SAVE THE DATE: ITCC Fall In-Person Meeting

October 4th-5th, 2017

We are thrilled to share that Microsoft has graciously agreed to host the next ITCC Face to Face Meeting! Mark your calendar to join us October 4th-5th in Seattle, Washington. Both ITCC and the Performance Testing Council (PTC) will meet at Microsoft for their meetings and host a half day joint session between the two groups. The joint PTC and ITCC session will have performance based testing case studies as well as detailed discussion groups.

Fall Meeting Schedule:
Tuesday, October 3rd: PTC Meeting
Wednesday, October 4th:
Morning – ITCC Board Meeting
Afternoon – PTC and ITCC combined session
Thursday, October 5th: ITCC Meeting

Additional logistical details will be sent in the next few weeks.

Please feel free to contact us with questions in the meantime.


ITCC June Member Meeting

June 15, 2017
11:00 am CT


Integration of an Acquired Certification Program: M&A Considerations

Presenter: Beverly van de Velde, Senior Manager, Symantec

Have you ever wondered just where to begin when starting the integration process after acquiring another company’s certification program? If so, then this session will cover lessons learned touching on topics such as gathering requirements, planning the credentials data migration, planning exam migration, voucher management, communication planning, and best practices.


Beverly is a sailor, skier, paddle boarder, beach cruiser, hiker, foodie, world traveler, and occasional fisherwoman, as well as a Senior Manager for Symantec Global Education Services, specializing for 9+ years in high stakes certification testing. Her latest challenges include integrating a new company, implementing an LMS, evaluating testing approaches such as lab exams, implementing digital credentials, and leading a production team in the development of an end user security awareness service. She also serves on the Performance Testing Council board and enjoys receiving and sharing knowledge.

ITCC Certification Program Question List

Working in the IT certification field I come across a plethora of certifications, some good, some bad and a few that crossed the line into ugly. As I’ve read and written about the merits and weaknesses of various certifications, I’ve occasionally wondered if I couldn’t put one together myself. Beyond wondering, I’ve even scribbled some ideas on a whiteboard. After all, even ink-stained hacks like myself can take a run at IT fame and fortune.

Alas, developing a certification program is a really, really difficult thing to do. The more I scribbled, the more it became evident that I was in the deep-end of the pool without my water wings. There were so many questions to be answered. Questions like: How much can I charge? Who can I sell it to? What should the certification cover? And finally, “What was I thinking? I don’t have any idea how to do this.”

I’m not trying to discourage anybody who is thinking of developing their own certification program. Far from it, I’m actually here to share some news about ITCC’s latest white-paper, the Certification Program Question List.

If you’ve got the itch to create your own certification, this paper is worth a deep-dive. Compiled by a multi-company team of ITCC members, it’s a detailed checklist of important questions to consider before attempting to create a certification program. The checklist covers all of the major areas of concern that should be taken into consideration when starting a certification program from scratch, including policies and agreements, systems and vendors, economics, exams, security, maintenance and operations, and staffing needs.

Each section covers not only the obvious questions like renewal and test delivery, but important questions that are often overlooked. For example, who stops to think about addressing any legal or regulatory issues or how does the proposed certification fit in with existing certification products?

For those who follow the checklist carefully, it will be extremely useful in facilitating important discussions with stakeholders and executive management to ensure their full support. Moreover, obtaining answers in advance to the many questions presented in this document should be advantageous to the director of any high stakes certification program.

It is ITCC’s hope that the detailed, thought-provoking questions outlined in the document will “help create a solid foundation when constructing a new certification program from the ground up and to help others avoid the pitfalls that many of us have experienced in creating our own programs.”

Creating a certification program is anything but easy, and to be sure, no two certification programs are exactly alike. However, we can all benefit from the experience of those who have gone before us with a goal of creating the best certification program possible using whatever resources are available.

ITCC Projects are for the use of ITCC Members. To download, visit Basecamp or request a copy from ITCC HQ.

About the Author — Calvin Harper is an associate editor for GoCertify and a veteran of the publishing industry.


Remote Proctoring: Benefits, Risks, and Lessons Learned

It’s an online world and we are all captives. Almost any sort of business can now be conducted via the internet. This includes shopping, gambling, gaming, programming, day-trading, data entry, transcribing, recruiting, accounting, payroll services, and even one as famously stress-filled as wedding planner.

