Educause Security Discussion mailing list archives
Re: LTI vendor risk management strategy?
From: Andy Hooper <hooper () QUEENSU CA>
Date: Tue, 3 Jul 2018 13:11:49 -0400
Q – how do you manage the risks to the learning data (education records) processed by the publishers – either via LTI or directly with students?
Our LMS oversight agreed to the following relationship with our cloud Authorization to Operate (ATO) process.

1. If there is a request to integrate $LMS with an existing (known) vendor site/application and no personal, confidential, or sensitive data will be transferred, the ATO process is not required.

2. If there is a request to integrate $LMS with a new (unknown) vendor site/application and no personal, confidential, or sensitive data will be transferred, the ATO process is required. The new vendor is required to complete the Vendor Security and Privacy Assessment template, and that assessment will be provided to the ATO team for review. The onus will be on the ATO team to raise any concerns with the $LMS team.

3. If there is a request to integrate $LMS with a vendor site/application and personal, confidential, or sensitive data will be sent to the vendor via $LMS, the full ATO process will be required. Integration will not take place until proper sign-off through the ATO process has been achieved.

The distinction from 2. to 3. is 3. adds a privacy risk assessment, and legal review.

- Andy Hooper
- IT Services
- Queen's University
- http://www.queensu.ca/its/security/services-templates-authorization-operate/authorization-operate