As Learning and Development experts, your role in understanding the digital security measures implemented by your Learning Management System (LMS) provider is not just crucial but integral for safeguarding sensitive information and maintaining regulatory compliance.
You are tasked with not only identifying an LMS that meets the diverse learning needs of your organisation but also ensuring that it provides robust digital security measures to safeguard against potential breaches and protect valuable organisational assets.
When evaluating potential LMS providers, it’s not enough to be knowledgeable; you need to be proactive. Arm yourself with the knowledge and insights necessary to make informed decisions that align with your organisation's strategic objectives and security requirements. Don’t wait for the information to come to you; go out and get it.
Data Protection Impact Assessments (DPIAs) are a standard process when implementing any new system. Make sure you have one in place, and remember that the DPIA belongs to the organisation. Don't rely on your supplier completing it for you; rely on your supplier adhering to it once you have agreed the DPIA internally.
Let’s deep-dive into the top enquiries that HR professionals should pose to potential LMS providers. These are not just any enquiries; they are the key aspects of digital security that you need to understand.
We’ll look at encryption protocols, authentication mechanisms, data privacy measures, continuous monitoring practices, and incident response capabilities. These are the areas where you need to be most vigilant.
Here are some essential questions to ask your LMS provider to safeguard your organisation’s data.
What Security Protocols are in Place?
It seems the most obvious question to ask, but it is often overlooked when shopping for a new LMS. Ask what foundational security protocols your LMS provider has implemented. Ensure you get detailed information on the provider’s encryption standards to protect data both in transit and at rest. Robust access controls should be in place to ensure that only authorised personnel can access sensitive information.
Your supplier should be able to provide an evidence pack which outlines all security protocols that are in place. Ask for a copy.
Check that your LMS supplier performs regular accredited penetration tests on their servers, office networks and devices. CREST (the Council of Registered Ethical Security Testers) is an internationally recognised non-profit organisation that sets standards for penetration testing. CREST certification is considered the best way to measure a cybersecurity company's legitimacy and competence.
Additionally, inquire about data backup procedures and backup data location to ensure the resilience of your organisation’s data against loss or corruption.
Are the provider's systems audited to required standards?
Ask your supplier to reassure you that they are working to secure your IT against cyber attack. Are their systems and services audited to national and industry standards such as Cyber Essentials Plus, and aligned with National Cyber Security Centre guidance?
And don't forget their employees. Does the organisation carry out vetting for personnel on employment and maintain this on an ongoing basis? Basic UK Government requirements include Baseline Personnel Security Standard (BPSS) screening, which includes proof of ID and DBS background checks, alongside higher level checks such as Non Police Personnel Vetting (NPPV) clearance. You won't have any access to the checks themselves, but can your chosen supplier verify and prove that employee checks take place and are in date?
Your data will be held in a data centre. Where is the data centre, and what accreditation does it hold alongside your chosen supplier? The data centre should hold full ISO certification, with your data ideally being held in the UK and at most in the EU. Can the data centre accreditations be provided? Using a trusted data centre provider, such as Amazon Web Services (AWS), assures this.
Making sure your supplier can promise and prove their security measures gives you a clear picture of the cyber security levels in place and demonstrates certification compliance.
How is User Authentication Managed?
User authentication serves as the first line of defence against unauthorised access to the LMS platform.
Ask about the authentication methods employed, such as multi-factor authentication (MFA) and single sign-on (SSO).
Does your supplier use cryptographic controls? These are security measures that protect data using encryption and decryption; they are a vital part of information security systems and help protect against unauthorised access, data breaches, and tampering.
Multi-factor authentication adds an additional layer of security by requiring users to provide multiple forms of verification, while single sign-on enhances user convenience while maintaining security standards.
Can the LMS be integrated into your existing systems such as Microsoft 365 and Azure, can it enforce MFA, and what methods are used to manage that process? You don't want to hinder staff logging on; to avoid this, integration with your existing authentication methods is vital.
What controls do they use internally for their employees to access your data? Do they have MFA activated on all internal systems, mechanisms to enable/disable role-based access, and monitoring on devices?
What Measures are in Place for Data Privacy?
Data privacy is fundamental to digital security, particularly concerning personally identifiable information (PII) and sensitive organisational data. Seek clarity on how the LMS provider ensures data privacy, including data anonymisation techniques, role-based access controls, and compliance with data protection regulations such as GDPR.
What accreditation does your provider hold to demonstrate compliance with regulatory bodies? It is not enough for them to say they meet, for example, GDPR and data privacy regulations; they should be able to prove it with accreditation such as the NHS Data Security and Protection Toolkit.
How are Continuous Monitoring and Incident Response Handled?
Adequate security measures require continuous monitoring and proactive incident response mechanisms. Enquire about the LMS provider’s approach to continuous monitoring, which identifies security threats and vulnerabilities in real time. Additionally, seek insights into the incident response protocols in place to address security incidents promptly and minimise potential damages.
Registration
Finally, are they registered with the Information Commissioner's Office (ICO)?
By posing these critical questions to your LMS provider, you can protect your organisation’s digital assets against evolving security threats. Prioritising digital security safeguards sensitive data, upholds organisational integrity, and fosters trust among employees and stakeholders.
Remember, proactive assessment and collaboration with your LMS provider, such as Totara, are key to maintaining a secure learning environment and mitigating potential risks effectively. Stay vigilant, stay informed, and prioritise digital security in your organisation’s learning initiatives.
About Chambury Learning
We promise to continually develop our services to meet and exceed customer expectations.
We take your requirements of a Learning Management System and support you into making your vision a reality.
All implementations include: a named Learning Consultant; UK hosting and maintenance; administrative training; and deployment to your team. Also included is free access to customer conferences, workshops and focus groups.
Our extensive experience enables us to establish ourselves as a successful partner in your learning management project.
Chambury Learning commits to providing a professional, customer-focused, single point of contact for Learning Management Systems advice and support, ultimately being recognised as an excellent service provider to our customers and preferred supplier to the NHS.
We create an environment in which the customer feels that they can be open and transparent with their enquiry, that they are being listened to, making our customers feel that they are the most important part of the journey.