Author Information
Paul Morales
VP of Information Security at Honorlock


Watch the Video

 

Security in online proctoring is extremely important because institutions and students expect that their data is well protected and their privacy is maintained. 

The online proctoring company is a partner in your overall assessment process, and because of that, their security becomes your security. 

Before we jump into the details of security, keep this in mind: There is no magic wand or final destination in the security journey. It’s an evolving process that requires us to improve both our proactive and reactive defenses.

Honorlock strongly believes that the entire online proctoring industry needs to focus on security, and we plan to share insights and learnings as we improve during our journey. 

Click to jump ahead to any of the sections below: 

In addition to the sections in the bullet list above, you can download our Vendor Security Cheat Sheet that gives you a list of real security questions you can ask technology vendors by entering your email below:


What is security?

Security has three key pillars, sometimes referred to as the CIA Triad: Confidentiality, integrity, and availability.

Confidentiality

This ensures that access to data is only allowed by those who are authorized. It also means that those who are unauthorized are actively prevented from obtaining access.

Example of confidentiality: If I send you a message, you and only you know what the message is.

Integrity

Ensuring that data has not been tampered with and, therefore, can be trusted. It is correct, authentic, and reliable. 

Example of integrity: The message you received is exactly what I sent you, without modification. 

Availability 

Put simply, availability is the assurance that networks, systems, and applications are up and running. It ensures that authorized users have timely, reliable access to resources when they are needed. 

Example of availability: I send you a message and you received it in a timely manner.

Availability has been the focus for a long time, but in recent years, many have realized how important confidentiality and integrity are in supporting operational security.


Security best practices for online proctoring companies

1. Assess all of your technology partners’ security practices

You’re only as secure as your weakest link. 

While security doesn’t happen overnight, if we’re open about what’s important, we can collectively improve security.

This effort to assess technology partners includes vendor security assessments and checking for a well-maintained risk management program, among other things.

2. Perform regular security testing

Regular security testing should include vulnerability scanning and penetration testing. 

What is vulnerability scanning?
Vulnerability scanning looks for areas of security that need further hardening or areas where action should be taken to reduce the chances of a security incident or breach. 

What is penetration testing?
Penetration testing uses the tactics of an attacker to exploit weaknesses in the environment to gain unauthorized access to sensitive information, systems, or assets. 

3. Review their privacy policy

You should also look for a clearly defined and public-facing privacy policy that explains: 

  • How data is collected and maintained
  • What type of data is collected 

Fully understanding this information prepares to handle questions from concerned students and faculty.


What should you look for when vetting the security of online proctoring companies?

Data ownership

Never assume who owns the data in the system. Be sure that you have an understanding of data ownership with each of your technology partners.

Data encryption in transit and at rest

Make sure that your data is encrypted in transit and at rest. This ensures the confidentiality and integrity of data in the system.

Security training for every employee

Security is everyone’s job, but many companies believe security is dependent on a single department or person. Because of this, organizations should take a holistic approach to cyber security awareness. 

Tips to assess the security maturity of an organization

Ask for the following information: 

  • Details about employee security training and how often it occurs (does this training align with your organization’s security posture)
  • How do individuals report a security incident?
  • Does the company routinely test employees to ensure they would act accordingly when faced with a threat or attack? 

Textbook/classroom knowledge is great, but you want to ensure the company’s employees are prepared in the event something goes wrong. 

Data security should be tiered and classified

The company should tier data security based on the sensitivity of the data being protected. The data should be classified so that users can easily understand how it should be handled. 

Ask the proctoring company if they have a data classification policy and if their employees are trained on handling different classifications of data. 

Examples of different data classifications include: 

  • Public 
  • Confidential
  • Private and Confidential  

This classification should drive security that protects the asset. For example, public data may require fewer safeguards than if the data were private and confidential. 

Incident response plan

Unfortunately, things can happen that can impact confidentiality, integrity, and availability. Remember, hope isn’t a strategy.

Be sure to ask the proctoring company if they have an incident response plan in place and how often they run through those plans in practice or simulations.


Vendor Security Assessment

Use this list of questions as a starting point for your vendor assessment/security questionnaire, but remember that you’ll need to customize your questions and requirements to meet your institution’s specific needs. 

It’s important to keep in mind that completing a vendor assessment or security questionnaire may add time to the procurement cycle, so make sure you account for additional time in your project timeline.

Examples of pre-configured security question sets:

  • Consensus Assessments Initiative Questionnaire (CAIQ/CAIQ Lite):
    The Cloud Security Alliance’s CAIQ is a downloadable list of yes or no questions about security controls that can be customized based on your institution’s needs. It helps create accepted industry standards and increases security control transparency.
  • Vendor Security Alliance Questionnaire (VSA)
    The VSA Questionnaire is a list of questions maintained by a group of companies that can be used to evaluate a vendor’s security and privacy. The VSA questionnaire can help streamline the evaluation process to save time and reduce costs.
  • Higher Education Community Vendor Assessment Tool (HECVAT)
    The HECVAT is a questionnaire created by EDUCAUSE’s Higher Education Security Council in collaboration with Internet2 and the REN-ISAC to help higher education institutions assess vendor risk.
  • NIST standard 800-171
    The NIST standard provides recommendations for protecting controlled unclassified information. While it’s often associated with government contracts, it can provide a wealth of information about supply chain security.

