Educause Security Discussion mailing list archives

Regulatory Compliance / User Training / Identity Confirmation


From: Anthony Maszeroski <maszeroskia3 () SCRANTON EDU>
Date: Fri, 21 Nov 2008 14:41:56 -0500

Before everyone falls into the haze of post-Thanksgiving Day dinner, I'd
like to throw some questions to the group:

1.) Has anyone had any experience, positive or negative, with bringing
in external consultants to provide the user training
recommended/mandated by the various regulations we are subject to (FTC
"Red Flag"/HIPAA/FERPA/GLBA/PATRIOT/etc.)? If so, who did you use? If
not, how did you tackle this in-house?

2.) Is anyone using a service (e.g., Acxiom FactCheck-X) to provide
identity confirmation for distance learning students? Are you happy with
the service?

3.) If I'm interpreting the proposed new FERPA regulations correctly,
the days of formulaic initial passwords derived from an individual's
D.O.B. and/or SSN are numbered (no pun intended). For institutions that
have already been down this road, have you moved to random initial
passwords? If so, how do you distribute them? We'd like to avoid paper
mailings if at all possible and instead distribute them electronically
with an identity confirmation system front-end similar to the one
utilized at AnnualCreditReport.com. The problem is finding enough data
on a new student that can be mined to populate the question/answer
challenges.

--
- Anthony Maszeroski, CCNA
-----------------------------------
Information Security Manager
The University of Scranton
email : maszeroskia3 () scranton edu
phone : 570-941-4226
-----------------------------------
