Re: Best practices for identifying students

[Joanna Grama <jgrama () EDUCAUSE EDU>]

Good morning, Walter:

I am sure that you will get many responses to your question from members on this list.  In addition, the Higher 
Education Information Security Council (HEISC) has created an Information Security 
Guide<http://www.educause.edu/security/guide> that contains a chapter on identity and access management topics.  You 
may find some of the information in that chapter helpful: 
https://spaces.internet2.edu/display/2014infosecurityguide/Identity+and+Access+Management#IdentityandAccessManagement-Management
In particular, click on the link at the top of the page for “User Access Management.”  If you scroll down through that 
section, there are some institutional case studies on identity proofing tactics that may be useful to you.

The Information Security Guide is aligned with multiple standards (NIST 800-53; ISO/IEC 27002:2013; etc.) and includes 
key objectives and implementation guidance to assist organizations with developing an effective information security 
program. What makes the HEISC Information Security Guide so unique is that resources and content included in Guide 
chapters are provided by higher education information security professionals with expertise in both information 
security and higher education.

If I can be of more assistance, please do let me know.

Kind regards,
Joanna


Joanna Grama, JD, CISSP, CRISC, CIPT
Director of Cybersecurity and IT GRC Programs

EDUCAUSE
Uncommon Thinking for the Common Good
282 Century Place, Suite 5000, Louisville, CO 80027
direct: 720.406.6769 | cell: 720.507.5983 | jgrama () educause edu<mailto:jgrama () educause edu>

Become a Member- Everyone at your organization is an EDUCAUSE member when you join | Access discounts, resources, and 
valuable peer networks | Discover membership<https://www.educause.edu/about/discover-membership>




From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of WALTER 
KERNER
Sent: Thursday, September 7, 2017 7:49 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Best practices for identifying students

Hi all.  Can you comment on your practices and procedures for confirming student identity if they request a password 
re-set?  We have to service people in person, through email, and on the phone.  A couple of ideas if have heard


•         Ask the caller/emailer to text or email a picture of him/herself

•         Ask the caller/emailer questions from his/her student record, like birthdate or course name

•         Set up a knowledge-based question set like mother’s maiden name or favorite movie.

Are you using these or other techniques?  We appreciate the insights.  Thanks



Walter Kerner
Acting AVP and CISO
[blue]
333 7th Avenue, 13th Floor
New York, NY 10001
Voice: 212-217-3415