Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.


Info
iconfalse

Table of Contents


Choosing a Tool

When requests to connect a service to an SPU system for teaching and learning come to ETM, our department works through a process that helps us look at data access, data storage, 

Tip

If an LTI can be installed at the course level, without any admin work, then a full review may not be necessary.

LTI Review Process

Company

Ensure you have a formal written contract with the vendor and that your relationship with the vendor is in good standing


ETMs Technology Review Process

Choosing your Tool

  1. Identify your need and if the tool supports your needs and learning objectives?  ETM doesn't explicitly review for this, but we do want to encourage faculty to choose technology that aligns with their course or program objectives.
    1. Instructors may even want to check out the company more to see if it's a company you'd like to work with.
  2. It's a lot easier for us if there is a contract that has been reviewed by CIS and the Office of Planning & Administration. 
    1. Sometimes you may not have a formal contract, in that case, it's important to make sure you review the Terms of Service.
  3. Collect contact info for sales rep, support and any
configuration documents and store in the ticket.

Data

Reach
  1. other important documents/instructions related to the tool.
    1. ETM can collect this information, but it helps us if you have a named contact or can tell us who to work with. 
    2. Important documents, includes what's listed below, but also instructions on how to use the tool both as an instructor and student, support resources, instructions to connect the tool, etc.

Collect Information

Locate this information on the company website or reach out to the sales rep or support to collect the

appropriate

following documents

.

:

Ask
  1. ETM asks for the documented data points (API) touched in SPU System.
    Ask
      1. ETM asks the vendor to explicitly document all of the API endpoints their integration will be using (this should be a list of all the data that is being read and written) and, optionally, why
    .
  2. If there are concerns about what endpoints are hit, make sure you clarify with the vendor why the data is collected and who has access.
  3. Reserve the right, in writing, to take any actions your team deems appropriate should the vendor make API calls outside of the scope that they defined without notifying your team.
  4. NOTE: Developer keys can be disabled via the Admin UI which will invalidate all issued API tokens to the integration.
  5. Ask the vendor to
    1. We also ask the vendor to clearly state how it complies with FERPA and any other laws that apply to your students (e.g. COPPA, accessibility laws etc...). 
      1. WA state law indicates that Student ID Numbers are protected like SSNs and must be transmitted and stored on encrypted devices.
    Obtain
    1. We request the most recent copy of the vendor's VPAT and accessibility statement
    .Review the documents.
  6. Ensure you understand the vendor’s security policy surrounding how they store API tokens and developer keys (ex. they should never be exposing the developer key or API tokens in any kind of UI, including error reports; only their core engineering team should have access).
  7. Ensure that the the product
    1. .
    2. We also request a HECVAT or HECVAT Lite, some companies may not be familiar with it, you could ask for them to complete one, but it's not the end of the world if there isn't one readily available.
      1. These are documents that help show and explain in further detail how the company has developed and secured the tool and the data it holds
    3. Next we review all of the documents.  
      1. Some of the questions we're looking to have answered are:
        1. Who can access the data? Where is the data stored? Who owns the data and does that change if we no longer use the service? 
      2. Sometimes we ask CIS to help review the security of a document because their office works more closely and regularly with enterprise systems and administration.
      3. We try to ensure that the the technology and company adheres to CIS's Enterprise Software Acquisition guidelines
    as close as possible.Optionally, you may ask a BA to review the VPAT and API, but this may end up lower in the queue, be sure to specify if it is urgent
      1. ,
      2. Our goal is to prioritize teaching & learning while in a secure environment.
    1. If there are exceptions and
    you think
    1. an instructor thinks the tool should still be connected, we document the issue and discuss with the ETM Director
    and/or
    1. , Associate Director and CIS as needed.

    Accessibility Review

    Review
    1. ETM review the VPAT and accessibility statement.  
      1. It's important to verify and understand how the design plays out in real life, it's also good to know who to contact with concerns.
    2. If possible, we'd like to get into system and do
    the following
    1. testing, but we may need to coordinate this with the instructor:
      1. Tab navigate (can you get around without a mouse) and complete the same functions that you intend all students to complete.  Can you do it?  Is it reasonable?
      2. Does a High Contrast UI mode exist or is the color or font difficult to see.
      3. Use a screenreader to see if you can navigate (NVDA is free or use Natural Reader Plugin).
      4. If there is video, are there captions or transcripts?
      5. Keep in mind that even with an accessibility review and test, you may still have to make specific accommodations. 
    2. We encourage all instructors to have a backup plan/idea in mind if someone cannot use the technology for any reason (including accessibility, internet access, device functionality, etc.).

    Wrap Up

    1. Save the documentation and decision, for the duration of use of the tool.
    2. Update documentation - your syllabus, your course (getting started modules), other colleagues or other individuals who may be interested in the tool.
      1. Make sure students know about the technology and where to get help if needed - if it's not a campus-wide tool purchased by SPU, then support should be provided directly by the company.