
International Test Commission
International Guidelines on Computer-Based and Internet Delivered Testing
Make appropriate provision for security and safeguarding privacy in CBT and Internet testing
Take account of the security of test materials
- Protect sensitive features of the test from illegitimate disclosure. For Internet testing, all important intellectual property (e.g., scoring rules, norms, interpretation algorithms) associated with a test should remain on the host server. Only test items and the outputs from report generators usually should appear on the test user’s or test-taker’s screens.
- Where appropriate, develop a policy that limits test material access to qualified and authorised test users and testing centres. For example, when testing over the Internet, test users would need to obtain and use a password before they were able to access test materials or set up an assessment for a test-taker.
- Passwords should be issued only to users qualified to use the Internet test.
- Verify and check that the CBT/Internet test has features to protect it from illegal hacking and computer viruses. Confirm for Internet testing that reasonable steps have been taken to prevent servers from being accessed by unauthorised or illegal means.
- For Internet testing, maintain control over the sensitive features of the test and report copyright violations on the Internet. Monitor the web for illegal versions, old/outdated versions and part versions of the Internet test and take steps (e.g., enforcing copyright law) to eliminate these violations.
- Take steps to secure protection of test content under existing laws.
- Take appropriate measures to identify stolen test material on the Internet and to estimate the impact of its distribution on the testing program.
- Take appropriate measures to control the distribution of stolen test material on the Internet including notification of appropriate legal authorities.
- Maintain a process for the adjudication of security breach allegations and specify appropriate sanctions.
Consider the security of test-taker’s data transferred over the Internet
- Maintain the security of test-taker data transmitted over the Internet (e.g. by encryption).
- Ensure that test users and test-takers are informed that the host server has correctly received their data.
- Inform test users of their rights and obligations in relation to local data protection and privacy legislation.
- Conduct regular and frequent backups of all collected data and provide test users with a detailed disaster recovery plan should problems emerge.
Maintain the confidentiality of test-taker results
- When test data must be stored with publishers, specify the procedures and systems to maintain the confidentiality and security of data.
- Inform test users of who has access to test data, for what purposes, and how long the data will be stored electronically.
- Adhere to country-specific data protection laws/regulations governing the storage of personal data.
- Restrict access to personal data stored on the host server to those who are qualified and authorised.
- Protect all sensitive personal material held on computer, disk, or a server with robust (non-trivial) encryption devices or passwords.
- Confirm the security and confidentiality of the backup data when used to store sensitive personal data.