Educause Security Discussion mailing list archives
Re: google docs google services
From: Ruth Ginzberg <rginzberg () UWSA EDU>
Date: Tue, 23 Feb 2016 19:04:32 +0000
I agree, you can designate Google a “school official” but isn’t the institution itself is still responsible for the actions of those it so designates? Ruth Ginzberg, CISSP, CTPS Sr. I.T. Procurement Specialist University of Wisconsin System 608-890-3961 From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Bellina, Brendan Sent: Tuesday, February 23, 2016 1:00 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] google docs google services There have been updates to FERPA since '73 to accommodate the use of third party vendors acting on behalf of the institution to carry out functions that the institution would otherwise do internally. Basically this was done to allow Google for Education to be utilized since schools were going ahead and doing so anyway to get away from running their own email systems. Regards, Brendan Bellina Identity Mgmt. Architect, IT Services, UCLA ✉ bbellina () ucla edu<mailto:bbellina () ucla edu> ☏ +1 310 206 3131 From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>> on behalf of Ruth Ginzberg <rginzberg () UWSA EDU<mailto:rginzberg () UWSA EDU>> Reply-To: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>> Date: Tuesday, February 23, 2016 at 10:50 AM To: "SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>" <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>> Subject: Re: [SECURITY] google docs google services The thing that makes this so challenging is that “FERPA compliance” isn’t defined anywhere w.r.t. computer security. There is nothing whatsoever in 20 U.S.C. § 1232g; 34 CFR Part 99 a.k.a. “FERPA” that says anything at all about what kind of security measures 3rd party providers are obligated to take. So (technically) a 3rd party provider could do nothing at all with respect to FERPA and claim that it is “FERPA compliant.” As it stands right now, there is the law, and there are about a gad-zillion letters (http://www2.ed.gov/policy/gen/guid/fpco/ferpa/library/index.html ) saying what the Dept of Ed thinks FERPA says. But it is up to each individual institution to interpret those and figure out what IT is willing to argue constitutes “compliance” with FERPA when it comes to electronic records. The law itself was written in (I think…) 1973 (?) when most educational records were still paper items in manila file folders in drawers in cabinets in rooms filled with such filing cabinets. It is always, always, always up to the INSTITUTION (not the 3rd party) to ensure FERPA compliance (i.e., you can’t outsource responsibility for regulatory compliance). So different institutions are going to make different judgment calls regarding whether something is “compliant” with FERPA as that institution understands it. What matters most is whether the institution in question believes (and is willing to defend, if called on the carpet for it) that the 3rd party’s security practices are “FERPA compliant.” Ruth Ginzberg, CISSP, CTPS Sr. I.T. Procurement Specialist University of Wisconsin System 608-890-3961 From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jones, Mark B Sent: Tuesday, February 23, 2016 12:29 PM To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU> Subject: Re: [SECURITY] google docs google services We use GAE and our legal department was satisfied with regard to FERPA. I don’t know if the standard Google agreement was sufficient or if Google signed an addendum. Either way, FERPA Compliance is doable. From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jay Fowler Sent: Tuesday, February 23, 2016 10:14 AM To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU> Subject: Re: [SECURITY] google docs google services Perhaps this would be helpful. Google mentions this with regard to FERPA: https://www.google.com/edu/trust/#does-google-apps-for-education-comply-with-ferpa ________________________________ From: "Mark Reboli" <mreboli () MISERICORDIA EDU<mailto:mreboli () MISERICORDIA EDU>> To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU> Sent: Tuesday, February 23, 2016 8:00:56 AM Subject: [SECURITY] google docs google services Is anyone utilizing Google Docs or Google Services? If so how have you dealt with the FERPA compliance component. I know this has been discussed in the past and the issue according to our FERPA person on campus has also indicated in his discussion with other registrars etc. is the potential for the mining of FERPA information store by Google. We have likewise tried for several months to find a good source at google that we can discuss information about this but have never been responded in all of the requests we have made, so If you have a contact that you can share I would be most appreciative. m [Description: MU Arches] Mark Reboli Network/Telecom Manager Misericordia University (570) 674-6753
Current thread:
- google docs google services Mark Reboli (Feb 23)
- Re: google docs google services Jay Fowler (Feb 23)
- Re: google docs google services Jones, Mark B (Feb 23)
- Re: google docs google services Ruth Ginzberg (Feb 23)
- Re: google docs google services Judith L. Tabron (Feb 23)
- Re: google docs google services Steve Terry (Feb 23)
- Re: google docs google services Jones, Mark B (Feb 23)
- Re: google docs google services Jay Fowler (Feb 23)
- <Possible follow-ups>
- Re: google docs google services Bellina, Brendan (Feb 23)
- Re: google docs google services Ruth Ginzberg (Feb 23)
- Re: google docs google services Bellina, Brendan (Feb 23)
- Re: google docs google services Ruth Ginzberg (Feb 23)