It turns out that the internet is also a great place for learning, particularly when it comes to certifications. Of course, once instruction began taking place online, it was only a matter of time before somebody came up with the idea that testing could also be done online. Hence the introduction of remote proctoring (also known as online proctoring), the “process by which a candidate is proctored live over the internet via a web camera rather than being proctored by someone in the same physical location.”

Candidates who are being remote proctored typically sit in front of their computer keyboards and screens with a camera focused on them. Proctors watch test takers through the camera in order to detect any cheating activities like crib-notes or unauthorized study materials. Proctors can view the entire room and even detect any prolonged eye-movements away from the screen that might indicate a candidate is looking at notes.

During the last decade, remote proctoring has become a widely accepted method for delivering tests to students and candidates. One major advantage is cost savings: test providers don’t need to set up an established test site and test takers can avoid having to spend a great deal of time and money traveling to a designated testing site.

Academic institutions in particular have found remote proctoring to be a good fit for themselves and their students. However, credentialing and licensing bodies have only recently begun to experiment with remote proctoring, with the greatest interest coming from credentialing organizations, particularly those offering IT certifications.

Given the IT community’s increased interest in remote proctoring, the ITCC Securing Certifications subcommittee commissioned the Remote Proctoring Task Force to document the pros and cons of remote proctoring, interview IT certification organizations regarding their experience with remote proctoring, and provide considerations for those exploring the adoption of remote proctoring.

Certifying organizations are increasingly enamored with remote proctoring because the process enables them to introduce new content to the course quickly and easily and, since exam sessions are typically recorded, they can readily audit proctors and exam candidates to help resolve any complaints or issues that arise.

Accessibility is the most commonly mentioned reason for an organization to utilize remote proctoring. The increased coverage and convenience to candidates is vital to companies with global programs, whose candidates often have to drive long distances or fly to testing centers. One company interviewed stated that “offering online proctoring makes it more convenient for current candidates, and potentially opens opportunities for new business.”

Remote proctoring has thus far proven helpful, but it’s not a panacea for either candidates or certifying organizations. There are advantages and disadvantages in each of the following areas:

  • Testing Environment
  • Perceptions of Remote Proctoring
  • Exam Structure
  • Access/Convenience and Geographical Reach
  • Comfort and Anxiety
  • Cost
  • Technology
  • Privacy

For example, the comfort and anxiety levels of candidates can vary greatly. Some may be comfortable using the technology in their home or office and are able to ignore the camera. Others, however, may find the camera distracting and the limitations on body and eye movements to be intimidating and stressful.

It’s the same with access and convenience. While certification opportunities are open to individuals living or working in remote areas, such opportunities require the proper technology and internet access.

While remote proctoring appears to be here to stay, there are certain questions one should answer before deciding to implement it, including: what are the benefits to your organization, what happens if a candidate experiences technical issues during an exam, and how will you ensure the privacy of test takers in compliance with the legal requirements of different countries.

ITCC Projects are for the use of ITCC Members. To download, visit Basecamp or request a copy from ITCC HQ.

About the Author — Calvin Harper is an associate editor for GoCertify and a veteran of the publishing industry.

ITCC Member Updates

Because you are a member of ITCC, we wanted to provide you with key details on the latest special projects and member benefits. Below are the ways you can get more involved in ITCC in the coming months.

Join a Project or Task Force
Contribute to industry task forces and special projects that influence global IT Certification policies. Current projects include:

  • Agile Development
  • Documentation of the IT Certification Ecosystem
  • Process for Legal and Program Support to Invalidate if Unauthorized Material is Used
  • ITCC Marketing Task Force

If you are interested in participating or have additional ideas, tell us here.

Monthly Member Meetings
Each month ITCC hosts virtual Member Meetings with the goal of encouraging members to take time to listen to what others are doing in the certification industry to spark discussion. Meetings are held the third Thursday of each month. Have an idea for an upcoming meeting? Interested in reviewing recent meetings? Visit the Member Meeting Database on Basecamp for more information.

Basecamp is the project management tool ITCC Task Forces use to collaborate and also hosts:

  • Member Meeting Video Database – All Member Meeting Videos since 2014
  • ITCC March In Person Member Meeting Wrap-Up
    • March Meeting Presentation and Minutes
    • 2016 Employer Survey Results
    • Recently Completed Task Force Projects:
      • ITCC Incident Matrix
      • Certification Program Question List
      • Remote Proctoring – Benefits, Risks, and Lessons Learned White Paper

March In Person Meeting Wrap Up
If you weren’t able to attend the March in person meeting at ATP, stop by the ITCC Blog for a quick recap. Otherwise, all materials are available on Basecamp for your review.

Join Our LinkedIn Group
ITCC’s private LinkedIn Group is the format members use to engage with each other. Have a quick question or interested in starting a discussion? This is the place to connect with other individuals in the industry who are part of ITCC.

We also have a public company page, so feel free to connect with ITCC there as well.

Have questions about your membership? Want to learn more about other members of the group? Interested in getting more involved? Contact ITCC HQ for more information and support!

Invite Your Colleagues
To make sure you and your colleagues stay up to date on the newest ITCC news, please email ITCC the contact information of those who should be added to our member roster.

Fighting Fire: The ITCC Incident Matrix

When viewing the entire IT certification landscape, the multitude of problems posed by cheating on certification exams probably often seems like a plume of smoke from a far-off wildfire. There’s visible evidence of danger and destruction, but unless the flames are literally beneath your nose, then it’s easy to discount the damage done and tuck the incident into a file marked “Pending Action: Must Address Someday.”

Perhaps the issue can be contained without needing to be stamped out. Maybe it will eventually subside and disappear altogether. Don’t wildfires sometimes burn out and dwindle away without any direct intervention from human responders?

Cheating on exams, of course, may represent the destructive flames of our metaphorical wildfire. There are a host of contributing factors, however, which could be seen as acting in the same manner as wind, or deadfalls and dry brush: causing the initial burn to spread and rage out of control. If these exacerbating agents could be better managed, then the fires, when they break out, might be easier to confront.

Actual firefighters don’t typically have the means or information needed to mitigate the ruinous impact of wildfires before they strike. Those who manage and administer IT certification programs, on the other hand, need not be taken by surprise when a cheating crisis emerges. With the right blend of precautions and active monitoring, certification programs can be fortified and protected against the devastating effects of cheating.

Ready and Waiting

Sometimes knowing where to start is among the biggest hurdles to overcome when tackling a complex and ongoing problem. The IT Certification Council, with a big assist from the certification team at Citrix, has designed an outline for certification programs to follow when assessing threats and implementing precautions. The ITCC Incident Matrix can be your test and testing protection blueprint, guiding you in securing both exam materials and the exam process itself.

One early indication of brewing trouble, for example, is exam candidates using forums, chat rooms, list mail, or other means to ask about the availability of content from past or current certification exams. The inquiry may sound harmless: “I’m preparing to take the XYZ exam and I’m wondering what to expect. Does anyone have any questions from past exams that I could look at?” The initial intent may even be harmless. Sinister ends don’t always arise from sinister intentions.

The ITCC Incident Matrix can help you determine the appropriate level of response to the various activities that either directly indicate, or could lead to, actions that compromise exam security. It can also help you know where to direct your monitoring. A candidate who retakes a certification exam after passing could merely be a perfectionist driven to pursue a better score. Seeking repeated exposure to exam content, on the other hand, could certainly be spurred by ulterior motives.

Cybersecurity experts are bound to be familiar with the “defense in depth” approach to information security, which uses multiple layers of security controls to protect an IT system. An attacker may penetrate one layer of protection, but get tangled in the next, or the one after that. The ITCC Incident Matrix can similarly help certification programs deploy multiple protections against cheating.

Cheating on certification exams may seem like a distant or insignificant problem. Just as wildfires can suddenly and dramatically increase in size and destructive intensity, however, the harmful consequences of cheating can quickly spiral out of control. The ITCC Incident Matrix can help you immediately embark on a course of proactive and preventive action.

ITCC Projects are for the use of ITCC Members. To download, visit Basecamp or request a copy from ITCC HQ.

Article by: Cody Clark, Managing Editor, Certification Magazine

Recap: ITCC Spring In-Person Member Meeting


In March, 33 members of the IT Certification Council (ITCC) gathered together in Scottsdale, Arizona for their Spring Meeting. Each year the group convenes ahead of the Innovations in Testing Conference to discuss the latest from member organizations and the industry. The day kicked off with updates from each of the different Task Forces and Committees including Membership, Education, Securing Certifications, Badging, Marketing, and Finance.
The highlight of the day was when members exchanged ideas and best practices for success in the testing industry in small groups. Discussions focused on key issues facing stakeholders including certification candidates, program managers, and vendors. The interactive session led to the development of new projects for the Badging Task Force Task Forces around agile development, documentation of the IT certification ecosystem, and developing a process for legal and program support to invalidate if unauthorized material is used.

During the meeting, ITCC also presented the Innovation Award in recognition of achievements or innovations from a team for the creation of a product, service, or initiative that resulted in a positive impact to their company or the IT certification industry. This year, Acclaim / IBM were announced as the winners in acknowledgment of the innovative learning recognition program created by IBM. With a goal of attracting, developing, and engaging a workforce of IT talent to support its strategic goals, the recognition program uses open badges, which IBM began issuing in 2015 through Pearson’s Acclaim platform. Working together, the two organizations developed and applied best practices to create an industry-leading badging program that is producing remarkable results, increasing learner engagement and motivating skills progression across IBM’s talent ecosystem.

As the Board and members alike wrap up details of the Spring Meeting, consider joining in and contributing your experience at the ITCC Fall Meeting. Additional information to follow when available.

Looking to learn more about the details of the meeting? The presentation and meeting minutes are available for your review on Basecamp. Contact ITCC HQ for access today.


2016: Held Ransom

Written and originally posted by Transcender

It was predicted late last year that 2016 would be the year for ransomware. Thus far, the prediction is proving right; only four months into 2016, the Locky ransomware has managed to spread itself over 114 countries (displaying its demands in a dazzling array of 24 languages). The Hollywood Presbyterian Medical Center paid $17,000 in bitcoins after having their computer systems seized in February 2016, while hospitals in Kentucky and Maryland report similar attacks.

In case you’ve been in that doomsday bunker a bit too long, ransomware is malicious mobster software that blocks access to your own data, usually by encryption that targets a local computer. Data stays locked away until you pay a tidy sum of money to the hacker (or, more commonly, to the hacking organization). The malware usually contains a ticking bomb that will format the entire hard drive if you don’t pay by a deadline (or post the data for everyone to see, just as extra motivation). The data kidnappers may call themselves hackers or vigilantes, or even pretend to be a federal agency, but their demand is always the same: pay us for your data — or else!

Worse, with automated viruses like CryptoLocker, CryptoWall and TeslaCrypt, hackers don’t have to go through the extra effort of targeting big fish like CEOs of Fortune 500 companies. Any end user could be bilked for hundreds of dollars. And, through the economies of scale, hackers rake in millions per campaign. While current year damages won’t be tallied for a while, the FBI estimates the CryptoWall variant pulled in over $18 million from 2014 to 2015 alone.

End users are not the only targets; nor are Windows users. Major sites like the New York Times, BBC, AOL and NFL had their advertising networks compromised by malvertising, where a malicious ad hijacked users’ browsers and redirected them to install a crypto-virus via the Angler toolkit (another argument for using adblockers?). And the once near-invincible Mac OS has been revealed as the target of the KeRanger malware – the first ransomware Mac users have ever had to contend with.

Posting to the security community in late March, Jonathan Klijnsma noticed an unusual vulnerability to the Angler toolkit on a WordPress plugin used by the iClass site. It was possible for a TeslaCrypt payload to be installed if the following conditions were met:

  • The user’s browser was Internet Explorer (or the user-agent was set to IE).
  • The user was redirected from a search engine, like Google or Bing.
  • The user’s IP address or location information was blocked (probably from some blacklist to protect the hackers from getting served themselves!).

This vulnerability was not only difficult to detect, but also uncommon – most users do not use IE and EC-Council students would access the iClass directly without going through a search engine. I’m proud to say that EC-Council didn’t rest on their laurels. They fixed the problem within days of being notified of the security breach.

A Testing Horror Movie

Written by David Foster, CEO of Caveon

There is a funny television commercial where a group of friends is running from an unseen danger, seeking a place to hide. They make several panicked suggestions to each other including hiding in an attic and a basement. They finally decide to hide behind a wall of chainsaws. The point was that in a horror movie you make poor decisions.

For a high-stakes testing program, the number and variety of test security threats would rival any horror movie, and the potential and actual damage can keep you up at night. In the light of day, it makes sense to be aware of those threats—and what to do about them—in order to make better decisions than the group in the commercial.

For years now I’ve talked about using a threat-based approach to security, eventually producing a list of 12 test security threat categories, divided equally between cheating and theft. In its simplest form, here is the list:

Cheating Threats

  • Using Pre-Knowledge of Test Questions
  • Using a Proxy Test Taker
  • Getting Help During the Test
  • Using Cheating Aids
  • Tampering with Scores after the Test
  • Copying from Another Person During the Test

Theft Threats

  • Capturing Downloaded Test Files on a Server or Stealing Test Booklets
  • Photographing Test Content During the Exam
  • Copying the Test Content Electronically
  • Memorizing the Test
  • Recording the Content Orally on a Recorder
  • Receiving the Test Content from a Testing Program Insider

For each of these there are dozens, or maybe even hundreds, of different ways the threat can be carried out.

By reviewing this list, a program can evaluate which threats pose the greatest danger or risk. The program can then put in place a carefully-crafted solution to prevent a possible breach or deter an attacker. It can set up a defense in order to better detect the beginnings of a breach or to mitigate any potential damage.

There are several reasons why avoidable test security breaches occur. Some testing programs will be surprised by a breach, and then be focused for months and years on future solutions for that specific breach, ignoring other dangers. A program may rely on a single security solution, such as requiring proctoring for their exam, not realizing that there are many threats to the security of a program that a proctor cannot detect or do anything about. Programs may not be aware how technology is being used today to cheat or to steal a program’s tests. Or a program is simply not funded adequately to protect the tests and usefulness of the test scores. These programs are living in a real horror movie with no control over the ending.

The good news is that great decisions can be made; risks of cheating and test piracy can be eliminated or mitigated. Good solutions are available. There is no reason to be in a horror movie to begin with or to stay there any longer than is necessary.

CISSP 2015: What’s New

As many of you are probably aware, (ISC)2 updated the Certified Information Systems Security Professional (CISSP) exam in April 2015. You may be worried that the update meant all the existing CISSP products out there immediately became obsolete. Fortunately, that is just not true.

So what did change? Well, there are several points that you need to understand about this new version. (ISC)2 posted a wonderful FAQ regarding the new version:

Here’s what I found from my own investigation of the new CISSP exam.

No topics were REMOVED from the exam.

From the FAQ link above: “Some topics have been expanded (e.g., asset security, security assessment and testing), while other topics have been realigned under different domains.” There was also this answer to a question: “Content was not removed from the exam and/or training material, but rather refreshed and reorganized to include the most current information and best practices relevant to the global information security industry.”

New topics WERE added to the exam.

From the FAQ link above: “The CISSP exam is being updated to stay relevant amidst the changes occurring in the information security field. Refreshed technical content has been added to the Official (ISC)² CISSP CBK to reflect the most current topics in the information security industry today.”

New item types WERE added to the exam.

The exam includes both multiple choice and “advanced innovative” questions. The new innovative questions are hot spot and drag-and-drop questions. For more information on these question types, see

The exam contains the same number of questions as before.

This exam still has 250 questions. You still have 6 hours to complete the exam.

The exam was condensed from 10 domains to 8 domains.

But let me repeat, content was not removed. It was simply restructured.

The new domains are:

  1. Security and Risk Management (Security, Risk, Compliance, Law, Regulations, Business Continuity)
  2. Asset Security (Protecting Security of Assets)
  3. Security Engineering (Engineering and Management of Security)
  4. Communications and Network Security (Designing and Protecting Network Security)
  5. Identity and Access Management (Controlling Access and Managing Identity)
  6. Security Assessment and Testing (Designing, Performing, and Analyzing Security Testing)
  7. Security Operations (Foundational Concepts, Investigations, Incident Management, Disaster Recovery)
  8. Software Development Security (Understanding, Applying, and Enforcing Software Security)

The experience prerequisites have not changed.

Again, as per the FAQ: “For the CISSP, a candidate is required to have a minimum of 5 years of cumulative paid full-time work experience in 2 out of the 8 domains (experience in 2 out of the total number of domains) of the CISSP CBK.”

If you don’t meet the experience requirements, you can still take the exam.

Basically, if you take and pass the exam without having the experience requirements, you don’t get the CISSP certification, but you do become an Associate of (ISC)2. That means they give you six years to meet the experience and CISSP endorsement requirements. See for more information on this loophole.

It is our hope that this information will help you prepare for this exam! Remember, our practice test covers all the topics and also the different item types that you will see on the live exam.

Wishing you certification success!

-Robin Abernathy