Is Your LMS Security Good Enough? | Episode 5
In this episode, Clara and Eric explore the growing cyber risks facing education platforms and break down the security capabilities every LMS should have. They cover data protection, privacy compliance, and the critical questions organizations should be asking to keep learners and systems secure.
Chapter 1
The Rising Threat to Education Systems
Clara Jensen
Hey everyone, welcome back to Getting the Most From Your LMS. I’m Clara Jensen, and today I’m joined by Eric Marquette. Eric, it’s really good to have you back. How have you been?
Eric Marquette
Hey Clara, I’m good. Really looking forward to this one. Security isn’t always the most glamorous topic… but it’s definitely more important than ever.
Clara Jensen
Absolutely... and it feels like things have been getting more unpredictable lately. Didn't you say you have a story about that?
Eric Marquette
Oh yeah — I do. Not too long ago, I was supporting a university that got hit with a ransomware attack. They were locked out of their LMS. Student records were compromised. Classes were disrupted almost overnight. It was a tough situation… and a real wake-up call.
Clara Jensen
And I think that’s exactly why this matters. It’s not just about compliance — it’s about protecting your learners, your teams, and your organization. So let’s talk about what people should actually be looking for when it comes to LMS security.
Chapter 2
Building a Fortress: Key Security Features
Eric Marquette
Right… so let’s break down what a secure LMS should actually have. First up — compliance certifications. If your provider isn’t ISO 27001 or SOC 2 certified, that’s a red flag. These aren’t just fancy acronyms — they mean the platform’s been audited for real security controls. And I always tell folks, don’t just take their word for it. Ask to see the certificates. ISO 27001 is all about managing sensitive info, and SOC 2 digs into security, privacy, and all that good stuff. And if your LMS is handling personal data, you definitely want those badges.
Eric Marquette
And... there’s also the encryption. You want TLS protocols for data in transit—so when you’re logging in or submitting assignments, it’s all scrambled up for anyone trying to snoop. And don’t forget encryption at rest. If someone gets their hands on the server, your data should still be unreadable.
Clara Jensen
That's a good point, and you know… secure engineering practices really matter. I’ve seen platforms skip regular code reviews… or not train their developers on security at all. That’s how problems slip through. That’s how you end up with things like SQL injection… or cross-site scripting — XSS — that's for all the acronym lovers out there... But, still, it's rarely just one big mistake… It’s usually a lot of small ones that keep adding up.
Eric Marquette
Yeah, those are the classics. And honestly, they’re still around because people get complacent. Regular audits and penetration testing are a must. You want your provider to be looking for holes before the bad guys do.
Clara Jensen
Totally. I actually worked with a nonprofit a while back—and you know, as you would imagine, they were super nervous about security, and for good reason. We helped them roll out multi-factor authentication and set up role-based access controls. It was a bit of a learning curve, but once they saw how easy it was to limit who could see what, they were all in. It’s not just about stopping hackers, it’s about making sure only the right people have access to sensitive info.
Eric Marquette
And that’s a great point. Role-based access, MFA, regular audits—these aren’t just “nice to haves.” They’re the basics now. If your LMS provider can’t talk you through their process for these, I’d start looking elsewhere.
Clara Jensen
And don’t forget about the people side. Engineering teams need ongoing security training — OWASP standards… all of that. And as you know, the threats change fast, so you definitely want your team ahead of the curve… without playing any catch-up.
Eric Marquette
I couldn’t agree with you more. Security isn’t a one-and-done thing. It’s a moving target, and you need a provider who treats it that way.
Chapter 3
Privacy by Design: Data Management and User Rights
Clara Jensen
Alright, so now let’s talk about privacy and data management. It’s not just about keeping hackers out—it’s about respecting your users’ rights. That means strong encryption — sure... but also clear privacy policies and compliance with laws like GDPR and CCPA.
Eric Marquette
Yeah, and I think a lot of folks underestimate how important transparency is. Users want to know what’s happening with their data. Is it being sold? Who can see it? Your LMS provider should be able to answer those questions without hesitation.
Clara Jensen
And disaster recovery—oh man, I can’t tell you how many times I’ve seen organizations skip this. If your data’s hosted in the US, you’ve got to make sure your provider has solid backup and redundancy plans. If something goes wrong, you want to be back up and running quickly, instead of scrambling for many weeks.
Eric Marquette
Exactly. And don’t forget about the “right to be forgotten.” Users should be able to request that their data be deleted or at least updated. That’s not just a European thing anymore—it’s becoming standard everywhere. Your LMS should make it easy, simple, and straightforward.
Clara Jensen
Oh yeah, and when you’re evaluating providers, have a checklist. Ask about compliance—ISO, SOC 2, all that. Ask how they handle encryption, what their audit process looks like, where the data’s hosted, and also how they handle deletion requests. If they can’t answer, or they get cagey, I would say that’s probably your cue to walk away.
Eric Marquette
And honestly, don’t be afraid to get specific. Like, “How do you protect against SQL injection?” or “Can I see your disaster recovery plan?” The good providers will have answers ready. The others, well, you’ll know pretty quick.
Clara Jensen
Oh yeah — I think that’s a good place to wrap. Security’s a big topic, but hopefully we gave you a helpful starting point for thinking about LMS security and, most importantly, keeping your learners safe.
Eric Marquette
Yeah, and if you’re feeling overwhelmed, don’t worry. We’ll keep breaking this down in future episodes. Thanks for hanging out with us today. Always a pleasure.
Clara Jensen
Thanks, Eric. And thanks so much to everyone for listening. Stay safe… ask the tough questions… and we’ll catch you next time on Getting the Most From Your LMS.
Eric Marquette
Take care and see you next time!
