13 Scary Questions to Ask your Assessment Cloud Provider
Posted by John Kleeman
As it's Halloween, I thought you might enjoy learning about 13 questions that might scare your Assessment Cloud provider.
With increasing use of Cloud systems like Google Docs, Microsoft’s Office 365, and Amazon, and with enterprise software giants like Oracle and SAP offering OnDemand services, many organizations that previously managed IT internally are delegating the running of servers. A Cloud service can save you money, and allow you to focus on core business and user issues, by letting someone else deal with the technology.
Secure and scalable Assessment Clouds are the next wave of tools available that help organizations to measure knowledge, skills, and attitudes securely for certification, regulatory compliance and successful learning outcomes.
As you consider moving your assessments to a Cloud, you need to ensure your provider is offering the best possible service, security and data protection. You want a provider who is fully invested in giving strong security, scalability, elasticity and robustness, not just someone running a server under a desk! Exam security has different challenges and demands to other kinds of IT due to the confidentiality of personally identifiable information, questions and results, so you need to make sure that the system you use is safe and secure.
Here are 13 questions that might scare the less professional Assessment Cloud providers in the marketplace:
1. Do you host assessments in a well-established Data Center, certified to SAS 70 Type II, SSAE 16 Type II or ISO 27001?
2. Does your Data Center have multiple connections to the power grid with onsite generators with at least 24 hours fuel onsite in case of power outages?
3. Does your Data Center have multiple, fast Internet links so that if one goes down, connectivity remains?
4. Is every server in the system load balanced and does every component have redundancy, so that if any one system fails, another can take over?
5. Is browser access to assessments and administration protected by SSL (or TLS) to 128 bits or higher, so that assessment data and results cannot be intercepted on the Internet?
6. Do you follow industry good practice in software development to reduce surface areas of attack and protect against security vulnerabilities? Common methodologies to work with are called STRIDE and DREAD.
7. Do you have separate development/integration areas and staging areas to test on before deploying to production?
8. Do you have a data security policy for your employees who run the service to ensure that they maintain the secrecy of customer data? Does the policy include confidentiality agreements, background checks on employees, regular training, and regular testing of employees to check that they understand data security?
9. Can I see real-time information on the current status and uptime, and access statistics from round the world? See status.questionmark.com for an example of what you might look for from a provider.
10. Is the service monitored and run 24/7 at Data Center, network, hardware and application level, so that problems out of hours will be fixed?
11. Are results data backed up safely at least once an hour, so that in the event of a catastrophe, you should never lose more than an hour’s worth of data?
12. What access might government agencies have to data of foreign nationals and are your systems Safe Harbour Certified?
13. What track record do you have for being a trustworthy provider, with references and case studies to back your claims up?
The answers to these questions for Questionmark’s OnDemand Service are all yes. If you want to find out more, read more details in our new white paper, Security of Questionmark’s OnDemand Service available here.