Written by Dennis Maynes, Chief Scientist
June 26, 2105
About a year ago, in 2014, I received an impassioned plea for help. The organization’s exam development director had learned that the entire form of a recently administered exam was being distributed on the Internet. As far as could be ascertained, the item bank downloaded from the Internet was of such high quality that it must have been intercepted and stolen electronically. What should be done? What could be done? How should this incident be handled?
Every testing organization faces the potential loss of items and forms through relatively low-effort test theft. For just a small amount, spy devices can be purchased and used, computer systems can be hacked and infiltrated, and test booklets can be hijacked and intercepted. The negative leverage exerted on your testing program is tremendous. It may exceed 1,000 to 1. What cost you hundreds of thousands of dollars to create can be stolen and rendered worthless for mere hundreds of dollars. The risk is very high. Often when this happens, we fear that the items must be replaced, the forms must be rebuilt, and public confidence must be reclaimed. But, are there other choices? What else is possible?
Here are a few points to ponder:
If you fail to plan, you plan to fail. You need to create a Security Incident Response Plan before you have an incident. Your people should be aware of the plan's content and their responsibilities.
Practice makes permanent. Your people should be trained how to respond when disaster strikes. They also should practice. It's important to have drills. It's important to have cross-training.
Design in anticipation of security losses. It's not a matter of "if," it's just a matter of time. Using a modified exam publication process, you will be able to respond to this situation with built-in exam protection which can be activated quickly.
Keep your emergency contact list current. You will undoubtedly need some specialized help. These helpers could be investigators, intellectual property attorneys, web monitoring specialists, and others. At a moment's notice, you will want to contact these people who will be able to advise you on the exact specifics of the situation.
Set aside resources that can be drawn upon. Just like food, water, and shelter are needed when natural disasters occur, you may need money, travel plans, and a first-response team who can mobilize quickly and gather information to help guide your response.
In other words, you need to maintain a state of readiness. The Boy Scout motto, "Be Prepared," comes immediately to mind. You should examine and maintain your state of readiness to deal security incidents so that when the phone call, the email, the text message, or whatever manner of alert arrives, you will be ready.
By being prepared you will be able to respond quickly and decisively. There will be no need to panic. Instead, you will be able to confront calamity and chaos with calmness and confidence.