Re: FERPA Notice [other IT potential changes]

[Chuck Dunn <chuck () BUFFALO EDU>]

These are PROPOSED rule changes.

There are some changes proposed that I see as positive, but some that
have real cost and service implications.

In my view, it is an unfunded mandate and for many institutions, it will
translate directly into retooling costs and significant disruption of
services. In those cases, we need to estimate the cost and clearly
explain the consequences to student services.

Get your Registrar and Government Affairs staff clued in about the
potential impacts.  I think it's time to do a bit of serious lobbying.

Working toward having EduCause represent our interests by gathering and
consolidating our concerns for input into the rule-making process would
seem a prudent measure.   Rodney asked for feedback in his original message:

"The EDUCAUSE Washington Office (http://www.educause.edu/policy) is
reviewing the proposed changes and welcome your comments or questions
(send comments to rpetersen () educause edu)."

Chuck

Mclaughlin, Kevin (mclaugkl) wrote:
> Hi Brad:
>
>
> We attempted that approach but a lot of the Professor's in our graduate
> programs pushed back hard. I had many comments like "the electronic
> gradebook doesn't work in the manner I need it to,   I have specific grade
> requirements that can't be supported by the Gradebook tool, are you now
> trying to dictate how I conduct course assessments? Et cetera."   I do like
> the number or secret word idea for hardcopy postings and will try to wrap my
> mind on some ways to do that electronically as well.  At the end of the day
> though I suspect even the Security supporters within my community will see
> this as yet another unfunded mandate that requires significant process
> change to comply with and in the case of a single list of class grades
> little risk associated with non-compliance.
>
> I have no solutions here - just questions.... :-)
>
> -Kevin
>
>
> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Brad Judy
> Sent: Tuesday, April 01, 2008 9:11 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY]
>
> We restricted the use of SID's for displaying grades a long time ago.
> Faculty are encouraged to use the course management system as a gradebook,
> even if they aren't using it for course content.  This is a good option
> since students can check their grades from anywhere and there is built-in
> authentication and access control.  For traditional "paper on the wall"
> grade postings, faculty collect a number sequence or word of choice from
> their students to use as an identifier.
>
> Brad Judy
>
> IT Security Office
> University of Colorado at Boulder
>
> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mclaughlin, Kevin
> (mclaugkl)
> Sent: Tuesday, April 01, 2008 7:04 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY]
>
> This potentially hits us hard on the whole Student ID front.  We don't use
> SSNs or User IDs as Directory information but we do treat our UC specific
> student IDs as Directory (internal use non restricted) data.  These UC IDs
> are restricted by policy from being used in any sort of authentication
> process and it would make sense for us to continue using these as Directory
> data on many of the other regulated fronts.  Now FERPA is saying to restrict
> the use of these as well so with my adjunct hat on I am scratching my head
> wondering how in the world I can share my student's progress with them in a
> manageable way.  Also, I already know, based on previous conversations with
> full time faculty, that going to them and telling them that we have now
> decided to also restrict the use of Student ID for communicating grades and
> progress to students will cause an uproar and protest.
>
> Any suggestions?
>
> -Kevin
>
> Kevin L. McLaughlin
> CISM, CISSP, GIAC-GSLC,PMP, ITIL Master Certified Director, Information
> Security University of Cincinnati
> 513-556-9177 (w)
> 513-703-3211 (m)
> 513-558-ISEC (department)
>
>
>
>
> CONFIDENTIALITY NOTICE: This e-mail message and its content is confidential,
> intended solely for the addressee, and may be legally privileged. Access to
> this message and its content by any individual or entity other than those
> identified in this message is unauthorized. If you are not the intended
> recipient, any disclosure, copying or distribution of this e-mail may be
> unlawful. Any action taken or omitted due to the content of this message is
> prohibited and may be unlawful.
>
>
> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Stephen J Smoogen
> Sent: Monday, March 31, 2008 7:22 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: [SECURITY]
>
> Subject: Re: [SECURITY] FERPA Notice of Proposed Rulemaking Addresses
> Changes
>  in IT
> In-Reply-To:
> <BE7F8D9715234E47955624FF7D429170015B3676 () DO-EX03 PCC-Domain pima edu>
> Message-ID: <alpine.LRH.1.10.0803311715280.23798 () xanadu unm edu>
> References: <06EA97D7AA1D534682A5F217BA78E2E00502B9A0 () mailco1 educause edu>
> <7.0.1.0.2.20080331132546.03829e88 () uic edu>
> <BE7F8D9715234E47955624FF7D429170015B3666 () DO-EX03 PCC-Domain pima edu>
>
>  A<7.0.1.0.2.20080331142826.038806c8 () uic edu>
> <BE7F8D9715234E47955624FF7D429170015B3676 () DO-EX03 PCC-Domain pima edu>
> User-Agent: Alpine 1.10 (LRH 962 2008-03-14)
> MIME-Version: 1.0
> Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
> X-WatchGuard-IPS: message checked
> X-WatchGuard-Spam-ID: str=0001.0A090204.47F17206.028E,ss=1,fgs=0
> X-WatchGuard-Spam-Score: 0, clean; 0, no virus
> X-WatchGuard-Mail-Client-IP: 64.106.76.41
> X-WatchGuard-Mail-From: smooge () unm edu
> X-WatchGuard-Mail-Recipients: SECURITY () listserv educause edu
>
> On Mon, 31 Mar 2008, Basgen, Brian wrote:
>
> > Steve,
> >
> > You raise an interesting point. Yet, student IDs as directory
> > information can be problematic, since faculty sometimes publicly post
> > grades with student IDs attached. In this case the faculty member is
> > confusing identification with authentication, but you know, good luck
> > explaining that to faculty. :)
>
> Actually good luck with explaining it to most people.. is there a nice
> pop-up book or something similar that explains what identity is, what
> authentication is, and why they are not the same? Something that helps
> everyone from secretaries to Provosts understand when and where the two
> conflict in people's minds.
>
> I mean how often can one get past some sticky point because someone says
> "Listen, we really need to get this done because Provost A has been
> asking about it." Or something else. People will take that name, and
> accept it as identity and authentication that Provost A wants to get
> this done. And we do it because A) Humans are naturally trusting of
> their social monkey group, and B) Asking too many questions to confirm
> authorization and authentication slows things down, makes our fellow
> monkeys cranky and is usually false alarms.

--
Charles F. Dunn
Information Security Officer
University at Buffalo
716-645-3582

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature