What organizational and technical measures are appropriate in assessment delivery?

Posted by John Kleeman

One of the key responsibilities of an assessment sponsor acting as data controller under European law is to implement appropriate technical and organizational measures to protect personal data. But what does appropriate mean?

And when you contract with a data processor to deliver assessments, you must ensure that the processor implements appropriate measures. But again, what does appropriate mean?

This is not just an academic question. A UK organization was fined £150,000 in 2013 for failing to protect personal data, with the regulator commenting that a key reason for the fine was “… the data controller has failed to take appropriate technical measures against the loss of personal data”.

The measures to use will depend on the risk to the data and to the assessment participant. For more information, you can download a complimentary version of the white paper: Responsibilities of a Data Controller When Assessing Knowledge, Skills and Abilities [requires registration].

Here are some measures to consider. They are all met by Questionmark if you delegate service delivery to Questionmark – though some also need action by you:

Measure | Questionmark OnDemand? | Your system?

Premises access control
  • Data center certified against ISO 27001 or SSAE 16
  • Two-factor authentication for staff and visitors
  • 24/7/365 personnel intrusion alarms
  • 24/7/365 monitored digital surveillance cameras
  • 23/7/365 security team on site at all times
  • Strong physical security in nondescript building to aid anonymity

System controls
  • Well configured firewalls in each tier
  • Intrusion Detection System or Intrusion Prevention System
  • Secure software development approach following best practices
  • Comprehensive anti-virus measures
  • Regular third party penetration testing
  • Regularly updated system and application software
  • 24/7/365 network monitoring

Data access control (authentication and authorization)
  • Individual, unique high strength passwords for all users (you need to action)
  • Users can easily be deleted when they leave an organization (you need to action)
  • Store administrator passwords in encrypted form
  • Administrators can be given access to only functions/data needed (you need to configure)
  • Participant login & identity can be confirmed by monitors/proctors (you need to configure)

Data transmission control
  • All participant access via well configured SSL/TLS
  • All administrator access to results via well configured SSL/TLS
  • Any data copied for troubleshooting purposes strongly encrypted
  • No need to send data physically – all data transmitted electronically

Data entry control (keeping track of who does what)
  • Able to present participant with information & record consent (you need to action)
  • Participant answers cannot be changed except with authority
  • Participant submissions recorded with time-stamp
  • Differential privileges for administrators, control over system functions (you need to configure)
  • Log important activities by administrators and other users

Contractual control
  • Have data protection compliant contracts with processors
  • Processing only performed on instructions from Data Controller
  • Logical or physical separation of data from different customers

Availability controls (protecting against unauthorized destruction or loss)
  • Power supply redundancy, UPSs and onsite generators
  • N+1 or 2N redundancy on all hardware and Internet connections
  • Backup of all assessment data to offsite location
  • Backup assessment results frequently (e.g. hourly) to avoid losing data
  • Regular restore tests of such backups
  • Save participant answers “as you go” on server during test-taking
  • Tested, current service continuity plan in place in event of disasters
  • 24/7/365 environment monitoring

Organizational measures (These are all met by Questionmark; you will also have to follow these yourselves.)
  • Designate a data protection officer
  • Personnel have written commitment to confidentiality
  • Background checks on new employees
  • Regular training of employees on data security
  • Regular testing of personnel on data security to check understanding
  • Faulty or end of life disks degaussed or otherwise safely destroyed

I hope this helps you work out what measures might be appropriate for your needs. If you want to learn more, then please read our free-to-download white paper: Responsibilities of a Data Controller When Assessing Knowledge, Skills and Abilities [requires registration].

If you are interested in seeing if Questionmark OnDemand could meet your needs, see here for more information.