April 14, 2014
Written by Dennis Maynes, Chief Scientist
While your test security program is primarily composed of tactical elements, it requires a strategy to guide it. However, I have seen that most testing program managers focus on security tactics, with little or no thought for strategy. Doing so, will leave you with a metaphorical ship floating in the sea without a rudder. Without strategy, your test security tactics lack cohesion, coordination, and vision.
Strategic thinking is big thinking. It defines the all-encompassing plan, including the goals, processes, and principles which govern your test security activities. Minimally, your test security program should include the following strategic elements.
1. Vision – Your vision statement provides your "why" for test security. This is the reason why you spend time and resources ensuring that tests are administered securely and with integrity. For a credentialing program, your vision statement might be: We ensure that all credential holders are properly trained. For an admissions program, your vision statement might be: We want all entrants into the program to possess the skills needed for success.
2. Threat Assessment – The threat assessment allows you to understand your vulnerabilities. It determines where and when to allocate resources. How you decide to deal with threats will govern your strategic and tactical plans. Is your program vulnerable to test piracy and distribution of content by cheat sites? What loss does your program suffer when a single individual cheats? What loss is there when thousands cheat? The threat assessment needs to be reviewed and updated regularly as your test security becomes stronger, as technical capabilities of cheaters improve, and as the world evolves around you.
3. Resources – For the same reason that a general lists troop strength, a review of resources allows you to determine who can be enlisted to help improve test security. Resources include personnel, budget, and support elements. Additional resources will be made available to you as you communicate the vision of test security to stake holders (i.e., managers, partners, in-house counsel). Obtaining the support of these people is crucial. Without it, you won't be able to meet the threats that your program faces.
4. Training – Just because you have a name on a list doesn't mean that person knows his or her role, responsibilities, duties, and how to do the job. The most effective people are those who have been trained. They know how to implement your tactical elements. Know-how is critical. If your organization doesn't have it, you need to figure out how to get it.
5. Logistics – It is important to provide your people with what they need, when they need it, and where they need it. This is the function of logistics. Do you need trained investigators or "feet on the street" to respond to potential test security violations? Do you need processes which allow you to track the chain of custody of secured test content? When do you need access to legal expertise?
6. Communications – Some of the elements of communications that you need to implement and manage are (1) receiving reports of testing irregularities, (2) sharing with stake holders and staff the vision you have, and (3) having proper outward-facing public relations. The message and the manner in which it is communicated define your efforts to those who are interested and concerned.
7. Processes – The most effective test security is built into and not bolted onto the program. You do this by defining, implementing, and integrating processes into your testing program. An example of a test security process at its highest level is Protect-Detect-Respond-Improve. However, there are many sub-processes which should be incorporated into your high level processes. Test security is a process, not a state. Consequently, it must continually be in operational mode. Your people must be doing, not sitting.
Strategic thinking allows you to organize your tactical efforts. These are the big plans and the vision that must be communicated to your staff and stakeholders. Whenever you are trying to answer the big questions, it is helpful to answer six little questions: Who? What? Where? When? Why? How? I would suggest that you do not overlook the importance of strategic thinking. If you are unsure how to do it, consider bringing in an expert, such as Caveon Test Security, to help.