[Xerte] Quiz Security

Martín Dobovšek mdobovsek at yahoo.com.ar
Wed Dec 10 13:54:11 GMT 2008 

Mark:

It´s related to the identity of the person and to the system: about its development to
fulfill all items the regulation expects, about security of stored data, about securing
the identity of the person who log in and store/change data, audit trail of every event,
binding this events with records in the database, controls to acces the program, system,
software and building and their maintenance. 

We have many systems like that who replace the paper: each record is legally binding. We
can and must assure who, when, what, and why introduce or change every data in the
system. We must keep audit trail with all history of the data.

It´s related to all aspects that must be under control to assure the identity of the
person and data integrity.

As i wrote, legally binding: no one can repudiate their own actions after login to the
system. There must be a lot of system controls, for example: after each data entry the
user must electronic sign each entry data in specific time lapse (there are specific
programing rules the systema must follow and many other more).

All this regulations states explicitly what a system must do (Functional specification).
Then you must develop the system, validate the system and validate the installation of
this system in your facility.

Hope this helps. Only as a reference of an existing approach about security of
electronics records, electronic signatures (this related to person identity) and its
maintenance.

Best regards

Martin

--- "Mark Tomlinson, AC&S Ltd" <mark.tomlinson at acns-group.com> escribió:

> Is that relating to the security of the data that you store about
> individuals?  If so, I am not talking about that....
> 
> What I am talking about is the following scenario:
> 
> - A legitimate user of a system is told to take some training, let's say for
> compliance purposes.  
> - Said user does not want to complete the training so he logs in to the LMS
> legitimately and launches the course he has been allocated to.  
> - This SCORM compliant course could have been created in Xerte, Flash,
> Authorware, Articulate, Presenter, Captivate or any number of other content
> creation systems.
> - Said user, opens another browser window and fills out some data in the
> form provided there for 100% Score, course passed and clicks a button.
> - That is then set in the LMS.
> 
> He then closes the course and logs out of the LMS.
> 
> In this simple scenario, there would be other indications that something was
> wrong if anyone was bothered to check such as the total time in the course.
> This and any other SCORM data type can be set in the same way though.
> 
> So in the database of the LMS this user is flagged as passed.  That data
> (and all the other user data) may be extremely securely held and meet the
> appropriate Federal Regulations you linked to, but the data itself is not
> correct, which was my point about SCORM.
> 
> I saw such as scenario demonstrated at EeLS this year.
> 
> Mark
> 
> -----Original Message-----
> From: xerte-bounces at lists.nottingham.ac.uk
> [mailto:xerte-bounces at lists.nottingham.ac.uk] On Behalf Of Martín Dobov¹ek
> Sent: 10 December 2008 12:42
> To: Xerte discussion list
> Subject: RE: [Xerte] Quiz Security
> 
> Speaking about security and software electronic records take a look at
> 
> Title 21 Code of Federal Regulations (21 CFR Part 11) Electronic Records;
> Electronic
> Signatures
> 
> http://www.fda.gov/ora/compliance_ref/Part11/
> 
> Here you can find what a system must fulfill for electronic records and
> signatures.
> 
> After, you need to validate the software using specific rules and
> procedures.
> 
> It depends of the security level you are looking for. 
> 
> The one i point is the most strict: legal binding for pharmaceutical
> production records.
> 
> There are scorm packages and systems that fulfill this regulation.
> 
> Take a lool at 
> 
> http://www.sumtotalsystems.com/learning/res/datasheets/regulatory_compliance
> _ds.html
> 
> Hope this helps
> 
> Martin
> 
> 
> 
> --- Julian Tenney <Julian.Tenney at nottingham.ac.uk> escribió:
> 
> > Like I said, if passing the test puts you in control of an aircraft
> > acrrier or nuclear power station, then don't use Xerte. In fact, don't
> > use computers. Even if the system is secure (and very few are truly)
> > then unless you can see who is doing the test, how do you know the
> > student isn't cheating? How do you know it's the student you think it
> > is? How do you know they are not sitting there looking up the answers on
> > aircraftcarrierexams.com?
> > 
> >  
> > 
> >  
> > 
> > From: xerte-bounces at lists.nottingham.ac.uk
> > [mailto:xerte-bounces at lists.nottingham.ac.uk] On Behalf Of Mark
> > Tomlinson, AC&S Ltd
> > Sent: Wednesday, December 10, 2008 11:18 AM
> > To: 'Xerte discussion list'
> > Subject: RE: [Xerte] Quiz Security
> > 
> >  
> > 
> > To be quite frank, SCORM itself is not secure at all, never mind the
> > eLearning tool.  I was shown at EeLS an html / javascript file that
> > allows a user to set what they want in the LMS while their course is
> > running....  You want a 100% pass...No problem, click a button!  You
> > want to show 'completed'..... No problem, click a button!
> > 
> >  
> > 
> > Mark
> > 
> >  
> > 
> > ________________________________
> > 
> > From: xerte-bounces at lists.nottingham.ac.uk
> > [mailto:xerte-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> > Sent: 10 December 2008 11:02
> > To: Xerte discussion list
> > Subject: RE: [Xerte] Quiz Security
> > 
> >  
> > 
> > I think it probably depends on what's at stake. If passing the exam
> > means a huge payrise, then students have a big incentive to try and
> > cheat. If the test is simply a formative test to give them feedback on
> > their learning, then you could argue that, as long as the students get
> > the feedback, they are continuing to learn.
> > 
> >  
> > 
> > If the test is high stakes, then Xerte probably isn't the tool for the
> > job. Students would have to try quite hard, and be reasonaly tech-savvy,
> > but they could get at the data if they really wanted to.
> > 
> >  
> > 
> > From: xerte-bounces at lists.nottingham.ac.uk
> > [mailto:xerte-bounces at lists.nottingham.ac.uk] On Behalf Of Leonardi
> > Sent: Wednesday, December 10, 2008 5:13 AM
> > To: Xerte discussion list
> > Subject: [Xerte] Quiz Security
> > 
> >  
> > 
> > Hello all, i'm new in e-learning and scorm things... :)
> > 
> > I have a question, if i create a scorm web based quiz using xerte does
> > it secure? Can the students somehow cheating and obtain the answer?
> > 
> > Thanks.
> > 
> > -- 
> > Leonardi - 
> > dodollipret.wordpress.com
> > 
> > > _______________________________________________
> > Xerte mailing list
> > Xerte at lists.nottingham.ac.uk
> > http://lists.nottingham.ac.uk/mailman/listinfo/xerte
> > 
> 
> 
> 
>       Yahoo! Cocina
> Recetas prácticas y comida saludable
> http://ar.mujer.yahoo.com/cocina/
> _______________________________________________
> Xerte mailing list
> Xerte at lists.nottingham.ac.uk
> http://lists.nottingham.ac.uk/mailman/listinfo/xerte
> 
> _______________________________________________
> Xerte mailing list
> Xerte at lists.nottingham.ac.uk
> http://lists.nottingham.ac.uk/mailman/listinfo/xerte
> 



      Yahoo! Cocina
Recetas prácticas y comida saludable
http://ar.mujer.yahoo.com/cocina/

More information about the Xerte mailing list