I’ve had a troublesome security breach. What do I do now?
Written by John Fremer, President, Consulting Services
May 15, 2015
Now that you have a confirmed security breach, your senior management insists upon quick and decisive action.
If you have a Security Incident Response Plan (SIRP) – Be thankful. Be very thankful. Because you have a SIRP, you can calmly and confidently activate the plans that you and your colleagues made with expert guidance when all stakeholders were represented. You still have that worrisome breach but you have the following tools and strategies to work with:
- An overall test security goal and an approach for deciding upon your breach remediation actions
- An existing group that immediately will help you move forward in carefully agreed upon directions and approved by the areas that must be involved in your response, e.g. test program management, finance, psychometrics, legal, communications, and relevant vendors
- Specific roles and responsibilities assigned for various evaluation, investigation, and follow up actions
- Strategies for collecting and evaluating data of different types relevant to the breach
- A communications plan that spells out who will be notified, by whom, and in what level of detail
- Experienced on-call talent for communications, legal issues, and financial matters
- Prior approval, and perhaps even a retainer arrangement, permitting you to bring in trained and experienced investigators if needed
If you do not have a Security Incident Response Plan – Resolve to never face a future situation without having such a plan in place and proceed to tackle the current security situation with the best expertise you can bring to bear on the situation. Look over the tools and strategies above that will eventually be part of your own plan and proceed as follows:
- Try to bring into your response someone who has dealt on previous occasions with breaches of the type that you are facing
- Possibilities include a colleague in another testing agency, Caveon Investigative Services (a component of Caveon Test Security), or the ATP Security Council
- As soon as feasible, try to determine the extent of your security problem. Must you retire a test form or pool, suspend testing, and/or consider score invalidations? Or, is the situation sufficiently limited so that you can proceed fairly typically while you address the problem
- Follow a style of addressing the “worst of the worst” while you explore the possibility that multiple test takers or test administrators may be implicated.
- Focus your resources, especially if they are relatively limited as compared with the scope of the problem, on the most important areas. Do not assume that you must fully investigate every “statistically significant” irregularity.
- Be open minded and do not leap to conclusions or actions. The old cliché “act in haste, repent in leisure” is very relevant here. You may face considerable pressure to move very quickly which could force you to take back actions or explain missteps that would have been avoided had more careful review and consideration been sought.
- And one last suggestion – as you address your current problem look to the future – you should realize that you may be setting precedents that could limit your choices in the future. Be sure that you understand how today’s action will impact the future of your program as well as your own professional standing and situation.
Closing Thought – It would be preferable, to be sure, if you only encountered security breaches in media reports, conference presentations, and articles about other testing programs. If you manage a high stakes program regardless of its purpose, delivery approach, and testing population, it’s only a matter of time before you encounter attempts to cheat and to steal test items and other confidential and/or proprietary information. When you suffer breaches, how you handle them will be challenging. The better prepared you are when a breach occurs and the more carefully and thoughtfully you proceed, the better you will serve your testing program, the test takers, and yourself. For further information please feel free to contact me.