Educause Security Discussion mailing list archives
Learning Management Systems LTI Integrations
From: Sue McGlashan <sue.mcglashan () UTORONTO CA>
Date: Tue, 8 Aug 2017 17:30:20 +0000
Hi all,

Please will you respond about what policies / decisions you have made about what parameters you pass from your Learning Management System (LMS) through the LTI to a learning application (tool). Do you carry out privacy / security assessments of such learning applications?

Background to these questions: We carry out a security and privacy assessment of learning tools used through our LMS, because if the tool is required for a course, we are “endorsing” the tool. I have been trying to use the HECVAT Lite to gather answers. The time consumed in trying to assess a group like McGraw-Hill (see at end) is out of proportion to the risk of using them, but we are of the opinion an assessment must be completed at some level.

Overall, I am interested in what you have decided:

Do you have a policy about what may be passed through the LTI?
Do you assess the security of the learning tool?
Do you check whether the company is conforming to privacy requirements?
How do you reduce the time this takes?

Examples:

Crocodoc Inline Grading (works with Blackboard - I do not know about the other LMSs). No PI is passed, just a connector, and the student assignments to be marked. These are stored encrypted in Crocodoc, and marked versions passed back. - very low risk.

McGraw-Hill Connect requires a full account (first, last name, account-id) be created in their system, and the user must create a password, plus agree to their terms of use / privacy policy. The University can choose how much PI to pre-populate through the LTI, but if we do not populate the details, the student will still need to do so. Once created, students and instructors can log in directly to the account in McGraw-Hill Connect using the account-id and password. (The account-id is an email, so a concern is re-use of passwords.)

Is McGraw-Hill Connect secure? - Most of the vendors will work with us, but McGraw-Hill responded to most questions in the HECVAT Lite with “Proprietary and Confidential”, so it is hard to assess.

Note. I have found a concern in the password reset on their site, and the solution suggested by them (tell students / instructors to give false answers to QBA) is not useful. i.e. An instructor account is vulnerable to being taken over if the instructor put in their mother’s maiden name.

Thank you for your time.

--
Sue McGlashan M.Ed. CISSP
ISA, Information Security and Enterprise Architecture
Information and Technology Services
University of Toronto
Phone 416-946-3260

This email communication is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged information. Any use of this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the email and all copies (electronic or otherwise) immediately.