What organizational and technical measures are appropriate in assessment delivery?

Posted by John Kleeman

One of the key responsibilities of an assessment sponsor acting as data controller under European Law is to implement appropriate technical and organizational measures to protect personal data.  But what does appropriate mean?

And when you contract with a data processor to deliver assessments, you must ensure that the processor implements appropriate measures. But again what does appropriate mean?

This is not just an academic question. A UK organization was fined £150,000 in 2013 for failing to protect personal data, with the regulator commenting that a key reason for the fine was “… the data controller has failed to take appropriate technical measures against the loss of personal data”.

The measures to use will depend on the risk to the data and to the assessment participant. But here are some measures to consider. They are all met by Questionmark if you delegate service delivery to Questionmark – though some also need action by you:

For more information, you can download a complimentary version of the white paper: Responsibilities of a Data Controller When Assessing Knowledge, Skills and Abilities [requires registration]

| Measure | Questionmark OnDemand? | Your system? |
|---|---|---|
| **Premises access control** | | |
| Data center certified against ISO 27001 or SSAE 16 | Yes | |
| Two-factor authentication for staff and visitors | Yes | |
| 24/7/365 personnel intrusion alarms | Yes | |
| 24/7/365 monitored digital surveillance cameras | Yes | |
| 24/7/365 security team on site at all times | Yes | |
| Strong physical security in nondescript building to aid anonymity | Yes | |
| **System controls** | | |
| Well configured firewalls in each tier | Yes | |
| Intrusion Detection System or Intrusion Prevention System | Yes | |
| Secure software development approach following best practices | Yes | |
| Comprehensive anti-virus measures | Yes | |
| Regular third party penetration testing | Yes | |
| Regularly updated system and application software | Yes | |
| 24/7/365 network monitoring | Yes | |
| **Data access control (authentication and authorization)** | | |
| Individual, unique high strength passwords for all users (you need to action) | Yes | |
| Users can easily be deleted when they leave an organization (you need to action) | Yes | |
| Store administrator passwords in encrypted form | Yes | |
| Administrators can be given access to only functions/data needed (you need to configure) | Yes | |
| Participant login & identity can be confirmed by monitors/proctors (you need to configure) | Yes | |
| **Data transmission control** | | |
| All participant access via well configured SSL/TLS | Yes | |
| All administrator access to results via well configured SSL/TLS | Yes | |
| Any data copied for troubleshooting purposes strongly encrypted | Yes | |
| No need to send data physically – all data transmitted electronically | Yes | |
| **Data entry control (keeping track of who does what)** | | |
| Able to present participant with information & record consent (you need to action) | Yes | |
| Participant answers cannot be changed except with authority | Yes | |
| Participant submissions recorded with time-stamp | Yes | |
| Differential privileges for administrators, control over system functions (you need to configure) | Yes | |
| Log important activities by administrators and other users | Yes | |
| **Contractual control** | | |
| Have data protection compliant contracts with processors | Yes | |
| Processing only performed on instructions from Data Controller | Yes | |
| Logical or physical separation of data from different customers | Yes | |
| **Availability controls (protecting against unauthorized destruction or loss)** | | |
| Power supply redundancy, UPSs and onsite generators | Yes | |
| N+1 or 2N redundancy on all hardware and Internet connections | Yes | |
| Backup of all assessment data to offsite location | Yes | |
| Backup assessment results frequently (e.g. hourly) to avoid losing data | Yes | |
| Regular restore tests of such backups | Yes | |
| Save participant answers “as you go” on server during test-taking | Yes | |
| Tested, current service continuity plan in place in event of disasters | Yes | |
| 24/7/365 environment monitoring | Yes | |
| **Organizational measures** (These are all met by Questionmark; you will also have to follow these yourselves.) | | |
| Designate a data protection officer | Yes | |
| Personnel have written commitment to confidentiality | Yes | |
| Background checks on new employees | Yes | |
| Regular training of employees on data security | Yes | |
| Regular testing of personnel on data security to check understanding | Yes | |
| Faulty or end of life disks degaussed or otherwise safely destroyed | Yes | |

I hope this helps you work out what measures might be appropriate for your needs. If you want to learn more, then please read our free-to-download white paper: Responsibilities of a Data Controller When Assessing Knowledge, Skills and Abilities [requires registration].

If you are interested in seeing if Questionmark OnDemand could meet your needs, see here for more information.