How online assessments (quizzes, tests and exams) can help information security awareness and compliance

Posted by John Kleeman

With the rise of data security leakages, most professional organizations are seeking to significantly upscale their cybersecurity to better protect their organization from information security risks. I see an increasing use of online assessments helping information security and thought I’d provide some pointers about this.

There are three main ways in which online quizzes, tests, exams and surveys can aid information security:

  • Testing personnel to check understanding of security awareness and security policies
  • Ensuring and documenting that personnel in security roles are competent
  • Helping measure success against security objectivesNIST logo

Testing on security awareness and knowledge of policies

A cornerstone of good practice in security is training in security awareness. For example, the widely respected NIST 800-53 publication recommends that organizations provide general-purpose and role-based training to personnel as part of initial training and periodically thereafter. If you follow NIST standards, NIST control AT-4 also requires that all security training be documented and records retained.

There is widespread evidence that delivering an assessment is the best way of documenting that training took place, because it doesn’t just document attendance but also understanding of the training. For more explanation, see the Questionmark blog post Proving compliance – not just attendance. The only point of security awareness training is to have the training be understood, so testing to confirm understanding is widespread and sensible.

At Questionmark, we practice what we preach! All our employees have to take a test on data security when they join to check they understand our policies; all employees must also take and pass an updated test each year to ensure they continue to understand.

Ensure that people in security roles are competent

iso 27001The international security standard ISO 27001:2013 requires that an organization determine the necessary competence of personnel affecting information security performance. The organization must also ensures that personnel have such competence and retain evidence of this.

In a large organization with many different security roles, developing and using competence tests for each information security-related role is a good way of measuring and showing competence.  Knowing who is competent in which aspect of security and data protection matters: it ensures that  you are covering appropriate risks with appropriate people. Online testing is an effective way of measuring competence and makes it easy to update competence records by giving periodic tests every six months or annually.

Helping measure information security objectives

PCI logoISO 27001 also requires setting up metrics to measure information security objectives. Results from assessments can be a good metric to use.  Other standards say similar things. For example, the PCI standard widely used for credit card security says in its best practice guide:

“Metrics can be an effective tool to measure the success of a security awareness program, and can also provide valuable information to keep the security awareness program up-to-date and effective”

The PCI guide recognizes that good metrics include “feedback from personnel; quizzes and training assessments”. In my experience, as well as using quizzes and tests to measure knowledge, it also makes sense to use online surveys to assess actual practice by employees and to allow reporting of security concerns.

Testing on information security and data protection is an increasing use case for Questionmark’s trustable SaaS assessment management system, Questionmark OnDemand.  Whichever security standard you are following (ISO 27001, NIST, PCI or one of several others), creating online assessments tailored to measure knowledge of your organization’s policies and procedures using an assessment management system like Questionmark’s can make a useful difference.

Questionmark OnDemand Assessment Management System now HIPAA-compliant

Jamie ArmstrongPosted by Jamie Armstrong

Questionmark recently began offering US OnDemand Service customers the option of entering into an additional agreement for compliance with HIPAA (the US Health Insurance Portability and Accountability Act).

I’d like to provide some brief information on this exciting new development, particularly for those not familiar with what HIPAA is or involves. You can easily find additional information and resources on the U.S. Department of Health & Human Services website.

What is HIPAA and what kind of information or data does it cover?
HIPAA is a US federal law that in very general terms regulates access to and handling of “protected health information” (“PHI”) and provides individuals with important rights regarding their health information. PHI includes these categories of information:

  • health information collected from a person;
  • information relating to health conditions or health care provision created or received by an organization such as a health care provider, and;
  • information that either identifies or can reasonably be used to identify an individual.

For example, data gathered or used as part of an assessment using Questionmark OnDemand that relates to past, present or future health or condition may be PHI under HIPAA.

What types of organizations are subject to HIPAA requirements?
HIPAA applies to two main categories of organization having access to PHI. These are known as “covered entities” and “business associates.” A Questionmark customer that is a health plan or health care provider, e.g. a hospital, clinic or health insurance company,  may be a covered entity for HIPAA. Business associates include organizations receiving or maintaining PHI on behalf of a covered entity for functions such as data processing or administration (among other things). Questionmark may be a business associate in providing the OnDemand Service to customers that are either covered entities or business associates performing services for their own covered-entity clients.

What does HIPAA require?
HIPAA requires that covered entities and business associates meet various security, breach notification and privacy requirements. They must meet the requirements applicable to them internally and also have contracts with any third parties that may have access to PHI. This ensures  that these third parties are subject to the same restrictions and conditions. Before offering OnDemand Service customers the option of entering into a HIPAA business associate agreement, Questionmark completed a security and legal review to ensure compliance with relevant HIPAA requirements.

