Eight ways to check if security is more than skin deep
Posted by John Kleeman
The assessment industry has always been extremely careful about exam security and ways to prevent cheating. As cloud and online assessment takes over as delivery models, it’s critical we all deeply embed IT security in our culture to ensure that computer vulnerabilities don’t leak sensitive data or disrupt the integrity of the assessment process.
Many years ago, Questionmark realized that data protection and IT security were critical to our success. We re-formed our culture to make security a priority. We followed our own path and looked for opportunities to learn from others such as Bill Gates and his famous trustworthy computing memo, part of which is quoted below:
… when we face a choice between adding features and resolving security issues, we need to choose security. Our products should emphasize security right out of the box, and we must constantly refine and improve that security as threats evolve. … These principles should apply at every stage of the development cycle of every kind of software we create …
Questionmark understands that we’re in an arms race. We stay vigilant and look for opportunities to improve our security. Here are eight key ways in which we have embedded security deep within our company. If you are an assessment provider, we’d encourage you to find your own way to follow suit. And if you are a customer, here are eight questions you can ask to identify whether an assessment provider is truly working to be as secure as it can, instead of just claiming to be secure when in fact security is only skin deep.
1. Who does the security function report to?
At Questionmark our security officer reports directly to me as Questionmark Chairman. If security reports directly into IT or product development, a security concern might be overruled by operational need. We’ve found this separation very helpful to ensure security gets listened to throughout the organization.
2. Would a security flaw hold up a release?
In any sensible company, this has to be true. Feature improvements in software are important, but if there is a serious security issue, it needs to be fixed first. Developers need to know that they can’t make a release unless it is secure.
3. How do you check your employees know about security?
Questionmark trains all our employees on data security but how do we know they understand? We practice what we preach and everyone from senior management to sales to accounting to developers needs to take and pass a data security test every year to check understanding. I’d encourage everyone in the assessment industry to follow this approach.
4. How deep is your team’s knowledge of IT security?
SaaS security is complex. There are many layers to security and any weakness can lead to a vulnerability. Equally throwing resources in the wrong place won’t really help. We are fortunate to have at least half a dozen experts within Questionmark who have deep knowledge of and passion for different aspects of security. This helps us get things right,.
5. Is your ecosystem secure?
Every company operates in an ecosystem , and it’s the ecosystem that needs to be secure. Questionmark works with our suppliers, subcontractors and partners to help them to be secure, including offering training and advice. We even want our competitors to be secure as any breaches in the assessment industry would be hurtful to all.
6. How transparent and open are you on your security?
Security by obscurity is not secure. Questionmark shares information on the security of our OnDemand service in white papers (Security of Questionmark’s US OnDemand Service and Security of Questionmark’s EU OnDemand Service) and have “red papers” which describe our security and business continuity planning in detail, available under NDA to prospective customers. The review process as customers ask questions about these provides comfort for customers and input to us to improve our security.
7. What kinds of external review do you allow?
As we shared in Third-party audits verify our platform’s security, we run regular penetration tests by a third party company, Veracode on Questionmark OnDemand. We are also fortunate to have many customers who care deeply about security and undertake their own audits and reviews by experts. We welcome such review and learn from it to improve our own security.
8. Are you completely satisfied with your security?
Absolutely not. There is an arms race happening in the security world. Hackers and other bad actors are increasing their capabilities and however good you are, if you rest on your laurels, the arms race will overtake you. See for example the graph to the right from Verizon showing the increase in breaches over time.
Questionmark, like other good SaaS companies, has a policy of continual improvement – we want to be much better each year than the last.
This video provides an overview of how Questionmark builds security into its products from day one. Watch below: