Do It Yourself Security Assessment: How Does Your Program Stack Up?
Originally Published in Certification Magazine, 4/2005
Do you know what your test security risks are? It’s important to determine if you have sound practices in all aspects of your testing program. You can classify security risks into the following categories: security planning, budgeting and resource allocation; policies and program agreements; item development, test design and scoring; test publication and administration; test systems and databases; physical security; and test incident action plan.
I’ve created a self-assessment that can be completed in just a few minutes. If your answer is no to any of these questions then your program may be at risk.
- Do you have a comprehensive test security plan? This plan would include information on how to manage security risks during each aspect of the exam process as well as a resource allocation plan for implementation (including budgeting, staffing and outsourcing). The plan needs to be accessible to all of those involved in the test development and maintenance process.
- Have you established ownership of your test content? This would include transfer of ownership from content providers to your organization as well as filing a copyright for each exam.
- Were your test items and tests designed with security in mind? For example, are you using innovative item formats that may make the test content more difficult to memorize, and are you using robust test designs that limit item exposure?
- Is your test content protected during the test publication and administration process? Do you require multiple forms of identification, including a government-issued ID, in order to take an exam? Do you prohibit the use of electronic devices during the testing event?
- Is your infrastructure secure? Are your systems designed to protect the privacy of your examinees? In the case of computer-based exams, are your files encrypted during transmission to and from test sites?
- Are your test materials and test results stored in a secure location? Are your materials (including servers) stored in a bonded warehouse or storage room under lock and key?
- Do you have a test incident action plan? Does your organization have a plan for responding to known security breaches? This response may involve further investigation and evaluation of compliance by the individuals or organizations involved. The plan also includes appropriate and measured responses to the breach.
The purpose of this assessment is to get you thinking about where you might improve your test security practices. The assessment above is just a sampling of where you may be at risk. A review of your processes, policies and procedures will allow you to determine areas of risk so that you can prioritize these risks and develop an action plan to minimize them. The mere act of doing an audit/review will also raise awareness of security issues within your organization.
I highly recommend developing both a comprehensive security plan and a test incident action plan. The other subtopics will fall under each of these plans. Do the analysis on what you’ve been doing so that you can go forward with confidence and less risk. Or, as Kierkegaard said, “Life can only be understood backwards; but it must be lived forwards.”