Re: FERPA Notice of Proposed Rulemaking Addresses Changes in IT

["Mclaughlin, Kevin (mclaugkl)" <mclaugkl () UCMAIL UC EDU>]

Hi All:

This is an interesting topic.  I am still perplexed with how to proceed.  If
we eliminate in house Identifiers (Student IDs) as Directory information and
then we go with a PIN or secret word for faculty who post grades (and many
do - at least here at UC) how do we secure the identity of the PINs or
secret words and how is this really any different than having a non-SSN
student identifier, in my mind the PINs and Secret words would by default
become non-directory information that has to have security safeguards around
them and now we are depending on each faculty member to maintain those
safeguards.   

Legislation should be clear and easy to follow in order for us to be able to
implement and enforce.   If the issue with Student IDs is about (note I said
if)  stopping faculty from posting grades than FERPA regulation should
simply mandate that this process stop or they will be out of compliance with
FERPA.   The whole non-SSN identifier/secret word/ PIN not being directory
information does not get us to an enforceable compliance point.  One of the
main reasons we (and I would assume others) went to a Student ID vs SSN was
so that we had a way to identify students without giving up PII safeguards
and now we have FERPA saying don't use it for FERPA data.   Well then what
do we use for FERPA data?

I'll say it one last time in case it wasn't clear :  if FERPA wants to stop
faculty from posting grades or sharing student information they should
mandate that the specific activity stops.   

I guess when a student enrolls we could give them a public Student ID and
then a super secret PIN that they can't share with anyone other than faculty
and that may work - but it once again becomes a lot of process re-work or
worst case manual process re-work on the part of faculty and staff and I am
not sure that the cost of mitigation the nominal risk is worth the cost of
doing the re-work.

-Kevin
 

Kevin L. McLaughlin
CISM, CISSP, GIAC-GSLC,PMP, ITIL Master Certified  
Director, Information Security
University of Cincinnati
513-556-9177 (w)
513-703-3211 (m)
513-558-ISEC (department)
 

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Basgen, Brian
Sent: Tuesday, April 01, 2008 1:28 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] FERPA Notice of Proposed Rulemaking Addresses
Changes in IT

Kevin,

 You have picked up an interesting point that is easy to miss due to the
similarity "Student user ID" and "Student ID". 

 It is an interesting situation, but their logic is discernable. User
IDs are, by definition, identifiers and not authenticators: thus they
can be directory information. SSNs, unfortunately, are used as
authenticators, so naturally they have to be excluded. The trouble is,
as you point out, with Student IDs. Now, they explain in their reasoning
why they have made this move: faculty posting grades. 

 In particular, they cite 5% of teachers engaging in this practice (a
pure guess being called an "estimate", it seems), and this gives them a
misleading so-called "exact" $8 million dollar amount in terms of extra
labor to stop doing this. This is all based on the assumption that the
SID is a knowable identifier that would thus reveal the grade. Instead
of a prohibition on grade posting, they seem to accept it as a necessary
practice, and as such, force a particular method to carry it out. 

 Perhaps an alternative would be language such that for institutions
that have faculty who post grades, they are prohibited from SIDs as
directory?

~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College
 
 
 

> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv 
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Kevin Shalla
> Sent: Tuesday, April 01, 2008 9:57 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] FERPA Notice of Proposed Rulemaking 
> Addresses Changes in IT
>
> Steve,
>
> Because we're considering law, not just a guideline, the 
> wording that is proposed must be highly scrutinized.  At our 
> institution the student's user ID is NOT the student ID 
> number, and the student ID number is NOT used to access or 
> communicate in electronic systems.  Because of this, I 
> believe that the proposed regulations clearly states that 
> student ID number must not be in the directory - and this is 
> the problem.
>
> This is what is proposed:
> The proposed regulations would provide that an educational 
> agency or institution may not designate as directory 
> information a student's SSN or student ID number. However, 
> directory information may include a student's user ID or 
> other unique identifier used by the student to access or 
> communicate in electronic systems, but only if the electronic 
> identifier cannot be used to gain access to education records 
> except when used in conjunction with one or more factors that 
> authenticate the student's identity, such as a personal 
> identification number (PIN), password, or other factor known 
> or possessed only by the student.
>
> This is what I would propose:
> The proposed regulations would provide that an educational 
> agency or institution may not designate as directory 
> information a student's SSN. Also prohibited from being 
> designated as directory information is any identifier that  
> would allow access to education records without requiring one 
> or more factors that authenticate the student's identity, 
> such as a personal identification number (PIN), password, or 
> other factor known or possessed only by the student.
>
> Kevin
>
> At 04:14 PM 3/31/2008, Basgen, Brian wrote:
> > Steve,
> >
> >  You raise an interesting point. Yet, student IDs as directory
> > information can be problematic, since faculty sometimes publicly post
> > grades with student IDs attached. In this case the faculty member is
> > confusing identification with authentication, but you know, good luck
> > explaining that to faculty. :)
> >
> >  In this sense, prohibiting student IDs in association with grades
> > helps. Naturally, the flip side is possible, that the 
> student ID could
> > become another form of authentication. Yet, I think the rule 
> gets beyond
> > this limitation.
> >
> >  Reading the section right after your quote: "However, directory
> > information may include a student's user ID ... if [it] 
> cannot be used
> > to gain access to education records except when used ... [with] a
> > personal identification number (PIN), password, or other 
> factor known or
> > possessed only by the student."
> >
> >  This seems to resolve the issue?
> >
> > ~~~~~~~~~~~~~~~~~~
> > Brian Basgen
> > Information Security
> > Pima Community College
> >
> >
> >
> >
> > > -----Original Message-----
> > > From: The EDUCAUSE Security Constituent Group Listserv
> > > [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Kevin Shalla
> > > Sent: Monday, March 31, 2008 12:44 PM
> > > To: SECURITY () LISTSERV EDUCAUSE EDU
> > > Subject: Re: [SECURITY] FERPA Notice of Proposed Rulemaking
> > > Addresses Changes in IT
> > >
> > > Brian,
> > >
> > > The document recognizes that certain items may be in the
> > > directory, like user ID when other factors are required to
> > > access personal information, but it specifically prohibits
> > > student ID number:
> > > "...may not designate as directory information a student's
> > > SSN or other student ID number."
> > >
> > > And that prohibition demonstrates where I see them confusing
> > > identification with authentication.
> > >
> > > At our university, username isn't satisfactory to uniquely
> > > identify students - we need the student ID number, and the
> > > proposal prohibits that from being directory information.
> > >
> > > Kevin
> > >
> > > At 01:44 PM 3/31/2008, Basgen, Brian wrote:
> > > > Kevin,
> > > >
> > > >  While I agree that the government often confuses
> > > identification with
> > > > authentication, I'm wondering where you see that in this
> > > document. For
> > > > example, I found this section which seems to indicate a reasoned
> > > > approach and question to the community (p. 24):
> > > >
> > > > "As noted above, single-factor
> > > > authentication of identity, such as a
> > > > standard form user name combined with
> > > > a secret password or PIN, may not
> > > > provide reasonable protection for access to all types of 
> education
> > > > records or under all circumstances."
> > > >
> > > >  The meat of the issue is on page 3:
> > > >
> > > > "Proposed Regulations: The proposed
> > > > regulations would provide that an
> > > > educational agency or institution may
> > > > not designate as directory information a student's SSN or
> > > other student
> > > > ID number. However, directory information may include a
