Single sign-on: secure and easy access

Posted by Bart Hendrickx

It’s Tuesday morning. You have just started your computer. Now it’s time to open your day-to-day tools: email, chat/phone, tasks and so on. As you go through your tasks, you realize you need to take that data security test you’ve been postponing.

Every day, you interact with various applications. Some are installed on your personal computer, others on servers managed either by your organization or by vendors. Your applications might come from a multitude of service providers, in-house or on the Cloud.

For many of those applications, you need to authenticate—to tell the applications who you are—so that the app can present the information that pertains to you. Sometimes this happens automatically. When your email client connects to the mail server, you read your emails, not those of your co-workers. Your email client has authenticated you against your mail server because you entered a username or email address, a password and some other data, way back when.

You often need to use different sign-ins for different apps. When you log in to your Questionmark OnDemand portal, for instance, you enter a different username and password than the one you used to unlock your computer earlier today. (Your organization’s data security policy does not allow you to store your organizational password in other systems.)

Want to learn more? I’ll be discussing this topic and more at the Questionmark Conference 2016 in Miami, April 12-15. Register before March 3 to take advantage of our final early-bird discounts.

Problem: Unrecognized username or password

You’ve logged in for your exam, but you get an error message. Maybe you mistyped the password? Second try. Nope; same results. You must have forgotten your password. You start an instant message window with your internal IT help desk. “Sorry, we don’t manage Questionmark OnDemand. Can you use its password reset function?”

You go back to your Questionmark login page, get a secure one-time login and establish a new, permanent password that complies with the data security policy — “I better not forget my password this time,” you say to yourself as you finally start your data security test. “Isn’t there something more convenient?”

Solution: Single sign-on

We all find ourselves in similar situations, but with Single sign-on (SSO) we can avoid them.

Since there are several definitions of SSO, here’s how I’ll define it in the context of this blog:

Single Sign-On (SSO) for software is the ability for one application, the identity provider, to tell another application, the service provider, who you are.

By identity provider, I mean a system that contains digital identity information—also known as people data—on users. For example, think of social network sites or Active Directory from Microsoft.

The service provider is the system that users work with to do something—say Questionmark OnDemand, in the case of your data security test.

With SSO, a user does not log on directly to the service provider. Instead, they log on to an identity provider, which then tells the service provider who the user is. The identity provider and service provider have been configured to trust each other. So when the identity provider says: “This is Jane Doe,” the service provider will trust and accept that.

It is important to note that SSO is therefore not about creating accounts with the same usernames and passwords—a prevalent mechanism for different service providers. SSO is about making those service providers accept what an identity provider says about a user.

Why SSO?

SSO comes with several advantages. Users can access all applications that are linked to their identity providers—using one username and password for multiple systems. Depending on the capabilities of the applications and how things have been set up, the authentication can be seamless. You might log on to your identity provider when you start your computer, and the other applications (service providers) you access during the day will automatically check with your identity provider without you having to enter your username and password again.

SSO makes password management easier for IT administrators. Having an employee leave an organization might mean having to decommission access to dozens of service providers. If the authentication to those service providers has been set up with SSO, then an IT administrator only needs to decommission the employee’s identity provider account. Without that account, the employee can no longer log on to any of the linked applications.

There is one disadvantage to SSO: If the account at the identity provider is hacked, all linked applications can be compromised. It is therefore imperative that the account is properly secured. How can you set up SSO to ensure its security and effectiveness? Watch for more posts on this subject, which will include information about our newly added support for a popular technique called SAML.
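To make the trust relationship concrete, here is an added toy model (example code, not Questionmark’s implementation and not SAML): an identity provider issues signed assertions, a service provider accepts only assertions signed by an issuer it has been configured to trust, and deactivating the single identity-provider account blocks access to every linked service. The HMAC-based assertion format, the claim names and the account store are all assumptions made for the example.

```python
import base64, hashlib, hmac, json, time

class IdentityProvider:
    """Holds the accounts and a signing key; issues signed assertions about who a user is."""
    def __init__(self, name, signing_key):
        self.name, self._key, self.accounts = name, signing_key, {}

    def add_user(self, username, password):
        # Toy store for the example: a real identity provider keeps salted password hashes.
        self.accounts[username] = {"password": password, "active": True}

    def deactivate(self, username):
        # Decommissioning this one account cuts off every service provider that trusts us.
        self.accounts[username]["active"] = False

    def authenticate(self, username, password, audience, ttl=300):
        """Return a signed assertion addressed to `audience`, or None if the login is refused."""
        acct = self.accounts.get(username)
        if not acct or not acct["active"] or not hmac.compare_digest(acct["password"], password):
            return None
        claims = {"iss": self.name, "sub": username, "aud": audience, "exp": int(time.time()) + ttl}
        payload = json.dumps(claims, sort_keys=True).encode()
        sig = hmac.new(self._key, payload, hashlib.sha256).hexdigest()
        return base64.b64encode(payload).decode() + "." + sig

class ServiceProvider:
    """Stores no password for the user; accepts whatever a trusted identity provider asserts."""
    def __init__(self, name, trusted_idps):
        self.name, self.trusted = name, trusted_idps  # issuer name -> shared signing key

    def accept(self, assertion, now=None):
        """Return the asserted username, or None if the assertion is not trustworthy."""
        try:
            b64, sig = assertion.split(".")
            payload = base64.b64decode(b64, validate=True)
            claims = json.loads(payload)
        except (AttributeError, ValueError, TypeError):
            return None  # missing or malformed assertion
        if not isinstance(claims, dict):
            return None
        key = self.trusted.get(claims.get("iss"))  # unknown issuer: nothing to verify against
        if key is None:
            return None
        expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return None  # forged or tampered assertion
        if claims.get("aud") != self.name or claims.get("exp", 0) < (now or time.time()):
            return None  # meant for another service, or replayed after expiry
        return claims["sub"]
```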

If you would like to learn more, attend my session: Secure Authentication: Accessing Questionmark OnDemand with SSO at the Questionmark Conference 2016, April 12-15. Register before March 3 to take advantage of our final early-bird discounts.

Learn from your Peers: Case studies and PInG Sessions in Miami

Posted by Julie Delazyn

Questionmark Conference 2016 is the place to be for vital info and training on the latest assessment technologies and best practices. It is the event that will give you the tools you need to take your assessments to the next level, while allowing you to harness the power of your results. On top of that, the conference provides an opportunity to network and learn from your peers!

Register by March 3rd for your final chance to save on early-bird discounts.

Case Studies:

Hear experienced Questionmark users share their challenges, solutions and lessons learned in the Assessments in Practice sessions.

Attend the case studies that interest you!

  • The Case for Test Security Planning — Jamie Mulkey, Caveon
  • Creating a Global Knowledge and Skills Assessment Program for Amazon Sellers — ​Jason Sunseri, Amazon
  • Level up! Getting the right level of test security for your tests — Jamie Mulkey, Caveon and Rachel Schoenig, ACT
  • ​Safety in the Utilities Industry: Why Assessments Matter — Wendy Lau, Psychometrician, Pacific Gas and Electric Company
  • ​Creating an Assessment-based Culture at The Hartford — Jim Swan and Jim Laury, The Hartford
  • Busting the Objective Assessment Myth with Questionmark: The UFS case — Anneri Meintjes, Assessment Coordinator, University of the Free State, South Africa
  • ​Certification and Compliance Testing: Developing defensible assessments for a diverse clientele — Glen R. Budgell and Emrah Eren, Human Resource Systems Group (HRSG)

PInG Sessions:

We’re very excited to introduce our newest Product Interest Groups (PInG), which provide an opportunity for some quality time with people who know Questionmark technologies from the inside out as well as fellow users working in the same functional area as you.

Attend the PInG Sessions that interest you!

  • Authoring/Item Banking PInG
  • Delivery/Participant Experience PInG
  • Reporting and Analytics PInG
  • People/User Management PInG
  • Integration/Single-sign-on/APIs PInG

Register by March 3rd for your final chance to save on early-bird discounts.

Learn More:

See the full agenda
Book your hotel room
Register today and save!

We look forward to seeing you in Miami, April 12-15!

Will testing employees reduce fines for compliance errors?

Posted by John Kleeman

If a bank faces a fine of millions for money laundering and then can prove, defensibly, that the ‘accused’ had passed competency tests, would that reduce or eliminate the fine? More generally, suppose employees do something wrong and the corporation is facing a regulatory fine. Does it make a difference if those employees were certified? Is it a defence against regulatory action that you took all the measures you could to prevent error?

We are asked this question from time to time, and the answer varies considerably by regulator and by offence. But in general having competent/certified people and good compliant processes will reduce the impact to the corporation of making a compliance mistake. In some cases it might eliminate a fine, but usually not.

Here are three specific examples where a good compliance program can reduce or eliminate fines.

Prosecutors should therefore attempt to determine whether a corporation’s compliance program is merely a “paper program” or whether it was designed, implemented, reviewed … in an effective manner. In addition, prosecutors should determine whether the corporation has provided for a staff sufficient to audit, document, analyze, and utilize the results of the corporation’s compliance efforts. Prosecutors also should determine whether the corporation’s employees are adequately informed about the compliance program and are convinced of the corporation’s commitment to it. This will enable the prosecutor to make an informed decision as to whether the corporation has adopted and implemented a truly effective compliance program that … may result in a decision to charge only the corporation’s employees and agents or to mitigate charges or sanctions against the corporation.

  • The UK Ministry of Justice guidance on the Bribery Act recommends communication and training around bribery and says that “it is a full defence for an organisation to prove that despite a particular case of bribery it nevertheless had adequate procedures in place to prevent persons associated with it from bribing.”
  • Similarly, in Spain, the Spanish criminal code has been updated so that companies may avoid criminal prosecution if they have an effective compliance program in effect including evidence that employees have had sufficient training in the compliance program.

Graph: Fines rising to over one billion pounds in 2014 and nearly one billion pounds in 2015

In general, the issue is more diffuse. For example, the UK Financial Conduct Authority, which has issued many huge fines over the years (see graph right), does not seem to explicitly reduce fines based on compliance measures.

But its Penalties Manual does say that fines should be increased if the actions are deliberate or reckless or if the breach resulted from systematic weaknesses in the firm’s procedures. Equally, if the breach was inadvertent and there is no evidence that the breach indicates a widespread problem or weakness, the fine might be lower.

So how best to summarize this?

The biggest benefit of a programme for competency testing for employees is that, in conjunction with other compliance measures, it will reduce the chances of an infraction in the first place.

Having certified or competent people is not a “get out of jail free” card but if part of a professional compliance programme, it will help with many regulators in mitigating financial penalties after an infraction.

Next Gen Authoring & Intro to Questionmark – don’t miss these webinars!

Posted by Julie Delazyn

Helping our customers understand how to use assessments effectively is as important to us as providing good testing and assessment technologies.

Our free, one-hour web seminars give you the opportunity to find out what’s happening in the world of online assessment and consider which tools and technologies would be most useful to you. Here’s the current line-up:

Authoring Questions and Assessments with Questionmark OnDemand

This 45-minute webinar demonstrates the “next generation” authoring tool in Questionmark OnDemand. The session will show the basics of authoring items and then organizing them into assessments.

Introduction to Questionmark’s Assessment Management System

Learn the basics of authoring, delivering and reporting on surveys, quizzes, tests and exams. This introductory web seminar explains and demonstrates key Questionmark features and functions.

If you’ve been waiting for a webinar in Portuguese, you don’t want to miss this one:

How to use the Questionmark assessment platform in compliance with RDC nº 17 of 2010

An introduction to management technologies for measuring the knowledge and skills of your team while meeting ANVISA compliance requirements, using the solutions of Questionmark’s OnDemand assessment platform.

Click here to choose your complimentary webinar and register online. And if you have any questions, don’t hesitate to reach out to us!


Role-Based Permissions: A How-To Guide (Part 2)

Posted by Bart Hendrickx

In my previous post on this subject (How-To Guide Part 1), I described a situation where managing permissions in the classic version of Questionmark Enterprise Manager can quickly turn into a complicated task. The new version of Questionmark, which we are starting to roll out to Questionmark OnDemand customers, offers a more efficient approach: managing permissions based on the tenets of role-based access control.

Interested in learning more about role-based permissions? Drop in on my session on this topic at Questionmark Conference 2016. Register before March 3 to take advantage of our final early-bird discounts.

The principle of role-based access control is that you use roles to define what users can do in the system. You are free to choose what a role is in your organization. You can tie it to a job title and create a role such as Learning and Development Specialist. You can map it to a role on a project team (e.g. the role of setting up a project for an employee satisfaction survey) and create a role like Project Owner. Or you can use any of the default roles that ship with the new version of Questionmark OnDemand, such as Admin and Reporter.

Roles contain permissions. For example, the Reporter role contains a set of permissions to run all reports on all results. When you add that role to a user, that user inherits those permissions. So far, this is similar to how profiles work in the classic version of Questionmark.

The power of the new role-based access control system becomes obvious when you want to give more roles to a user. In the classic version of Questionmark, you can assign only one profile to a user. In the new version, you can assign multiple roles to a user. Do you have a role for creating test items and another one for running reports, and do you have a user who will take on both roles? No problem: assign both roles to the user.

Another advantage of the new role-based access control system is that you can change the permissions of a role, which will automatically trickle down to all users who have that role. Do you want to remove the permission to run a Grade Book report from all users who have the Reporter role? Remove the permission from the Reporter role and you are done.

To ensure there are no loopholes, the new version of Questionmark OnDemand makes it impossible to assign permissions directly to users. Instead, all permissions will be granted within roles.
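The following is an added example of the model described in this post (example code, not Questionmark’s implementation): permissions live only in roles, a user may hold several roles and gets the union of their permissions, and editing a role changes every holder’s effective permissions on the next check. The role and permission names used in the demo are assumptions, not Questionmark’s actual names.

```python
class RoleBasedAccess:
    """Permissions live in roles; users hold roles. There is deliberately no method that
    grants a permission straight to a user, so there is no loophole around the roles."""
    def __init__(self):
        self.roles = {}       # role name -> set of permission names
        self.user_roles = {}  # username  -> set of role names

    def define_role(self, role, permissions):
        self.roles[role] = set(permissions)

    def assign_role(self, user, role):
        if role not in self.roles:
            raise KeyError(f"unknown role: {role}")
        self.user_roles.setdefault(user, set()).add(role)  # a user may hold many roles

    def remove_role(self, user, role):
        self.user_roles.get(user, set()).discard(role)

    def revoke_permission(self, role, permission):
        # Edit the role once; every user holding it loses the permission immediately.
        self.roles[role].discard(permission)

    def effective_permissions(self, user):
        # Computed from the roles at check time rather than copied onto the user,
        # which is what makes role changes trickle down automatically.
        return set().union(*(self.roles[r] for r in self.user_roles.get(user, ())))

    def can(self, user, permission):
        return permission in self.effective_permissions(user)


def build_demo():
    """Constructed scenario; the permission names are assumed for the example."""
    ac = RoleBasedAccess()
    ac.define_role("Reporter", {"report:run_all", "report:grade_book"})
    ac.define_role("Item Author", {"item:create", "item:edit"})
    ac.assign_role("jane", "Item Author")
    ac.assign_role("jane", "Reporter")  # second role: jane gets the union of both
    ac.assign_role("raj", "Reporter")
    return ac
```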

If you are a Questionmark OnDemand user interested in moving to the new version, contact your account manager. And if you are attending Questionmark Conference 2016, April 12-15, feel free to drop in on my session on this topic. Register before March 3 to take advantage of our final early-bird discounts.