Educause Security Discussion mailing list archives
FERPA and ASP compliance
From: Theresa M Rowe <rowe () OAKLAND EDU>
Date: Wed, 7 Nov 2007 08:19:01 -0500
Hi, Justin,

If your question has to do with FERPA, and authentication, I'd suggest that you start with learning what is directory information and what isn't directory information at your individual university. Every university defines directory information differently and that is valid under FERPA law. For most, it is student name, address, etc., and these data items can be published or shared as public, as long as the student has not specifically invoked privacy. The rest of the academic record (i.e., GPA) can never be shared.

For us, we did not list our email/LDAP identifier as directory information, so it is not publicly shared. We did that so that companies could not submit a FOIA (Freedom of Information Act) request and get all the IDs (which happened once).

When we work with an external ASP, we design authentication to work on a request basis; i.e., a secure web site is developed where an end-user enters a login ID and password, which is passed to us for true/false evaluation and a response is returned. We do not send our entire ID population to the vendor.

We also ask our ASPs to complete a security review document before the contract is signed; a copy of that is on our web site http://www2.oakland.edu/uts/policies.cfm#outsourcing Click on the red word STANDARDS.

We've just started evaluating the use of SAML for this kind of security request processing.

Theresa Rowe
Chief Information Officer
University Technology Services
www.oakland.edu/uts
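The request-basis design described in the message above, sketched as an added example (not part of the original post and not Oakland University's code): the vendor's site forwards one login ID and password, and the university side answers only true or false, so the ID population never leaves campus and the reply cannot be used to tell a valid ID from an invalid one. The names `DIRECTORY`, `evaluate` and `handle_vendor_request`, the request shape and the PBKDF2 storage are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed PBKDF2 work factor for this sketch


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_record(password: str) -> tuple:
    """Return (salt, derived key) for storage on the university side."""
    salt = os.urandom(16)
    return salt, _hash(password, salt)


# Constructed sample directory. It stays on the university side and is
# never exported to the vendor (ASP).
DIRECTORY = {
    "jdoe": make_record("correct horse"),
    "asmith": make_record("battery staple"),
}

# Dummy record so an unknown ID costs the same hashing work as a known one.
_DUMMY = make_record("placeholder")


def evaluate(login_id: str, password: str) -> bool:
    """True only when the ID exists and the password matches."""
    salt, stored = DIRECTORY.get(login_id, _DUMMY)
    match = hmac.compare_digest(_hash(password, salt), stored)
    # The membership check stops the dummy record from ever authenticating.
    return match and login_id in DIRECTORY


def handle_vendor_request(request: dict) -> dict:
    """Vendor-facing reply: one boolean, identical for malformed input,
    unknown ID and wrong password, so it leaks nothing about which IDs exist."""
    login_id = request.get("login_id")
    password = request.get("password")
    if not isinstance(login_id, str) or not isinstance(password, str):
        return {"authenticated": False}
    return {"authenticated": evaluate(login_id, password)}
```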