/ GURU UPDATES

Guru "Reasons Why" Series - Exam Security

This post is the first in our series of reasons why institutions are moving to Guru services. During our discussions with institutions, it has become very apparent that existing processes result in a number of significant problems. Foremost among these problems are numerous issues around examination paper security!

Nearly every institution that we have talked to have experienced examination paper compromises. Performing a simple Google search for ‘Exam Paper Compromise’ will show hundreds of examples with varying degrees of severity. It is worth noting that these search results only represent the compromises that have made their way into the public media. In reality, most compromises are either

A) Handled locally
or
B) Not detected

At the lower end of severity, institutions discover a potential problem early in the process and simply reschedule or resit the examination. At the critical, upper end, institutions have experienced decade-long legal issues at considerable cost and institutional reputation.

Exam Paper Leaks

So how do exam papers leak? Here is a short list that is far from exhaustive:

  1. Device Loss - Staff typically work on laptops when generating examination papers and sometimes use USB keys for transfer of these documents. Unless these devices are encrypted, loss can result in potential exam paper compromise.
  2. Username/Password Compromise - Where examination papers are stored in the Cloud (Office 365, Google Drive, DropBox etc.) they are often only protected by a username/password combination. This protection is often only as strong as the weakest campus system and the strength of the password chosen.
  3. Hacking - There are hundreds of ways of hacking devices using Trojans, KeyLoggers, Phishing etc. These approaches can be used to target specific users in order to access documents.
  4. Human Error - These scenarios include papers left in photocopy rooms, sent to the wrong printer, documents being mislaid, documents posted incorrectly and delivery issues.
  5. Paper Sharing - A number of institutions have had scenarios where papers have seemingly been purposefully shared with third parties, including friends, colleagues and family members.

We will come back to these later when we talk about how Guru Exam addresses these concerns. But first, let us think about the scale of the problem, by considering the following diagram:

Insecure Exam Paper Processing (Red icons mark points of potential compromise)

This diagram represents a very small institution with a very big problem! On the left hand side, we can see 400 academics who have responsibility for submitting examination papers, which is typically done by transferral to the school office using USB keys. Assuming that about 10% of staff are appropriately sensitive around encyption, this represents 720 potentially compromisable devices which are being used to store examination papers. On the bottom and right sides, these represent 100 external examiners who are being sent examination papers using email. Again this represents a large number of devices and email accounts which are potential sources of a compromise. Along the top, this smaller number represents the administrative staff (school and exams office) who are involved in working with examination paper files. These files could be stored locally on their machines for the purposes of printing, emailing etc.

While this diagram makes various assumptions around exam paper submission (USB) and distribution (email), the number of potential compromise points is typically consistent across other approaches. For example, where an institution has a paper-based system, we instead have paper documents instead of USB keys as potential targets of problems. We would also have postage/courier issues instead of email concerns.

In short, institutions have hundreds and potentially thousands of points of compromise around exam processes.

Using Guru Exam

And now let us consider Guru Exam: Secure Exam Paper Processing

Because Guru Exam works on the process of encrypting files from cradle-to-grave, we can make the bold claim in the diagram above. Before academics begin work on examination papers, they first download a password-protected, encrypted template which allows them to securely work offline (a core user requirement) on their documents. Submission is managed directly through the system straight-forward, user-friendly, secure interfaces.

When it comes to administrative users and external examiners, they interface directly through the system which requires two stages of authentication: username/password AND two-factor-authentication (2FA). This form of two-step authentication is commonly used across banking systems where an increased level of security would be considered a requirement. You would not accept username/password as the sole protection for your money - we treat exam papers with the same level of importance.

So let us re-visit the first three of our reasons for exam paper leaks and consider them against a Guru Exam context:

  1. Device Loss - As examination papers are encrypted from draft to final stages, device loss is not a concern so long as the user chooses an appropriate password -> No examination process compromise.
  2. Username/Password Compromise - With Guru, we work off the assumption that accounts have been otherwise compromised. While usernames/passwords offer some moderate protection, it would be negligent for an institution to only protect live papers in this way. With Guru, no user can access an examination paper using a username/password alone. They must provide a response to an additional challenge which involves their mobile or landline devices.
  3. Hacking - The encryption of documents on user devices greatly limits the potential of hackers to compromise examination papers. Using Guru, hackers would need to hack both the device AND the encrypted files. It should be noted that there are a number of exceptions to this (e.g. a pre-installed keylogger before an examination paper is typed).

Before we talk about the final two reasons, let us talk briefly about three additional features provided by Guru Exam around security:

  • Transparent Exam Audit Trails - Every interaction with an examination paper is added to an audit record against that course/module. This includes every viewing of the examination paper, the date/time, the user involved and the digital address of the access.
  • Document Metadata - All documents viewed, printed or downloaded from within Guru exam are embedded with meta-data that directly links to the information in the audit trail. This is managed through both digital and physical watermarking.
  • Fine-grained Access Control - Using our unique roles system, only the users who need access to particular documents can be provided with the means to do so. Users are aware that their every access is recorded and that they have been restricted as appropriate.

Finally, let us consider the last two reasons we originally provided:

  1. Human Error - While there is always some risk of human error, Guru Exam reduces the amount of paper/file handling, documents are never mislaid, there are no mistakes with envelopes and couriers. Using simple interfaces, administrators can perform in a few clicks process steps that were largely manual and paper-based previously.
  2. Paper Sharing - The risk of this type of activity occuring is greatly reduced, due to our tighter access control and audit trails. Where papers were previously stored in filing cabinets, it would be possible for numerous individuals to anonymously view exam papers. Using Guru, this figure is reduced to the minimum number of document processors who are aware that their actions are tightly monitored.

Conclusion

Examination processes have long been a problem for Universities and Colleges. Most institutions have encountered some significant issues in the past and many have been looking for mechanisms for improving these processses into the future. While it is not possible to protect against every single form of compromise around examination papers, with Guru Exam it is possible to reduce this risk to a negligible amount.

Give us a shout today if you’re interested in learning more!

Contact Us

dave

David Molloy

David is the Head of the Guru Development Unit at Dublin City University. He spends his days doing a little bit of everything.

Read More