Review these resources and see how they can provide value in your overall vendor assessments. 

Don’t hesitate to modify or update your approach as you learn more about what is important to your business.


Security software and technologies

It’s important to remember that there is no single solution for security.

All of the security tools in this section, in combination with others, provide a layered approach to information security. 

  • Web Application Firewall
  • IDS/IPS 
  • Antimalware/Antivirus/Next Gen AV
  • SSO/MFA 
  • Logging tools 
  • Backups and Snapshotting 

While most foundational security doesn’t require additional purchases, technology can assist in making it easier to defend, remediate, and remove malicious threats. 

Web Application Firewall (WAF)
A Web Application Firewall is a defensive tool that filters, monitors, and blocks web traffic to and from a web service/application. 

Intrusion Detection System (IDS)
An Intrusion Detection System monitors network traffic and alerts to a threat. Intrusion Prevention Systems are designed to take action to block or remediate an identified threat. 

Antivirus/Anti-Malware
Antivirus and Anti-Malware are most often associated with security efforts, and they prevent, detect, and remove malicious software from the systems they run on. 

Next Generation Antivirus
Goes beyond signature-based detection and heuristics (or rule-based detection) because it’s a system-centric, cloud-based approach. It uses predictive analytics driven by machine learning and artificial intelligence, which combines with threat intelligence. This allows for the detection of zero-day threats and provides a much faster response than previously possible. 

What is a zero-day threat?
A zero-day threat, sometimes called a zero-day attack, is a new threat or malware variation that hasn’t been seen before, which makes it even more difficult to detect and protect against.

Single Sign-on and Multifactor Authentication
Allow for more secure and easy to manage identity and authentication management.

Single sign-on (SSO)
SSO provides a single source of truth for any integrated solution that allows for the centralized management of identity and authentication.

SSO also provides a much simpler onboarding and offboarding process for users. Because users will only need one password and login to access different tools.

Multifactor Authentication (MFA)
Provides an extra layer of security even if credentials are compromised. Multifactor Authentication is used to ensure that users are who they say they are by requiring that they provide at least two pieces of evidence to prove their identity. Each piece of evidence must come from a different category: something they know, something they have, or something they are. MFA should be implemented wherever possible. 

MFA example: If a user’s credentials are compromised, MFA makes it difficult for the attacker to gain access. The user would get a notification on their phone that provides a one-time key. If the user didn’t request this key, they’ll know that something is suspicious and can report this activity to the technology or security team.

Logging tools
Logging tools allow organizations to discover nefarious activities before they spread to other systems. They also provide information for disaster recovery or incident response scenarios. It gives insight into what the attacker did or tried to do which helps with efficient remediation. These tools can also be configured to send an alert when certain actions or criteria are satisfied. 

Snapshots and backups
In the event that something happens that affects the integrity or availability of the data, a backup or snapshot can allow for an organization to restore the environment to a previous state. Snapshots are frequently taken and can usually be restored faster in situations of limited or targeted data loss. 

Recovery Time Objective & Recovery Point Objective

Recovery Time Objective (RTO)
Refers to the agreed-upon
quantity of time that an application, system and/or process, can be down for without causing significant damage to the business, as well as the time spent restoring the application and its data. 

Recovery Point Objective (RPO)
Refers to the amount of data that can be lost within a period before significant harm occurs from the point of a critical event to the most recent backup. 

Understand these timelines and the impact they may have on your proctoring solution and high-stakes testing. 


Honorlock Security 

Honorlock maintains a public-facing privacy policy that clearly states that we will never sell or monetize your data with third parties. The institution owns the data and retention is governed by the MSA. Click here for the latest version of the privacy policy.

Your data is encrypted in both storage and at rest
Honorlock utilizes Amazon Web Services for our secure hosting needs. 

Amazon’s data centers are SOC 3 certified and exercise some of the most stringent physical security in the industry. 

We take a security-first approach
At Honorlock, security is a foundational element of everything we do. 

We know that it’s much more effective to address security issues in the design phase of any system. We’re constantly working to integrate security earlier into the requirement and design process. 

We are focused on creating a company culture that’s informed and trained on security best practices

Employee onboarding
Before joining the organization, every new employee receives a background check and signs a Non-disclosure agreement. 

As part of our company onboarding, each employee undergoes security training that covers compliance, information security, data classification, data handling, reporting security incidents, and much more. 

Ongoing security training for employees
Honorlock conducts annual security and privacy training for employees.

We also employ proactive security testing that simulates attacks against our most valuable defense – our people.

It is not enough to put people in a training room once a year and go through a 30-minute PowerPoint. At Honorlock, we challenge everyone to think about how their actions will affect the data we are entrusted with.

We treat your data like we would want our data to be treated.
Before onboarding a new vendor or sub-service organization that has access to confidential data, Honorlock performs a vendor assessment to ensure that each vendor passes our security, data, and privacy requirements. 

Disaster recovery to prepare for the unexpected
Unfortunately, risks are always present. What’s most important is that an organization is prepared if something doesn’t go as planned. We have Disaster Recovery & Business Continuity plans that we test annually. We also operate our infrastructure in multiple availability zones, which increases our resiliency to downtime. 


Watch the video