A practical guide to IT security - Up to University project
Jan. 27, 2020
This booklet is meant to help teachers and system administrators in high schools when it comes to IT security, digital identity and cybersecurity. The content is universal although it was elaborated under the Up to University project.
A PRACTICAL GUIDE TO Up2U ICT SECURITY
The Up2U ecosystem is based on the use of the Internet, cloud systems and the Bring Your Own Device (BYOD) approach. Creating a safe and secure ICT learning environment for all the schools involved in the project pilots is a priority. This guide offers practical, simple suggestions for schools on how to achieve such an environment.
A Framework of Whole-School Awareness, Responsibilities, Policies and Procedures
Establish a Security Task Force
For the Security Task Force, we suggest combining all the human resources inside the school that can help to identify security risks and create a common security vision for your school. Complete collaboration at each level is key.
Manage All the Users
For systems that handle sensitive information, we recommend applying strict user configurations. To be able to associate users with devices and contact them in case of need, it is necessary to set up a register of users.
- Use standard accounts with limited privileges. Allow the use of administrative accounts only for users with appropriate skills.
- Use administrative accounts only to perform operations that require privileges.
Create a Hardware and Software Inventory
We recommend creating an inventory (manually or with automatic software) of the existing devices connected to the network, recording MAC address, hostname, function, owner, associated office, etc.
It could be useful to complement this with automatic discovery of network-connected devices, an alert system that fires in case of anomalies, and the identification of portable electronic devices.
- Create a list of authorised software and an inventory of installed software.
- Perform regular system scans to detect unauthorised software.
Create a School Security Policy
We recommend that, as a minimum, a school security policy should address the following:
Make it clear to users that:
- IT resources are for institutional purposes only
- They should avoid using videogames and downloading illegal software (MP3, movies, etc.)
- It is forbidden to launch cyberattacks on internal and external systems
Regularly inform users about cautions:
- Beware of phishing emails. Some clues are:
  - Strong sense of urgency
  - Suspicious sender’s address
  - Generic greetings and signature
  - Spoofed hyperlinks
  - Spelling and layout (poor grammar)
  - Suspicious attachments
- Avoid browsing untrusted sites and clicking on any link
- Download and install software and apps only from trustworthy sites
- Delete programs or apps no longer used
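The phishing clues listed above can be turned into a simple triage check that a helpdesk runs over messages users report. The script below is an added example written for this guide, not code from the Up2U project: the trusted domain `school.example`, the keyword lists, the one-point-per-clue weighting and the two sample messages are all constructed assumptions, and the spelling/layout clue is approximated by counting exclamation marks and all-capital words.

```python
"""Heuristic phishing triage based on the clues in this guide.

Added example, not code from the Up2U project. The trusted domain, the keyword
lists, the one-point-per-clue weighting and the two messages are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"school.example"}  # constructed: the school's own mail domain(s)
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "will be suspended", "act now")
GENERIC_GREETINGS = ("dear user", "dear customer", "dear sir/madam", "dear account holder")
RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".scr", ".docm", ".xlsm", ".iso")
HREF_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")


def spoofed_links(html):
    """Links whose visible text is a URL on a different host than the real href."""
    found = []
    for href, text in HREF_RE.findall(html):
        shown = TAG_RE.sub("", text).strip()
        if shown.startswith(("http://", "https://")):
            if urlparse(shown).hostname != urlparse(href).hostname:
                found.append(href)
    return found


def score_message(raw):
    """Return (score, reasons) for a raw RFC 5322 message; one point per clue found."""
    msg = message_from_string(raw)
    reasons = []

    # Clue: suspicious sender's address
    sender_name, sender_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    sender_domain = sender_addr.rsplit("@", 1)[-1].lower()
    org_words = {d.split(".")[0] for d in TRUSTED_DOMAINS}
    if sender_domain not in TRUSTED_DOMAINS and any(w in sender_name.lower() for w in org_words):
        reasons.append("display name imitates the school but the address is external")
    if reply_addr and reply_addr.rsplit("@", 1)[-1].lower() != sender_domain:
        reasons.append("Reply-To points to a different domain than From")

    # Collect subject, body text, HTML and attachment names
    plain, html, attachments = [], [], []
    for part in msg.walk():
        if part.get_filename():
            attachments.append(part.get_filename())
        elif part.get_content_type() == "text/plain":
            plain.append(part.get_payload(decode=True).decode("utf-8", "replace"))
        elif part.get_content_type() == "text/html":
            html.append(part.get_payload(decode=True).decode("utf-8", "replace"))
    html_text = "\n".join(html)
    text = msg.get("Subject", "") + "\n" + "\n".join(plain) + "\n" + TAG_RE.sub(" ", html_text)
    lowered = text.lower()

    # Clues: urgency, generic greeting, spoofed hyperlinks, suspicious attachments, poor layout
    if any(w in lowered for w in URGENCY_WORDS):
        reasons.append("strong sense of urgency")
    if any(g in lowered for g in GENERIC_GREETINGS):
        reasons.append("generic greeting")
    links = spoofed_links(html_text)
    if links:
        reasons.append("spoofed hyperlink(s): " + ", ".join(links))
    if any(a.lower().endswith(RISKY_EXTENSIONS) for a in attachments):
        reasons.append("suspicious attachment type")
    if text.count("!") >= 3 or len(re.findall(r"\b[A-Z]{4,}\b", text)) >= 3:
        reasons.append("shouting punctuation or capitalisation")
    return len(reasons), reasons


# Constructed sample: a phishing message imitating the school helpdesk.
SAMPLE_PHISH = """From: "School IT Helpdesk" <helpdesk@school-example-support.com>
Reply-To: collect@mailbox-reset.example.net
To: teacher@school.example
Subject: URGENT: your password expires today
Content-Type: text/html; charset=utf-8

<p>Dear user,</p>
<p>Your mailbox will be suspended within 24 hours. Act now!!!</p>
<p><a href="http://login.mailbox-reset.example.net/reset">https://webmail.school.example/login</a></p>
"""

# Constructed sample: an ordinary internal message.
SAMPLE_LEGIT = """From: "Maria Rossi" <maria.rossi@school.example>
To: teacher@school.example
Subject: Timetable for next week
Content-Type: text/plain; charset=utf-8

Hi Anna,
here is the lab timetable we discussed. See you on Monday.
Maria
"""

if __name__ == "__main__":
    for sample in (SAMPLE_PHISH, SAMPLE_LEGIT):
        print(score_message(sample))
```

A message that collects several clues is a candidate for the helpdesk to look at; a score of zero is not proof that a message is safe, which is why the guide still asks users to treat unexpected attachments with suspicion.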
The innovation action leading to these results has received funding from the European Union's Horizon 2020 research and innovation programme
under Grant Agreement No. 732049 - Up2U
Improve password security:
Ensure that users:
- Never disclose their passwords, especially via the Internet
- Make passwords long and complex (at least 12 characters, mixing capital letters, numbers, and symbols). You can create a long password using a passphrase, i.e. four or more random words grouped together and used as a password.
- Create a unique password for each account
- Never use personal information
- Consider using a password manager
- Periodically force the password change
- Use two-factor authentication, if available
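The password rules above can be enforced at account creation rather than left to memory. The checker below is an added example written for this guide, not code from the Up2U project; the list of common and default passwords is a short constructed sample (a real deployment would use a large breached-password list), and the personal information and existing passwords are supplied by the caller.

```python
"""Password policy check implementing the rules in this guide.

Added example, not code from the Up2U project. The list of common and default
passwords is a short constructed sample; a real deployment would use a large
breached-password list. Personal information and existing passwords are
supplied by the caller.
"""
import re

MIN_LENGTH = 12            # "at least 12 characters"
MIN_PASSPHRASE_WORDS = 4   # "four or more random words grouped together"
COMMON_PASSWORDS = {"password", "admin", "qwerty", "welcome", "letmein", "changeme"}  # constructed sample
CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def check_password(password, personal_info=(), existing=()):
    """Return the list of policy violations; an empty list means the password is acceptable.

    personal_info: strings the user must not reuse (names, username, birth year).
    existing: passwords already used for this user's other accounts.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # Either a passphrase of several words or a mix of character classes is acceptable.
    words = [w for w in re.split(r"[\s\-_.]+", password) if w]
    is_passphrase = len(words) >= MIN_PASSPHRASE_WORDS
    classes = sum(1 for pattern in CHARACTER_CLASSES if re.search(pattern, password))
    if not is_passphrase and classes < 3:
        problems.append("needs capitals, numbers and symbols mixed in, or a passphrase of four or more words")

    lowered = password.lower()
    for item in personal_info:
        if len(item) >= 3 and item.lower() in lowered:
            problems.append(f"contains personal information ({item})")

    # Strip digits and symbols so "Password123!" is still recognised as "password".
    letters_only = re.sub(r"[^a-z]", "", lowered)
    if lowered in COMMON_PASSWORDS or letters_only in COMMON_PASSWORDS:
        problems.append("well-known default or common password")

    if password in existing:
        problems.append("already used for another account")
    return problems


if __name__ == "__main__":
    # Constructed user profile for the demonstration.
    profile = ("Maria", "Rossi", "mrossi", "1985")
    for candidate in ("Summer2019", "MariaRossi1985!", "Password123!", "correct horse battery staple"):
        print(candidate, "->", check_password(candidate, personal_info=profile) or "OK")
```

The passphrase branch is what lets "four or more random words" pass without symbols, while a short mixed-class password still fails the length rule; the two rules are alternatives for complexity, not for length.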
Keep Updated!
Keep all software (both application and system) updated and patched (in automatic mode if allowed).
Keep the software of all of your personal electronic devices updated too. Manufacturers release updates as they discover vulnerabilities in their products. Automatic updates make this easier for many devices – including computers, phones, tablets and other smart devices – but you may need to manually update other devices. Only apply updates from manufacturer websites and built-in application stores – third-party sites and applications are unreliable and can result in an infected device. When shopping for new connected devices, consider the brand’s consistency in providing regular support updates.
It is important to keep up with new vulnerabilities and take regular maintenance actions.
- Use updated vulnerability scanning tools.
- Verify that vulnerabilities emerging from scans were resolved either by means of patches, by implementing appropriate countermeasures, or by documenting and accepting a reasonable risk.
- Use only supported software and operating systems (for example, avoid MS Windows XP).
The main attack vector is the browser, especially if it is not kept up to date!
Be Aware!
- Check the logging of DHCP server operations (usually enabled by default).
- Manage every access to the network by registering the account, timestamp, MAC address, and IP address.
- Periodically perform an internal or external vulnerability assessment to pre-emptively identify your vulnerabilities before the bad guys do.
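The DHCP logging and the access register above combine naturally with the hardware inventory recommended earlier: every lease the DHCP server grants is recorded with timestamp, MAC address and IP address, the account is looked up from the inventory's owner column, and a lease handed to a MAC address that is not in the inventory raises the anomaly alert. The script below is an added example written for this guide, not code from the Up2U project; it parses the standard ISC dhcpd DHCPACK syslog line, and the inventory rows, the log excerpt and the use of the inventory owner as the "account" are constructed.

```python
"""Network-access register from ISC dhcpd syslog lines, with alerts for devices
missing from the hardware inventory.

Added example, not code from the Up2U project. The inventory rows and the log
lines are constructed; the log format is the standard ISC dhcpd DHCPACK message.
"""
import csv
import io
import re
from datetime import datetime

# Constructed inventory with the fields the guide recommends.
INVENTORY_CSV = """mac,hostname,function,owner,office
aa:bb:cc:00:00:01,lab1-pc07,lab workstation,science lab,Room 12
aa:bb:cc:00:00:02,printer-2f,printer,admin office,Room 2
aa:bb:cc:00:00:03,anna-laptop,BYOD laptop,anna.rossi,staff room
"""

# Constructed dhcpd log excerpt (syslog timestamps carry no year).
DHCP_LOG = """Jan 27 08:02:11 gw dhcpd[812]: DHCPACK on 10.1.20.15 to aa:bb:cc:00:00:01 (lab1-pc07) via eth1
Jan 27 08:05:43 gw dhcpd[812]: DHCPACK on 10.1.30.7 to aa:bb:cc:00:00:03 (anna-laptop) via eth2
Jan 27 08:06:02 gw dhcpd[812]: DHCPDISCOVER from de:ad:be:ef:00:99 via eth2
Jan 27 08:06:03 gw dhcpd[812]: DHCPACK on 10.1.30.40 to de:ad:be:ef:00:99 (android-7f3) via eth2
Jan 27 08:07:20 gw dhcpd[812]: DHCPACK on 10.1.40.3 to aa:bb:cc:00:00:02 via eth3
"""

ACK_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dhcpd\[\d+\]: "
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>[0-9A-Fa-f:]{17})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)$"
)


def load_inventory(csv_text):
    """MAC address -> inventory row, keys lower-cased for matching."""
    return {row["mac"].lower(): row for row in csv.DictReader(io.StringIO(csv_text))}


def build_register(log_text, inventory, year):
    """Return (register, alerts): one register entry per lease acknowledgement."""
    register, alerts = [], []
    for line in log_text.splitlines():
        match = ACK_RE.match(line)
        if not match:            # DISCOVER/OFFER/REQUEST lines are not granted leases
            continue
        mac = match["mac"].lower()
        # syslog has no year, so the caller supplies it
        stamp = datetime.strptime(f"{year} {match['ts']}", "%Y %b %d %H:%M:%S")
        known = inventory.get(mac)
        entry = {
            "account": known["owner"] if known else "UNKNOWN",
            "timestamp": stamp.isoformat(),
            "mac": mac,
            "ip": match["ip"],
            "hostname": match["host"] or (known["hostname"] if known else ""),
            "interface": match["iface"],
        }
        register.append(entry)
        if known is None:
            alerts.append(
                f"{entry['timestamp']}: unknown device {mac} "
                f"({entry['hostname'] or 'no hostname'}) obtained {entry['ip']} via {entry['interface']}"
            )
    return register, alerts


if __name__ == "__main__":
    reg, alerts = build_register(DHCP_LOG, load_inventory(INVENTORY_CSV), year=2020)
    for row in reg:
        print(row)
    for alert in alerts:
        print("ALERT", alert)
```

On a real server the log text comes from the syslog file the distribution uses for dhcpd and the inventory from the school's own register; the alert for the unknown MAC is the anomaly the inventory section asks to be notified about.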
Implement a Backup Programme
Perform regular backups of critical data and, at longer intervals, of the entire system. Many cloud solutions are available to help you do this.
Ensure the confidentiality of data in backup copies by encryption. Encrypting before transmission allows safe remote backup in the cloud.
Ensure that removable devices containing backups (for instance, external hard disks or USB pen drives) are not permanently accessible from the system, to prevent local attacks from reaching the security copies.
Beware of inserting unknown USB devices into school systems. They could contain hidden malware!
A robust data backup programme can save the day if you’re hit by ransomware.
Create an Incident Procedure
Every school system should have a cyber-incident response plan in place. If people know what to do in the event of a problem, its impact can be minimised.
After the incident, you should document what happened and share all the information, to prevent similar cases in the future.
Apply Security Acceptable Use Policies
Each network user should sign a Security Acceptable Use Policy.
The school can follow the templates and guidance on the website of the learning network WMnet (http://www.wmnet.org.uk).
A SECURE ICT SYSTEM
Customise Network and System Configuration
Network Hardening
- Configure the router appropriately (anti-spoofing filters, filters that allow access only to institutional services)
- Segment the network into separate subnetworks, applying, in relation to the context, the most rigorous policies:
  - DMZ subnet exposed to the Internet (DNS, web server, mail server)
  - Subnetwork for management and administration
  - Subnetwork for didactics and laboratories
  - Subnet for students and guests (BYOD: smartphone, tablet, notebook)
  - Subnetwork for printers, video surveillance, building automation, IoT devices, etc.
- Install at least one network firewall blocking incoming connections to all subnets (excluding the DMZ), possibly also with a NAT function
- Mitigate attacks carried out by email by analysing messages before they reach the recipient’s mailbox. Do this by configuring antispam and antivirus software on the mail server.
- Install a web filtering solution to protect users from malicious sites while they are surfing
- Enable wireless security:
  - Use the strongest encryption protocol available (WPA2/WPA3)
  - Change the router’s default administrator password
  - Change the default Service Set Identifier (SSID)
  - Disable WiFi Protected Setup (WPS)
  - Reduce wireless signal strength
  - Turn the network off when not in use (or configure a wireless schedule)
  - Disable Universal Plug and Play (UPnP) when not needed
  - Keep all router and network devices updated to the latest firmware version
  - Disable remote management
  - Monitor for unknown device connections
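The segmentation, anti-spoofing and "block incoming connections to all subnets except the DMZ" points above can be expressed as one ruleset. The nftables configuration below is an added example, not a configuration from the Up2U project or any school: the interface names eth0 to eth5, the subnet addresses, the three DMZ server addresses and the assumption that the firewall host itself serves DHCP on the internal segments are all invented for illustration.

```nft
#!/usr/sbin/nft -f
# Border firewall for a segmented school network (added example, not an Up2U configuration).
# Assumptions: interface names eth0-eth5, the subnets below, the three DMZ server
# addresses, and that this host also serves DHCP on the internal segments.
flush ruleset

define WAN     = eth0
define DMZ_IF  = eth1   # 192.0.2.0/24  public services: DNS, web, mail
define MGMT_IF = eth2   # 10.1.10.0/24  management and administration
define LAB_IF  = eth3   # 10.1.20.0/24  didactics and laboratories
define BYOD_IF = eth4   # 10.1.30.0/24  students and guests
define IOT_IF  = eth5   # 10.1.40.0/24  printers, cameras, building automation
define DNS_SRV  = 192.0.2.10
define WEB_SRV  = 192.0.2.20
define MAIL_SRV = 192.0.2.30

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif lo accept
        # the firewall is administered only from the management segment
        iifname $MGMT_IF tcp dport 22 accept
        # DHCP requests from the internal segments (assumption: this host runs the DHCP server)
        iifname { $MGMT_IF, $LAB_IF, $BYOD_IF, $IOT_IF } udp dport 67 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop

        # anti-spoofing: the Internet never legitimately sends our own address ranges
        iifname $WAN ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 192.0.2.0/24 } drop
        # and each internal segment may only use its own addresses
        iifname $MGMT_IF ip saddr != 10.1.10.0/24 drop
        iifname $LAB_IF  ip saddr != 10.1.20.0/24 drop
        iifname $BYOD_IF ip saddr != 10.1.30.0/24 drop
        iifname $IOT_IF  ip saddr != 10.1.40.0/24 drop

        # DMZ: the only segment that accepts new connections from the Internet,
        # and only for the institutional services
        iifname $WAN oifname $DMZ_IF ip daddr $DNS_SRV  udp dport 53 accept
        iifname $WAN oifname $DMZ_IF ip daddr $DNS_SRV  tcp dport 53 accept
        iifname $WAN oifname $DMZ_IF ip daddr $WEB_SRV  tcp dport { 80, 443 } accept
        iifname $WAN oifname $DMZ_IF ip daddr $MAIL_SRV tcp dport { 25, 465, 587, 993 } accept

        # management reaches every segment; nothing initiates connections towards it
        iifname $MGMT_IF accept

        # labs and BYOD: DMZ services and the Internet only, no other internal segment
        iifname { $LAB_IF, $BYOD_IF } oifname $DMZ_IF ip daddr $DNS_SRV  udp dport 53 accept
        iifname { $LAB_IF, $BYOD_IF } oifname $DMZ_IF ip daddr $DNS_SRV  tcp dport 53 accept
        iifname { $LAB_IF, $BYOD_IF } oifname $DMZ_IF ip daddr $WEB_SRV  tcp dport { 80, 443 } accept
        iifname { $LAB_IF, $BYOD_IF } oifname $DMZ_IF ip daddr $MAIL_SRV tcp dport { 587, 993 } accept
        iifname { $LAB_IF, $BYOD_IF } oifname $WAN accept
        # labs may print; printers and IoT devices never start sessions on their own
        iifname $LAB_IF oifname $IOT_IF tcp dport { 631, 9100 } accept

        # DMZ servers may reach the Internet (outgoing mail, updates) but never the inside
        iifname $DMZ_IF oifname $WAN accept
        # anything else, including every new connection into MGMT, LAB, BYOD or IoT, is dropped by policy
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # private segments are translated; the DMZ keeps its public addresses
        oifname $WAN ip saddr { 10.1.10.0/24, 10.1.20.0/24, 10.1.30.0/24, 10.1.40.0/24 } masquerade
    }
}
```

The ruleset is loaded with `nft -f` and reviewed with `nft list ruleset`. The design choice worth noting is that the default policy of the forward chain is `drop`, so every segment is isolated unless a rule explicitly opens a path; the BYOD and IoT segments in particular never receive a rule that lets them start connections into management or the laboratories.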
Firewalls
Firewalls provide protection against outside attackers by shielding your computer or network from malicious or unnecessary network traffic. Firewalls can also prevent malicious software from accessing a computer or network via the Internet. Firewalls can be configured to block data from certain locations, applications or ports while allowing relevant and necessary data through.
Firewalls require trained professionals to support their configuration and maintenance. Most firewall products come preconfigured and ready to use. Since each firewall is different, you will need to read and understand the documentation that comes with it to determine whether the default firewall settings are sufficient for your needs.
Firewalls do not guarantee that your computer will not be attacked. Firewalls primarily help protect against malicious traffic, not against malicious programs (i.e., malware), and may not protect you if you accidentally install or run malware on your computer. However, using a firewall in conjunction with other protective measures (e.g., anti-virus software and safe computing practices) will strengthen your resistance to attacks.
System Hardening
Define and implement standard configurations and system hardening policies:
- Uninstall unnecessary software
- Disable unnecessary services
- Share only necessary hardware resources and protect them
- Prevent changes to the configuration or installation of software
- Correct default software and hardware configurations (many products are preconfigured too openly)
- Configure clients and servers to use only encrypted protocols: SSH, HTTPS, IMAP and SMTP over SSL/TLS
- Install antivirus software locally (verify automatic update)
- Install a firewall and Intrusion Prevention System (IPS) locally
- Install a Web Application Firewall (WAF) on the web server
- Disable automatic execution of contents when connecting removable devices
- Disable automatic execution of dynamic contents (e.g. macros) in files
- Turn off automatic opening of emails
- Disable automatic preview of file contents
- Before connecting a new device to the network, replace default administrative credentials with safe values
Up2U IAM solutions
Up2U has sought to provide solutions that allow users to manage their identities on the platforms available from the project.
To access Up2U services, go to the platform link https://learn.up2university.eu/?redirect=0 and access the login page. On the login page (https://bit.ly/2OrVuw8) you will find all the following authentication methods: eduGAIN, local registration and authentication via social networks.
WHAT IS A DIGITAL IDENTITY?
Digital identity is the virtual representation of a real identity that can be used during electronic interactions with people or machines.
What are authentication and authorisation?
Authentication
Authentication is the first mechanism we activate when we want to log in to an environment, by providing information that uniquely identifies us (our credentials).
Authorisation
Authorisation is the second mechanism that is activated, once the authentication procedure is successful. It is a check carried out by the service we want to access, based on the information we previously provided.
Single Sign-On (SSO)
Single sign-on (SSO) is the mechanism by which, within an organisation, a user can use the same credentials to access multiple services because there is a single infrastructure managing digital identities.
When does digital identity become federated?
Digital identity becomes federated when the single sign-on mechanism is extended beyond its native organisation and gives access to a multitude of services provided by different organisations. Therefore, a user can access services and resources of all the federated organisations without changing the credentials he/she uses within his/her home organisation.
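The four ideas above (authentication, authorisation, SSO and federation) are easiest to tell apart in running code. The miniature below is an added example written for this guide, not code from the Up2U platform or from eduGAIN: the two organisations, their users, the shared secrets and the three services are constructed, and the assertion is a JSON payload signed with HMAC-SHA256, standing in for a real SAML assertion or OpenID Connect token. One login at the home identity provider opens every federated service (SSO across organisations), while each service still decides on its own what the authenticated user may do (authorisation).

```python
"""Authentication, authorisation, single sign-on and federation in miniature.

Added example, not code from the Up2U platform. The identity providers, users,
keys and services are constructed; the assertion is a JSON payload signed with
HMAC-SHA256, standing in for a real SAML assertion or OIDC token.
"""
import base64
import hashlib
import hmac
import json
import time


def _pwd_hash(password):
    return hashlib.sha256(password.encode()).hexdigest()


class IdentityProvider:
    """Authenticates the users of one organisation and issues signed assertions."""

    def __init__(self, name, secret, users):
        self.name, self.secret = name, secret
        self.users = users  # username -> (password hash, attributes)

    def authenticate(self, username, password):
        """Authentication: check the credentials; return a signed assertion or None."""
        record = self.users.get(username)
        if record is None or not hmac.compare_digest(record[0], _pwd_hash(password)):
            return None
        claims = {"idp": self.name, "sub": username, "attrs": record[1], "exp": time.time() + 300}
        payload = json.dumps(claims, sort_keys=True).encode()
        signature = hmac.new(self.secret, payload, hashlib.sha256).digest()
        return base64.b64encode(payload).decode() + "." + base64.b64encode(signature).decode()


class Service:
    """A service provider: accepts assertions from federated IdPs, then authorises."""

    def __init__(self, name, trusted_idps, policy):
        self.name = name
        self.trusted = trusted_idps  # idp name -> shared secret (the federation's trust list)
        self.policy = policy         # role -> access level granted by this service

    def access(self, assertion):
        """Return (granted, detail). Signature check = authentication, policy lookup = authorisation."""
        try:
            payload_b64, sig_b64 = assertion.split(".")
            payload = base64.b64decode(payload_b64)
            signature = base64.b64decode(sig_b64)
            claims = json.loads(payload)
        except (ValueError, TypeError):
            return (False, "malformed assertion")
        secret = self.trusted.get(claims.get("idp"))
        if secret is None:
            return (False, "issuer not federated")
        if not hmac.compare_digest(hmac.new(secret, payload, hashlib.sha256).digest(), signature):
            return (False, "bad signature")
        if claims.get("exp", 0) < time.time():
            return (False, "assertion expired")
        role = claims.get("attrs", {}).get("role")
        if role not in self.policy:
            return (False, f"not authorised for role {role}")
        return (True, self.policy[role])


# Constructed organisations: a school and a university, each with its own IdP.
SCHOOL_IDP = IdentityProvider("school.example", b"school-idp-secret", {
    "anna": (_pwd_hash("correct horse battery staple"), {"role": "teacher"}),
    "luca": (_pwd_hash("another long random passphrase"), {"role": "student"}),
})
UNI_IDP = IdentityProvider("uni.example", b"uni-idp-secret", {
    "prof": (_pwd_hash("yet another long passphrase"), {"role": "teacher"}),
})

# Federation: both services trust both IdPs, so one home login (SSO) opens every
# service, while each service keeps its own authorisation policy.
FEDERATION = {"school.example": b"school-idp-secret", "uni.example": b"uni-idp-secret"}
LMS = Service("lms", FEDERATION, {"teacher": "edit courses", "student": "view courses"})
GRADEBOOK = Service("gradebook", FEDERATION, {"teacher": "edit grades"})
NON_FEDERATED = Service("outsider", {"school.example": b"school-idp-secret"}, {"teacher": "edit"})


def tamper_role(assertion, new_role):
    """Negative test: change the role claim but keep the old signature; verification must fail."""
    payload_b64, sig_b64 = assertion.split(".")
    claims = json.loads(base64.b64decode(payload_b64))
    claims["attrs"]["role"] = new_role
    return base64.b64encode(json.dumps(claims, sort_keys=True).encode()).decode() + "." + sig_b64


if __name__ == "__main__":
    token = SCHOOL_IDP.authenticate("anna", "correct horse battery staple")
    for service in (LMS, GRADEBOOK, NON_FEDERATED):
        print(service.name, service.access(token))
```

The service never sees the user's password: it only checks that the assertion was signed by an identity provider on its trust list, which is exactly what a federation such as eduGAIN provides at scale, and the tampering test shows why the signature check must come before any attribute is trusted.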
Authentication with single sign-on (SSO)
Authentication is the process by which a user provides information that uniquely identifies themselves (their credentials). Authorisation is the mechanism by which a system determines what level of access a particular authenticated user should have to secured resources controlled by the system.
eduGAIN
The eduGAIN service interconnects academic identity federations around the world, enabling the trustworthy exchange of information related to identity, authentication and authorisation. eduGAIN helps students, researchers and educators access online services while minimising the number of accounts users and service providers have to manage – reducing costs, complexity and security risks. eduGAIN is used for giving access to the Up2U ecosystem to all academic and NREN users of the project.
Local registration
Up2U affords users without an identity provider (IdP) the chance to become a “member” of the Next-Generation Digital Learning Environment (NGDLE). The Up2U WebSSO front end provides a local user registration option.
Authentication via social networks
Social Network Login is single sign-on for end users. Using existing login information from a social network provider such as Facebook, Twitter, or Google, the user can sign in to a third-party website instead of creating a new account specifically for that website. This simplifies registrations and logins for end users.
All channels are managed by a Lightweight Directory Access Protocol (LDAP) layer. LDAP user authentication is the process of validating a username and password combination with a directory server. LDAP directories are standard technology for storing user, group and permission information.
CYBER-SECURITY TIPS FOR STUDENTS
- Use anti-virus software.
- Don’t open emails, messages or attachments from unknown sources. Be suspicious of any emails, messages or attachments that are unexpected, even if they come from a known source.
- Protect your device from Internet intruders.
- Regularly download security updates and patches for operating systems and other software.
- Use hard-to-guess passwords. Mix upper case, lower case, numbers and other characters not easily found in the dictionary. Make sure your password is at least twelve characters long.
- Back up your data on disks or cloud storage regularly.
- Don’t share access to your device with strangers.
- Learn about file-sharing risks.
- Disconnect from the Internet when you’re not using it.
- Check your security on a regular basis.
- Make sure you know what to do if a device or system is believed to be infected or corrupted.
10 tips on BYOD
1. Use encryption to protect your data (Settings -> Security -> Encrypt device), even if you are going to reset the smartphone.
2. Do not install software from untrustworthy markets. (Trusted markets are, e.g.: Google Play, Apple’s App Store, Amazon’s Appstore for Android.) Check and understand application permissions.
3. Wipe your data remotely if the device is lost or stolen (Google Android Device Manager, Lost Android, Anti-Theft, Cerberus, etc.) and pay attention to the data on your dismissed devices.
4. Use a passcode or password to protect the device. It is a bit cumbersome but it is certainly safe. A good password would be the best, but at least use a non-trivial sequence.
5. Turn on Bluetooth only when needed.
6. Avoid connecting to unknown wireless networks.
7. Keep all devices updated with the latest firmware version.
8. Back up your data.
9. Avoid storing usernames and passwords on the device or in the browser.
10. Do not jailbreak or root the device (jailbreaking or rooting a device are processes that remove the platform’s restrictions, allowing users to install any applications from any market, install a modified operating system, and have administrative user permissions).
What is GDPR?
The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU). GDPR came into effect across the European Union on May 25 2018, replacing the Data Protection Directive 95/46/EC, aiming at:
- harmonising data privacy laws across Europe
- protecting and empowering data privacy of all EU citizens
- redesigning the way organisations across the region approach data privacy
Who does GDPR apply to?
It applies to those who process personal data. More exactly, it applies to those who “determine the purpose and means of processing of personal data” (Article 4 paragraph 7). The processing of personal data must take place in compliance with the principles and the rules established by the GDPR.
In the Up2U project, the purposes and the means by which the personal data are processed are determined by the partners in the project in accordance with the contents of the Grant Agreement and the Up2U Consortium Agreement.
Therefore, in Up2U, the Data Controller is the group of participants in the project, who have issued a regulation on their respective obligations and responsibilities, signing a specific agreement (Joint Controller Agreement).
HOW GDPR APPLIES TO SCHOOLS INVOLVED IN THE Up2U PROJECT
GDPR compliance of the Up2U project
If your school joins the Up2U project, personal data coming from teachers, school staff and students (data subjects) using our tools and ICT services will be controlled and processed by Up2U.
No actions are required by pilot schools in order to be compliant with GDPR inside the Up2U project, as the schools do not process personal data, do not collect any data, and do not determine the purposes and means of the processing of personal data inside the Up2U project.
The pilot schools are informed through the Memorandum of Understanding (MoU) about the foreseen activities of the Up2U project, in order to verify that the project’s actions correspond with the mission of the school.
The Data Controller is the group of Up2U partners who have to sign a Joint Controller Agreement, which serves to regulate the respective tasks, the internal relationships between the joint Data Controllers and the management of the activities towards the data subjects and the authority. The contact person for the rights of data subjects is, in compliance with Art. 26, the “Contact Point”, represented by the GÉANT Association.
The processing of personal data will start on the occasion of access to the Next-Generation Digital Learning Environment (NGDLE) platform and will end at the end of the Project.
OER GUIDELINES
“Roadmap” for the use of OER
Step 1: Choose a Creative Commons Licence to License the OER
In order to choose a CC licence for a learning object such as an OER, or for any other work or creation, you should be able to answer four questions:
- Do you agree that other people could copy and distribute your contents without any kind of permission?
- Do you agree that other people could edit and adapt the contents when they use them?
- Do you mind other people making money out of your contents?
- If you allow modifications to your work, would you like the new content to carry the same licence that you chose?
CC has an online service that can help identify the appropriate licence, based on answering those basic questions.
Step 2: Search for Basic Objects with a Compatible Licence
There are six different Licences of Use and each bears special conditions. Selecting resources is a matter of finding those with a Licence of Use compatible with the one you are going to use, so that they can be integrated as a Business Object (BO) in your Learning Object (LO). A compatibility chart is provided.
Step 3: Acknowledge the Resources Used
It is important to acknowledge the resources used in your Learning Object.
A useful acronym to remember, to help ensure you make a correct attribution of each resource, is “TYAOL”, which points to the five aspects to cite:
- TITLE: The name or title of the work.
- YEAR: The date the work was published.
- AUTHOR: The name of the work’s creator.
- ORIGIN: Where the work can be found.
- LICENCE: How the work can be used.
https://en.wikipedia.org/wiki/Creative_Commons_license
It is important to understand the compatibility among the permissions and conditions of the six CC licences in order not to override the wishes of the authors of the works you use.
Step 4: Define the Metadata
When you publish your own resource, the service where it will be published should include and relate it to the same basic information – also known as the metadata or descriptive signature – that you use to attribute or cite the work of another person. In short, remember the acronym TYAOL and make sure the information is clearly visible so that other people can make the correct attribution to your work.
Additionally, it is advisable to include:
- Entity(ies): Evaluate in each case the need to also associate data such as the entity, institution or organisation that supports the production process, and the respective collaborators.
- Contact: Provide contact details, e.g. an email address that you check frequently, so that someone who is interested in your resource can communicate with you.
In the case of a Learning Object, it is suggested that the material includes a page or credit space where the metadata is incorporated. Thus, even when the material is moved from the original publication site, it will retain the data needed for proper acknowledgement and recognition.
Step 5: Publish or Distribute the Work
The last step in building your OER is to publish or distribute it, to make it available to your students and to other potential users as well.
There are different mechanisms for sharing digital information, for example, sending the file by email or uploading it to a social network for students to download and view on their devices. The effectiveness of these methods is proven. However, the Up2U platform provides another way to share these resources online that:
- Saves time. If you publish the OER in a single site, you only need to indicate the link or address for anyone to access it from any device, either to view it or download it.
- Potentially expands the audience. Potentially increases the number of users and their access to the resource, especially considering that this is the intention when licensing with CC.
- Makes it easy to view. Enables a direct and immediate visualisation of the OER without downloading.
- Ensures best practices are followed for the publication and distribution of information, through the use of forms.
Up2U offers a range of web services that work as repositories of content to share, and which include forms that prompt completing fields such as:
- Title.
- Description.
- Category.
- Tags or keywords.
- Language.
Suitable services for publishing OERs include those used to search for information, for example:
- For images, audio, video: DSpace.
- For text: blogs, websites.
- For sharing a folder: a cloud service such as CERNBox.
Up2U Tools to Create and Reuse OERs
A selection of tools in the Up2U ecosystem that enable the creation and management of OERs is shown below.
Moodle
Web: https://moodle.org/
Up2U platform: https://learn.up2university.eu/
Tutorial: https://docs.moodle.org/22/en/Moodle_video_tutorials
H5P
Web: https://h5p.org/
Tutorial: https://h5p.org/documentation
Examples: https://h5p.org/content-types-and-applications
Knockplop
Web: https://github.com/so010/knockplop
Tutorial: https://up2university.eu/2018/01/18/knockplop/
SeLCont
Web: https://github.com/netmode/selcont
Tutorial: http://www.netmode.ntua.gr/main/index.php?option=com_content&view=article&id=142&Itemid=9