Top 5 benefits of permissions

Posted by Bart Hendrickx

We went over role-based access control and its advantages in some of my earlier blog posts:

As I mentioned previously, roles are made up of permissions. Today, I wanted to share 5 of the top benefits permissions have, in particular, Questionmark OnDemand permissions.

1. Keep your authoring content organized

You can use permissions to define where authors are allowed to create content, such as items (questions) and assessments. That enables you to set up a structure for topic folders and assessment folders, and make sure that authors won’t go outside the folders you gave them access to. That in turn helps you to keep your content organized, which benefits your assessment program’s efficiency.

2. Improve your authors’ user experience

Let’s say that all you want your authors to create are multiple choice questions. You can use a permission to that effect. As a consequence, authors will not be able to see other question types, which makes it less confusing to them. Think: I can only see what I can use. That improves their user experience.

3. Improve your reporters’ user experience

Similarly, for several reports, you can define which reports your reporters can run. By doing that, you guide your reporters to the appropriate reports and avoid confusing them with reports they should not be running.

4. Reduce error and fraud

By using permissions judiciously, you can separate duties in your organization. For example, there are permissions to create users, permissions to create assessments and permissions to schedule assessments. You can use those permissions to define that a user who can create other users cannot create assessments and vice versa. Likewise, the user who can schedule assessments cannot create users. That way, you ensure that each user is responsible for a specific part of the process. When the focus is defined, error is reduced. And if multiple users manage the process together, no-one has full power over everything, which makes fraud less likely.

5. Free up time

Finally, you can use permissions to delegate some of your role responsibilities to others. If you are the main admin user of your Questionmark OnDemand environment, you may want to give a colleague the permission to assign the reporter role to users, so that you do not have to do it repeatedly. However, you may not want to give your colleague the permission to edit the exact permissions that reporters have. By delegating the role assignment to your colleague, you remain in control over what a role can do and you get help with managing who can report. That frees up your time.
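The separation of duties in point 4 and the delegation rule in point 5 can be checked mechanically against an export of role assignments. The following is an added example, not Questionmark code: the role names, permission names, users and the `ROLE_OWNER` account are hypothetical, and the data is constructed.

```python
# Added example: all role, permission and user names are hypothetical,
# not Questionmark OnDemand identifiers. Sample data is constructed.
from itertools import chain

ROLES = {  # role -> permissions it grants
    "user_admin": {"create_users"},
    "author": {"create_assessments"},
    "scheduler": {"schedule_assessments"},
    "reporter_delegate": {"assign_reporter_role"},
    "role_designer": {"edit_reporter_permissions"},
}

# Point 4: permission pairs no single account may hold together.
SOD_CONFLICTS = [
    ("create_users", "create_assessments"),
    ("create_users", "schedule_assessments"),
]
# Point 5: a delegate may assign the reporter role but not redefine it.
DELEGATION_CONFLICT = ("assign_reporter_role", "edit_reporter_permissions")
ROLE_OWNER = "main_admin"  # assumed: the one account that keeps both

ASSIGNMENTS = {  # user -> assigned roles
    "main_admin": ["reporter_delegate", "role_designer"],
    "alice": ["author", "scheduler"],
    "bob": ["user_admin", "scheduler"],
    "carol": ["reporter_delegate"],
    "dave": ["reporter_delegate", "role_designer", "author"],
}


def effective_permissions(user, assignments=ASSIGNMENTS, roles=ROLES):
    """Union of the permissions granted by every role the user holds."""
    return set(chain.from_iterable(roles[r] for r in assignments.get(user, [])))


def find_violations(assignments=ASSIGNMENTS, roles=ROLES):
    """Return {user: [conflicting permission pairs]} for offending accounts."""
    violations = {}
    for user in sorted(assignments):
        perms = effective_permissions(user, assignments, roles)
        rules = list(SOD_CONFLICTS)
        if user != ROLE_OWNER:  # the delegation rule binds delegates only
            rules.append(DELEGATION_CONFLICT)
        hits = [pair for pair in rules if set(pair) <= perms]
        if hits:
            violations[user] = hits
    return violations


if __name__ == "__main__":
    for user, pairs in find_violations().items():
        for a, b in pairs:
            print(f"{user}: holds both {a!r} and {b!r}")
```

The check works on effective permissions rather than role names, so a conflict created by combining two individually harmless roles is still reported.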

 

These are my top 5 reasons. If you can think of other benefits, contribute to this list by leaving a comment below. We’d love to see what benefits you’re experiencing.

The Power of Open: Questionmark’s open assessment platform

Posted by Steve Lay

In the beginning there was CVS, then there was SVN and now there’s Git. What am I talking about? These are all source code control systems: systems that are used to store computer source code in a way that preserves the complete version history and provides a full audit trail covering the who, what, when and why of each change.

When we think of open source software we tend to think of the end product: a freely downloadable program that you can run on your computer or even a complete computer operating system in the case of Linux. But to open source developers, open source is about more than this ‘free beer’ model of sharing software. Open source software is shared at the source code level, allowing people to examine the way it works, suggest changes to fix bugs, enhance it or even modify it for their own purposes. Getting the most from sharing source code requires more than just sharing an executable or a zip file of the finished product; open source developers need to open up their source code control systems too.

For years there have been services that provide a cloud-based alternative to hosting your own source code. The SourceForge system enjoyed many years of dominance but more recently its advertising-sponsored model has seen it fall out of favour.

Most new projects are now created on a service called GitHub, which promises free hosting of open source projects on a service funded by paying customers who are developing projects privately on the same platform. The success of GitHub has been phenomenal – Google closed down its own rival service (Google Code) largely because of GitHub’s success. In fact, GitHub is rapidly becoming a ‘unicorn’ with all the associated growing pains. GitHub makes it easy to collaborate on projects too, with its issue tracking system and user-friendly tools for proposing changes (known as ‘pull requests’).

With GitHub as the de facto place to publish and share source code, it makes sense for Questionmark to use it to complement our Open Assessment Platform. We have published source code illustrating how to use our APIs for many years and even publish the complete source to some of our connectors. Publishing this source code helps our customers and partners by providing working examples of how to integrate with our platform, as well as providing complete transparency for our connectors, allowing customers to audit the code before they run it on their own systems. Putting new projects on GitHub means providing sample code in the most transparent and developer-friendly way possible.

Questionmark’s GitHub page lists all the projects we own. For example, when we first brought out our OData APIs we published the sample reportlet code in the OData Reportlet Samples project. You can experiment with these same examples running live in our website’s developer pages.

Recently we’ve gone a step further in opening up our assessment platform. We’ve started publishing our API documentation via GitHub too! Using a new feature of the GitHub platform we’re able to publish the documentation directly from the source control system itself. That means you always get access to the latest documentation.

Opening up our API documentation in this way makes it easier for developers to engage with our platform. Why not check out the documentation project? If you’re already a GitHub user you could ‘watch’ it to get notified when we make changes. You can even submit issues or send us ‘pull requests’ if you have suggestions for improvement.

How online assessments (quizzes, tests and exams) can help information security awareness and compliance

Posted by John Kleeman

With the rise of data security leakages, most professional organizations are seeking to significantly upscale their cybersecurity to better protect their organization from information security risks. I see an increasing use of online assessments helping information security and thought I’d provide some pointers about this.

There are three main ways in which online quizzes, tests, exams and surveys can aid information security:

  • Testing personnel to check understanding of security awareness and security policies
  • Ensuring and documenting that personnel in security roles are competent
  • Helping measure success against security objectives

Testing on security awareness and knowledge of policies

A cornerstone of good practice in security is training in security awareness. For example, the widely respected NIST 800-53 publication recommends that organizations provide general-purpose and role-based training to personnel as part of initial training and periodically thereafter. If you follow NIST standards, NIST control AT-4 also requires that all security training be documented and records retained.

There is widespread evidence that delivering an assessment is the best way of documenting that training took place, because it doesn’t just document attendance but also understanding of the training. For more explanation, see the Questionmark blog post Proving compliance – not just attendance. The only point of security awareness training is to have the training be understood, so testing to confirm understanding is widespread and sensible.

At Questionmark, we practice what we preach! All our employees have to take a test on data security when they join to check they understand our policies; all employees must also take and pass an updated test each year to ensure they continue to understand.

Ensure that people in security roles are competent

The international security standard ISO 27001:2013 requires that an organization determine the necessary competence of personnel affecting information security performance. The organization must also ensure that personnel have such competence and retain evidence of this.

In a large organization with many different security roles, developing and using competence tests for each information security-related role is a good way of measuring and showing competence. Knowing who is competent in which aspect of security and data protection matters: it ensures that you are covering appropriate risks with appropriate people. Online testing is an effective way of measuring competence and makes it easy to update competence records by giving periodic tests every six months or annually.

Helping measure information security objectives

ISO 27001 also requires setting up metrics to measure information security objectives. Results from assessments can be a good metric to use. Other standards say similar things. For example, the PCI standard widely used for credit card security says in its best practice guide:

“Metrics can be an effective tool to measure the success of a security awareness program, and can also provide valuable information to keep the security awareness program up-to-date and effective”

The PCI guide recognizes that good metrics include “feedback from personnel; quizzes and training assessments”. In my experience, as well as using quizzes and tests to measure knowledge, it also makes sense to use online surveys to assess actual practice by employees and to allow reporting of security concerns.

Testing on information security and data protection is an increasing use case for Questionmark’s trustable SaaS assessment management system, Questionmark OnDemand.  Whichever security standard you are following (ISO 27001, NIST, PCI or one of several others), creating online assessments tailored to measure knowledge of your organization’s policies and procedures using an assessment management system like Questionmark’s can make a useful difference.

Why a “good enough” assessment solution will do more harm than good

Posted by Chloe Mendonca

Regardless of the size of a department or organization, we’re all keen to improve efficiency and when it comes to assessments — improve validity and reliability. Selecting the right assessment tool is critical. Sticking with a “good enough” solution will do more harm than good. In the short term it will hinder your productivity; in the long run it could not only mean a painful migration from one system to another, but could also cost you a fortune in compliance fines or HR disputes!

“Good enough” assessment solutions are usually fine for creating basic surveys and quizzes, but when you use assessment results to make defensible decisions about people, you need a more complete solution. So how do you distinguish a “good enough” assessment solution from a complete one?

Choosing a complete solution

As you go through the selection process, consider whether simplicity comes at the expense of security or robust functionality. We know it can be confusing to sort through the extensive number of options. And we know every company has different assessment needs. If you need to weigh up your options, this cheat sheet will highlight the limitations of a “good enough” assessment tool and explain how a complete solution will help make your job easier and your assessments more valid and reliable.

Complete assessment management platforms are designed with security, validity and reliability in mind

The cheat sheet also discusses how complete assessment management technologies trump “good enough” solutions in several areas, including:

  • Establishing content validity
  • Managing multilingual assessments
  • Maintaining an audit trail
  • Developing observational assessments
  • Minimizing cheating and content theft

It’s worth spending a good amount of time fully evaluating your options and choosing a solution that can scale with your organization. Interested in learning more about how to evaluate a complete assessment solution? Download this cheat sheet, “Are you settling for a “good enough” assessment solution?”

Questionmark Conference 2017: Three hot topics from Santa Fe

Posted by Bart Hendrickx

There was a lot to learn at the Questionmark Conference 2017, as my colleagues Chloe Mendonça and John Kleeman alluded to in their blog posts Reminiscing about Santa Fe and Assessment good practice: 6 tips from Santa Fe. I had the privilege to present several sessions and interact with a lot of customers. Here are the key things I took away from the conference:

People want to brand assessment delivery screens

This is not new: we have been supporting the branding and customization of assessment delivery screens for many years. The new Questionmark OnDemand Portal also offers various options  for branding the user experience, including for admin users – a new development compared to the classic Portal. However, most people are especially interested in customizing the way assessments are delivered to participants.

Roles and permissions can be a little daunting

The new Questionmark Portal offers many capabilities relating to roles and permissions. Refer to these blog posts from last year to get an idea: Role-based permissions: A how-to guide part 1 and part 2. While people appreciate the power of Questionmark OnDemand’s roles and permission management, they also understand that sometimes it requires a specific combination of permissions to get a role “just right”. We received several suggestions from customers on how to make this part of the software more welcoming to new users.

Integrations with Learning Management Systems remain important

Again, not something new but it was interesting to experience just how important LMS integrations are for our users. Questionmark has been supporting several integration standards for a long time. We have also enhanced the ubiquitous SCORM integrations by making it possible to include SAML in the workflow. This enables customers to combine SCORM’s launch and track capabilities with SAML’s security and demographic mapping, resulting in more secure assessment delivery and additional participant demographics that can be used in reports.

I would like to thank everyone who shared such useful feedback with us.

Questionmark OnDemand Assessment Management System now HIPAA-compliant

Posted by Jamie Armstrong

Questionmark recently began offering US OnDemand Service customers the option of entering into an additional agreement for compliance with HIPAA (the US Health Insurance Portability and Accountability Act).

I’d like to provide some brief information on this exciting new development, particularly for those not familiar with what HIPAA is or involves. You can easily find additional information and resources on the U.S. Department of Health & Human Services website.

What is HIPAA and what kind of information or data does it cover?
HIPAA is a US federal law that in very general terms regulates access to and handling of “protected health information” (“PHI”) and provides individuals with important rights regarding their health information. PHI includes these categories of information:

  • health information collected from a person;
  • information relating to health conditions or health care provision created or received by an organization such as a health care provider; and
  • information that either identifies or can reasonably be used to identify an individual.

For example, data gathered or used as part of an assessment using Questionmark OnDemand that relates to past, present or future health or condition may be PHI under HIPAA.

What types of organizations are subject to HIPAA requirements?
HIPAA applies to two main categories of organization having access to PHI. These are known as “covered entities” and “business associates.” A Questionmark customer that is a health plan or health care provider, e.g. a hospital, clinic or health insurance company,  may be a covered entity for HIPAA. Business associates include organizations receiving or maintaining PHI on behalf of a covered entity for functions such as data processing or administration (among other things). Questionmark may be a business associate in providing the OnDemand Service to customers that are either covered entities or business associates performing services for their own covered-entity clients.

What does HIPAA require?
HIPAA requires that covered entities and business associates meet various security, breach notification and privacy requirements. They must meet the requirements applicable to them internally and also have contracts with any third parties that may have access to PHI. This ensures  that these third parties are subject to the same restrictions and conditions. Before offering OnDemand Service customers the option of entering into a HIPAA business associate agreement, Questionmark completed a security and legal review to ensure compliance with relevant HIPAA requirements.

We are interested in obtaining HIPAA-compliant OnDemand Services.  How do we sign a HIPAA business associate agreement with Questionmark?
You can find our HIPAA business associate agreement here. If you’d like to learn more please contact your account manager. Questionmark is committed to safeguarding PHI in accordance with the HIPAA standards and looks forward to discussing your HIPAA compliance requirements.

Important disclaimer: This blog is provided for general information and interest purposes only, is non-exhaustive and does not constitute legal advice. As such, the contents of this blog should not be relied on for any particular purpose and you should seek the advice of your own legal counsel in considering HIPAA requirements.