We are interested in obtaining HIPAA-compliant OnDemand Services.  How do we sign a HIPAA business associate agreement with Questionmark?
You can find our HIPAA business associate agreement here. If you’d like to learn more please contact your account manager. Questionmark is committed to safeguarding PHI in accordance with the HIPAA standards and looks forward to discussing your HIPAA compliance requirements.

Important disclaimer: This blog is provided for general information and interest purposes only, is non-exhaustive and does not constitute legal advice. As such, the contents of this blog should not be relied on for any particular purpose and you should seek the advice of your own legal counsel in considering HIPAA requirements.

FBI and Homeland Security advice on trumping cybersecurity attacks

Posted by John Kleeman

There’s a lot in the news recently about possible cybersecurity attacks on the political process. Here are some thoughts on how we can learn from this and apply it to assessment security.

One of the most interesting documents I’ve read on this subject is the Department of Homeland Security and FBI’s joint analysis report  JAR-16-20296 titled GRIZZLY STEPPE – Russian Malicious Cyber Activity.  This presents evidence on how a cybersecurity attack was made on a US political party in 2016 and gives some practical advice on how others can set up their systems to avoid such attacks.

Whoever the attack was performed by (and there has been some debate about this), the practical advice is useful to anyone who wants to improve their security. I was particularly struck by a section in the report which offered questions to ask your organization to see if they have good cybersecurity practices. I’ve taken the liberty of including the questions in the graphic below:

See Grizzly Steppe report for text here

I’ve shared various sets of security questions in this blog, including Eight ways to check if security is more than skin deep and 24 midsummer questions to ask your assessment software provider, but here are some questions from a very credible source!

I’d encourage you to pose these questions within your organization and with your suppliers to check that you are well protected in case of a cyberattack. Questionmark, like all sensible organizations, believes in continuous improvement in our security, and listening to sources like this analysis informs our improvement.

I hope highlighting the report and these questions helps strengthen your defenses against cybersecurity and acts as a guide in choosing your vendors.

Seven New Year’s Resolutions to Keep Your Assessments Safe

Paper with "Resolutions" written on it implying one is about to write some resolutions downJohn Kleeman HeadshotPosted by John Kleeman

Many blogs at this time of year seek to predict the year ahead, and many of them foresee more data breaches and security incidents in 2017.  But I’m a great believer that the best way to predict the future is to create or change it yourself. So if you want to reduce the chances of your assessment data security being breached in 2017, make some of the things you’ve talked about happen.

Here are some possible New Year’s resolutions that could help keep your assessments safe and secure.

1. Audit your user accounts. Go through each of your systems that hold or give access to assessment data, and check there are no accounts for ex-employees or ex-contractors. Make sure there are no generic or test accounts that do not belong to a current individual. Dormant accounts like this are a common route to a breach. Also check that no one who has changed role has the privileges of their old role.

2. Run an incident response table-top practice exercise. This is a session where you gather together those responsible for security, pretend there is a breach or other incident and work through verbally how you’d deal with it as a team. You can do this in a couple of hours with good preparation, and it allows you to check your procedures and ensure people know what to do. It will often give useful insight into improving your preparedness.  As Benjamin Franklin once said “An ounce of prevention is worth a pound of cure”.

3. Start testing your personnel on security procedures. One of the biggest security risks for any organization is staff mistakes and accidents that compromise credentials or data. Security awareness training makes an important difference. And if you test your personnel on security after the training, you verify that people understand the training and you identify areas of weakness. This makes it more likely that your personnel become more aware and follow better security practices. If you have access to an online assessment tool like Questionmark, it’s very, very easy to do.

Photo of doctor stethoscope on computer keyboard4. Review some of your key vendors. A risk for most organizations is weaknesses in suppliers or subcontractors that have access to your data. Ask suppliers to share information on their technical and organizational measures for security and what they are doing to ensure that your data is not breached. Any reputable organization will be willing and able to provide this under NDA. See 24 midsummer questions to ask your assessment software provider on this blog for some of the questions you can ask.

 

5. Conduct a restore test from backups. How do you know your backups work? Over the years, I’ve come across a few organizations and teams who’ve lost their data because their backups didn’t work. The only way to be sure is to test restoring it from backup and check data is there. If you don’t already run restore tests, organize a restore test in 2017 (ideally once a quarter, but once is better than not at all). You shouldn’t need to do this if you use a cloud service like Questionmark OnDemand as the vendor should do it for you.

6. Run a pilot for online proctoring. Microsoft do it. SAP do it. Why shouldn’t you do it? If you run a certification program that uses physical test centers, consider whether online proctoring might work for you. Not only will it reduce the risk of collusion with proctors helping candidates cheat, but it will also be a huge boon to your candidates who will no longer need to travel to test centers.

