Building Trust in the Educational Software Ecosystem

Jack Suess, CIO, University of Maryland Baltimore County

As educational software becomes more critical to instruction, I have seen a dramatic increase in software applications used. Often these applications are bundled with the purchase of electronic textbooks, but other times these are standalone applications that are used across courses. Increasingly, course-based applications are connected to the learning management system (LMS) and are installed as add-ons to the LMS and launched by the individual when they click on a link in the LMS.

As educational institutions, we are bound by the Federal government's Family Educational Rights and Privacy Act (FERPA). That requires educational organizations to secure and control how the educational data of our students is used and shared with individuals. In the K-12 space, many districts must also review vendors and software for compliance with the Children's Online Privacy Protection Act (COPPA), which requires verifiable parental approval. Finally, many states have established laws or requirements around student privacy and security. At a minimum, organizations are now regularly being audited on how they are managing these requirements.

Putting these two paragraphs together, every year, each educational organization has a larger number of software applications where we are required to review the vendor's security and privacy practices to meet audit requirements. What is also true in this statement is that there is a large duplication of effort across our ecosystem, where hundreds or thousands of talented individuals are all doing the same reviews independently. What makes this problem so difficult is how hard it is to get this information. Companies rarely share this information on their public website, and so our employees are forced to work through a chain of individuals trying to pull out the necessary information to review the product. This electronic game of tag can take days or weeks to complete and often requires individuals accustomed to reading legal documents to decipher the privacy policies.

This is a problem in search of a community solution, which is where 1EdTech's Trusted Apps and EDUCAUSE's HECVAT come into play. For software applications tied to the LMS and using LTI, 1EDTECH has pulled in people from the community to develop the Trusted Apps Program. This program uses criteria that member educational organizations deem essential and has vendors state whether they conform or not through a certification process. An educational organization can quickly look up a vendor and tell what they do. In the first two years of launching this initiative, they have gotten over 8000 products from hundreds of vendors in the Trusted Apps Catalog. If you visit the Trusted Apps Directory, you will see a list of filters along the right-hand side. From those, you can select the General Filters and select apps based on those that have been vetted. When I did that, I found 8709 apps. Of that number, 605 apps have fully met the Data Privacy Rubric developed by 1EDTECH members.

“If we want to prioritize privacy with vendors, having a community behind a common set of requirements is the key to making progress.”

Collectively, for this solution to scale, we need educational institutions to get involved. This effort got a lot of attention when the states of South Carolina and Georgia joined 1EDTECH as state members and made this issue a priority. We need more educational organizations to join 1EDTECH and make this a priority. I am especially calling out my colleagues in higher education. If we want to make privacy a priority with vendors, having a community behind a common set of requirements is the key to making progress. For one, this makes it harder for software vendors to ignore the request, and at the same time, it gives those software vendors common requirements that they can implement and then be conformant. This win-win situation benefits both sides.

As we move forward, 1EDTECH is working with members to develop a management dashboard where you will be able to see all applications launched using LTI and what their conformance is to the Data Privacy Rubric.

A similar effort, which I was involved with in its preliminary stages, has been underway at EDUCAUSE for the last decade and has now become known as the Higher Education Community Vendor Assessment Toolkit (HECVAT). The HECVAT toolkit is managed by the EDUCAUSE Higher Education Information Security Council (HEISC) and is now on version 3.03. There is a full and lite version of the HECVAT. Hundreds of higher education institutions use the HECVAT for vendor security reviews, and vendors are getting accustomed to the fact they will be asked for these when selling to higher education institutions. Adopting the HECVAT as your standard security questionnaire will make your life much easier. We use the HECVAT lite for cloud applications that have very minimal data sharing and are a low security risk. This is a more streamlined questionnaire, and most vendors have no problems answering the questions.

Let's start 2023 with a New Year's resolution to work together so we can collectively improve the security and privacy of educational software applications in use at our educational organizations and reduce our efforts! That is like finding a dessert that tastes great and helps you lose weight.
