The security of examination materials is of the utmost importance and departments will already have procedures in place to communicate with colleagues and external examiners, as well as to store examination papers and scripts during the assessment process. The Examinations Office and the Standing Committee on Assessment would like to remind departments of the need for vigilance and to encourage departments to undertake regular reviews of their processes.
Draft exam papers must be treated carefully to avoid compromising the security and validity of the paper before the exam. The use of computers to draw up exam papers means that careful attention must be paid to the security of the PC used to write questions or to assemble the paper and to the way drafts are stored and transferred.
The permitted methods for sharing draft exam papers are:
We strongly recommend using either method 1 or method 2.
Remember that e-mail attachments are not secure. Consultations on examination questions should not be shared in this way unless the attachment is encrypted, because of the risk of 1) interception and 2) accidentally sending the email to the wrong recipient.
Encryption of attachments
IT Services has a help page on how to do this and which methods are acceptable [http://www.york.ac.uk/it-services/it/security/encryption/]
Supported machines provided by IT Services will be patched and configured appropriately as part of the supported service. On a supported machine it is best to store your draft exam papers on central filestore: either in your own personal area (your M or H drives) or on a shared (departmental) filestore. This ensures that the files are stored securely and centrally, and that proper backups are taken for disaster recovery purposes.
Access to shared filestore is available from offsite via the WebVPN service (https://webvpn.york.ac.uk)
In order to be suitably secured, operating systems must be both currently supported by the vendor in terms of patches and be capable of being secured to a suitable standard. Please check that the version of the operating system you are using meets these requirements. In particular, OS X prior to version 10.7 (Lion) and Windows prior to Windows Vista do not meet these requirements and must not be used for exam paper production. Windows XP stopped receiving security updates from Microsoft in April 2014 and should not be used for the production of exam papers.
Google Mail and Docs are now the University's official platform for email and collaboration. We strongly recommend the use of Google Drive as a method of securely sharing documents. Google Drive can be used to store any sort of file (i.e. as a "cloud USB stick") and it is not necessary to use the Google word processing apps etc to use Google Drive. For more information, please see
Normal 'consumer' Google accounts (or similar services) should not be used for the preparation of exams as this provides no access to the data in cases of accidents, lost passwords etc.
Machines should be kept in a locked office and access to this office should be restricted. In particular, visitors or students should not have unaccompanied access to the machine. Whenever the machine is left it must be either switched off or a screensaver/screenlock must be used that requires a password to gain access. It is best to set your screensaver to lock the screen automatically after a fairly short period of inactivity (for example 5 minutes) to ensure this.
Laptops that are used both at home and on the University network present particular security risks. When placed on the internet or an unsecured home connection they can become infected in many ways, and then bring these problems back onto the University network.
A laptop that is only used on the University network can be treated in the same way as above. A laptop that is also used on other networks/home internet connections must also run a personal firewall in addition to the other requirements above.
Machines in the homes of members of staff should not be used for the production of exam papers unless
Files should not be transferred between home and work via FTP, since FTP traffic can be read in transit. It is best to use either the WebVPN or Google Drive instead.
Any departmental fileserver must be secured to the standards above and in addition must be kept in a secure area (a dedicated machine room) which does not have general access.
Any queries can be directed to the Information Security Officer, Arthur Clune, who will provide detailed advice if needed.
Last updated on 17 September 2014