Eight ways to check if security is more than skin deep

Posted by John Kleeman

The assessment industry has always been extremely careful about exam security and ways to prevent cheating. As cloud and online assessment take over as delivery models, it is critical that we all deeply embed IT security in our culture, so that vulnerabilities in our systems don't leak sensitive data or disrupt the integrity of the assessment process.

Many years ago, Questionmark realized that data protection and IT security were critical to our success. We re-formed our culture to make security a priority. We followed our own path and looked for opportunities to learn from others such as Bill Gates and his famous trustworthy computing memo, part of which is quoted below:

… when we face a choice between adding features and resolving security issues, we need to choose security. Our products should emphasize security right out of the box, and we must constantly refine and improve that security as threats evolve. …  These principles should apply at every stage of the development cycle of every kind of software we create …

Questionmark understands that we're in an arms race. We stay vigilant and look for opportunities to improve our security. Here are eight key ways in which we have embedded security deep within our company. If you are an assessment provider, we'd encourage you to find your own way to follow suit. And if you are a customer, here are eight questions you can ask to identify whether an assessment provider is truly working to be as secure as it can, instead of just claiming to be secure when in fact security is only skin deep.

1. Who does the security function report to?

At Questionmark our security officer reports directly to me as Questionmark Chairman. If security reports into IT or product development, a security concern can be overruled by operational need. We've found this separation very helpful in ensuring security gets listened to throughout the organization.

2. Would a security flaw hold up a release?

In any sensible company, this has to be true. Feature improvements in software are important, but if there is a serious security issue, it needs to be fixed first. Developers need to know that they can’t make a release unless it is secure.

3. How do you check your employees know about security?

Questionmark trains all our employees on data security but how do we know they understand? We practice what we preach and everyone from senior management to sales to accounting to developers needs to take and pass a data security test every year to check understanding. I’d encourage everyone in the assessment industry to follow this approach.

4. How deep is your team’s knowledge of IT security?

SaaS security is complex. There are many layers to security and a weakness in any one of them can become a vulnerability. Equally, throwing resources at the wrong place won't really help. We are fortunate to have at least half a dozen experts within Questionmark who have deep knowledge of and passion for different aspects of security. This helps us get things right.

5. Is your ecosystem secure?

Every company operates in an ecosystem, and it's the ecosystem that needs to be secure. Questionmark works with our suppliers, subcontractors and partners to help them be secure, including offering training and advice. We even want our competitors to be secure, as any breach in the assessment industry would hurt all of us.

6. How transparent and open are you on your security?

Security through obscurity is not security. Questionmark shares information on the security of our OnDemand service in white papers (Security of Questionmark's US OnDemand Service and Security of Questionmark's EU OnDemand Service) and has "red papers" which describe our security and business continuity planning in detail, available under NDA to prospective customers. The review process, as customers ask questions about these documents, provides comfort for customers and gives us input to improve our security.

7. What kinds of external review do you allow?

As we shared in Third-party audits verify our platform's security, we have regular penetration tests of Questionmark OnDemand run by a third-party company, Veracode. We are also fortunate to have many customers who care deeply about security and undertake their own audits and reviews by experts. We welcome such review and learn from it to improve our own security.

8. Are you completely satisfied with your security?

Absolutely not. There is an arms race happening in the security world. Hackers and other bad actors are increasing their capabilities, and however good you are, if you rest on your laurels the arms race will overtake you. See for example the graph to the right from Verizon showing the increase in breaches over time.

Questionmark, like other good SaaS companies, has a policy of continual improvement – we want to be much better each year than the last.

This video provides an overview of how Questionmark builds security into its products from day one.

Tips for preventing cheating and ensuring assessment security: Part 2

Posted by Julie Chazyn

My previous post offered three tips on making your assessments more secure and preventing cheating. Here are four more. You will find additional information about this in "Delivering Assessments Safely and Securely," and I'll be mentioning other security tips in my future posts. I hope you will respond with your own ideas about avoiding the problem of cheating on tests.

Screening participants who achieve perfect scores

Given the rarity of perfect scores on assessments, consider doing some investigating when you see one. Many organizations do this automatically. This might include interviewing the exam proctor and doing other checks to ensure no suspicious behavior has occurred.

Verifying expected IP addresses

If you are administering an assessment at a specific location, you will likely be able to obtain the IP address (or address range) from which that location's computers reach your assessment server before the exam takes place. You can then compare it with the address recorded alongside each result and tell whether participants took the assessment there or at an unauthorized location. Bear in mind that computers behind a shared router or corporate proxy all appear with the same public address, so it is the location's outbound address you need to register, and that a mismatch is a reason to investigate rather than proof of cheating.
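The check described above, written out as an added example (this is illustrative code, not part of the original post or of any assessment product). It assumes a hypothetical allow-list that maps each test centre to the address ranges registered for it in advance, and it uses constructed result records of the form an assessment platform might export: participant id, scheduled centre, and the client address recorded with the result. Anything that does not match cleanly is reported with a reason so the proctor can follow up.

```python
import ipaddress

# Hypothetical allow-list: test centre -> outbound address ranges registered
# for that centre before the exam (constructed for this example).
CENTRE_RANGES = {
    "London-1": ["203.0.113.0/28"],
    "Chicago-2": ["198.51.100.64/26", "198.51.100.200/32"],
}

# Constructed result records: (participant id, scheduled centre,
# client address recorded with the result).
RESULTS = [
    ("p001", "London-1", "203.0.113.5"),
    ("p002", "London-1", "203.0.113.200"),   # outside the centre's range
    ("p003", "Chicago-2", "198.51.100.100"),
    ("p004", "Chicago-2", "2001:db8::1"),    # IPv6 client, only IPv4 registered
    ("p005", "Chicago-2", "not-an-ip"),      # corrupt or unparseable record
]


def build_networks(centre_ranges):
    """Parse the allow-list once; strict=True rejects ranges with host bits set,
    which usually means the range was typed in wrongly."""
    return {
        centre: [ipaddress.ip_network(r, strict=True) for r in ranges]
        for centre, ranges in centre_ranges.items()
    }


def check_result(centre_nets, centre, address):
    """Classify one result as 'ok', 'unexpected-location',
    'unknown-centre' or 'unparseable'."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return "unparseable"
    nets = centre_nets.get(centre)
    if nets is None:
        return "unknown-centre"
    # Membership tests across address families are always False in the
    # ipaddress module, so an IPv6 client never matches an IPv4 range.
    if any(ip in net for net in nets):
        return "ok"
    return "unexpected-location"


def screen_results(results, centre_ranges=CENTRE_RANGES):
    """Return {participant id: reason} for every result that needs follow-up."""
    centre_nets = build_networks(centre_ranges)
    flagged = {}
    for pid, centre, addr in results:
        status = check_result(centre_nets, centre, addr)
        if status != "ok":
            flagged[pid] = status
    return flagged


if __name__ == "__main__":
    for pid, reason in screen_results(RESULTS).items():
        print(f"{pid}: {reason}")
```

Two practical notes. The recorded address must be the one your server actually saw; if the assessment platform sits behind a load balancer, take the client address from a forwarding header only when the request came from that load balancer, since a participant can set such a header themselves. And participants on a VPN show up with the VPN's exit address, so an unexpected-location flag is a trigger to check with the proctor, not a verdict.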

Using Trojan horse or stealth items

Use Trojan horse or stealth items to help detect whether a participant has memorized the answer key. Stealth items look just like the other questions, but they are purposely keyed incorrectly, and they are generally included as non-scored items on the assessment so that honest participants are not penalized by the bad key. A participant who is simply reproducing a memorized answer key will tend to choose the miskeyed alternative rather than the genuinely correct one. Participants with otherwise reasonable scores who got the stealth items "correct" according to the faulty key might therefore have memorized the answer key.
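The screening logic for stealth items, combined with the perfect-score screen from earlier in this post, as an added example (illustrative code, not from the original post or any assessment product). It assumes a constructed answer key in which each item records both the answer as published in the (possibly leaked) key and the genuinely correct option; stealth items are the ones where the two differ. The thresholds for a "reasonable" score and for how many stealth hits count as suspicious are assumed values that an organization would tune to its own assessments.

```python
# Constructed answer key. 'keyed' is the option marked correct in the answer
# key that might leak; 'actual' is the genuinely correct option. Stealth items
# are deliberately miskeyed and are excluded from the score.
KEY = {
    "q1": {"keyed": "B", "actual": "B", "stealth": False},
    "q2": {"keyed": "D", "actual": "D", "stealth": False},
    "q3": {"keyed": "A", "actual": "C", "stealth": True},   # miskeyed on purpose
    "q4": {"keyed": "C", "actual": "C", "stealth": False},
    "q5": {"keyed": "B", "actual": "D", "stealth": True},   # miskeyed on purpose
    "q6": {"keyed": "A", "actual": "A", "stealth": False},
}

# Constructed responses: participant id -> {item id: chosen option}.
RESPONSES = {
    "p001": {"q1": "B", "q2": "D", "q3": "C", "q4": "C", "q5": "D", "q6": "A"},  # knows the material
    "p002": {"q1": "B", "q2": "D", "q3": "A", "q4": "C", "q5": "B", "q6": "A"},  # reproduces the key
    "p003": {"q1": "A", "q2": "D", "q3": "A", "q4": "B", "q5": "B", "q6": "C"},  # weak, mostly guessing
    "p004": {"q1": "B", "q2": "D", "q3": "A", "q4": "C", "q5": "D", "q6": "B"},  # decent, one stealth hit
}


def score_participant(answers, key=KEY):
    """Return (score, stealth_hits, stealth_total) for one participant.

    score        fraction of non-stealth items answered with the actual correct option
    stealth_hits number of stealth items where the participant chose the option
                 that is 'correct' only according to the miskeyed answer key
    Unanswered items count as wrong for both measures.
    """
    scored = [q for q, item in key.items() if not item["stealth"]]
    stealth = [q for q, item in key.items() if item["stealth"]]
    if not scored:
        raise ValueError("answer key contains no scored items")
    correct = sum(1 for q in scored if answers.get(q) == key[q]["actual"])
    hits = sum(1 for q in stealth if answers.get(q) == key[q]["keyed"])
    return correct / len(scored), hits, len(stealth)


def screen(responses, key=KEY, min_score=0.6, min_stealth_hits=2):
    """Return {participant id: [reasons]} for participants worth a closer look.

    'perfect-score'  every scored item correct (investigate, as the post suggests)
    'memorised-key'  a reasonable score together with enough stealth hits that
                     the participant is probably reproducing the leaked key
    The thresholds are assumed values; tune them per assessment.
    """
    flagged = {}
    for pid, answers in responses.items():
        score, hits, _ = score_participant(answers, key)
        reasons = []
        if score == 1.0:
            reasons.append("perfect-score")
        if score >= min_score and hits >= min_stealth_hits:
            reasons.append("memorised-key")
        if reasons:
            flagged[pid] = reasons
    return flagged


if __name__ == "__main__":
    for pid, reasons in screen(RESPONSES).items():
        print(f"{pid}: {', '.join(reasons)}")
```

Note why the score condition matters: a weak participant who guesses can land on the miskeyed option by chance, so stealth hits alone would generate false positives; it is the combination of a good score on real items and systematically choosing the wrong-but-keyed options that points at a memorized key. Keep the miskeyed option unambiguously wrong, otherwise a knowledgeable participant could legitimately choose it.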

Reveal that cheater prevention tactics are used

Informing participants that reviews are regularly conducted to identify cheaters is a simple way to decrease the temptation to cheat. You don’t need to provide details about the sort of reviews you conduct, but do let participants know that cheater-detection tactics are regularly employed.