Educause Security Discussion mailing list archives

Re: FERPA Notice of Proposed Rulemaking Addresses Changes in IT


From: Charlie Prothero <Charlie.Prothero () KEYSTONE EDU>
Date: Tue, 1 Apr 2008 18:02:50 -0400

It's amazing how far we've come in a relatively short time.  Many of us
on this list likely went to schools that routinely posted printouts of
student social security numbers and grades, room assignments, etc.
Imagine getting caught doing that now!    

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Kevin Shalla
Sent: Tuesday, April 01, 2008 5:30 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] FERPA Notice of Proposed Rulemaking Addresses
Changes in IT

I think secure grade distribution should be addressed by every school 
as it chooses.  Schools are ultimately liable for the actions of 
their employees, no?  The secure distribution of grades has been 
handled by professors for centuries, in two general areas - grades 
for individual assignments, and midterm and final grades.  The secure 
distribution of midterm and final grades has already been addressed 
by all modern student information systems - students log into the 
system and view their grades.  The grades for individual assignments 
and exams used to be all done with pen, and handed to the student at 
the next class session.  Now there are course management 
systems.  Let the schools decide how to solve the problem, don't let 
Washington tell us that grades should be distributed by posting 
grades next to student IDs.  Give us the real problem - privacy - and 
let us solve it.

At 02:59 PM 4/1/2008, Mclaughlin, Kevin (mclaugkl) wrote:
Hi Brian:

I think that this comment needs some push-back and is therefore the crux
of my puzzlement on how to adhere to the intent of the new FERPA changes:

      (The proposal is that *every* teacher assigns unique authenticators
      (pins, words, colors codes -- anything) to each student that is
      relevant for only that class, for that semester. It is certainly a
      secure method, and puts the onus on the faculty member.)

This certainly does put the onus on the faculty member but in order to be
in compliance they now need to safeguard the delivery, use, storage and
ongoing usage of the one time student authenticator.  How are they going
to provide the student with their code word?  On paper, via email,
whispering it to them, et cetera.  If via paper is the faculty member
going to then watch as the student shreds the paper?  If via email is the
email going to be encrypted in both transit and then in storage?  If
whispering it to them are they going to make sure no one else can hear?
Is the class list of secret authenticators going to be encrypted by the
faculty member?  Will TAs have access to it (are they even allowed to
have access to it?)  How are we going to ensure that the secret
authenticators are destroyed at the end of the quarter?  How is the
secret authenticator going to be used effectively - most assuredly if I
post a grade list in public and there are 15 grades of A and one F the
kid who groans has just compromised his secret authenticator.
I could go on but .......

I'll say it again: Regulations need to be clearly articulated, concise,
enforceable and if possible easy to comply with.  If the crux of the
Student ID issue is the public posting of student grades FERPA should say
"if you put a student's grades of any type in an area accessible by
anyone other than the student who owns the grade you are violating
FERPA".  I agree with previous comments in this posting that Educause
should help us with the comment to send back to the FERPA folks.


-Kevin


Kevin L. McLaughlin
CISM, CISSP, GIAC-GSLC,PMP, ITIL Master Certified
Director, Information Security
University of Cincinnati
513-556-9177 (w)
513-703-3211 (m)
513-558-ISEC (department)




-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Basgen, Brian
Sent: Tuesday, April 01, 2008 1:50 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] FERPA Notice of Proposed Rulemaking Addresses
Changes in IT

to proceed.  If we eliminate in house Identifiers (Student
IDs) as Directory information and then we go with a PIN or
secret word for faculty who post grades (and many do - at
least here at UC) how do we secure the identity of the PINs

 The proposal is that *every* teacher assigns unique authenticators
(pins, words, colors codes -- anything) to each student that is relevant
for only that class, for that semester. It is certainly a secure method,
and puts the onus on the faculty member.

if)  stopping faculty from posting grades than FERPA
regulation should simply mandate that this process stop or
they will be out of compliance with
FERPA.

 That would be interesting, but probably untenable. I tend to think they
are okay with posting, so long as it is reasonably secure.

point.  One of the main reasons we (and I would assume
others) went to a Student ID vs SSN was so that we had a way
to identify students without giving up PII safeguards

 Right, but they do have a fair point. Since the SID follows the
student, as they point out, so long as you have the same class with the
same student, you've figured out their SID. One-time authenticators, by
contrast, don't have this problem.

~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College

