Module 6: Protective Questions

Security, Privacy, and Risk Management

Keeping Assessment Safe

Duration: 30 minutes
Focus: Use targeted questioning to strengthen security, safeguard privacy, and manage risk in RM Compare
Goal: Equip yourself to use your LLM to identify vulnerabilities, set robust policies, and ensure compliance every step of the way

Key Benefit:
By asking the right protective questions, administrators can avoid costly mistakes, strengthen trust, and ensure RM Compare supports institutional responsibilities.

Slide 2: Why Protective Questions Matter

Protects sensitive learner and organizational data from threats and misuse
Ensures compliance with legal, regulatory, and institutional policies
Reduces exposure to operational, reputational, and legal risk
Builds a culture of security awareness and shared responsibility

Challenge:
Security and privacy are not “one and done” issues. They require ongoing vigilance, review, and adaptation—driven by sharp, proactive questioning.

Lessons

Lesson 1: Five Types of Protective Questions
Lesson 2: Scenario Questions – Protecting in Practice
Lesson 3: Protective Question Creation
Lesson 4: Building Your Protective Question Library
Lesson 5: Validating Security and Privacy Measures
Lesson 6: Module 6 Wrap-Up & Next Steps

Lesson 1: Five Types of Protective Questions

Data Protection Questions
"What safeguards exist for data at rest, in use, and in transit in RM Compare?"
Access and Permissions Questions
"How are permissions structured to prevent unauthorized access to sensitive data?"
Policy and Compliance Questions
"Which policies and regulations govern our use of RM Compare, and how do we ensure compliance?"
Incident and Response Questions
"What steps should we follow if a security or privacy incident occurs?"
Ongoing Review Questions
"How do we regularly test, update, and communicate our security and privacy controls?"

Question Framework #1 – Data Protection

The Template:
"How does RM Compare protect data at every stage (storage, transfer, processing), and what encryption or safety measures are in place?"

Examples:
✅ "What encryption protocols and storage solutions does RM Compare use to secure uploaded assessment content?"
✅ "How are backups handled and who can access them?"

Question Framework #2 – Access and Permissions

The Template:
"What access controls and permission hierarchies restrict sensitive RM Compare functions and data to authorized roles only?"

Examples:
✅ "How are admin, creator, and judge permissions managed to minimize risk of accidental or deliberate misuse?"
✅ "How can we audit permission grants and changes across the system?"

Question Framework #3 – Policy and Compliance

The Template:
"What legal and organizational requirements apply to our RM Compare usage, and what controls and documentation ensure we meet them?"

Examples:
✅ "How does our use of RM Compare comply with GDPR, FERPA, or local data protection laws?"
✅ "What policy documentation, consent procedures, and training should we mandate for all RM Compare users?"

Question Framework #4 – Incident Response

The Template:
"If we suspect or detect a privacy or security breach in RM Compare, what is our incident response workflow?"

Examples:
✅ "What are the immediate steps if a Judge accesses data outside their remit?"
✅ "How do we communicate and log incidents, and when do we notify affected users or authorities?"

Question Framework #5 – Ongoing Review and Audit

The Template:
"How do we continually monitor, test, and update our RM Compare privacy and security posture?"

Examples:
✅ "What regular audits, tests, or drills should we schedule in partnership with IT and RM Compare support?"
✅ "How do we keep users informed of evolving risks and policy changes?"

Lesson 2: Scenario Questions – Protecting in Practice

Scenario 1:
"If a departing administrator neglects to revoke their access, what questions help ensure no lingering risk?"

Scenario 2:
"After launching a new large-scale DataShare collaboration, what ongoing privacy checks should be scheduled?"

Practice:
Craft a protective scenario relevant to your institution—a risk, breach, or change—and develop a sequence of questions for reviewing, resolving, and learning from the situation.

Lesson 3: Protective Question Creation

Exercise 1: Data Protection (6 min)

Write an LLM prompt to explore how RM Compare protects at least one type of sensitive data.

Exercise 2: Access Control (6 min)

Develop a question about reviewing or updating user permissions for security.

Exercise 3: Policy Compliance (6 min)

Formulate a question to check your organization’s compliance with data/privacy laws on the platform.

