2016 Recap: 12 million+ assessments; 99.98% uptime

Posted by Julie Delazyn

Every day Questionmark customers around the world are deploying high-stakes assessments. In 2016 alone, more than 12 million assessments were delivered through Questionmark OnDemand's platform. 12 million-plus assessments is huge: that works out to roughly one assessment being completed every 2.5 seconds, all year round. But when the stakes are high and the demand is even higher, the number one priority is making sure that your system is up and running.

Keeping up with demand has been Questionmark’s #1 priority, and we set high standards for ourselves. That’s why we’re excited to announce that in 2016, we exceeded our 99.9% uptime target on both our European-based and US-based services – averaging over 99.98% uptime for our assessment delivery service throughout the year.

And we believe in transparency. You can check the current performance and availability status of Questionmark OnDemand at any time here: http://status.questionmark.com/

We know that obtaining optimal availability at all times is peace of mind for our customers and their test takers, and we look forward to protecting that uptime in 2017.

SAML 101

Posted by Bart Hendrickx

As I mentioned in my previous post on SSO, Single Sign-On: Who’s Involved?, we’ll take a look at SAML to understand what it is and how it’s used with SSO. In this post I’ll explain what SAML is, and I will offer an example use case in my next post.


So, What Is SAML?

SAML, or Security Assertion Markup Language, is an XML-based open standard for exchanging authentication and authorization data about users between systems. (It covers other use cases as well, but I will focus on authentication.) What does that mean? It means that one system can ask: “Who is this user?” and another system can answer: “This is Jane Doe.” As I mentioned in my previous post, these are the service provider (SP) and the identity provider (IdP) respectively.

Service providers (SPs) in this context can be any software system with which you can do something, such as sending and receiving email, tracking projects or delivering assessments. Similarly, an identity provider (IdP) can be any software system that contains data on users that you can use to determine who those users are.

If you manage an SP, you probably don’t want just any IdP telling you who someone is. You will typically trust only one or a few IdPs. And if you are in charge of an IdP, you will likewise prefer to send user data only to those SPs you know and trust. To accomplish that, the SP and IdP exchange data that allow them to establish a trust relationship. Those data are often called federation metadata, federation referring to the fact that there is an alliance between the different systems. In SAML, each party’s metadata is an XML document listing its unique entity ID, the URLs of its SAML endpoints and the certificate it uses to sign messages; the SP uses the IdP’s certificate from that metadata to verify that an assertion really came from the IdP it trusts, and the IdP uses the SP’s metadata to know where it may send assertions.

SAML is a popular protocol to set up such federations between service providers and identity providers. Look up SAML in your favorite search engine and you will get many results. One of its advantages is that it is extensible, meaning that you can exchange information that is relevant to your situation. For example, do you have an IdP that stores the hire date for an employee (or enrollment date of a student)? Do you want to share those data with an SP so that it can decide whether the user is allowed to access a certain resource? Then you can set up the federation in such a way that the IdP will send an attribute for hire (or enrollment) date to the SP.

Another advantage, and it is a huge one, is that SAML can be used in situations where the IdP and SP cannot talk to each other directly, for example because they are on different networks. You may have an IdP running on your internal network, behind a firewall. Your SP may be available in the cloud, as is the case with Questionmark OnDemand. The SP cannot talk to the IdP because it cannot “see” it. That’s not a problem for SAML: in its Web Browser SSO profile, every message between SP and IdP is carried by the user’s browser (as an HTTP redirect or a form POST), so the two systems only need to be reachable by the browser. The flip side is that the SP receives the assertion from the browser rather than from the IdP, so before accepting it the SP must verify the IdP’s signature on it and check that the assertion is addressed to this SP and is still within its validity period. In my next post, we’ll take a look at a typical use case so we can see the practicality of using SAML with SSO.


Single Sign-On: Who’s Involved?

Posted by Bart Hendrickx

This is the third post in a series on single sign-on (SSO). Go here for posts 1 and 2:

  1. Single sign-on: secure and easy access
  2. Single Sign-On Pros and Cons

In my first post, I offered this definition for SSO:

Single Sign-On (SSO) for software is the ability for one application, the identity provider, to tell another application, the service provider, who you are.

As you can gather from that definition, SSO involves two parties: the identity provider and the service provider. That is not the complete picture. In many cases, there is also the user and the user agent.

In this post, I explain who those parties are.

Service Provider (SP)

The service provider (SP) is the system a user wants to do something with. For example, Questionmark OnDemand: the user can be a participant who wants to take an assessment. Questionmark OnDemand provides the service of delivering an assessment that the user can take.

When single sign-on is set up, the SP relies on another system to authenticate a user. Therefore, the service provider is also called the relying party (RP). To keep things simple, I will stick to using “SP”.

Identity Provider (IdP)

You know that the SP relies on another system for authentication. That other system is called the identity provider (IdP). The IdP provides identity information on a user to the SP, so that the SP can make a decision to let the user in.

There are many systems that can act as identity providers and some systems specialize in identity. You will recognize many of these: Microsoft Active Directory, Google Account, Facebook, Twitter, LinkedIn—the list is very long.

User

There is nothing special about the user: this is simply the person who wants to do something, such as the participant who wants to take an assessment. Well, the user does not need to be a person; it can also be a system. I will continue using the concept of “person” when I talk about “user”, for simplicity. (Did I already tell you I like to keep things simple?)

This party is sometimes called the principal.

User Agent

The user agent is a piece of software, an application, which acts on behalf of the user. That sounds complicated, so let me give you an example. Your web browser is a user agent. When you visit a web page, your browser requests content on your behalf. Is an image referenced in the content? Your browser downloads it, on your behalf. Do you want to submit a form, such as an order with payment details? Your browser sends the information to the website, on your behalf.

In the context of SSO, the user agent often is a browser or an application that can access something on the Internet, such as an app on your smartphone to read emails or access a social network.

The Parties Working Together

Let me bring this together in a picture.

(Diagram: a group of users, their web browser acting as user agent, the service provider and the identity provider.)

You see a group of users, say, participants who want to take an assessment. They use their web browser, which is a user agent, to connect to the service provider; Questionmark OnDemand in this example.

The service provider relies on an identity provider to say who these users are. In this example, instead of talking directly to the identity provider, the service provider talks to the user agent (browser), which talks to the identity provider. “Who is this user?” the user agent asks the identity provider on the service provider’s behalf. The user may need to enter a username and password, on a page which is, you guessed it, displayed by the user agent.

When the identity provider successfully authenticates the user, it responds to the user agent: “This is Jane Doe.” The user agent passes that information on to the service provider, which then decides to give access: “This is Jane Doe and she is a participant; I will make this assessment available to her.”

How can the service provider and identity provider talk to each other, in this case indirectly through the user agent (browser)? They speak a shared language: a protocol that is used to exchange identity information. Several such protocols are popular; I will discuss them in a following post.
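The browser-mediated exchange described above, and the trust checks the SAML 101 post says an SP must make, as one added example in Python. This is illustration code written for this page, not Questionmark’s implementation; the entity IDs, the ACS URL, the user Jane Doe and her hireDate/displayName attributes are constructed for the demo. It builds the SP’s AuthnRequest, has the IdP answer with a Response carrying one assertion, relays both through a simulated browser, and then runs the SP-side checks (trusted issuer, InResponseTo, Destination, status, validity window, audience) before extracting the identity and attributes. It deliberately does not implement XML Signature verification; a real SP verifies the signature with the IdP certificate from federation metadata before any of the other checks.

```python
import base64
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from xml.sax.saxutils import escape

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}

# What each side knows about the other from federation metadata. The entity IDs
# and the URL are assumptions made up for this example, not real endpoints.
IDP_ENTITY_ID = "https://idp.example.org/saml"
SP_ENTITY_ID = "https://sp.example.com/saml"
SP_ACS_URL = "https://sp.example.com/saml/acs"   # the SP's Assertion Consumer Service
TRUSTED_IDPS = {IDP_ENTITY_ID}                   # the SP trusts this IdP and no other
EXAMPLE_NOW = datetime(2016, 6, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock for the demo


def _ts(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def sp_build_authn_request(now):
    """SP side: build the AuthnRequest the browser carries to the IdP.
    Returns (request_id, base64 message); the SP keeps request_id in the
    user's session so it can later check the response's InResponseTo."""
    request_id = "_" + secrets.token_hex(16)
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
           f'ID="{request_id}" Version="2.0" IssueInstant="{_ts(now)}">'
           f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')
    return request_id, base64.b64encode(xml.encode()).decode()


def idp_issue_response(encoded_request, name_id, attributes, now,
                       issuer=IDP_ENTITY_ID, lifetime=timedelta(minutes=5)):
    """IdP side: after the user has logged in at the IdP, answer the request.
    The IdP takes the SP's ACS URL from metadata, not from the request.
    `issuer` is a parameter only so the tests can simulate an untrusted IdP."""
    request = ET.fromstring(base64.b64decode(encoded_request))
    attr_xml = "".join(
        f'<saml:Attribute Name="{escape(name, {chr(34): "&quot;"})}"><saml:AttributeValue>'
        f'{escape(value)}</saml:AttributeValue></saml:Attribute>'
        for name, value in attributes.items())
    xml = (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
           f'ID="_{secrets.token_hex(16)}" Version="2.0" IssueInstant="{_ts(now)}" '
           f'Destination="{SP_ACS_URL}" InResponseTo="{request.get("ID")}">'
           f'<saml:Issuer>{issuer}</saml:Issuer><samlp:Status><samlp:StatusCode '
           'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
           f'<saml:Assertion ID="_{secrets.token_hex(16)}" Version="2.0" '
           f'IssueInstant="{_ts(now)}"><saml:Issuer>{issuer}</saml:Issuer>'
           f'<saml:Subject><saml:NameID>{escape(name_id)}</saml:NameID></saml:Subject>'
           f'<saml:Conditions NotBefore="{_ts(now)}" NotOnOrAfter="{_ts(now + lifetime)}">'
           f'<saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience>'
           '</saml:AudienceRestriction></saml:Conditions>'
           f'<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>'
           '</saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()


def sp_consume_response(encoded_response, expected_request_id, now):
    """SP side: the checks to make before believing "This is Jane Doe".
    Raises ValueError at the first failed check, else returns the identity.
    NOT implemented here: verifying the XML Signature with the IdP certificate
    from metadata. A real SP does that before anything below; without it,
    anyone driving a browser can forge this message, since it arrives from
    the browser and not from the IdP."""
    resp = ET.fromstring(base64.b64decode(encoded_response))
    issuer = resp.findtext("saml:Issuer", namespaces=NS)
    if issuer not in TRUSTED_IDPS:
        raise ValueError(f"untrusted issuer {issuer!r}")
    if resp.get("InResponseTo") != expected_request_id:
        raise ValueError("response does not answer our request (replay or mix-up)")
    if resp.get("Destination") != SP_ACS_URL:
        raise ValueError("response was addressed to a different endpoint")
    status = resp.find("samlp:Status/samlp:StatusCode", NS).get("Value")
    if not status.endswith(":Success"):
        raise ValueError(f"IdP reported {status}")
    assertion = resp.find("saml:Assertion", NS)
    if assertion is None or assertion.findtext("saml:Issuer", namespaces=NS) != issuer:
        raise ValueError("assertion missing or issued by someone else")
    cond = assertion.find("saml:Conditions", NS)
    if not _parse_ts(cond.get("NotBefore")) <= now < _parse_ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion is outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise ValueError("assertion was issued for another SP")
    attributes = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
                  for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"name_id": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS),
            "attributes": attributes}


def browser_sso_flow(now=EXAMPLE_NOW, delay_seconds=30, idp=IDP_ENTITY_ID):
    """The whole exchange. The browser relays both messages; SP and IdP never
    connect to each other. delay_seconds is how long the browser takes to
    deliver the response (a large value shows the expiry check failing)."""
    request_id, request = sp_build_authn_request(now)         # SP -> browser -> IdP
    response = idp_issue_response(                             # IdP -> browser -> SP
        request, "jane.doe@example.org",                       # constructed sample user
        {"displayName": "Jane Doe", "hireDate": "2014-03-01"}, now, issuer=idp)
    return sp_consume_response(response, request_id, now + timedelta(seconds=delay_seconds))


if __name__ == "__main__":
    print(browser_sso_flow())
```

Running the file prints Jane Doe’s NameID and attributes, which is what the SP would map to a participant. Two details to keep in mind when moving from this sketch to a real deployment: the validity-window comparison should allow a small clock skew between IdP and SP, and the InResponseTo check only protects against replay if the SP also discards each request ID after its first use.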

Next Gen Authoring & Intro to Questionmark – don’t miss these webinars!

Posted by Julie Delazyn

Helping our customers understand how to use assessments effectively is as important to us as providing good testing and assessment technologies.

Our free, one-hour web seminars give you the opportunity to find out what’s happening in the world of online assessment and consider which tools and technologies would be most useful to you. Here’s the current line-up:

Authoring Questions and Assessments with Questionmark OnDemand

This 45-minute webinar demonstrates the “next generation” authoring tool in Questionmark OnDemand. The session will show the basics of authoring items and then organizing them into assessments.

Introduction to Questionmark’s Assessment Management System

Learn the basics of authoring, delivering and reporting on surveys, quizzes, tests and exams. This introductory web seminar explains and demonstrates key Questionmark features and functions.

If you’ve been waiting for a webinar in Portuguese, you don’t want to miss this one:

How to use Questionmark’s assessment platform in compliance with RDC No. 17 of 2010

An introduction to management technologies for measuring the knowledge and skills of your workforce in compliance with ANVISA requirements, using the solutions of Questionmark’s OnDemand assessment platform.

Click here to choose your complimentary webinar and register online. And if you have any questions, don’t hesitate to reach out to us!


Role-Based Permissions: A How-To Guide (Part 2)

Posted by Bart Hendrickx

In my previous post on this subject (How-To Guide Part 1), I described a situation where managing permissions in the classic version of Questionmark Enterprise Manager can quickly turn into a complicated task. The new version of Questionmark, which we are starting to roll out to Questionmark OnDemand customers, offers a more efficient approach: managing permissions based on the tenets of role-based access control.

Interested in learning more about role-based permissions? Drop in on my session on this topic at Questionmark Conference 2016. Register before March 3 to take advantage of our final early-bird discounts.

The principle of role-based access control is that you use roles to define what users can do in the system. You are free to choose what a role is in your organization. You can tie it to a job title and create a role such as Learning and Development Specialist. You can map it to a role on a project team (e.g. the role of setting up a project for an employee satisfaction survey) and create a role like Project Owner. Or you can use any of the default roles that ship with the new version of Questionmark OnDemand, such as Admin and Reporter.

Roles contain permissions. For example, the Reporter role contains a set of permissions to run all reports on all results. When you add that role to a user, that user inherits those permissions. So far, this is similar to how profiles work in the classic version of Questionmark.

The power of the new role-based access control system becomes obvious when you want to give more roles to a user. In the classic version of Questionmark, you can assign only one profile to a user. In the new version, you can assign multiple roles to a user. Do you have a role for creating test items and another one for running reports, and do you have a user who will take on both roles? No problem: assign both roles to the user.

Another advantage of the new role-based access control system is that you can change the permissions of a role, which will automatically trickle down to all users who have that role. Do you want to remove the permission to run a Grade Book report from all users who have the Reporter role? Remove the permission from the Reporter role and you are done.

To ensure there are no loopholes, the new version of Questionmark OnDemand makes it impossible to assign permissions directly to users. Instead, all permissions are granted within roles, so a user’s effective permissions are always the union of the permissions of the roles they hold, and a review of the roles is a complete review of who can do what.
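The three properties described above (a user may hold several roles, a change to a role reaches every holder at once, and permissions cannot be attached to a user directly) as a small role-based access control model in Python. This is an added example written for this page, not Questionmark’s code; the role names Reporter and Author, the permission strings such as report:gradebook and the users jane and tom are made up for the demo.

```python
from collections import defaultdict


class PermissionsAreRoleScoped(TypeError):
    """Raised on any attempt to attach a permission to a user directly."""


class AccessControl:
    """Roles hold permissions; users hold roles; nothing else grants access."""

    def __init__(self):
        self._role_perms = {}                  # role name -> set of permissions
        self._user_roles = defaultdict(set)    # user name -> set of role names

    def define_role(self, role, permissions=()):
        self._role_perms[role] = set(permissions)

    def grant(self, role, permission):
        """Add a permission to a role; every holder of the role gets it at once."""
        self._role_perms[role].add(permission)       # KeyError for an unknown role

    def revoke(self, role, permission):
        """Remove a permission from a role; every holder loses it at once."""
        self._role_perms[role].discard(permission)

    def assign(self, user, role):
        if role not in self._role_perms:
            raise KeyError(f"unknown role {role!r}")
        self._user_roles[user].add(role)             # a user may hold several roles

    def unassign(self, user, role):
        self._user_roles[user].discard(role)

    def effective_permissions(self, user):
        """Union of the permissions of every role the user holds. Computed at
        check time from the roles, so an edit to a role is visible immediately
        and a user with no roles has nothing (default deny)."""
        roles = self._user_roles.get(user, ())
        return frozenset().union(*(self._role_perms[r] for r in roles))

    def can(self, user, permission):
        return permission in self.effective_permissions(user)

    def who_can(self, permission):
        """The audit question the role model makes cheap: who can do this?"""
        return sorted(u for u in self._user_roles if self.can(u, permission))

    def grant_to_user(self, user, permission):
        """Deliberately unsupported: a per-user grant would be a loophole that
        role edits cannot reach and a role review cannot see."""
        raise PermissionsAreRoleScoped(
            f"cannot grant {permission!r} to {user!r}; add it to one of the user's roles")


def demo():
    """Walk through the post's scenario with made-up role and permission names."""
    ac = AccessControl()
    ac.define_role("Reporter", {"report:results", "report:gradebook", "report:item-analysis"})
    ac.define_role("Author", {"item:create", "item:edit", "assessment:assemble"})
    ac.assign("jane", "Reporter")
    ac.assign("jane", "Author")                  # two roles on one user
    ac.assign("tom", "Reporter")
    before = ac.who_can("report:gradebook")
    ac.revoke("Reporter", "report:gradebook")   # one edit, every Reporter affected
    after = ac.who_can("report:gradebook")
    return {"jane_can_author_and_report": ac.can("jane", "item:create")
                                          and ac.can("jane", "report:results"),
            "gradebook_before": before, "gradebook_after": after}


if __name__ == "__main__":
    print(demo())
```

Running the file shows jane holding both roles, both users able to run the Grade Book report before the revoke and nobody afterwards. Computing effective permissions at check time rather than copying them onto the user is what makes the role edit trickle down; if an implementation caches the union per user, it has to invalidate that cache on every role change.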

If you are a Questionmark OnDemand user interested in moving to the new version, contact your account manager. And if you are attending Questionmark Conference 2016, April 12-15, feel free to drop in on my session on this topic. Register before March 3 to take advantage of our final early-bird discounts.

The 12 responsibilities of a data controller, part 1

Posted by John Kleeman

In my earlier post, Responsibilities of a Data Controller When Assessing Knowledge, Skills and Abilities, I suggested there are 12 responsibilities of assessment sponsors acting as Data Controllers when delivering assessments in Europe.

Here is an outline of the first 6 of these:

1. Inform participants

A key principle of data protection is that you tell people what is being done with their data. At a minimum, you need to inform assessment participants of:

  • your identity and contact details
  • the purposes of the assessment and of any processing of its results
  • who will see the assessment results
  • the rights of the participant under data protection law to see data and correct inaccuracies
  • use of Internet “cookies” in delivering assessments

2. Obtain informed consent

It’s usually recommended to get informed, explicit and recorded consent from everyone whose data you process. You can ask for consent on the first screen of an assessment or in a prior agreement with test-takers. Failure to gain informed consent can have consequences. Case in point: a Portuguese company was fined €20,000 for hiring a third party to assess the professional skills of its employees without notifying them or gaining consent.

3. Ensure that data held is accurate

You are required to ensure that data is accurate and up to date. In the assessment context, this might include ensuring that if you hold data about someone being certified or not certified, the data is accurate and up to date. It also likely means requiring your assessment itself to be accurate, i.e. created and delivered using appropriate procedures that ensure accuracy. See the Questionmark white papers, “Five Steps to Better Tests” and “Defensible Assessments: What You Need to Know”, for some guidance in this area. These papers are available from https://help.questionmark.com/content/white-papers.

Supervisory authorities can also issue penalties if you fail to maintain accurate data and this causes distress. For instance, a UK company was fined UK£50,000 in 2012 for mixing up two individuals’ data and failing to correct it over a period of time.

4. Delete personal data when it is no longer needed

The regulations require that you do not keep data for longer than necessary and that the data you hold is relevant and not excessive. How long to keep assessment data will depend on the purpose of the assessment. An organization that delivers a formal certification program trusted by the community might want to keep assessment records for decades if those records contribute to the issuing of certificates. Other organizations that deliver casual quizzes to employees or stakeholders would likely choose to delete much sooner.

5. Protect against unauthorized destruction, loss, alteration and disclosure

This is a critical responsibility and one which typically requires the most effort and care from a Data Controller. You need to share assessment results only with those who are entitled to know about them and safeguard assessment data from being disclosed inappropriately, tampered with, lost or destroyed.

You are required to have in place “appropriate” organizational and technical measures commensurate with risk. Failure to put the appropriate measures in place can result in financial penalties. One UK organization was fined £150,000 in 2013 for failing to take appropriate technical security measures. If you use Questionmark OnDemand to deliver your assessments, many technical and organizational measures are taken care of for you. You will of course need to take care of any data once it leaves the Questionmark system, e.g. when it is downloaded to your systems.

6. Contract with Data Processors responsibly

As Data Controller, you are responsible for all the processing that your Data Processors and their Sub-Processors do. You need to contract appropriately with Data Processors, ensure they only process data under your instructions and ensure that they have appropriate technical and organizational measures. An organization was fined £250,000 in 2013 for failing to ensure that one of its processors safeguarded data properly. If you contract with Questionmark, we ensure that our data centres and other Sub-Processors comply with data protection law, and you should check that other suppliers you use also have this in place.

I hope this is helpful. I’ll write about the other 6 responsibilities next week. If you want more details or want to find out about the other 6 before my next post (!), you can download our white paper