TheCadetHonorCodeMonument7. Put in place a code of conduct for your participants. This is a simple thing to do and can make a big difference in reducing cheating by encouraging test-takers to stay honest.  See Candidate Agreements: Establishing honor codes for test takers and What is the best way to reduce cheating? on this blog for tips on how and why to do this. If you are looking for inspiration, at famous code of conduct is that of the U.S. Army West Point Military Academy which simply says: “A cadet will not lie, cheat, steal, or tolerate those who do.” Of course you need to communicate and get buy-in for your code of conduct, but if you do, it can be very effective.

Many of you will already be doing all of these things, but if you’re not, I hope one or more of these resolutions help you improve your assessment security in 2017.

And here’s a bonus New Year’s resolution to consider. Questionmark Information Security Officer David Hunt and I are giving a session on Staying Ahead of Evolving Security Threats at the Questionmark conference in March in Santa Fe. Make a New Year’s resolution to come to the conference, and learn about security and assessment!

Transform Your 2017 Assessment Strategy

Julie ProfilePosted by Julie Delazyn

As the year draws to close and you wrap up the final exams for 2016,  you may be thinking about your 2017 assessment strategy. Transform the way you manage learning and training in 2017 by taking advantage of these learning opportunities:

 Transforming Your Test Program with Online Proctoring

Person-taking-a-test.jpg

If you’ve been considering implementing online proctoring, 2017 is the year to make it happen. With the increase in test security threats and the growing demand for flexibility in learning and training, there’s no better time to turn to a secure and cost-effective alternative to traditional brick-and-mortar test centers.

This 45-minute webinar will cover the basics of online proctoring and describe how it manages the variety of test security threats.

WHEN: This Wednesday (Dec. 14) 3:30 p.m. UK GMT / 10:30 a.m. US EDT —  Register now

Intro to Questionmark’s Assessment Management System

WebinarIf you’d like to end this year by getting a better understanding of how Questionmark’s assessment solutions can help you gain the impact you need from your test programs, then attend this 60-minute introductory webinar. We’ll give you a live demo of Questionmark OnDemand showing you key features and functions.

WHEN: This Wednesday  (Dec. 14) 6:00 p.m. UK GMT / 1:00 p.m. US EDTRegister now

If you can’t make it to tomorrow’s webinars, check back here for new dates and themes. We look forward to helping you transform your assessment strategy in 2017!

U.S. Privacy Shield: Data protection and security

Jamie ArmstrongPosted by Jamie Armstrong

Earlier this year I wrote blog post that summarized some important recent data protection and privacy law developments. Today, I wanted to follow up on that posting by looking particularly at the EU-U.S. Privacy Shield (“Privacy Shield”).

The Privacy Shield came into being to fill the void left by the invalidation of the European Commission decision underpinning the US-EU Safe Harbor Agreement (“Safe Harbor”). From August this year, US organizations have been able to certify compliance to the Privacy Shield – the list of those certified organizations can be viewed here. Questionmark Corporation has certified to the Privacy Shield, and you can view our updated privacy policy here. As was the case for Questionmark’s self-certification to Safe Harbor, our compliance with the Privacy Shield principles is just part of Questionmark’s broader strategy to ensure that relevant international data transfers conform to applicable legal requirements.privcy-shield

The Privacy Shield, as well as other mechanisms such as the EU Model Clauses, provides a way for organizations to comply with EU data protection requirements when personal data is transferred to the US from the EU. Remember that whereas the EU Model Clauses may be relied on for transfers of EU personal data to third countries (i.e. those that are not part of the EEA), the scope of the Privacy Shield is limited to personal data transfers to the US.

The European Commission has produced a helpful guide on the Privacy Shield, aimed at EU citizens, with some key improvements as compared with Safe Harbor being:

  • Greater oversight and monitoring by authorities in the US and EU to ensure compliance, for example by the US Department of Commerce, Department of Transport and Federal Trade Commission;
  • A greater number of ways for individuals to make complaints to enforce their rights without cost, including to an Ombudsman within the US Department of State, via an EU Data Protection Authority, an independent recourse mechanism, and binding arbitration;
  • Additional obligations for participant organizations, like ensuring any third-party transferees provide the same level of protection for personal data as is required by the Privacy Shield.

Although the Privacy Shield includes a number of additional protections for individuals and obligations on organizations, some interest groups remain unconvinced that it is meaningfully different to Safe Harbor and legal challenges in the EU have already been made. With this in mind, organizations that have certified to or may certify to the Privacy Shield will have to monitor EU developments and continue to review their data protection and privacy approaches, so that they are satisfied that there are a sufficient number of means available to them to show adequate protection for EU personal data being transferred to the US. Questionmark’s Privacy Shield certification demonstrates to customers our particular commitment to data protection and security in respect of applicable data.

Check back here for future blog posts on data protection and privacy law issues early next year.

Disclaimer: This blog is provided for general information purposes only and does not constitute legal advice. Any views included are personal to me.

« Previous PageNext Page »