Re: Recommend changing students ID numbers?

["Menne, Michael S" <michael.menne () MNSU EDU>]

If all of the elements presented are directory information, there is no breach.  With directory information any member 
of the public can request the information (the institution then should have procedures on how to evaluate and deal with 
those requests).  I would take a step back from this and determine whether or not it should be directory information 
and/or also look into removing it from student IDs.

Given our size and the size of our state system, it would be impossible for us to rely on name as an identifier. We shy 
away from SSN in the worst way as well.  The irony is that IT relies on the login name (randomly generated), while the 
rest of the institution relies on the student identification number.

At the very least, consider modifying your directory policy to move the student ID number into a Limited Directory 
information category so that it is not requestable by the public.

Michael Menne, CISSP
Chief Information Security Officer
IT Solutions Information Security
Minnesota State University, Mankato
Phone:  (507) 389-5705
www.mnsu.edu/its/security<https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.mnsu.edu%2Fits%2Fsecurity&data=02%7C01%7Cmichael.menne%40mnsu.edu%7Cc3f4cd9ab99f4649715b08d711fdf18b%7C5011c7c60ab446ab9ef4fae74a921a7f%7C0%7C0%7C636997654686922241&sdata=NzHU9kDya1V9tYgnABc4v7zjESJZYry6TOWstB%2FZSZs%3D&reserved=0>

[signature_2008603909]

Confidentiality Notice: This e-mail message, including any attachments, is for the sole use of the intended 
recipient(s) and may contain confidential and privileged information.  Any unauthorized review, use, disclosure or 
distribution is prohibited.  If you are not the intended recipient, please contact the sender by reply e-mail and 
destroy all copies of the original message.



From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Ben Marsden
Sent: Friday, September 13, 2019 1:32 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Recommend changing students ID numbers?

Tangentially, we are finding it increasingly difficult to rely on a "name" to be definitively useful for identity (name 
options include legal name, chosen name, preferred name, professional name, etc.) and the name used in any particular 
context may not match what is needed in another.  I think we are trending towards relying on a person's institutional 
number to be the more reliable method for identity, particularly over time -- which of course means it can't be used 
for authentication purposes.   For FERPA, our ID number is explicitly listed as a field in "directory information"....  
just another tangle in our IAM (IGA) ball of string...

On Fri, Sep 13, 2019 at 11:33 AM Menne, Michael S <michael.menne () mnsu edu<mailto:michael.menne () mnsu edu>> wrote:
My thoughts mirror Brad’s. While not ideal, what can be done with the combination?  Is the ID number being used for an 
identification purpose?  Is it treated like an SSN?  Is it listed as directory data per your FERPA policy?


Michael Menne, CISSP
Chief Information Security Officer
IT Solutions Information Security
Minnesota State University, Mankato
Phone:  (507) 389-5705
www.mnsu.edu/its/security<https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.mnsu.edu%2Fits%2Fsecurity&data=02%7C01%7Cmichael.menne%40MNSU.EDU%7Cb15b5dbaa40d43ae1c3c08d73878d0dd%7C5011c7c60ab446ab9ef4fae74a921a7f%7C0%7C0%7C637039963864266794&sdata=0dAhNRYro6utXW%2F2bZosvUVW55FN7%2FUo2lty9q2q%2Fxc%3D&reserved=0>

[signature_2008603909]

Confidentiality Notice: This e-mail message, including any attachments, is for the sole use of the intended 
recipient(s) and may contain confidential and privileged information.  Any unauthorized review, use, disclosure or 
distribution is prohibited.  If you are not the intended recipient, please contact the sender by reply e-mail and 
destroy all copies of the original message.



From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV 
EDUCAUSE EDU>> On Behalf Of Brad Judy
Sent: Friday, September 13, 2019 10:05 AM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Recommend changing students ID numbers?

That question begs another question in response:

What does just a student ID number get you at your institution? What is the risk to the students? The statement that it 
isn’t confidential and is printed on ID cards indicates that the number is (hopefully) not being used for something 
like identity validation at your institution. I’d say that if exposing the ID number poses a risk to your students, 
then you have a bigger problem printing it on everyone’s ID cards.

Brad Judy

Information Security Officer
Office of Information Security
University of Colorado
1800 Grant Street, Suite 300
Denver, CO  80203
Office: (303) 860-4293
Fax: (303) 860-4302
www.cu.edu<https://nam02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.cu.edu%2F&data=02%7C01%7Cmichael.menne%40MNSU.EDU%7Cb15b5dbaa40d43ae1c3c08d73878d0dd%7C5011c7c60ab446ab9ef4fae74a921a7f%7C0%7C0%7C637039963864276786&sdata=Ubot00u2MVu0VIH3R4YU8jm3BrjK7PCIUYeJHdCIEHQ%3D&reserved=0>

[cu-logo_fl]


From: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>> on behalf of 
Jared Evans <jared.evans () GALLAUDET EDU<mailto:jared.evans () GALLAUDET EDU>>
Reply-To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>>
Date: Thursday, September 12, 2019 at 8:32 AM
To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>>
Subject: [SECURITY] Recommend changing students ID numbers?

I would like to poll the other officers on this list and see if the below scenario warrants changing the student ID 
numbers:

A file containing a list of new incoming students' names, email addresses, and their student ID numbers was recently, 
by accident, emailed to all the residents of a dorm building.

The student ID numbers can be seen on the student cards.  The above information isn't confidential, but with student ID 
numbers aggregated together, would not be ideal.

Does this event warrant making the suggestion that all the students mentioned in the file should have their student ID 
number changed?

--
Jared Evans
Information Security Officer
Gallaudet Technology Services
Gallaudet University
jared.evans () gallaudet edu<mailto:jared.evans () gallaudet edu>

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Cmichael.menne%40MNSU.EDU%7Cb15b5dbaa40d43ae1c3c08d73878d0dd%7C5011c7c60ab446ab9ef4fae74a921a7f%7C0%7C0%7C637039963864276786&sdata=Zyk0dAB42g2%2BDfBITwJYzOLgACd4itNeYr0bhUeDMEA%3D&reserved=0>

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Cmichael.menne%40MNSU.EDU%7Cb15b5dbaa40d43ae1c3c08d73878d0dd%7C5011c7c60ab446ab9ef4fae74a921a7f%7C0%7C0%7C637039963864286783&sdata=NOKnk1q%2BoB1OMdA9ogt%2F0HDBGXsKts%2FoxGlhJEwvhNo%3D&reserved=0>

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Cmichael.menne%40MNSU.EDU%7Cb15b5dbaa40d43ae1c3c08d73878d0dd%7C5011c7c60ab446ab9ef4fae74a921a7f%7C0%7C0%7C637039963864296777&sdata=ps1clb5LCy2UJN7tI9Dl0ku7iUYfo8pAHViXkVHvIog%3D&reserved=0>


--
[}--> BEWARE of links and attachments in email!   *  Stop, Think before you click *
============================================
Ben Marsden : Information Security Director, CISSP
ITS, 201 Stoddard Hall, Smith College, Northampton, MA 01063
---------------------------------------------------------------------
=-->


**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Cmichael.menne%40MNSU.EDU%7Cb15b5dbaa40d43ae1c3c08d73878d0dd%7C5011c7c60ab446ab9ef4fae74a921a7f%7C0%7C0%7C637039963864296777&sdata=ps1clb5LCy2UJN7tI9Dl0ku7iUYfo8pAHViXkVHvIog%3D&reserved=0>

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community