Educause Security Discussion mailing list archives

Re: Recommend changing students ID numbers?

From: Ben Marsden <bmarsden () SMITH EDU>
Date: Fri, 13 Sep 2019 14:32:26 -0400

Tangentially, we are finding it increasingly difficult to rely on a "name"
to be definitively useful for identity (name options include legal name,
chosen name, preferred name, professional name, etc.) and the name used in
any particular context may not match what is needed in another.  I think we
are trending towards relying on a person's institutional number to be the
more reliable method for identity, particularly over time -- which of
course means it can't be used for authentication purposes.   For FERPA, our
ID number is explicitly listed as a field in "directory information"....
just another tangle in our IAM (IGA) ball of string...

On Fri, Sep 13, 2019 at 11:33 AM Menne, Michael S <michael.menne () mnsu edu>
wrote:

My thoughts mirror Brad’s. While not ideal, what can be done with the
combination?  Is the ID number being used for an identification purpose?
Is it treated like an SSN?  Is it listed as directory data per your FERPA
policy?





*Michael Menne, CISSP*

*Chief Information Security Officer*

*IT Solutions Information Security*

*Minnesota State University, Mankato*

*Phone:  (507) 389-5705*

*www.mnsu.edu/its/security*
<https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.mnsu.edu%2Fits%2Fsecurity&data=02%7C01%7Cmichael.menne%40mnsu.edu%7Cc3f4cd9ab99f4649715b08d711fdf18b%7C5011c7c60ab446ab9ef4fae74a921a7f%7C0%7C0%7C636997654686922241&sdata=NzHU9kDya1V9tYgnABc4v7zjESJZYry6TOWstB%2FZSZs%3D&reserved=0>



[image: signature_2008603909]



*Confidentiality Notice: This e-mail message, including any attachments,
is for the sole use of the intended recipient(s) and may contain
confidential and privileged information.  Any unauthorized review, use,
disclosure or distribution is prohibited.  If you are not the intended
recipient, please contact the sender by reply e-mail and destroy all copies
of the original message.*







*From:* The EDUCAUSE Security Community Group Listserv <
SECURITY () LISTSERV EDUCAUSE EDU> *On Behalf Of *Brad Judy
*Sent:* Friday, September 13, 2019 10:05 AM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* Re: [SECURITY] Recommend changing students ID numbers?



That question begs another question in response:



What does just a student ID number get you at your institution? What is
the risk to the students? The statement that it isn’t confidential and is
printed on ID cards indicates that the number is (hopefully) not being used
for something like identity validation at your institution. I’d say that if
exposing the ID number poses a risk to your students, then you have a
bigger problem printing it on everyone’s ID cards.



Brad Judy



Information Security Officer

Office of Information Security

University of Colorado
1800 Grant Street, Suite 300
Denver, CO  80203

Office: (303) 860-4293

Fax: (303) 860-4302

www.cu.edu
<https://nam02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.cu.edu%2F&data=02%7C01%7Cmichael.menne%40MNSU.EDU%7C2ec233f1d71b4dbcda0108d7385bc9ea%7C5011c7c60ab446ab9ef4fae74a921a7f%7C0%7C0%7C637039839197112862&sdata=6tIUkGC0%2BbYUnHhqjYVTCXxivEpmNPoz5bt5FDobhpA%3D&reserved=0>



[image: cu-logo_fl]





*From: *EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of
Jared Evans <jared.evans () GALLAUDET EDU>
*Reply-To: *EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
*Date: *Thursday, September 12, 2019 at 8:32 AM
*To: *EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
*Subject: *[SECURITY] Recommend changing students ID numbers?



I would like to poll the other officers on this list and see if the below
scenario warrants changing the student ID numbers:



A file containing a list of new incoming students' names, email addresses,
and their student ID numbers was recently, by accident, emailed to all the
residents of a dorm building.



The student ID numbers can be seen on the student cards.  The above
information isn't confidential, but with student ID numbers aggregated
together, would not be ideal.



Does this event warrant making the suggestion that all the students
mentioned in the file should have their student ID number changed?



--

[image: Image removed by sender.]

Jared Evans
Information Security Officer
Gallaudet Technology Services
Gallaudet University

jared.evans () gallaudet edu

**********
Replies to EDUCAUSE Community Group emails are sent to the entire
community list. If you want to reply only to the person who sent the
message, copy and paste their email address and forward the email reply.
Additional participation and subscription information can be found at
https://www.educause.edu/community
<https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Cmichael.menne%40MNSU.EDU%7C2ec233f1d71b4dbcda0108d7385bc9ea%7C5011c7c60ab446ab9ef4fae74a921a7f%7C0%7C0%7C637039839197112862&sdata=vvBf1QHj%2FKisYNNGSyW95jrUf4rYSljZ9EGEeeCuzUQ%3D&reserved=0>

**********
Replies to EDUCAUSE Community Group emails are sent to the entire
community list. If you want to reply only to the person who sent the
message, copy and paste their email address and forward the email reply.
Additional participation and subscription information can be found at
https://www.educause.edu/community
<https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Cmichael.menne%40MNSU.EDU%7C2ec233f1d71b4dbcda0108d7385bc9ea%7C5011c7c60ab446ab9ef4fae74a921a7f%7C0%7C0%7C637039839197122856&sdata=VcgjwDP%2FtDgPzU%2FRTu8Lkd6lsS%2BImawKC0L688zzhpQ%3D&reserved=0>

**********
Replies to EDUCAUSE Community Group emails are sent to the entire
community list. If you want to reply only to the person who sent the
message, copy and paste their email address and forward the email reply.
Additional participation and subscription information can be found at
https://www.educause.edu/community



-- 
[}--> BEWARE of links and attachments in email!   *  Stop, Think before you
click *
============================================
Ben Marsden : Information Security Director, CISSP
ITS, 201 Stoddard Hall, Smith College, Northampton, MA 01063
---------------------------------------------------------------------
=-->

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

Current thread:

Recommend changing students ID numbers? Jared Evans (Sep 12)
- Re: Recommend changing students ID numbers? Brad Judy (Sep 13)
  - Re: Recommend changing students ID numbers? Menne, Michael S (Sep 13)
    - Re: Recommend changing students ID numbers? Ben Marsden (Sep 13)
    - Re: Recommend changing students ID numbers? Menne, Michael S (Sep 13)