Exercise 4: Incident Response (6 min)

Draft an incident response question addressing what should happen during a breach.

Exercise 5: Review and Communication (6 min)

Create a question about maintaining user awareness and regular security reviews.

Lesson 4: Building Your Protective Question Library

Keep an up-to-date file of critical questions (and best answers) for data, security, privacy, and compliance
Review and revise after audits, incidents, or policy changes
Share effective prompts with administrators as part of onboarding or periodic training

Lesson 5: Validating Security and Privacy Measures

Confirm responses with official RM Compare security documentation and support
Consult IT or legal advisors for complex regulatory or technical questions
Schedule regular reviews and drills, documented for accountability

Lesson 6: Module 6 Wrap-Up & Next Steps

What You’ve Mastered:
✅ Questioning to uncover and address security, privacy, and risk gaps in RM Compare
✅ Designing and maintaining robust controls and response workflows
✅ Encouraging a culture of shared vigilance across your organization

Next Module Preview:
Module 7: Improvement Questions – Continuous Learning and Optimization

Your Assignment:
Pick one real RM Compare process and run a security, privacy, or risk review using the question templates. Document issues found and the actions or policy updates taken.

This module places you at the frontline of RM Compare’s safe and responsible use—helping your team and users thrive in a secure, compliant environment through expert questioning and practical vigilance.

Group	Name	Domain	Expiration	Security	Purpose
necessary	csrftoken	compare.rm.com	365 days, 0:00:00	HTTP	Helps prevent CSRF attacks
necessary	_cf_bm	vimeo.com	1 day, 0:00:00	HTTP	Used to distinguish between humans and bots
preferences	wtm	compare.rm.com	365 days, 0:00:00	HTTP	Used to store users cookie preference choices
statistics	_ga	rm.com	365 days, 0:00:00	HTTP	Registers a unique ID used to generate statistical data on how visitor used the website
statistics	_ga_#	rm.com	365 days, 0:00:00	HTTP	Used by Google Analytics to collect data on user visits to the website
statistics	_hp2_#	rm.com	1 day, 0:00:00	HTTP	Collects data on the user's navigation and behaviour on the website
statistics	_hp2_id.#	rm.com	365 days, 0:00:00	HTTP	Collects data on the user's navigation and behaviour on the website
statistics	_hp2_ses_props.#	rm.com	1 day, 0:00:00	HTTP	Collects data on the user's navigation and behaviour on the website
statistics	vuid	vimeo.com	365 days, 0:00:00	HTTP	Collects data on the user's visits to the website
marketing	td	googletagmanager.com	0:00:00	HTTP	Used by Google Tag Manager to collect data on the user behaviour and interaction with the website
marketing	h	heapanalytics.com	0:00:00	HTTP	Collects data on the user behaviour and interaction with the website

Name	Domain	Purpose	Expiration	Security
csrftoken	compare.rm.com	Helps prevent CSRF attacks	365 days, 0:00:00	HTTP
_cf_bm	vimeo.com	Used to distinguish between humans and bots	1 day, 0:00:00	HTTP

Name	Domain	Purpose	Expiration	Security
_ga	rm.com	Registers a unique ID used to generate statistical data on how visitor used the website	365 days, 0:00:00	HTTP
_ga_#	rm.com	Used by Google Analytics to collect data on user visits to the website	365 days, 0:00:00	HTTP
_hp2_#	rm.com	Collects data on the user's navigation and behaviour on the website	1 day, 0:00:00	HTTP
_hp2_id.#	rm.com	Collects data on the user's navigation and behaviour on the website	365 days, 0:00:00	HTTP
_hp2_ses_props.#	rm.com	Collects data on the user's navigation and behaviour on the website	1 day, 0:00:00	HTTP
vuid	vimeo.com	Collects data on the user's visits to the website	365 days, 0:00:00	HTTP

Name	Domain	Purpose	Expiration	Security
td	googletagmanager.com	Used by Google Tag Manager to collect data on the user behaviour and interaction with the website	0:00:00	HTTP
h	heapanalytics.com	Collects data on the user behaviour and interaction with the website	0:00:00	HTTP