As part of our ongoing prioritization of privacy and security, D2L made a number of commitments in August and September 2023. We document our progress toward meeting those pledges below.
On August 8, 2023, D2L CEO John Baker was invited to announce several D2L commitments at a White House forum hosted by First Lady Jill Biden.
In September 2023, D2L was among the first in the sector to sign the U.S. Cybersecurity and Infrastructure Security Agency (CISA) ‘Secure by Design’ voluntary pledge for K-12 Education Technology software manufacturers.
D2L recognizes that an ever-evolving threat landscape requires us to be vigilant and adaptable to help keep learning safe and secure. Through these and other ongoing steps, D2L continues to work closely with customers to help implement strong privacy and security controls that can assist with reducing cybersecurity burdens for our customers. This in turn helps, for example, our K-12 customers further focus on their core mission of teaching and learning.
Cybersecurity Business Leader
Stephen Laster, President at D2L, serves as D2L’s senior cybersecurity business leader to help bring further accountability for cybersecurity to the most senior levels of D2L. Stephen is responsible for managing the ongoing process of integrating security as a core function of the business alongside D2L’s longstanding Chief Technology Officer and Chief Information Security Officer Nick Oddson, including the development and implementation of D2L's Secure by Design roadmap. [Secure-by-Design Principle 3.0]
Free SSO for Customers
As of March 2023, D2L offers Security Assertion Markup Language (SAML)-based Single Sign On (SSO) to all customers at no extra charge, to help reduce password-based cyber-attacks. Customers can find details on how to configure and manage their SSO on the Brightspace Community. [Secure-by-Design Principle 1.1]
Security Audit Log Assistance
D2L assists customers at no additional charge in responding to security questions and incidents including with regard to product and server log analysis for response to security/penetration testing, compromised user accounts, email phishing and vulnerabilities. In exceptional circumstances, fees may apply to limit cases of extraordinary scope. Customers can find details about the scope of service on the Brightspace Community. [Secure-by-Design Principle 1.2]
Helping to Reduce the Burden of Vetting Third-Party Tools
D2L is helping to reduce the burden for school and other customers' IT departments that are responsible for reviewing numerous third-party tools and applications. While this type of review is already a standard practice for D2L, the more recently added “D2L Security Reviewed” badge on the D2L Partner Integration Hub can help signify which third-party partners have demonstrated their commitment to information security. These partners have been confirmed by D2L experts to satisfy the following standards:
- Undergone a comprehensive information security review, including submitting a SOC2 Type 2 third-party report or its equivalent, or
- Completed an AI impact assessment (if relevant) that is reviewed by D2L’s internal AI working group
Building on Third Party Validation
D2L’s privacy and security controls include encryption by default, key security certifications, and other layered protections. D2L continues to work to improve its security — and the security posture for its customers. D2L regularly achieves updated 3rd party verified certifications, including: ISO 27001, ISO 27017, ISO 27018, Level 2 certification for TX-RAMP and privacy certification 27701. D2L continues to pursue additional third-party validation to further confirm compliance with industry security standards.
Free Cybersecurity Course for K-12 School Leaders
D2L and Sinclair College have launched a free K-12 Cybersecurity Course to help school system leaders guide their districts in increasing their resilience to cyber threats to both student (and staff) data and learning continuity. The short, self-paced course is designed specifically for K-12 superintendents and administrators to understand key school threats, essential mitigation practices, and needed planning frameworks. For more information, view the announcement and the course information and registration page.
Product Roadmap
D2L further increased its transparency by updating D2L Security Practices and continues to treat security as an integral aspect of its product roadmap. The design of D2L products and services has the protection of private data and security top of mind at every stage of our Software Development Lifecycle (SDLC). [Secure-by-Design Principle 2.1]
Vulnerability Disclosure Policy
D2L published its Vulnerability Disclosure Policy (VDP) intending to provide security researchers clear guidelines for conducting vulnerability discovery activities and to convey D2L's preferences in how to submit discovered vulnerabilities for review. The policy increases visibility and collaboration, including terms regarding authorization of testing, legal safe harbor, public disclosure, and remediation processes. [Secure-by-Design Principle 2.2]
Where do I go to find out more?
Introducing SAML and SAML Administration blog post
Security Audit Log Assistance Policy blog post
K-12 Cybersecurity Course | D2L
Security Best Practices | D2L
Vulnerability Disclosure Policy