LTI vendor risk management strategy?

["Hassler, Karl D." <khassler () UDEL EDU>]

Textbook publishers create interfaces to our LMS via the Learning Tools Interoperability (LTI) protocol as a way of 
integrating textbook learning activities with our LMS. More concerning, some professors arrange for students to create 
accounts directly on publisher textbook-specific learning websites.

Q - how do you manage the risks to the learning data (education records) processed by the publishers - either via LTI 
or directly with students?

Specifically, how do you assess the publisher's security practices, and how do you obligate them to adhere to them?

In most cases, there is no formal contract, unlike other cloud vendor arrangements.  The faculty member selects and 
textbook and simply requests the LTI integration, or directs the students to use the code that came with the textbook 
to create a publisher account.