24 midsummer questions to ask your assessment software provider

Posted by John Kleeman

This week marks the longest day of the year in the Northern Hemisphere, and in a few lucky places there are 24 hours of daylight.

We can imagine that in ancient days, watchers on castles could relax a bit with the longer hours of sunlight, as it was harder for marauders to sneak up without the cover of night. But in the modern-day cloud world, time of day doesn’t impact security much. Light or dark, you need to keep watch 24 hours a day, 365 days a year to be sure of your assessment security.

Here are 24 questions you might want to ask your assessment software supplier to check that your assessments and results will be safe all day and night long.

Data Center

Data center batteries (picture from Wikipedia by Jelson25)

1. Do you host assessments in a professional Data Center, certified to SSAE 16 or ISO 27001?

2. Does the Data Center have 24/7/365 physical security?

3. Does the Data Center have 24/7/365 network monitoring so that if an issue arises, someone is continually monitoring to react to it?

4. Are the servers monitored by CCTV cameras?

5. Does your Data Center have multiple connections to the power grid, plus onsite generators with at least 24 hours of fuel onsite in case of power outages?

6. Does your Data Center have multiple, fast Internet links so that if one goes down, connectivity remains?

Systems and software

7. Is every server in the system load balanced and does every component have redundancy, so that if any one system fails, another can take over?

8. Is there an Intrusion Detection or Protection System (IDS or IPS) to help protect against attackers?

9. Is browser access to assessments and administration protected by SSL/TLS to 128 bits or higher, so that assessment data and results cannot be intercepted on the Internet?

10. Is your anti-virus software deployed on all relevant servers and up to date?

11. Do you have separate staging areas to test on before deploying to production?

12. Does all application communication use a strong encryption algorithm? Have you retired any use of the less secure MD5 algorithm, very popular in the past?


13. Do you background check all employees before you hire them in case of a criminal history?

14. Do you have a signed confidentiality agreement on file with all your employees and do subcontractors have such agreements on file with all their personnel?

15. Do you train all personnel on data security and test them annually to check they understand?

16. When an employee leaves, do you remove all their access? Do you have a procedure to audit this to confirm it’s really happened?

17. Do you follow industry good practice in software development to reduce surface areas of attack and protect against security vulnerabilities?

18. Do you have a dedicated security team reporting in to an executive officer of the company?

Putting it all together to ensure you don’t lose the “crown jewels” of your assessment data

19. Are regular penetration tests run against the system by a third-party supplier?

20. Do you destroy faulty or end-of-life disks to ensure no-one can later access the data?

21. Do you have a disaster recovery plan? If you lose your email or another key system, can you still communicate internally and with customers, and have you tested this?

22. Are you transparent about your security? For instance, did you disclose what you did about the Heartbleed vulnerability that impacted much of the Internet in April 2014?

23. Can I see real-time information on the current status and uptime, and access statistics from round the world? See http://status.questionmark.com for an example of what you might look for from a provider.

24. Are results data backed up safely and off-site (over the Internet) at least hourly, so that in the event of a catastrophe, you would not normally lose more than an hour’s worth of data?

I hope this list of questions helps you think about your assessment security over midsummer and all the other days of the year. In case you’re wondering, if you use Questionmark OnDemand, the answers to all the questions are “yes”.

Click here to see Questionmark’s security video.

Securing online assessment content, exam results and personal information

Posted by Joan Phaup

How safe are your online assessment content and exam results?
How secure is the personal information you store?
How would a data breach impact your organization’s reputation?

Secure test delivery and painstaking protection of data are crucial for successful online testing and assessment programs.

Find out in this video about the many measures we take to provide a secure assessment platform and keep information safe.

You will find more information in the Questionmark White Paper, Delivering Assessments Safely and Securely


Podcast: John Kleeman on Questionmark’s expanding assessment cloud

Posted by Joan Phaup

John Kleeman

We recently celebrated a major expansion of our cloud-based Questionmark OnDemand service with the addition of Questionmark’s European Data Centre to the service we have been providing for some time in the United States.

Wanting to learn more about the reasons for adding the new data centre, I spoke with Questionmark Chairman John Kleeman about the transition many customers are making to cloud-based assessment management.

Here are some of the points we covered:

  • why software-as-a-service offers a reliable, secure and cost-effective alternative to deploying assessments from in-house servers
  • the importance of giving customers the option of storing data either in the United States or the European Union
  • the extensive security procedures, system redundancy, multiple power sources, round-the-clock technical supervision and other measures that make for reliable cloud-based assessments
  • the relative merits of Questionmark OnDemand (cloud-based) and Questionmark Perception (on-premise) assessment management — and how to choose between them

You can learn more by listening to our conversation here and/or reading the transcript.

Podcast: Essentials of Data Security for Online Assessments

Posted by Joan Phaup

Sean Decker

Data security being a crucial component of Questionmark’s D3 platform for Questionmark OnDemand hosted and subscription solutions, I got together recently with Questionmark chairman John Kleeman and Sean Decker, our IT architect, to learn more about how we ensure the safety and security of confidential data.

John Kleeman

I peppered John and Sean with questions about everything from intrusion detection systems to precautions for preventing the loss of data. We talked about the extensive protections at our SAS 70 Type II-certified data center, employee training on data security, multiple firewalls, encryption and other safeguards as well as the ways in which our software development process addresses potential security issues.

Questionmark takes the subject of data security very seriously, and our conversation was both serious and fascinating. If you’d like to know more about this subject, I hope you will listen in.