> > > student's user
> > > > ID or other unique identifier used by the student to access or
> > > > communicate in electronic systems, but only if the electronic
> > > > identifier cannot be used to gain access to education 
> records except
> > > > when used in conjunction with one or more factors that
> > > authenticate the
> > > > student's identity, such as a personal identification 
> number (PIN),
> > > > password, or other factor known or possessed only by the 
> student."
> > > >  It seems to me like they are addressing the issue 
> reasonably well,
> > > > and taking head-on the problem of Student ID numbers, which
> > > has been a
> > > > subject of some debate over the years.
> > > >
> > > >
> > > > ~~~~~~~~~~~~~~~~~~
> > > > Brian Basgen
> > > > Information Security
> > > > Pima Community College
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > ________________________________
> > > >
> > > >         From: The EDUCAUSE Security Constituent Group Listserv
> > > > [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Kevin Shalla
> > > >         Sent: Monday, March 31, 2008 11:37 AM
> > > >         To: SECURITY () LISTSERV EDUCAUSE EDU
> > > >         Subject: Re: [SECURITY] FERPA Notice of 
> Proposed Rulemaking
> > > > Addresses Changes in IT
> > > >
> > > >
> > > >         Thanks Rodney,
> > > >
> > > >         It seems that the legislators here are confusing
> > > > identification with authentication.  I hope that
> > > universities learned
> > > > from the social security number problem (a number, stored in
> > > thousands
> > > > if not millions of IT systems around the country, 
> properly used for
> > > > identification and improperly used (because it's convenient) as
> > > > authentication) and are not allowing knowledge of a student
> > > ID number to gain access to anything.
> > > > I'm pushing to define student ID as directory 
> information so that it
> > > > cannot ever be used for authentication, but some on campus
> > > are afraid
> > > > of doing this.
> > > >
> > > >         What do others think?
> > > >
> > > >         Kevin
> > > >
> > > >         At 12:58 PM 3/31/2008, Rodney Petersen wrote:
> > > >
> > > >
> > > >
> > > >                 The U.S. Department of Education has issued
> > > a Notice
> > > > of Proposed Rulemaking (
> > > > http://edocket.access.gpo.gov/2008/pdf/E8-5790.pdf
> > > > <http://edocket.access.gpo.gov/2008/pdf/E8-5790.pdf> ) 
> with proposed
> > > > regulations pertaining to the Family Education Rights and Privacy
> > > > (FERPA).   Among other things, "the proposed regulations 
> respond to
> > > > changes in information technology and address other issues
> > > identified
> > > > through the Department's experience administering FERPA,"
> > > according to
> > > > the Notice. Additionally, the regulations are needed to implement
> > > > amendments to FERPA contained in the USA Patriot Act and the
> > > Campus Sex
> > > > Crimes Prevention Act, to implement two U.S. Supreme 
> Court decisions
> > > > interpreting FERPA, and to make other necessary changes.
> > > >
> > > >                 Among the IT-related changes are:
> > > >
> > > >                 *       Clarification of what can be included as
> > > > directory information, addressing Social Security Number
> > > (SSN), other
> > > > student ID numbers, and email addresses
> > > >                 *       Requiring the use of reasonable 
> methods to
> > > > identify and authenticate the identity of students, 
> parents, school
> > > > officials, and any other parties to whom personally identifiable
> > > > information is disclosed
> > > >                 *       Recommendations to assist 
> institutions in
> > > > safeguarding educational records (Note:  this is covered on
> > > page 15598
> > > > of Federal Register Notice or page 26 of PDF document.)
> > > >
> > > >
> > > >                 The deadline for comments is May 8, 2008.
> > > >
> > > >                 The EDUCAUSE Washington Office (
> > > > http://www.educause.edu/policy 
> <http://www.educause.edu/policy> ) is
> > > > reviewing the proposed changes and welcome your comments or
> > > questions
> > > > (send comments to rpetersen () educause edu). We will provide a more
> > > > detailed analysis of the proposed rules and any further 
> updates at a
> > > > later date.
> > > >
> > > >                 -Rodney
> > > >
> > > >                 
> --------------------------------------------------
> > > >                 Rodney J. Petersen, J.D.
> > > >                 Government Relations Officer & Security 
> Task Force
> > > > Coordinator
> > > >
> > > >                 EDUCAUSE
> > > >                 1150 18th Street, N.W., Suite 1010
> > > >                 Washington, D.C. 20036
> > > >                 (202) 331-5368 / (202) 872-4200
> > > >                 (202) 872-4318 (FAX)
> > > >                 EDUCAUSE/Internet2 Security Task Force
> > > >                 www.educause.edu/security
> > > >                 
> --------------------------------------------------
> > >

Attachment: smime.p7s
Description: