Educause Security Discussion mailing list archives
Re: Recommend changing students ID numbers?
From: "Menne, Michael S" <michael.menne () MNSU EDU>
Date: Fri, 13 Sep 2019 20:01:03 +0000
If all of the elements presented are directory information, there is no breach. With directory information any member of the public can request the information (the institution then should have procedures on how to evaluate and deal with those requests). I would take a step back from this and determine whether or not it should be directory information and/or also look into removing it from student IDs. Given our size and the size of our state system, it would be impossible for us to rely on name as an identifier. We shy away from SSN in the worst way as well. The irony is that IT relies on the login name (randomly generated), while the rest of the institution relies on the student identification number. At the very least, consider modifying your directory policy to move the student ID number into a Limited Directory information category so that it is not requestable by the public. Michael Menne, CISSP Chief Information Security Officer IT Solutions Information Security Minnesota State University, Mankato Phone: (507) 389-5705 www.mnsu.edu/its/security<https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.mnsu.edu%2Fits%2Fsecurity&data=02%7C01%7Cmichael.menne%40mnsu.edu%7Cc3f4cd9ab99f4649715b08d711fdf18b%7C5011c7c60ab446ab9ef4fae74a921a7f%7C0%7C0%7C636997654686922241&sdata=NzHU9kDya1V9tYgnABc4v7zjESJZYry6TOWstB%2FZSZs%3D&reserved=0> [signature_2008603909] Confidentiality Notice: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Ben Marsden Sent: Friday, September 13, 2019 1:32 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Recommend changing students ID numbers? Tangentially, we are finding it increasingly difficult to rely on a "name" to be definitively useful for identity (name options include legal name, chosen name, preferred name, professional name, etc.) and the name used in any particular context may not match what is needed in another. I think we are trending towards relying on a person's institutional number to be the more reliable method for identity, particularly over time -- which of course means it can't be used for authentication purposes. For FERPA, our ID number is explicitly listed as a field in "directory information".... just another tangle in our IAM (IGA) ball of string... On Fri, Sep 13, 2019 at 11:33 AM Menne, Michael S <michael.menne () mnsu edu<mailto:michael.menne () mnsu edu>> wrote: My thoughts mirror Brad’s. While not ideal, what can be done with the combination? Is the ID number being used for an identification purpose? Is it treated like an SSN? Is it listed as directory data per your FERPA policy? Michael Menne, CISSP Chief Information Security Officer IT Solutions Information Security Minnesota State University, Mankato Phone: (507) 389-5705 www.mnsu.edu/its/security<https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.mnsu.edu%2Fits%2Fsecurity&data=02%7C01%7Cmichael.menne%40MNSU.EDU%7Cb15b5dbaa40d43ae1c3c08d73878d0dd%7C5011c7c60ab446ab9ef4fae74a921a7f%7C0%7C0%7C637039963864266794&sdata=0dAhNRYro6utXW%2F2bZosvUVW55FN7%2FUo2lty9q2q%2Fxc%3D&reserved=0> [signature_2008603909] Confidentiality Notice: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>> On Behalf Of Brad Judy Sent: Friday, September 13, 2019 10:05 AM To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU> Subject: Re: [SECURITY] Recommend changing students ID numbers? That question begs another question in response: What does just a student ID number get you at your institution? What is the risk to the students? The statement that it isn’t confidential and is printed on ID cards indicates that the number is (hopefully) not being used for something like identity validation at your institution. I’d say that if exposing the ID number poses a risk to your students, then you have a bigger problem printing it on everyone’s ID cards. Brad Judy Information Security Officer Office of Information Security University of Colorado 1800 Grant Street, Suite 300 Denver, CO 80203 Office: (303) 860-4293 Fax: (303) 860-4302 www.cu.edu<https://nam02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.cu.edu%2F&data=02%7C01%7Cmichael.menne%40MNSU.EDU%7Cb15b5dbaa40d43ae1c3c08d73878d0dd%7C5011c7c60ab446ab9ef4fae74a921a7f%7C0%7C0%7C637039963864276786&sdata=Ubot00u2MVu0VIH3R4YU8jm3BrjK7PCIUYeJHdCIEHQ%3D&reserved=0> [cu-logo_fl] From: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>> on behalf of Jared Evans <jared.evans () GALLAUDET EDU<mailto:jared.evans () GALLAUDET EDU>> Reply-To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>> Date: Thursday, September 12, 2019 at 8:32 AM To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>> Subject: [SECURITY] Recommend changing students ID numbers? I would like to poll the other officers on this list and see if the below scenario warrants changing the student ID numbers: A file containing a list of new incoming students' names, email addresses, and their student ID numbers was recently, by accident, emailed to all the residents of a dorm building. The student ID numbers can be seen on the student cards. The above information isn't confidential, but with student ID numbers aggregated together, would not be ideal. Does this event warrant making the suggestion that all the students mentioned in the file should have their student ID number changed? -- Jared Evans Information Security Officer Gallaudet Technology Services Gallaudet University jared.evans () gallaudet edu<mailto:jared.evans () gallaudet edu> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community<https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Cmichael.menne%40MNSU.EDU%7Cb15b5dbaa40d43ae1c3c08d73878d0dd%7C5011c7c60ab446ab9ef4fae74a921a7f%7C0%7C0%7C637039963864276786&sdata=Zyk0dAB42g2%2BDfBITwJYzOLgACd4itNeYr0bhUeDMEA%3D&reserved=0> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community<https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Cmichael.menne%40MNSU.EDU%7Cb15b5dbaa40d43ae1c3c08d73878d0dd%7C5011c7c60ab446ab9ef4fae74a921a7f%7C0%7C0%7C637039963864286783&sdata=NOKnk1q%2BoB1OMdA9ogt%2F0HDBGXsKts%2FoxGlhJEwvhNo%3D&reserved=0> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community<https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Cmichael.menne%40MNSU.EDU%7Cb15b5dbaa40d43ae1c3c08d73878d0dd%7C5011c7c60ab446ab9ef4fae74a921a7f%7C0%7C0%7C637039963864296777&sdata=ps1clb5LCy2UJN7tI9Dl0ku7iUYfo8pAHViXkVHvIog%3D&reserved=0> -- [}--> BEWARE of links and attachments in email! * Stop, Think before you click * ============================================ Ben Marsden : Information Security Director, CISSP ITS, 201 Stoddard Hall, Smith College, Northampton, MA 01063 --------------------------------------------------------------------- =--> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community<https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Cmichael.menne%40MNSU.EDU%7Cb15b5dbaa40d43ae1c3c08d73878d0dd%7C5011c7c60ab446ab9ef4fae74a921a7f%7C0%7C0%7C637039963864296777&sdata=ps1clb5LCy2UJN7tI9Dl0ku7iUYfo8pAHViXkVHvIog%3D&reserved=0> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
Current thread:
- Recommend changing students ID numbers? Jared Evans (Sep 12)
- Re: Recommend changing students ID numbers? Brad Judy (Sep 13)
- Re: Recommend changing students ID numbers? Menne, Michael S (Sep 13)
- Re: Recommend changing students ID numbers? Ben Marsden (Sep 13)
- Re: Recommend changing students ID numbers? Menne, Michael S (Sep 13)
- Re: Recommend changing students ID numbers? Menne, Michael S (Sep 13)
- Re: Recommend changing students ID numbers? Brad Judy (Sep 13)