Educause Security Discussion mailing list archives
Re: FERPA Notice of Proposed Rulemaking Addresses Changes in IT
From: Charlie Prothero <Charlie.Prothero () KEYSTONE EDU>
Date: Tue, 1 Apr 2008 18:02:50 -0400
It's amazing how far we've come in a relatively short time. Many of us on this list likely went to schools that routinely posted printouts of student social security numbers and grades, room assignments, etc. Imagine getting caught doing that now!

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Kevin Shalla
Sent: Tuesday, April 01, 2008 5:30 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] FERPA Notice of Proposed Rulemaking Addresses Changes in IT

I think secure grade distribution should be addressed by every school as it chooses. Schools are ultimately liable for the actions of their employees, no?

The secure distribution of grades has been handled by professors for centuries, in two general areas - grades for individual assignments, and midterm and final grades. The secure distribution of midterm and final grades has already been addressed by all modern student information systems - students log into the system and view their grades. The grades for individual assignments and exams used to be all done with pen, and handed to the student at the next class session. Now there are course management systems. Let the schools decide how to solve the problem, don't let Washington tell us that grades should be distributed by posting grades next to student IDs. Give us the real problem - privacy - and let us solve it.

At 02:59 PM 4/1/2008, Mclaughlin, Kevin (mclaugkl) wrote:
Hi Brian:

I think that this comment needs some push-back and is therefore the crux of my puzzlement on how to adhere to the intent of the new FERPA changes:

(The proposal is that *every* teacher assigns unique authenticators (pins, words, colors codes -- anything) to each student that is relevant for only that class, for that semester. It is certainly a secure method, and puts the onus on the faculty member.)

This certainly does put the onus on the faculty member but in order to be in compliance they now need to safeguard the delivery, use, storage and ongoing usage of the one time student authenticator. How are they going to provide the student with their code word? On paper, via email, whispering it to them, et cetera. If via paper is the faculty member going to then watch as the student shreds the paper? If via email is the email going to be encrypted in both transit and then in storage? If whispering it to them are they going to make sure no one else can hear? Is the class list of secret authenticators going to be encrypted by the faculty member? Will TAs have access to it (are they even allowed to have access to it?) How are we going to insure that the secret authenticators are destroyed at the end of the quarter? How is the secret authenticator going to be used effectively - most assuredly if I post a grade list in public and there are 15 grades of A and one F the kid who groans has just compromised his secret authenticator. I could go on but .......

I'll say it again Regulations need to be clearly articulated, concise, enforceable and if possible easy to comply with. If the crux of the Student ID issue is the public posting of student grades FERPA should say "if you put a student's grades of any type in an area accessible by anyone other than the student who owns the grade you are violating FERPA". I agree with previous comments in this posting that Educause should help us with the comment to send back to the FERPA folks.

-Kevin

Kevin L. McLaughlin
CISM, CISSP, GIAC-GSLC, PMP, ITIL Master Certified
Director, Information Security
University of Cincinnati
513-556-9177 (w)
513-703-3211 (m)
513-558-ISEC (department)

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Basgen, Brian
Sent: Tuesday, April 01, 2008 1:50 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] FERPA Notice of Proposed Rulemaking Addresses Changes in IT

> to proceed. If we eliminate in house Identifiers (Student IDs) as Directory information and then we go with a PIN or secret word for faculty who post grades (and many do - at least here at UC) how do we secure the identity of the PINs

The proposal is that *every* teacher assigns unique authenticators (pins, words, colors codes -- anything) to each student that is relevant for only that class, for that semester. It is certainly a secure method, and puts the onus on the faculty member.

> if) stopping faculty from posting grades than FERPA regulation should simply mandate that this process stop or they will be out of compliance with FERPA.

That would be interesting, but probably untenable. I tend to think they are okay with posting, so long as it is reasonably secure.

> point. One of the main reasons we (and I would assume others) went to a Student ID vs SSN was so that we had a way to identify students without giving up PII safeguards

Right, but they do have a fair point. Since the SID follows the student, as they point out, so long as you have the same class with the same student, you've figured out their SID. One-time authenticators, by contrast, don't have this problem.

~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College