Educause Security Discussion mailing list archives

Previous By Date Next
Previous By Thread Next

Re: [External] Re: [SECURITY] ID Cards

From: "Gregg, Christopher S." <csgregg () STTHOMAS EDU>
Date: Tue, 7 Jan 2020 22:17:00 +0000
That makes a lot of sense to me, but does anyone here actually have University ID# listed as Directory Information in 
their FERPA policy/privacy statement?

Chris


Chris Gregg
Associate Vice President of Information Security & Risk Management, CISO
Innovation & Technology Services (ITS)
csgregg () stthomas edu<mailto:csgregg () stthomas edu>
p 1 (651) 962-6265
University of St. Thomas | stthomas.edu<https://www.stthomas.edu/>



From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Piscitello, Frank
Sent: Tuesday, January 7, 2020 11:13 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [External] Re: [SECURITY] ID Cards

I am a believer, that if it's printed on an ID card, it could be viewed for public consumption (even by accident.) The 
point of the information on the card is to vet the identity of the person carrying the ID. We print ID numbers on our 
cards as well as the picture. Our card is also used as door access via a one-card system (HID/CCure) and a mag-stripe 
for vending machines.

So, if your FERPA policy defines what is considered directory vs private, maybe the ID should also reflect that concept 
as well.


"Many of the truths that we cling to depend on our point of view." - Obi-Wan Kenobi
[mainLogo-128]
=#WCUGreenDot<https://nam02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.wcupa.edu%2F_services%2FgreenDot%2F&data=02%7C01%7Ccsgregg%40STTHOMAS.EDU%7Cf4d64ee91b274c60e43f08d79394e2e3%7Ca081ff79318c45ec95f338ebc2801472%7C1%7C0%7C637140140083662364&sdata=9UZS%2BjyQOlidPVT6HUCQefKaT6o98l3lp8cymbZdgZ8%3D&reserved=0>
Frank J. Piscitello, Jr. , CISSP
Information Security Officer | Information Services & Technology
West Chester University of PA | 610-436-3192 | PGP-Key: 
D7289F1F<https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwcupa.edu%2FInfoServices%2Fsecurity%2Fd7289f1f.aspx&data=02%7C01%7Ccsgregg%40STTHOMAS.EDU%7Cf4d64ee91b274c60e43f08d79394e2e3%7Ca081ff79318c45ec95f338ebc2801472%7C1%7C0%7C637140140083662364&sdata=YiZ6g87uu9L%2F8sJyYlDC8pc11Fw97qVFzeYIu%2BSARWE%3D&reserved=0>
wcupa.edu/infoservices/security/<https://nam02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.wcupa.edu%2Finfoservices%2Fsecurity%2F&data=02%7C01%7Ccsgregg%40STTHOMAS.EDU%7Cf4d64ee91b274c60e43f08d79394e2e3%7Ca081ff79318c45ec95f338ebc2801472%7C1%7C0%7C637140140083672354&sdata=hfLvEdOk0Xug08iMFxEXLGDDMKmalx0iXG0bsieE1Fs%3D&reserved=0>
 [Teams-16x16] 
<https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fteams.microsoft.com%2Fl%2Fchat%2F0%2F0%3Fusers%3Dfpiscitello%40wcupa.edu&data=02%7C01%7Ccsgregg%40STTHOMAS.EDU%7Cf4d64ee91b274c60e43f08d79394e2e3%7Ca081ff79318c45ec95f338ebc2801472%7C1%7C0%7C637140140083672354&sdata=zY9HqrJyhcFmzQKLsjzrg80hGA7jaCMwmXLT%2B32YP58%3D&reserved=0>


From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV 
EDUCAUSE EDU>> On Behalf Of Jones, Mark B
Sent: Monday, January 6, 2020 2:12 PM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] ID Cards

I agree.  My comment was idealistic.  Michaels is pragmatic.

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV 
EDUCAUSE EDU>> On Behalf Of Menne, Michael S
Sent: Monday, January 6, 2020 1:07 PM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] ID Cards


**** EXTERNAL EMAIL ****
I agree with Mark that anything printed on an ID badge should be considered private or sensitive. That said, I would 
ask Marketing to take down the image and re-print it with a fake ID badge with fake numbers to ensure the student's 
privacy (as much as practically possible in this situation).

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV 
EDUCAUSE EDU>> On Behalf Of Jones, Mark B
Sent: Monday, January 6, 2020 12:59 PM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] ID Cards

In my opinion it is a mistake to consider anything printed on ID cards as private (or worse, secret).

There are too many legitimate needs for access to and to exchange student/employee IDs for them to be used to prove 
identity.  They are not secret.

There are likely easier ways to get this student's ID than passing by that window display.  If you can do something 
malicious with it, it should not be printed on your ID card or you should put processes in place to protect against the 
malicious 'thing'.

