The COVID-19 pandemic has accelerated the move from physical, face-to-face examinations to online, fully remote examinations. Medical schools, like the ones at University College Dublin, University of Nicosia and many others, have had to adapt to new technologies to ensure assessment continuity. Commercial entities, like ourselves, have had to adapt and deliver remote assessment platforms (using video integration) to support these institutions.
In an online exam, students join the examination from their own homes via an external platform like Qpercom and are assessed by examiners who are also logging on from a remote location.
Without being able to verify a student’s environment and their actions off-camera, can a secure exam, free from malpractice, be guaranteed?
What about data? Is exam content secure when hosted on an external platform and how can Qpercom prevent students or other users from accessing sensitive university data?
And similarly, from a student’s point-of-view, is their data and personal information safe in the hands of an external assessment agency?
At Qpercom, we’ve worked hard on online exam security, putting in place a number of features to help secure our platform for remote and online exams.
Here’s some further details on how online exam security can be achieved along with some of the challenges you’re likely to encounter when trying to facilitate a secure online exam.
Data Security and Information Protection
How secure is the software or platform that you’re using to facilitate an online exam?
Qpercom complies with ISO 27001, an international standard for security management of information. This means that security procedures are documented within the Information Security Management System (ISMS). At a basic level this is a guiding principle and where we can, we have gone above and beyond to increase security.
Hosting our platform on Amazon Web Services (AWS) provides us with further tools to assist with securing the data and information of our clients, such as:
- Every client instance of our assessment platform has its own database. Universities are not sharing a platform with other universities. Essentially, each user has their own version of the platform. Isolating data in this way means that there is no accidental disclosure of information to persons outside of those within the organisation.
- All client instances of the assessment software have separate sub-domains. This means that every organisation has their own cluster of services which can be accessed using a dedicated URL and each URL is different.
- Client instances are hosted by region. Having clients in different regions provides further disconnect from other clients and improves latency for the user. We utilise many regions that AWS provides from Canada to Singapore, Australia to Germany.
- Backups are taken nightly. Having backups allows us to restore user data in the event of something going wrong, ensuring that any data loss will be very limited.
- Database encryption is used as standard. We use the industry standard AES-256 to ensure even what is on the databases is not easily readable.
User access is controlled utilising Authentication and Authorisation processes. Where we can, we adopt industry best practice and always try to find solutions that can enhance what we do, such as:
- Minimum password strength. We enforce a minimum password strength policy for all users of the assessment platform ensuring passwords are:
- A minimum length of 8 characters
- Contain a mix of uppercase and lowercase characters
- Contain at least 1 numeric character
- Must conform to a minimum of “Medium” on the strength meter. Qpercom provides a password strength meter.
Authentication allows us to control who can access the system. Our platform has a minimum password standard and unique ID criteria which enables added security for users. Also, the services are broken down to provide an assessment and management tool, a monitoring tool and a student/actor patient console. Having these services segregated like this makes Authorisation a much simpler process.
The Authorisation controls what users have access to once on the perform. Certain roles within the system have access to only certain services once logged in, and in the case of the student (or actor patient for medical exams) there is only the ability to access the console service. Certain tools/features within the application can be managed to allow use by certain user roles making the system flexible for administration and management. Only an administrator can add/edit or delete user information.
If an online exam is taking place within an internet browser, the exam administrator has responsibility for ensuring the browser is secure.
Browsers like Tor and Brave focus heavily on the protection of privacy, blocking adverts and cookies by default. They also hide IP addresses which may not be conducive to candidate or student identification in the case of an online examination since those taking the exam should not be anonymous.
Qpercom uses Google Chrome to deliver its assessment platform. As the world’s most popular browser, it’s a stable environment that benefits from frequent updates. Google is well-known for rolling out quick security fixes when bugs are highlighted or become apparent and it’s recommended to always update Chrome as soon as security updates become available.
Proctoring and the prevention of cheating in online exams
Proctoring, or exam invigilation, can be a challenge for online exams. Normally, practical exams utilise the candidate’s webcam to verify their surroundings and activities. In a remote or online exam, objects that are outside the scope of the camera cannot be flagged. Students can set up multiple monitors that won’t be detected without special proctoring software that adds an extra layer of technology to an exam if an assessment software is already in use.
Some research has highlighted the challenges of using proctoring software in parallel with online assessment software. In this article, some of those challenges, including technical glitches and audio disruptions, are highlighted in the review of an academic paper which appeared in the International Journal of Distance Education Technologies (Volume 19, Issue 2, April-June 2021) entitled “State-of-the-Art of Commercial Proctoring Systems and Their Use in Academic Online Exams”. Caution is urged when considering the use of proctoring software in collaboration with assessment or video software. Institutions might instead consider ‘live’ proctoring where the Qpercom platform can be harnessed for observational assessments in an OSCE or MMI exam through a Monitoring or Watch tab which allows examination administrators to enter any station while the exam is in progress to manually check how the exam is proceeding.
Another vital part of the invigilation process which is easily handled remotely is the identification (ID) check. When facilitating an online exam with the Qpercom platform, an ID check stage is mandatory, where examiners should confirm that the student who is present within the system is the student who is eligible to take the exam.
In this case, the student would hold up a valid form of ID to the webcam so that the examiner can verify identification and then move the examination along to the next stage. The Photo ID can also be uploaded to the platform so that the invigilator or examiner can compare the document with the live picture of the candidate.
The highest standards of data security and protection should be met when handling both examination content and student data in the context of an online exam.
Qpercom meets these standards by adhering to ISO 27001, an international standard for security management of information and by restricting use of the software to users using the Google Chrome browser only. Additionally, our systems are hosted on AWS (Amazon Web Services), giving each user their own instance of the platform with access controlled by Authentication and Authorisation processes.
Preventing malpractice during an online exam can be a challenge as proctoring softwares on the market can interfere with other assessment or remote exam softwares leading to technical glitches or audio disruption. In the case of Qpercom, we focus on trust in exam security rather than on cheating while trying to meet the local requirements of our clients as much as technology allows us to do.
Questions about online exam security and our approach to it? Feel free to drop us a message below. We’d love to hear from you.