Security in the final step of test delivery

Copyright © 1995-2012 Questionmark Corporation and/or Questionmark Computing Limited, known collectively as Questionmark. All rights reserved. Questionmark is a registered trademark of Questionmark Computing Limited. All other trademarks are acknowledged. Security in the Final Step of Test and Exam Delivery

Transcript of Security in the final step of test delivery

Page 1: Security in the final step of test delivery

Security in the Final Step of Test and Exam Delivery

Page 2: Security in the final step of test delivery

Key drivers for secure assessment delivery

• Protection of candidate/student/employee PII (Personally Identifiable Information)
• Protection of valuable assessment content. Tests/exams are expensive to develop:
  • Average corporate test: $20,000 USD
  • Average certification test: $150K to $200K
• Protect integrity of test/exam results. A lot could be on the line…
  • Reputation
  • Life and Limb

Page 3: Security in the final step of test delivery

Low/High to High/High Stakes Tests

[Figure: scale of stakes. Levels: High, Medium, Low. Bands: Higher Stakes, Medium Stakes, Low Stakes. What’s at Stake? Life and Limb; Promotion & Jobs & Legal Concern; Educational Exams; Tests; Elearning & Surveys]

Page 4: Security in the final step of test delivery

Key Threats to be Addressed in High-stakes Exam Delivery

• Impersonation
• Content Theft
• Cheating

Page 5: Security in the final step of test delivery

Threat Level in Higher Stakes

[Figure: threat level by program type. Programs: Pre-employment; Public Certifications & Licensing; Regulatory Compliance; Sales and Technical Channel Verification. Labels: Short Term with Low Trust Relationships; Long Term with High Trust Relationships; Large Programs; Small Program]

• Higher threats require more “Oversight” and so cost more
• Lower threats require less “Oversight” and so cost less to administer

Page 6: Security in the final step of test delivery

Combating / Mitigating Threats

Page 7: Security in the final step of test delivery

Mitigate Leakage of Content

• Tight controls over the access to content
• Shuffling items and choices – limit exposure of item pool
• Not exposing the scoring algorithm beyond the content repositories/databases
• Securing, and only providing limited access to, the content repositories/databases
• Legally enforceable candidate agreements
• Vigorous follow up on infractions

Page 8: Security in the final step of test delivery

Mitigate Cheating

• Legally enforceable candidate agreements; formal honesty contracts
• Invigilation/proctoring
• Secure browsers/players on candidate devices

Page 9: Security in the final step of test delivery

Monitoring Tests Securely

Test Centers
• Personable, consistent
• Monitor vulnerable to unfair influence

Events (Classrooms or Conventions)
• Convenient, personable, consistent
• Monitor vulnerable to unfair influence

Remote Real-time 360 cam
• Monitor is less vulnerable
• New and not yet widespread

Remote Real-time webcam
• Monitor is less vulnerable
• Easy to deploy for use at home

Record & Review 360 or webcam
• Seems secure
• Nothing for content theft

Un-Monitored
• Works for employees
• Nothing for content theft

ID Fraud | Protect Content | Minimizes Cheating

√ √ √

√ √ √

√ X

√ X X

√ √ √

√ √ √

Page 10: Security in the final step of test delivery

Combating Technology Threats

• Physical Security Measures
• Environment monitoring
• Power & Network Monitoring
• Certifications

Page 11: Security in the final step of test delivery

Mitigation: Ensuring Data Security

• Formal data security policy
• Employees tested on policy
• Employee background checks
• Password policies
• Tracking of Highly Confidential data
• End of life disk policies

Page 12: Security in the final step of test delivery

Mitigation: Ensuring Network Security

• TLS/SSL security
• Intrusion detection
• Firewalls
• Anti-virus
• Multiple servers
• Segregated on separate networks
• Bastion host

[Diagram labels: Internet; Firewalls; Business Layer; Presentation Layer; Participants; Authors and Administrators; Data Layer]

Page 13: Security in the final step of test delivery

Mitigation: Ensuring Application Security

• Architecture
• Authentication
  • By application
  • External via single sign-on
• Encryption
• Logging
• Application Development

Page 14: Security in the final step of test delivery

Mitigation: Ensuring Physical Security of Data Center

• Bonded security staff on duty 24/7/365
• Multiple levels of physical security
• Environment monitoring
• Power & Network Monitoring

Page 15: Security in the final step of test delivery

Redundancy to Ensure Service Continuity

[Diagram labels: Power Grid (×2); Internet (×2); Generators; Batteries; Backup]

Page 16: Security in the final step of test delivery

Security in the Final Step of Test and Exam Delivery

www.questionmark.com