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV 
EDUCAUSE EDU>> On Behalf Of Garrett McManaway
Sent: Monday, January 6, 2020 12:35 PM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] ID Cards


**** EXTERNAL EMAIL ****
Hello,

We recently had an issue come up where a med student was photographed where his student ID on his lab coat. That image 
was blown up larger than life and used by our marketing team in the window of our bookstore, which happens to face two 
busy public streets. As a result I have gotten a few questions on allowing the ID card to be used as a badge for 
physical identification.

Does anyone have a policy around using school issued ID cards as badges for identification? In particular, for Medical 
School students working in clinical practices?

We have a OneCard system, where the card contains a photo and other information including the student/employee ID. The 
ID is meant to be private and could be used for a number of malicious things, including validation of identity through 
our help desk.

As a side note we do not have our own hospital system so we do not issue any other type of badge to use for identity 
but rely on the partner institution to do so, but we believe in some cases the students are also displaying their WSU 
OneCard as well.

Garrett McManaway
CISO & Sr. Director
C&IT - Information Security and Compliance
Wayne State University
Phone: 313-577-3454


**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttps-3A__www.educause.edu_community%26d%3DDwMFAg%26c%3DbKRySV-ouEg_AT-w2QWsTdd9X__KYh9Eq2fdmQDVZgw%26r%3DLgw4Sh6g47kM5A_tpEcLZDyPGvmOKdeDlyp60PwA78c%26m%3DGV5PsXD6UvZsN71Rd3W3FPuIG6Ainw1JRUvxpo4jRyk%26s%3DAPcRvANQmXdD30YycYVh_drxX-ezFMECK9nGCANBsNE%26e%3D&data=02%7C01%7Ccsgregg%40STTHOMAS.EDU%7Cf4d64ee91b274c60e43f08d79394e2e3%7Ca081ff79318c45ec95f338ebc2801472%7C1%7C0%7C637140140083682354&sdata=J2ECO92y29yCx%2BjHGaBEXkvArV7MGmlf2Ia8pRKqusE%3D&reserved=0>

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttps-3A__www.educause.edu_community%26d%3DDwMFAg%26c%3DbKRySV-ouEg_AT-w2QWsTdd9X__KYh9Eq2fdmQDVZgw%26r%3DLgw4Sh6g47kM5A_tpEcLZDyPGvmOKdeDlyp60PwA78c%26m%3DIyogzd7jk7qi8mKY4KzbJQ_bYVLdKqjvRPnuwDTEkMs%26s%3DStwkfFlN5GG5TTTnZ_vyviSKeA6vxOL8pO9XdbDw9jc%26e%3D&data=02%7C01%7Ccsgregg%40STTHOMAS.EDU%7Cf4d64ee91b274c60e43f08d79394e2e3%7Ca081ff79318c45ec95f338ebc2801472%7C1%7C0%7C637140140083682354&sdata=P8QtpmLHxx5WFD7DWdoqhP0deic0X9tvOTO9OvXbIzs%3D&reserved=0>

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttps-3A__www.educause.edu_community%26d%3DDwMFAg%26c%3DbKRySV-ouEg_AT-w2QWsTdd9X__KYh9Eq2fdmQDVZgw%26r%3DLgw4Sh6g47kM5A_tpEcLZDyPGvmOKdeDlyp60PwA78c%26m%3DIyogzd7jk7qi8mKY4KzbJQ_bYVLdKqjvRPnuwDTEkMs%26s%3DStwkfFlN5GG5TTTnZ_vyviSKeA6vxOL8pO9XdbDw9jc%26e%3D&data=02%7C01%7Ccsgregg%40STTHOMAS.EDU%7Cf4d64ee91b274c60e43f08d79394e2e3%7Ca081ff79318c45ec95f338ebc2801472%7C1%7C0%7C637140140083692347&sdata=niSE%2F3kq8fdzhudlO%2Bfy3z%2BCF9HpiH1mupxEuGH6jXY%3D&reserved=0>

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Ccsgregg%40STTHOMAS.EDU%7Cf4d64ee91b274c60e43f08d79394e2e3%7Ca081ff79318c45ec95f338ebc2801472%7C1%7C0%7C637140140083692347&sdata=dNIivrCbkRBNFDUuWub3yxEl1y0f2L3HpaY6s4vRzJM%3D&reserved=0>

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Ccsgregg%40STTHOMAS.EDU%7Cf4d64ee91b274c60e43f08d79394e2e3%7Ca081ff79318c45ec95f338ebc2801472%7C1%7C0%7C637140140083692347&sdata=dNIivrCbkRBNFDUuWub3yxEl1y0f2L3HpaY6s4vRzJM%3D&reserved=0>

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

Previous By Date Next
Previous By Thread Next

Current thread: