The views expressed here are mine alone and have not been authorized by, and do not necessarily reflect the views of, Citrix.

Last week, two of Citrix’s peer IT certifying agencies, Cisco and Microsoft, launched new exam security initiatives. Both, in an effort to combat the growing problem of test fraud and test theft, have implemented policies and programs to address this issue on a wide scale. The growing problem of exam security breaches has forced many players in IT certification to stand up and take notice. In this day and age, with the cost to develop quality examinations on the rise and the perceived value of certifications waning, it has become more critical that IT certification programs combat cheating and exam fraud from several different angles.

As the Manager of Exam Development in Citrix Education, I have also focused more on exam security. Beginning last year, I focused more than ever on security measures by working with industry peers, security consultants, and exam delivery providers (Prometric and VUE) to tackle the growing problem of cheating. I have to admit that when I first began this process it felt like an unrealistic goal to tackle.

The ever-growing presence of brain dumps (those web sites that sell stolen exam content) is not easy to ignore. But to make matters worse, the attitudes of some towards the use of brain dumps and other forms of cheating just make it that much more difficult. In the last year I have had more opportunities than ever to meet and get to know Citrix certificants. What they have repeatedly stressed to me is how they want Citrix Education to do something about brain dumps; that they don’t want just any Joe Administrator to get Citrix Certified; that they are sick and tired of meeting “paper certified” individuals who have no experience.

So how do you eat an elephant? One bite at a time…

In 2007, Citrix Education started slowly by adopting a security plan. That security plan addressed four areas:

Detection of test theft and fraud
Education of candidates to appropriate behavior
Development of comprehensive policies
Enforcement of policies

Citrix Education conducts web patrolling efforts 24 hours a day worldwide to identify brain dumps as well as violators of our exam policies. Once a site is detected, staff members and security professionals purchase, analyze, and verify that advertised content or information is indeed the intellectual property of Citrix. Based on the information gathered, I have been able to serve legal takedown notices to websites and cease-and-desist letters. In addition to brain dumps and auction sites, I have also discovered candidates “discussing” exam content and “sharing” answers… you know, in the interest of “knowledge being FREE”.

Candidates sharing exam content is, by the way, in direct violation of the NDA that all exam takers must accept before taking an exam. When initially kicking off the security initiative, I realized that many did NOT read this NDA before taking the exam. Kind of like a EULA, exam candidates see that NDA and simply scroll to the radio button marked “Yes, I agree.” without ever considering what they have agreed to…

So Citrix Education adopted a Candidate Conduct Policy that had been widely used by our IT peers. This policy (http://www.citrixtraining.com/content/index.cfm/cgroup_id:48) basically outlines everything that candidates have done in the past that is classified as illegal behavior. Additional Citrix Education policies include retake, beta exam, and special needs testing policies: http://www.citrixtraining.com/content/index.cfm/cgroup_id:38. A violation of any policy can result in a list of remedies including bans up to a year.

The newest addition to exam policies is that of classifying results as indeterminate. Basically, based on data forensics, our security consultants identify suspicious results and, depending on the strength of the data (say, a 1 in 10,000,000,000 chance of a specific result occurring), I can definitely, with confidence, conclude that a result is not sound and will invalidate those results. Once invalidated, a result will not count toward certification.

After putting these policies and procedures in place, it’s been really interesting what I have found:

Once people know someone is looking, they repent and cease with their misconduct.
Education of candidates is key; in fact candidates often state that they did NOT know that they were in violation of the NDA or any other policy.
Even those with the most grave violations seem to value the cert when they are in danger of losing it.

I hope our efforts will help Citrix Education begin to make a dent in the challenge of exam security. But I realize that a huge part of the problem is in the attitudes and lack of a universal understanding of what constitutes test theft and fraud. So my mission is simple:

To educate Citrix Certification Candidates and Certificants on what constitutes cheating and how it impacts the value of the credential in an effort to maintain the integrity and validity of our certification programs.

What I really hope to get out of this, besides the above, is a better understanding of our certified community. And as Citrix Education takes bite after bite of the elephant known as cheating… I can only hope that candidates and certificants worldwide will see the return to the value of certification…

The million-dollar question is: with all the buzz by Citrix and others on increased security initiatives, how will the cheaters respond?

Sierra Hampton is the Manager of Exam Development and has worked at Citrix for 7 years.