Related FAQs
- Who are the specific organizations, groups, or individuals who have access to the data?
Data in the system: Scheduling and Examination Services e-Proctoring team and Professor Tony White (for CoMaS).
Exam-generated data: course instructor, and the Associate Dean in the case of an Academic Integrity allegation.
- What safeguards are in place to mitigate unauthorized access to this data?
The system requires authentication in order to access the data. Accounts require a strong password that is consistent with Carleton University password rules. In addition, physical access to the server is restricted, data in transit is protected through encryption, and data at rest is stored on encrypted drives.
- Where is student information being stored?
The server is located on campus in Herzberg Building and is accessible only through physical access controls. The machine hosting the data is behind both the Carleton firewall and a secondary device. The data is backed up automatically on locally attached, encrypted storage. The university is responsible for its management.
- How long is student data being stored?
The data will be kept for a period of time consistent with Carleton’s exam-record keeping (Carleton University Retention Schedule – refer to TEA-02 for examinations).
- How is it ensured that all data is permanently deleted, including in backups?
On primary storage, all data can be removed by simple file system manipulation. Primary storage is a solid-state drive. Secondary storage is a mechanical hard drive. A multi-pass erase will remove data.
- What are the types of network activity that are logged by CoMaS?
CoMaS does not look at network traffic and does not probe devices with which you communicate. It does not record any information from your browser history, cache, or cookies or any internet connections.
- What specific files and folders does CoMaS have access to?
CoMaS monitors file activity in two forms:
  - All open files are detected. No access to those files is attempted. Open files of certain types are logged.
  - All file activity within the CoMaS folder and subfolders is monitored. All file creation, deletion and modification is monitored within this folder and its subfolders.
- What is the method of encrypting the data? How is it ensured that the data is encrypted at all times including in transit and at rest?
CoMaS uses RESTful interactions for all communications.
In transit:
The protocols used are HTTPS and WSS. No data is sent unencrypted. POST requests are used to hide parameters and their values.
At rest:
Disks support low-level encryption. Sensitive information uses file-level AES encryption.
- Has CoMaS undergone an Independent Security Assessment?
Carleton University is performing a data protection risk assessment, but the software has not undergone an independent third-party information security audit.
For the security assessment, we are using the National Institute of Standards and Technology (NIST) Risk Management Framework (SP 800-53) methodology. This is the same level of assessment of security controls that the federal government uses for its information.
- Is there a strong cryptographic hash available with the application download to verify its integrity?
Yes, it is available as of release 0.7.5.
- Who is liable for the misuse, leakage or theft of student information?
The university is the entity responsible and liable, given that no third-party service providers or processors are involved in the process.
- What information does CoMaS gather?
CoMaS only monitors activity after you run the application and it is successfully logged in. While monitoring, CoMaS does these tasks:
  - Screenshots and snapshots of the webcam are taken at a random interval and transmitted securely to the server. This information is also available locally on your computer in the CoMaS folder.
  - It records if a snapshot or file inside the CoMaS folder has been deleted or modified while the application is running. (If CoMaS stops working during the exam and you need to run it again, overwriting and replacing the folder is permitted.)
  - It will record if a network connection is lost.
  - If you have a document open or modify a document (pdf, doc, docx, txt, xls, xlsx, ppt, pptx, py, java, html, htm) while running CoMaS, it will record the name and path of that document and the name of the application that opened or modified it. It will not look at the content of any file, including the open ones.
  - It does not record or look inside any of your files and documents (except for the files inside the CoMaS folder, which are generated on the desktop each time you log in).
  - It does not record any information from your browser history, cache, or cookies.
  - It does not look at network traffic and does not probe devices with which you communicate.
  - It does not record what applications you are running (however, if an application modifies a document of the mentioned types, it will record the path and name of the file and the name of the application). Again, it will not read the content of any files.