Ten tips for securing your assessment system
Posted by John Kleeman
What can you do to make your assessment system more secure? How can you avoid a disruptive data breach where people’s personal information is disclosed? Using a vendor who takes security seriously reduces risk, as I wrote in my blog article Eight ways to check if security is more than skin deep. But security involves both vendor and user. This post gives ten good practice tips on how you as a user or administrator of an assessment system can reduce the risk of data breaches.
1. Don’t give yourself or other administrators unnecessary privileges. Follow the principle of least privilege. It may sound counter-intuitive, but most administrative users don’t need access to all capabilities and data within your system. Limiting access reduces the impact of a data breach if an account is compromised or someone makes a mistake. If you are using Questionmark, allocate appropriate roles to limit people to what they need.
2. When someone leaves the project or organization, remove their access. Don’t allow someone who has left your team to still have access to your assessment data.
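Tips 1 and 2 together describe a small access-control discipline: give each administrator a role that carries only the capabilities that role needs, and revoke access the moment someone leaves. The following Python example, added here and not code from Questionmark or from this post, models that discipline and adds two audits a defender would actually run: one that lists accounts still active after their owner has left, and one that lists capabilities granted to an account beyond what its owner uses. The role catalogue, capability names, usernames and dates are all constructed assumptions for the illustration.

```python
"""Least-privilege roles plus offboarding and audit checks for an assessment system.

Added example (not Questionmark's code). Roles, capabilities and the
sample user directory below are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set

# Assumed role catalogue: each role grants only what that job needs.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "author": {"question.read", "question.write"},
    "proctor": {"assessment.schedule", "assessment.monitor"},
    "report_viewer": {"result.read"},
    "system_admin": {"question.read", "question.write", "assessment.schedule",
                     "assessment.monitor", "result.read", "user.manage"},
}


@dataclass
class Account:
    username: str
    roles: Set[str] = field(default_factory=set)
    active: bool = True
    left_on: Optional[date] = None  # date the person left, if known


def permissions(account: Account) -> Set[str]:
    """Effective capabilities: the union of the account's roles, or nothing if disabled."""
    if not account.active:
        return set()
    return set().union(*(ROLE_PERMISSIONS[r] for r in account.roles))


def authorize(account: Account, capability: str) -> bool:
    """Return True only if the capability is granted by one of the account's roles."""
    return capability in permissions(account)


def offboard(account: Account, left_on: date) -> None:
    """Tip 2: disable the account and strip every role as soon as someone leaves."""
    account.active = False
    account.left_on = left_on
    account.roles = set()


def audit_stale_accounts(accounts: List[Account], today: date) -> List[str]:
    """Usernames whose owner has left (on or before today) but whose account is still active."""
    return sorted(a.username for a in accounts
                  if a.active and a.left_on is not None and a.left_on <= today)


def audit_overprivileged(accounts: List[Account],
                         capabilities_used: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Tip 1: capabilities each account holds beyond those its owner actually uses."""
    excess: Dict[str, List[str]] = {}
    for a in accounts:
        extra = permissions(a) - capabilities_used.get(a.username, set())
        if extra:
            excess[a.username] = sorted(extra)
    return excess


# Constructed sample directory: bob was given system_admin but only runs reports;
# carol left in January but nobody removed her account.
SAMPLE_ACCOUNTS: List[Account] = [
    Account("alice", {"author"}),
    Account("bob", {"system_admin"}),
    Account("carol", {"proctor"}, left_on=date(2016, 1, 15)),
]
SAMPLE_USAGE: Dict[str, Set[str]] = {
    "alice": {"question.read", "question.write"},
    "bob": {"result.read"},
    "carol": {"assessment.monitor"},
}


def run_audit(today: date = date(2016, 3, 1)) -> Dict[str, object]:
    """Run both audits over the constructed sample directory."""
    return {
        "stale": audit_stale_accounts(SAMPLE_ACCOUNTS, today),
        "overprivileged": audit_overprivileged(SAMPLE_ACCOUNTS, SAMPLE_USAGE),
    }


if __name__ == "__main__":
    print(run_audit())
```

Running the audit flags `carol` as a stale account and `bob` as holding five system_admin capabilities he never uses; the remedy for bob is to move him to `report_viewer`, and for carol to call `offboard`, after which `authorize` refuses every capability for her account. Keeping a record of what each person actually uses (the `SAMPLE_USAGE` mapping here) is what makes the over-privilege audit possible in practice.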
3. Follow good password security. Do not share passwords between people. Do not use the same password for two accounts. Choose strong passwords and change them periodically. If someone asks you for your password, never, ever give it. And if a web page doesn’t look right, don’t type your password into it.
4. Install all the patches and secure the system. A common cause of security breaches is failing to install the latest versions of software, and attackers exploit known vulnerabilities. You need to be proactive and always install the latest version of system and application software, set up good technical security and follow the vendor’s recommendations.
If you haven’t got the time or resources to do this properly, move to a cloud solution. In a cloud SaaS solution like Questionmark OnDemand, the vendor is responsible for updating Windows, updating the application, monitoring security and ensuring that everything is up to date.
5. Install good quality antivirus / anti-malware software. Reportedly, nearly a million new malware and virus variants are produced each day. Protect your computer and those of your co-workers with up-to-date, professional software to address this threat.
6. Protect any downloaded data. Questions, assessments and reports on results are generally safer on a server or in an on-demand service than on a workstation. If you need to download data locally, set up security procedures to protect it and try to ensure that any download is temporary only.
7. Dispose of data properly. Deleting a file on a computer doesn’t erase the data; it simply erases the index to it. If you use a reputable service like Questionmark OnDemand, a disk that is repaired or reaches end of life is securely destroyed, for example by degaussing. But if you download data locally or use installable software to manage your assessments, you need to do this yourself. A recent study suggested that about half of used hard drives sold online contain residual data. Make sure this is not your assessment data!
8. Be careful about clicking on a link or attachment in an email. Phishing attacks use email or malicious websites (clicking on a link) to collect sensitive information or infect your machine with malware and viruses. Such attacks could even be aimed at your organization or assessment activity directly (this is called spear phishing!). Think before clicking.
9. Be aware of social engineering. Social engineering is when someone tries to trick you or someone else into a security breach. For example, someone might ring up and claim to be a student who wants their results, but really be an imposter. Or someone might spoof an email from your boss asking for the questions for the next test to review. Be wary of strange phone calls or emails that ask for something urgent. If something seems suspicious, clear it with a security professional before you give out any information, or ask the caller to hang up so you can call them back on an official number.
10. Conduct security awareness training. If you’re not already doing this, organize training sessions for all your authors, proctors, administrators and other users to help them be security aware. If you can, deliver tests after the training to check understanding. Sharing this blog article with your co-workers would be a great way to start.