LTI Assessment Procedure

Purpose

This procedure seeks to ensure that Learning Tool Integrations (LTIs) with the UO’s Academic Learning Management System (LMS) are appropriately assessed and documented to protect the confidentiality, integrity and availability of the data. The procedure outlines the steps for conducting an assessment of these systems prior to acquisition or renewal by UO units.

Definitions

Learning Management System (LMS): A software application for the administration, documentation, tracking, reporting, automation and delivery of educational courses, training programs, or learning and development programs.
Academic Learning Management System: The moniker ‘Academic’ denotes the Canvas instance used for academic courses, also referred to as Academic Canvas (or the Academic instance of Canvas). The alternative, Community Canvas or Community Learning Management System, is an instance of the Canvas LMS used for non-academic purposes. This procedure does not apply to the Community LMS.
Learning Tool Integration (LTI): An education technology specification developed by the IMS Global Learning Consortium. It specifies a method for a learning system to invoke and communicate with external systems. In the current version of the specification, v1.3, this is done using OAuth2, OpenID Connect, and JSON Web Tokens. For example, an LMS may use LTI to host course content and tools provided by external, third-party systems on a web site without requiring a learner to log in separately to the external systems; information about the learner and the learning context is shared by the LMS with the external systems.
Data Security Framework (DSF): A series of documented, agreed and understood policies, procedures, and processes that define how information is managed in a business, to lower risk and vulnerability and to increase confidence. Also called an Information Security Framework.
Artifact: A piece of evidence, such as text or a reference to a resource, that is submitted to support a response to a question. In this case, a document submitted to the Information Security Office with evidence supporting the decision to integrate or not to integrate an LTI.

Scope

Applies to all third-party LTIs to be integrated with the University of Oregon’s Academic LMS.

Criteria

All LTIs within scope need to be reviewed by the Information Security Office (ISO) or its delegates. Any LTI that meets any of the following criteria must be referred to the ISO:

  • The LTI is not FERPA or GDPR compliant
  • No cybersecurity program or Data Security Framework is used to secure the LTI
  • The LTI vendor claims ownership of, or sells, the data it retains

Decision Tree

The LTI assessment process is shown in the following flow:

If the LTI is FERPA and GDPR compliant and has a cybersecurity program in place, the requestor collects the cybersecurity, DSF, and liability information. Then, if the LTI stores data and the vendor owns or sells that data, the LTI must be reviewed by the Information Security Office. If no data is stored, the LTI information is collected and sent to the Information Security Office for archival. If the LTI is not FERPA and GDPR compliant, or there is no cybersecurity or DSF program in place, the LTI must be reviewed by the Information Security Office.

Example Email to Vendor

Good Day,
I am reaching out to you from the University of Oregon. We are in the process of evaluating your product, [ProductName]. Our Information Security Office has asked us to provide information on this product. Please assist us by answering the following four (4) questions:

How does your company address information security and maintain the confidentiality, integrity and availability of the system our University will potentially integrate with?  Are you using a framework, such as ISO 27001? 

  1. Have you undergone a SOC 2 audit? If your information systems have any certifications, please include them in your reply.
  2. Does your company carry third-party cyber liability insurance? If so, what is the dollar value of the policy? Does the policy provide any assistance, other than monetary, to your customers if a breach occurs in the infrastructure or product your customers are using?
  3. Does your company’s tool store or import any data from our University? What data is stored? What is your company’s stance on ownership of and rights to that data? (It is usually one of these three: 1) the University owns the data; 2) the University owns the data, but your company retains some rights to the data for its business purposes; or 3) your company claims ownership and exclusive rights to the data.)
  4. Are your tool and its supporting infrastructure FERPA and GDPR compliant?

Thank you for taking the time to answer these questions. Please attach any supporting documents to your reply.

Have a great day,

[YOUR NAME HERE]

ISO Review

If the reviewer determines that the ISO should review the integration, the ISO will make every effort to render a determination within 3-4 business days. This timeline depends on receiving the requested information from the learning tool’s developer.

Details

Article ID: 113918
Created: Fri 8/14/20 11:06 AM
Modified: Thu 8/27/20 11:45 AM