Educause Security Discussion mailing list archives

Re: LTI vendor risk management strategy?


From: Andy Hooper <hooper () QUEENSU CA>
Date: Tue, 3 Jul 2018 13:11:49 -0400

Q – how do you manage the risks to the learning data (education records)
processed by the publishers – either via LTI or directly with students?

Our LMS oversight agreed to the following relationship with our cloud
Authorization to Operate (ATO) process.

1. If there is a request to integrate $LMS with an existing (known)
vendor site/application and no personal, confidential, or sensitive data
will be transferred, the ATO process is not required.

2. If there is a request to integrate $LMS with a new (unknown) vendor
site/application and no personal, confidential, or sensitive data will
be transferred, the ATO process is required. The new vendor is required
to complete the Vendor Security and Privacy Assessment template, and
that assessment will be provided to the ATO team for review. The onus
will be on the ATO team to raise any concerns with the $LMS team.

3. If there is a request to integrate $LMS with a vendor
site/application and personal, confidential, or sensitive data will be
sent to the vendor via $LMS, the full ATO process will be required.
Integration will not take place until proper sign-off through the ATO
process has been achieved.

The distinction between 2 and 3 is that 3 adds a privacy risk assessment
and legal review.

- Andy Hooper - IT Services - Queen's University -
http://www.queensu.ca/its/security/services-templates-authorization-operate/authorization-operate
