Educause Security Discussion mailing list archives

Re: FERPA Notice [other IT potential changes]


From: "Basgen, Brian" <bbasgen () PIMA EDU>
Date: Mon, 31 Mar 2008 16:17:39 -0700

 
 Here is a list of some IT impacts I picked up while reading through the
document:

* Update the meaning of PII to include Biometrics

* Requires controls for access to student records, with suggestion (not
requirement) for NIST 800-53

* Interesting changes on authentication that seem to generally tie in
the use of online systems as an over-arching principle to be applied to
all access to student records. 

"Authentication of identity generally involves requiring a user to
provide something that only the user knows, such as a PIN, password, or
answer to a personal question; something that only the user has, such as
a smart card or token; or a biometric factor associated with no one
other than the user, such as a finger, iris, or voice print. Under the
proposed regulations an educational agency or institution may determine
that single-factor authentication, such as a standard form user name
combined with a secret PIN or password, is reasonable for protecting
access to electronic grades and transcripts. Single-factor
authentication may not be reasonable, however, for protecting access to
SSNs, credit card numbers, and similar information that could be used
for identity theft and financial fraud."

* "prohibit an educational agency or institution from using an SSN,
either alone or when combined with
other data elements, to identify or help identify a student or the
student's records"

* Several changes to enforcement. Not clear about the effectiveness of
these. 

 Btw, the most legible part of this (I realize in hindsight)/executive
summary starts on page 20 with "Executive Order 12866" and essentially
ends at page 26. :)

~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College




 


________________________________

        From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Rodney Petersen
        Sent: Monday, March 31, 2008 10:58 AM
        To: SECURITY () LISTSERV EDUCAUSE EDU
        Subject: [SECURITY] FERPA Notice of Proposed Rulemaking
Addresses Changes in IT
        
        

        The U.S. Department of Education has issued a Notice of Proposed
Rulemaking (http://edocket.access.gpo.gov/2008/pdf/E8-5790.pdf) with proposed
regulations pertaining to the Family Education Rights and Privacy
(FERPA). Among other things, "the proposed regulations respond to
changes in information technology and address other issues identified
through the Department's experience administering FERPA," according to
the Notice. Additionally, the regulations are needed to implement
amendments to FERPA contained in the USA Patriot Act and the Campus Sex
Crimes Prevention Act, to implement two U.S. Supreme Court decisions
interpreting FERPA, and to make other necessary changes.

        Among the IT-related changes are: 

        *       Clarification of what can be included as directory
information, addressing Social Security Number (SSN), other student ID
numbers, and email addresses 
        *       Requiring the use of reasonable methods to identify and
authenticate the identity of students, parents, school officials, and
any other parties to whom personally identifiable information is
disclosed 
        *       Recommendations to assist institutions in safeguarding
educational records (Note:  this is covered on page 15598 of Federal
Register Notice or page 26 of PDF document.) 
                

        The deadline for comments is May 8, 2008. 

        The EDUCAUSE Washington Office (http://www.educause.edu/policy)
is reviewing the proposed changes and
welcomes your comments or questions (send comments to
rpetersen () educause edu). We will provide a more detailed analysis of the
proposed rules and any further updates at a later date.

        -Rodney 

        --------------------------------------------------
        Rodney J. Petersen, J.D.
        Government Relations Officer & Security Task Force Coordinator
        
        EDUCAUSE
        1150 18th Street, N.W., Suite 1010
        Washington, D.C. 20036
        (202) 331-5368 / (202) 872-4200
        (202) 872-4318 (FAX)
        EDUCAUSE/Internet2 Security Task Force
        www.educause.edu/security
        -------------------------------------------------- 
