State finds security breach during STAR testing at Canyon Crest Academy

[Jake Kouns <jkouns () opensecurityfoundation org>]

http://www.delmartimes.net/2013/08/19/55533/

According to a news release posted by the California Department of
Education Aug. 9, heightened monitoring of the state’s Standardized
Testing and Reporting (STAR) assessments, taken by public school
students in grades 2-11 last spring, identified 242 schools where
social media postings occurred during administration of the tests, 16
of which included postings of test questions or answers.

Last year, the CDE detected 216 schools, 12 of which had postings that
included legible test questions or answers.

Canyon Crest Academy, in the San Dieguito Union High School District,
was one of the 226 this year that was tagged as a school where a
student posted an image or video on a social media site that did not
include legible test items.

Nonetheless, the CDE posted the school’s STAR report this year with
this statement: “A security breach involving social media exposure of
2013 STAR test material has been confirmed at this school site.
Caution should be used when interpreting these results.”
Mike Grove, SDUHSD’s associate superintendent of educational services,
said one student during the mathematics portion of the STAR tests used
a cell phone to take a six-second video inside the classroom and
posted it on the social media site VINE.

The video did not show the test questions or answer sheets, just the
students in the class with the proctor present. But with stringent
attention being paid to security issues, the state flags any postings
taken during the STAR testing period that show classrooms, STAR
booklets (even if closed) or other STAR-related photos or video.

“This is a growing issue across the state, so the CDE is monitoring
very closely any potential security breach,” Grove said. “Just the
mere use of a cell phone can trigger attention.”

He said scores for that one student were invalidated for that single
STAR math test, and the school’s score will not be affected.
In 2012 the district had two incidents, Grove said, both at San
Dieguito Academy in Encinitas. One student posted a photo of a closed
and finished STAR booklet, and a second student posted a photo of a
friend sitting nearby after testing was concluded.

Grove said a search of STAR during the testing period will produce
hundreds of hits, and the state investigates all of them. The security
breaches have to happen during a testing period.

The incidents are rarely malicious with intent to cheat or distribute
secure information, he said, although some are.

In addition to Canyon Crest Academy this year, four schools in the San
Diego Unified School District were also flagged with security
breaches, but none of those involved the display of test items.

According to the CDE, the majority of postings involved students
posing with the covers of test booklets or with materials that were
not legible.

“These postings look to be attempts by students to gain attention
among their friends, not an effort to gain an advantage on a test,”
said CDE deputy superintendent Deb Sigman, who oversees assessments
and accountability issues.

According to the CDE news release, “If a security breach affects less
than 5 percent of the number of students tested, the school is
ineligible for academic awards. If the breach affects more than 5
percent of the number of students tested, the school’s API – the
state’s measure of accountability – could be invalidated.”

[..]
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security offers security intelligence, risk management services and customized security solutions. The 
YourCISO portal gives decision makers access to tools for evaluating their security posture and prioritizing risk 
mitigation strategies. Cyber Risk Analytics offers actionable threat information and breach analysis.