Educause Security Discussion mailing list archives

Re: FERPA Notice of Proposed Rulemaking Addresses Changes in IT


From: "Basgen, Brian" <bbasgen () PIMA EDU>
Date: Mon, 31 Mar 2008 11:44:33 -0700

Kevin,

 While I agree that the government often confuses identification with
authentication, I'm wondering where you see that in this document. For
example, I found this section which seems to indicate a reasoned
approach and question to the community (p. 24):

"As noted above, single-factor
authentication of identity, such as a
standard form user name combined with
a secret password or PIN, may not
provide reasonable protection for access
to all types of education records or
under all circumstances."

 The meat of the issue is on page 3:

"Proposed Regulations: The proposed
regulations would provide that an
educational agency or institution may
not designate as directory information a
student's SSN or other student ID
number. However, directory information
may include a student's user ID or other
unique identifier used by the student to
access or communicate in electronic
systems, but only if the electronic
identifier cannot be used to gain access
to education records except when used
in conjunction with one or more factors
that authenticate the student's identity,
such as a personal identification
number (PIN), password, or other factor
known or possessed only by the student."


 It seems to me like they are addressing the issue reasonably well, and
taking head-on the problem of Student ID numbers, which has been a
subject of some debate over the years.


~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College




 


________________________________

        From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Kevin Shalla
        Sent: Monday, March 31, 2008 11:37 AM
        To: SECURITY () LISTSERV EDUCAUSE EDU
        Subject: Re: [SECURITY] FERPA Notice of Proposed Rulemaking
Addresses Changes in IT
        
        
        Thanks Rodney,
        
        It seems that the legislators here are confusing identification
with authentication.  I hope that universities learned from the social
security number problem (a number, stored in thousands if not millions
of IT systems around the country, properly used for identification and
improperly used (because it's convenient) as authentication) and are not
allowing knowledge of a student ID number to gain access to anything.
I'm pushing to define student ID as directory information so that it
cannot ever be used for authentication, but some on campus are afraid of
doing this.
        
        What do others think?
        
        Kevin
        
        At 12:58 PM 3/31/2008, Rodney Petersen wrote:
        
        

                The U.S. Department of Education has issued a Notice of
Proposed Rulemaking ( http://edocket.access.gpo.gov/2008/pdf/E8-5790.pdf )
with proposed
regulations pertaining to the Family Education Rights and Privacy
(FERPA).   Among other things, "the proposed regulations respond to
changes in information technology and address other issues identified
through the Department's experience administering FERPA," according to
the Notice. Additionally, the regulations are needed to implement
amendments to FERPA contained in the USA Patriot Act and the Campus Sex
Crimes Prevention Act, to implement two U.S. Supreme Court decisions
interpreting FERPA, and to make other necessary changes.
                
                Among the IT-related changes are: 

                *       Clarification of what can be included as
directory information, addressing Social Security Number (SSN), other
student ID numbers, and email addresses 
                *       Requiring the use of reasonable methods to
identify and authenticate the identity of students, parents, school
officials, and any other parties to whom personally identifiable
information is disclosed 
                *       Recommendations to assist institutions in
safeguarding educational records (Note:  this is covered on page 15598
of Federal Register Notice or page 26 of PDF document.) 


                The deadline for comments is May 8, 2008. 
                
                The EDUCAUSE Washington Office (
http://www.educause.edu/policy ) is
reviewing the proposed changes and welcomes your comments or questions
(send comments to rpetersen () educause edu). We will provide a more
detailed analysis of the proposed rules and any further updates at a
later date.
                
                -Rodney 
                
                --------------------------------------------------
                Rodney J. Petersen, J.D.
                Government Relations Officer & Security Task Force
Coordinator
                
                EDUCAUSE
                1150 18th Street, N.W., Suite 1010
                Washington, D.C. 20036
                (202) 331-5368 / (202) 872-4200
                (202) 872-4318 (FAX)
                EDUCAUSE/Internet2 Security Task Force
                www.educause.edu/security
                -------------------------------------------------- 
