In recent months, the awarding bodies have stepped up the security to access their secure websites, a decision which has received a mixed reaction from the exams officer community. Apart from the fact that any change in routine or additional task to undertake, however minor, is rarely universally welcomed, the question is whether such additional security measures are necessary.
To assess this need for additional security, we must consider the cyber risks which currently exist within the examination system, the scale of these risks, and the effectiveness of the measures which have been put in place to mitigate these risks.
What are the risks in the examination system?
There are several reasons why the security of examination related information is of particular importance, and more significant than other areas within a centre.
As well as protecting candidate information, a major concern is unauthorised individuals gaining access to question papers ahead of the examination. This may include teachers whose access to specific areas within an awarding body secure website has not been restricted, students who have acquired a login and password to an awarding body secure website, or third parties attempting to access question papers for financial gain. Threats may therefore come from external sources attempting to hack a centre's IT systems, but a threat may equally be created by poor internal information and account management.
There is no confirmation that the highest information protection and mitigation measures exist in every exams office in every centre in the country. There is no evidence or guarantee that all centre staff (not just exams officers) keep login information out of easy-to-find places, and therefore the only option is for the authorities to implement measures which raise the standard of protection for the security and integrity of the examination system within each centre.
A key aspect of every exam day for many exams officers is to download a question paper prior to the published starting time in order to undertake tasks such as transporting it to an alternative site, preparing to deliver a particular access arrangement or modifying a question paper, or splitting question papers into appropriately sized sets for different rooms on one or more sites. These tasks are part of the system and time must be allowed for them to be completed. However, although the time permitted to complete such tasks prior to the examination has been reduced, more needs to be done to protect the security of question papers and maintain confidence in the system.
Measures taken by JCQ, the awarding bodies and other stakeholders
In November, JCQ published guidance for centres on account management and cyber security, with specific reference to the following areas:
- Creating strong unique passwords
- Keeping all account details secret
- Enabling additional security settings wherever possible
- Updating any passwords that may have been exposed
- Setting up secure account recovery options
- Reviewing and managing connected applications
- Staying alert for all types of social engineering/phishing attempts
- Monitoring accounts and reviewing account access regularly
- Staying informed about the latest security threats and trends in account security
- Educating staff on how to identify phishing attempts, secure devices and protect systems and data
The JCQ guidance is based on the advice provided by the National Cyber Security Centre (NCSC) in relation to cyber security for schools, which includes the following topics/industry standard cyber security best practices:
- Establishing a robust password policy
- Enabling multi-factor authentication (MFA)
- Keeping software and systems up to date
- Implementing network security measures
- Conducting regular data backups
- Educating employees on security awareness
- Developing and testing an incident response plan
- Regularly assessing and auditing security controls
Therefore, with such guidance from the NCSC and JCQ, awarding bodies and their staff have a responsibility to ensure all their data, and the systems that house it, are as secure as they can be. The introduction of processes such as the email-based MFA introduced by Pearson in May of this year is part of a wider package of measures which awarding bodies will be required to take.
Some awarding bodies will opt for an email-based solution, but some will also require centres to adhere to an app-based method of authentication, as this gives greater control over access to systems using personal login credentials. Such authentication requirements are intended to prevent unauthorised individuals from gaining access to awarding body secure systems.
There is a concern amongst some exams officers over accessing such applications, but the NAEO is reassured that the apps will not require any signal or data coverage beyond the initial installation, and that once installed they will not require any additional device access, such as to contacts, messages or even the user's telephone number. The only concern which the NAEO has is over which device should be used: this should be supplied by the centre, and exams officers should not be required to use their own equipment, such as a personal smartphone or similar device.
What is multifactor authentication (MFA) and how effective is it in addressing the current security concerns?
The system which some awarding bodies have implemented to increase security levels is one of multifactor authentication to gain access to their secure websites. It is used by many organisations which rely upon online systems including banks, social media platforms and those utilising an e-commerce site.
Multifactor authentication allows a system to require more than a username and password to gain access to a secure area, and therefore reduces the risk of a security breach. It also provides additional protection of sensitive data.
In relation to awarding body secure systems, such a system will require users to enter a one-time code delivered via an authenticator app or by email, in addition to their username and password.
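To make the two delivery methods concrete, the following is an added example written for this article; it is not code from the NAEO, JCQ or any awarding body, and the secrets, usernames and timings in it are constructed. The app-based code is the standard TOTP scheme (RFC 6238 over RFC 4226 HOTP) that authenticator apps implement offline, which is why, as noted above, the app needs no signal once installed. The email-based code is a random number the server stores briefly and accepts once. Both checks sit alongside the password check on the server side and show the properties a practitioner should look for: short validity, single use, limited guesses, and constant-time comparison.

```python
import base64
import hashlib
import hmac
import secrets
import struct

# Constructed sample secret in base32, as an authenticator app would be enrolled with.
# This is the RFC 6238 reference key "12345678901234567890", not a real credential.
SAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    key = base64.b32decode(secret_b32, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current time step.
    Both the app and the server derive the same code from the shared secret and the clock."""
    return hotp(secret_b32, unix_time // step, digits)


def verify_totp(secret_b32: str, submitted: str, unix_time: int,
                window: int = 1, step: int = 30) -> bool:
    """Server-side check of an app-generated code. Accepts the current step plus or
    minus `window` steps to tolerate small clock drift; compares in constant time."""
    for drift in range(-window, window + 1):
        expected = hotp(secret_b32, unix_time // step + drift)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


class EmailCodeStore:
    """Server-side record for emailed codes: short lifetime, single use, limited attempts.
    The code itself is sent to the registered address; it is never shown to the browser."""

    def __init__(self, ttl_seconds: int = 600, max_attempts: int = 5):
        self.ttl = ttl_seconds
        self.max_attempts = max_attempts
        self._pending = {}   # username -> [code, expires_at, attempts_left]

    def issue(self, username: str, now: int) -> str:
        code = f"{secrets.randbelow(10 ** 6):06d}"      # uniformly random 6 digits
        self._pending[username] = [code, now + self.ttl, self.max_attempts]
        return code

    def verify(self, username: str, submitted: str, now: int) -> bool:
        rec = self._pending.get(username)
        if rec is None:
            return False
        code, expires_at, attempts_left = rec
        if now > expires_at or attempts_left <= 0:   # expired or guesses exhausted
            self._pending.pop(username, None)
            return False
        if hmac.compare_digest(code, submitted):
            self._pending.pop(username, None)         # single use
            return True
        rec[2] -= 1
        return False


if __name__ == "__main__":
    # RFC 6238 reference vector: at Unix time 59 the 8-digit SHA-1 code is 94287082.
    print(totp(SAMPLE_SECRET_B32, 59, digits=8))
    store = EmailCodeStore()
    emailed = store.issue("exams.officer", now=1000)
    print(store.verify("exams.officer", emailed, now=1010))
```

The TOTP window of one step either side is the usual compromise between rejecting codes from a slightly slow phone clock and keeping the acceptance period short; the email store deliberately drops the record on expiry or after the allowed number of wrong guesses rather than letting the code live on.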
However, the NAEO also recognises that there are some disadvantages with multifactor authentication, including:
- Increased login time – Users must go through an extra step to log in to an application, adding time to the login process.
- Cost – Centres will need to provide exams officers with hardware to access verification codes, as exams officers should not be expected to use their personal equipment. This may include the purchase of an additional smartphone or other appropriate device.
- Malfunction and maintenance – If the multifactor authentication system is provided to awarding bodies by a third party, the awarding bodies will be dependent on that external organisation to resolve any malfunctions and provide ongoing maintenance. This may cause delays and frustration for users.
Conclusion – the NAEO view
The NAEO has yet to come across anyone who would prefer to engage with a multifactor authentication system. Having to comply with such a system may not be the most difficult or significant inconvenience faced on a daily basis, but it is understandable if some exams officers become frustrated by the need to acquire an authentication code from a reader machine or complete a verification challenge to confirm their identity, particularly with all of the other issues they have to contend with/complete every day.
However, as access to online systems is a pivotal element in the management, administration and conducting of examinations, centres have no option but to incorporate any measures which protect the integrity and security of the system and ensure that the system stays ‘one-step ahead’ of those who seek to undermine it.
We also need to be clear on two things:
- There are specific security concerns and risks relating to examinations which do not exist in other areas within a centre, hence the importance of having particular measures in place for the examination system within each centre
- The current concerns are as much about internal information protection as they are about centre-wide external cyber security protection issues and requirements, and there are specific measures which must be taken to address both areas
The NAEO has received communication from some exams officers who have expressed their displeasure at having to engage with a verification process, and whilst objections to any additional work are understandable, the NAEO requests that exams officers follow the guidance provided to centres and exams officers by the JCQ, and implement the additional verification measures as required by the awarding bodies.
The NAEO recognises that the introduction of the additional security measures is a necessity if we are to retain the highest possible standards of integrity and security and our reputation of possessing a world-leading examination system.
In the coming months, we will continue our dialogue with JCQ and the awarding bodies and request that the following recommendations are considered:
- Awarding bodies explain why they are required to introduce measures such as multifactor authentication, and provide clear instructions for exams officers (particularly those new to the role) on how these should be implemented within their centre
- Wherever possible, provide a range of verification login options
- Awarding bodies to provide dedicated support/alternative options for centres who have issues in complying with the standard information protection/verification system
- The introduction of an (optional) easy-to-complete, annual, online, certificated assessment which tests awareness of cyber security/information protection knowledge
- Staff compliance/understanding of cyber security/information protection is measured as part of an inspection – either JCQ or Ofsted