When requests to connect a service to an SPU system for teaching and learning come to ETM, our department works through a process that helps us look at data access, data storage,
If an LTI can be installed at the course level, without any admin work, then a full review may not be necessary.
ETM's Technology Review Process
Choosing your Tool
Identify your need and whether the tool supports your needs and learning objectives. ETM doesn't explicitly review for this, but we do want to encourage faculty to choose technology that aligns with their course or program objectives.
Instructors may even want to look into the company further to see whether it's one they'd like to work with.
It's a lot easier for us if there is a contract that has been reviewed by CIS and the Office of Planning & Administration.
Sometimes you may not have a formal contract; in that case, it's important to make sure you review the Terms of Service.
Collect contact info for the sales rep and support, along with any other important documents/instructions related to the tool.
ETM can collect this information, but it helps us if you have a named contact or can tell us who to work with.
Important documents include what's listed below, as well as instructions on how to use the tool as both an instructor and a student, support resources, instructions to connect the tool, etc.
Locate this information on the company website or reach out to the sales rep or support to collect the following documents:
ETM asks for documentation of the data points (API) touched in the SPU system.
ETM asks the vendor to explicitly document all of the API endpoints their integration will be using (this should be a list of all the data that is being read and written) and, optionally, why
We also ask the vendor to clearly state how it complies with FERPA and any other laws that apply to your students (e.g. COPPA, accessibility laws, etc.).
WA state law indicates that Student ID Numbers are protected like SSNs and must be transmitted and stored on encrypted devices.
We request the most recent copy of the vendor's VPAT and accessibility statement.
We also request a HECVAT or HECVAT Lite. Some companies may not be familiar with it; you could ask them to complete one, but it's not the end of the world if there isn't one readily available.
These are documents that help show and explain in further detail how the company has developed and secured the tool and the data it holds.
Next we review all of the documents.
Some of the questions we're looking to have answered are:
Who can access the data? Where is the data stored? Who owns the data and does that change if we no longer use the service?
Sometimes we ask CIS to help review the security of a document because their office works more closely and regularly with enterprise systems and administration.