.

The risk based focus of the report ensured that senior and executive leadership were able to easily relate to its findings.

The success of the engagement was evident through the support the outcomes provided to the Information and Learning and Technologies Director:

•             It served as a useful educational piece on security requirements and how immature business processes can affect an organisation

•             It provided a strong procedural uplift in security policy and supported the business case for future investment in security initiatives

•             Provided a roadmap of improvement for the year ahead and a framework for future self-assessment


“We didn’t want to be presented with a solution that relied on us constantly upgrading to more expensive technology or having to employ specialist staff. We needed a consultant with the expertise to accurately assess our needs without pushing us into any technology vendor. Datacom did just this – identified the areas where improvement was needed and helped us easily implement a solution. It’s this kind of personalised service that’s given us the roadmap we needed to implement improvements to keep our system secure and safe in the years to come.”

Anna Hu , Director of Information and Learning Technologies