Choosing a Tool

When requests to connect a service to an SPU system for teaching and learning come to ETM, our department works through a process that helps us look at data access, data storage, 

LTI Review Process

Company

1. Create an LMS/Canvas JIRA ticket to track progress/process of adding the LTI.
2. Ensure you have a formal written contract with the vendor and that your relationship with the vendor is in good standing.
3. These may be obtained by contacting CIS - Micah Schaafsma or a sales rep from the company.
We may not always have a formal contract, so if one is missing, review the Terms of Service.
4. Collect contact info for sales rep, support and any configuration documents and store in the ticket.

Data

1. Reach out to the sales rep to collect the appropriate documents.
   1. Ask for documented data points (API) touched in SPU System.
      1. Ask the vendor to explicitly document all of the API endpoints their integration will be using (this should be a list of all the data that is being read and written) and, optionally, why.
      2. If there are concerns about what endpoints are hit, make sure you clarify with the vendor why the data is collected and who has access.
      3. Reserve the right, in writing, to take any actions your team deems appropriate should the vendor make API calls outside of the scope that they defined without notifying your team.
      4. NOTE: Developer keys can be disabled via the Admin UI which will invalidate all issued API tokens to the integration.
   2. Ask the vendor to clearly state how it complies with FERPA and any other laws that apply to your students (e.g. COPPA, accessibility laws etc...). 
      1. WA state law indicates that Student ID Numbers are protected like SSNs and must be transmitted and stored on encrypted devices.
   3. Obtain the most recent copy of the vendor's VPAT and accessibility statement.
2. Review the documents.
   1. Ensure you understand the vendor’s security policy surrounding how they store API tokens and developer keys (ex. they should never be exposing the developer key or API tokens in any kind of UI, including error reports; only their core engineering team should have access).
   2. Ensure that the the product adheres to CIS's Enterprise Software Acquisition guidelines as close as possible.
      1. Optionally, you may ask a BA to review the VPAT and API, but this may end up lower in the queue, be sure to specify if it is urgent.
   3. If there are exceptions and you think the tool should still be connected, document the issue and discuss with the ETM Director and/or Associate Director.

Accessibility Review

1. Review the VPAT and accessibility statement.  
   1. It's important to verify and understand how the design plays out in real life, it's also good to know who to contact with concerns.
2. If possible, get into system and do the following:
   1. Tab navigate (can you get around without a mouse).
   2. Does a High Contrast UI mode exist or is the color or font difficult to see.
   3. Use a screenreader to see if you can navigate (NVDA is free or use Natural Reader Plugin).

Wrap Up

1. Document the final outcome on the JIRA ticket.
2. If the LTI has been approved document the work done to complete the integration.  This may need to be completed by the Director or Associate Director of ETM.
3. Create an LTI Vendor page in the wiki that includes contact information, support information, instructions for configuring the LTI and any other relevant information; including a link to the JIRA ticketSave the documentation and decision, for the duration of use of the tool.
4. Update documentation - your syllabus, your course (getting started modules), other colleagues or other individuals who may be interested in the tool.