Educause Security Discussion mailing list archives

Learning Management Systems LTI Integrations


From: Sue McGlashan <sue.mcglashan () UTORONTO CA>
Date: Tue, 8 Aug 2017 17:30:20 +0000

Hi all

Please will you respond about what policies / decisions you have made about what parameters you pass from your Learning 
Management System (LMS) through the LTI to a learning application (tool). Do you carry out privacy/ security 
assessments of such learning applications?

Background to these questions.
We carry out a security and privacy assessment of learning tools used through our LMS, because if the tool is required 
for a course, we are “endorsing” the tool. I have been trying to use the HECVAT Lite to gather answers.
The time consumed in trying to assess a group like McGraw-Hill (see at end) is out of proportion to the risk of using 
them, but we are of the opinion an assessment must be completed at some level.


Overall, I am interested in what you have decided:
Do you have a policy about what may be passed through the LTI?
Do you assess the security of the learning tool?
Do you check whether the company is conforming to privacy requirements?
How do you reduce the time this takes?

Examples:
Crocodoc Inline Grading (works with Blackboard; I do not know about the other LMSs). No PI is passed, just a 
connector, and the student assignments to be marked. These are stored encrypted in Crocodoc, and marked versions 
passed back. Very low risk.

McGraw-Hill Connect requires a full account (first name, last name, account-id) to be created in their system, and the user must 
create a password, plus agree to their terms of use / privacy policy. The University can choose how much PI to 
pre-populate through the LTI, but if we do not populate the details, the student will still need to do so.
Once created, students and instructors can log in directly to the account in McGraw-Hill Connect using the account-id 
and password. (The account-id is an email, so a concern is re-use of passwords.)
Is McGraw-Hill Connect secure? Most of the vendors will work with us, but McGraw-Hill responded to most questions in 
the HECVAT Lite with “Proprietary and Confidential”, so it is hard to assess. Note: I have found a concern in the 
password reset on their site, and the solution suggested by them (tell students / instructors to give false answers to 
QBA) is not useful, i.e. an instructor account is vulnerable to being taken over if the instructor put in their 
mother’s maiden name.


Thank you for your time.
--
Sue McGlashan M.Ed. CISSP
ISA, Information Security and Enterprise Architecture
Information and Technology Services
University of Toronto
Phone 416-946-3260
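To make the "what may be passed through the LTI" question concrete, here is an added example (not code from the original post or from any LMS vendor) of a policy filter an LMS could apply to LTI 1.1 launch parameters: each tool is assigned a privacy level, and only the parameters that level allows are released. The parameter names are the standard LTI 1.1 ones; the tool privacy levels, the per-tool salt and the sample launch are constructed assumptions.

```python
# Added example: a policy filter deciding which LTI 1.1 launch parameters an
# LMS releases to a tool. Parameter names are standard LTI 1.1; the privacy
# levels, the per-tool salt and the sample launch are constructed assumptions.
import hashlib

# Parameters every launch needs that carry no personal information (PI).
BASE_PARAMS = {
    "lti_message_type", "lti_version", "resource_link_id",
    "context_id", "context_title", "roles", "user_id",
}
NAME_PARAMS = {"lis_person_name_given", "lis_person_name_family",
               "lis_person_name_full"}
EMAIL_PARAMS = {"lis_person_contact_email_primary"}

# What each privacy level releases on top of BASE_PARAMS.
PRIVACY_LEVELS = {
    "anonymous": set(),                    # e.g. an inline-grading connector
    "name_only": NAME_PARAMS,
    "public": NAME_PARAMS | EMAIL_PARAMS,  # vendor provisions a full account
}

def opaque_user_id(lms_user_id: str, tool_salt: str) -> str:
    """Per-tool pseudonymous user_id: stable for one tool, not joinable across tools."""
    digest = hashlib.sha256(f"{tool_salt}:{lms_user_id}".encode()).hexdigest()
    return digest[:32]

def filter_launch_params(params: dict, privacy_level: str, tool_salt: str) -> dict:
    """Return only the parameters the tool's level allows; custom_* is dropped."""
    if privacy_level not in PRIVACY_LEVELS:
        raise ValueError(f"unknown privacy level: {privacy_level}")
    allowed = BASE_PARAMS | PRIVACY_LEVELS[privacy_level]
    released = {k: v for k, v in params.items() if k in allowed}
    released["user_id"] = opaque_user_id(params["user_id"], tool_salt)
    return released

def pi_fields_sent(params: dict) -> list:
    """Audit helper: which lis_person_* (PI) fields a launch would release."""
    return sorted(k for k in params if k.startswith("lis_person_"))

# Constructed sample launch as the LMS would assemble it before filtering.
SAMPLE_LAUNCH = {
    "lti_message_type": "basic-lti-launch-request", "lti_version": "LTI-1p0",
    "resource_link_id": "rl-1", "context_id": "course-101",
    "context_title": "Intro Course", "roles": "Instructor", "user_id": "u12345",
    "lis_person_name_given": "Alex", "lis_person_name_family": "Example",
    "lis_person_name_full": "Alex Example",
    "lis_person_contact_email_primary": "alex@example.edu",
    "custom_student_number": "998877",  # never released by this policy
}
```

Running `pi_fields_sent(filter_launch_params(SAMPLE_LAUNCH, level, salt))` for each registered tool gives a per-tool list of the PI the LMS would actually disclose, which is the input an assessment such as the HECVAT review needs.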
