Don’t Let Compliance Blind you to Security

Posted by David Hunt

The field of security is constantly growing, shifting and adapting to meet an ever-changing threat landscape. To provide a degree of order in this chaotic landscape, we look to compliance standards such as NIST 800-53, PCI, HIPAA and the ISO standards. These standards provide frameworks that allow us to measure the maturity of an organization’s security program. However, these frameworks need to be tempered by the current security environment, or we risk sacrificing our security for compliance.

This idea was illustrated nicely at this year’s BSides Las Vegas security conference. Lorrie Cranor, the Chief Technologist for the Federal Trade Commission, gave the keynote speech about why we need to start training our clients and end users to reevaluate their thinking on mandatory password changes. In brief, Lorrie questioned the practice of frequent mandatory password changes, meant to prevent brute forcing (trying all possible combinations) or to lock out those who may hold a shared or stolen password.

Here is what she found: based on two separate studies, frequent password change requirements can actually make us less secure. Lorrie’s message was to empower users to create good passwords and to agree on what “good” is, while addressing common misconceptions. Questionmark OnDemand’s new portal empowers customers to determine what good passwords are and to create customized roles based on their requirements. When configuring password requirements for your OnDemand users, consider Lorrie’s advice for passwords:

  • Avoid common words, names
  • Avoid patterns
  • Digits and symbols add strength
  • Understand different types of attacks
  • Make them Better (Not Perfect)
  • Change them only when Required
  • Start with your Core accounts
  • Use Tools where appropriate

In this case, Lorrie did not blindly follow the path of compliance, leading to ever shorter password refresh limits. She got it right by looking at the issue from a security perspective. What are the threats to the use of passwords and are our mitigations of these threats reducing our risk? The answer, when it comes to mandatory password changes, is NO! We are actually increasing our risk in some cases. So when setting password policies in Questionmark OnDemand, it is always a good practice to regularly review your settings to ensure you are getting it right.
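To show what “good” can mean in practice, here is an added example (not code from Questionmark OnDemand or from Lorrie Cranor’s talk) that turns the first three points of the advice above into checks a policy reviewer could run: it flags common words and names (including simple “P@ssw0rd”-style substitutions), flags predictable patterns (repeated characters, sequences and keyboard runs), and credits digits and symbols by estimating the brute-force search space from the character classes in use. The word list, keyboard rows and verdict thresholds are constructed assumptions for illustration; a real deployment would load a proper dictionary or breached-password list.

```python
import math
import re
from typing import Optional

# Constructed, deliberately tiny list of common words and names for the demo;
# a real deployment would load a dictionary or breached-password list instead.
COMMON_WORDS = {
    "password", "welcome", "letmein", "qwerty", "admin", "monkey", "dragon",
    "summer", "winter", "david", "michael", "jennifer", "lorrie",
}

# Keyboard rows used to spot runs such as "asdf" or "0987" (assumes a US layout).
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]

# Common letter-for-symbol substitutions, so "P@ssw0rd" still reads as "password".
LEET = str.maketrans("@01$357!", "aolsesti")


def normalise(pw: str) -> str:
    """Lower-case the password and undo simple leet substitutions."""
    return pw.lower().translate(LEET)


def common_word(pw: str) -> Optional[str]:
    """Return the first (longest) common word or name found inside the password, else None."""
    base = normalise(pw)
    for word in sorted(COMMON_WORDS, key=len, reverse=True):
        if word in base:
            return word
    return None


def pattern(pw: str) -> Optional[str]:
    """Return a description of the first predictable pattern found, else None.

    Three pattern families are checked on the lower-cased password: a character
    repeated three or more times, an ascending or descending run of four
    characters (abcd, 4321), and four adjacent keys on a keyboard row in either
    direction.
    """
    base = pw.lower()
    if re.search(r"(.)\1{2,}", base):
        return "repeated character"
    for i in range(len(base) - 3):
        steps = {ord(base[j + 1]) - ord(base[j]) for j in range(i, i + 3)}
        if steps == {1} or steps == {-1}:
            return f"sequence {base[i:i + 4]!r}"
    for row in KEYBOARD_ROWS:
        for i in range(len(base) - 3):
            chunk = base[i:i + 4]
            if chunk in row or chunk in row[::-1]:
                return f"keyboard run {chunk!r}"
    return None


def charset_size(pw: str) -> int:
    """Size of the alphabet implied by the character classes actually used."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += 33  # printable ASCII punctuation plus space
    return size


def entropy_bits(pw: str) -> float:
    """Brute-force search space in bits, assuming every character is drawn uniformly
    from the alphabet in use. This is an upper bound: words and patterns make the
    true figure lower, which is why the findings matter more than the number."""
    if not pw:
        return 0.0
    return len(pw) * math.log2(charset_size(pw))


def evaluate(pw: str) -> dict:
    """Apply the checks and return findings, the entropy estimate and a verdict.

    Thresholds (40 and 60 bits) are constructed for the demo, not a standard."""
    findings = []
    word = common_word(pw)
    if word:
        findings.append(f"contains common word or name {word!r}")
    pat = pattern(pw)
    if pat:
        findings.append(f"predictable {pat}")
    bits = entropy_bits(pw)
    if findings or bits < 40:
        verdict = "weak"
    elif bits >= 60:
        verdict = "strong"
    else:
        verdict = "acceptable"
    return {"findings": findings, "bits": round(bits, 1), "verdict": verdict}


if __name__ == "__main__":
    for candidate in ["Summer2016!", "P@ssw0rd", "abcd1234", "correct horse battery staple"]:
        print(candidate, "->", evaluate(candidate))
```

Note that “Summer2016!” satisfies a typical “upper, lower, digit, symbol” compliance rule and still comes out weak, because the word check fires; that gap between passing a checklist and being hard to guess is the point of the post. Nothing here depends on when the password was last changed, which is consistent with changing passwords only when required, for example after evidence of compromise.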

As with any good keynote speech, this one was a catalyst for many subsequent conversations both at and after the conference.

Those conversations covered the dangers of security programs that blindly check compliance requirements off a list, news-driven security programs, and the proverbial inability to see the security forest for the trees. The takeaway was that we have an obligation to “disobey.” Not that we should break the rules, but rather question them — lest we face a fate such as that which befell those in “The Charge of the Light Brigade,” a poem describing the tragedy resulting from the miscommunication of orders at the Battle of Balaclava. In our case, we may not face a physical death by blindly following orders, but a virtual death is plausible.

Just as Lorrie asked “Why?” we should be asking it as well. As anyone who has spent time with a 3-year-old child knows, this one simple question is the key to building knowledge. We all should ask “Why?” and grow our technical and security knowledge to ensure we are not just compliant, but secure!


New best practice webinars: Taking your assessments from good to great

Posted by Chloe Mendonca

“Good, better, best. Never let it rest. ‘Til your good is better and your better is best.” This old little rhyme teaches us a valuable lesson: There is always room for improvement! No matter what role or business you’re in, if you’re interested in long-term success, you should strive to continuously improve your knowledge, systems and processes.

But how does this relate to assessments? Well, in many ways, there are always things we can do to develop better assessments: more secure, more trustworthy assessment programs. Maybe your current assessment program is “good”, but is “good” good enough?

We’re offering two new webinars that will help you assess how you’re currently performing in two key areas — and take your assessments from good to great:

  1. Item Writing

How to write high quality test items [35-Minute Session]

  • 3rd August, 2016, 3:00 p.m. UK BST / 10:00 a.m. US EDT

Are your items poorly written? Perhaps they’re good but you want them to be “better”. Skilfully crafted items promote learning and memory recall. They help retain knowledge, skills and/or abilities over time, but writing high-quality items isn’t as easy as it looks. This session will give you tips for taking your items to the next level.

  2. Exam Integrity

Enhancing exam integrity with online proctoring [45-Minute Session]

  • 9th August, 2016, 3:00 p.m. UK BST / 10:00 a.m. US EDT

With online proctoring rapidly gaining the attention of organisations and test sponsors around the world, many are wondering how it compares with traditional test centre proctoring. This 45-minute webinar will discuss what online proctoring is, how it works and whether it can in fact boost test security. Don’t miss this session if you’re keen to extend geographic reach and lower test administration costs.


If you’re looking to learn more about what you can achieve with Questionmark’s Assessment Management System, join our 60-minute introductory session. We’ll demo the platform live and cover a number of key features and functions. Save your seat at one of these sessions:

Intro to Questionmark’s Assessment Management System [60-Minute Session]

  • 4th August, 2016, 10:30 a.m. (BST) UK
  • 10th August, 2016, 12:00 p.m. (EDT) US

We also deliver this webinar in Spanish and Portuguese. Check out the upcoming dates and times here.

Integrating with other systems: video tutorials

Posted by Julie Delazyn

Although you can use Questionmark as a stand-alone Assessment Management System (AMS), it also integrates seamlessly with other key systems – everything from learning management systems and content management systems to portals and scanning technologies.

Questionmark Connectors make these integrations possible.

Some of these, such as the Blackboard Connector, the SAP Connector and the SharePoint Connector, are designed for use with specific systems.

We also support integrations with LTI-, AICC- and SCORM-compliant systems.

You can find video tutorials about many of these connectors in the Questionmark web site. There you’ll find videos on integrating with Moodle, SuccessFactors and Cornerstone OnDemand, as well as other systems such as SharePoint, Canvas, and Ning.

Here is a sneak peek – click to view each video:


Integrating and Connectors – playing nicely with other systems

Posted by Doug Peterson

You’ve just finished putting together the world’s greatest assessment in Questionmark. You also have the world’s greatest Learning Management System (LMS) installed on your company’s network. How do you get the two systems to play nicely together so that your learners can launch the world’s greatest assessment from the world’s greatest LMS?

At first glance, Questionmark appears to be a stand-alone Assessment Management System (AMS), and while it can certainly be used in that fashion, the truth is that Questionmark integrates very nicely with other systems such as SharePoint, an LMS, and even social networking and blogging sites such as Facebook and Ning.

One way that Questionmark integrates with other systems is through the use of connectors. Questionmark has a connector for Blackboard as well as an LTI Connector that can be used with systems like Moodle. We also have a SharePoint Connector – a web part that you can install in your SharePoint system that allows a learner to log into SharePoint and see and launch Questionmark assessments for which they have been scheduled. I encourage you to visit the Questionmark web site, roll your mouse over Learning in the navigation bar and select Learning Café. Under the Featured Videos, click on see all videos and scroll down to the Integration section. There you’ll find videos on integrating with Moodle, SuccessFactors and Cornerstone OnDemand, with more videos on integrating with other systems such as SharePoint, Ning, and Wikispaces coming very soon.

The great thing about integrating with Questionmark is that you don’t need to have a system for which we have provided a specialized connector. Questionmark allows you to publish your assessment as an AICC or SCORM content package, which you can then import into an LMS that uses the SCORM or AICC protocol (which is just about every LMS out there). The assessment is then a content object in the LMS that can be added to a course and launched by the student – from the LMS! Be sure to check out these resources for more information on AICC and SCORM:

10 Reasons for Using an Assessment Management System for Compliance

Posted by John Kleeman

Most LMSs (learning management systems) have the capability to deliver basic quizzes and surveys. So is an LMS good enough to deliver online compliance assessments? Or do you need an assessment management system?

A strength of LMSs is that they roll up all training, for example face-to-face classroom events, and they’re often used as a system of record for compliance training events. But many companies that are professional about their use of assessments in compliance use an assessment management system as well as (or sometimes instead of) an LMS. Here are 10 of the reasons I hear for doing this.

Observational assessment

1. A key trend in compliance is to measure behaviour, not just knowledge. A great way to do this is observational assessments, during which an observer watches someone do something (e.g. interview a customer, use a machine) and rates them on an iPad or smartphone. The ability to deliver assessments in many different environments is a leading advantage of a comprehensive assessment management system.

2. Running a professional assessment programme needs an item bank, where all your questions are organized by topic and metadata, so you can re-use questions and easily review and update them. Many LMSs link questions and assessments to courses, but you need a searchable item bank once you get a certain volume of assessments.

3. Assessment management systems usually provide an easier and more friendly user interface for Subject Matter Experts (SMEs) to author questions, for instance our easy-to-use Questionmark Live collaborative authoring environment.

Create Question set, add questions to set, download or email questions in a qpack, import into Perception

4. As mentioned in my earlier blog post, How Topic Feedback can give Compliance Assessments Business Value, being able to score and give feedback at the topic level lets you provide actionable feedback in compliance. You don’t just know people are weak, you know where they are weak and how to improve it.

5. Assessment management systems offer more question types, allowing more variety and more engaging and realistic questions.

6. An assessment management system like Questionmark lets you deliver assessments on paper as well as on-screen, and also on mobile devices including smartphones and iPads; you can deliver assessments in more places.

7. Most LMSs have only basic assessment reporting – but to make your assessments valid and reliable and legally defensible, you need item and test statistics reports and other professional reports.

8. Assessments can continue to be delivered even if you change LMS – and many organizations are thinking of changing LMS or moving the LMS to the cloud.

9. Often an LMS is provisioned only for employees, but you may need to assess partners or contractors; it’s easy to allow direct login to Questionmark if desired.

10. Last but not least, the typical LMS does not major in test security. Most employees taking compliance assessments will not want to cheat, but it’s useful to have the stronger security — allowing monitoring, preventing cheating and avoiding fraud — of a professional assessment management system.

Bottom line, an assessment management system gives you trustable results that you can rely on. A large organization relies on employees who are geographically and functionally separated, but they all must act competently and follow proper procedures to make the business run effectively. Assessments delivered online to employees via an assessment management system are one of the few ways and likely the best way to touch individually your entire workforce and ensure that they understand their role in your business and what is required of them to meet business and regulatory needs.