Educause Security Discussion mailing list archives

Previous By Date Next
Previous By Thread Next

Re: [External] Re: [SECURITY] ID Cards

From: "Menne, Michael S" <michael.menne () MNSU EDU>
Date: Wed, 8 Jan 2020 14:54:03 +0000
We are in a weird situation as well.  Our student ID numbers are not part of our directory or limited director 
information, but are printed on the student's ID card.  However, the student's login ID is listed as limited directory 
information and is published in the Global Address List (they cannot be hidden).

In a sense, the student ID is still private. It is printed on their ID card, but nowhere else. The ID card is issued to 
the student and the student alone and contains their photo.  In this sense, the student ID number can be classified the 
same as a driver's license number.  The driver's license is protected information, but is printed on their driver's 
license.

We revised our directory policy a year or two, removing things like address and place of birth.  The combination of 
these elements with other directory information gave an identity thief everything they needed except the social 
security number.  We also stopped publishing a student directory in conjunction with this change, deeming it somewhat 
outdated given the technology and social media communication available today.


Michael Menne, CISSP
Chief Information Security Officer
IT Solutions Information Security
Minnesota State University, Mankato
Phone:  (507) 389-5705
mnsu.edu/cyberaware<https://mnsu.edu/cyberaware>

[signature_2008603909]

Confidentiality Notice: This e-mail message, including any attachments, is for the sole use of the intended 
recipient(s) and may contain confidential and privileged information.  Any unauthorized review, use, disclosure or 
distribution is prohibited.  If you are not the intended recipient, please contact the sender by reply e-mail and 
destroy all copies of the original message.



From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Gregg, 
Christopher S.
Sent: Wednesday, January 8, 2020 8:29 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] [External] Re: [SECURITY] ID Cards

Thanks Henk.  That is really helpful.  I am not sure how I have missed seeing that letter for the past 15 years...

We will definitely review our stance on ID numbers in the near future as we currently are operating in a weird in 
between world where we try to keep the numbers private and yet they are printed on ID cards, used in mailings, etc.  
With increased scrutiny from the DoE on things like GLBA and breach reporting, it would be good to clarify the 
classification of ID numbers.

Thanks,

Chris



From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV 
EDUCAUSE EDU>> On Behalf Of Sonder, Henk E.
Sent: Tuesday, January 7, 2020 5:16 PM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] [External] Re: [SECURITY] ID Cards

We have, but with an opt-out clause. I believe that such ID is nowadays more broadly considered 'directory 
information'. This 2004 guidance from DOE 
(https://www2.ed.gov/policy/gen/guid/fpco/ferpa/mndirectoryinfo.html<https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww2.ed.gov%2Fpolicy%2Fgen%2Fguid%2Ffpco%2Fferpa%2Fmndirectoryinfo.html&data=02%7C01%7Cmichael.menne%40MNSU.EDU%7C78e0daf5fff14281a08208d794472e74%7C5011c7c60ab446ab9ef4fae74a921a7f%7C0%7C0%7C637140905768255312&sdata=rSQmWgcv1HhWAmBa14wVTSuvgHE%2FKTDcvZ0XfRUJtcA%3D&reserved=0>)
 and the more recent 
https://www2.ed.gov/policy/gen/guid/fpco/ferpa/library/ryanuillinois.html<https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww2.ed.gov%2Fpolicy%2Fgen%2Fguid%2Ffpco%2Fferpa%2Flibrary%2Fryanuillinois.html&data=02%7C01%7Cmichael.menne%40MNSU.EDU%7C78e0daf5fff14281a08208d794472e74%7C5011c7c60ab446ab9ef4fae74a921a7f%7C0%7C0%7C637140905768265314&sdata=D5pZsXlOA5iguzs2nO%2BkgKnwZ4qch7vv1su5g1HU00Y%3D&reserved=0>
 confirms that under FERPA this can be considered as 'directory information' and providing an opt-out.

Henk E. Sonder
Director Information Security
Rhode Island College
600 Mount Pleasant Ave
Providence, RI 02908
Office: 401-456-9577
Email: hsonder () ric edu<mailto:hsonder () ric edu>


From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV 
EDUCAUSE EDU>> On Behalf Of Gregg, Christopher S.
Sent: Tuesday, January 7, 2020 5:17 PM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] [External] Re: [SECURITY] ID Cards

[EXTERNAL SENDER] DO NOT CLICK links/attachments unless you recognize the sender and know the content is safe.
That makes a lot of sense to me, but does anyone here actually have University ID# listed as Directory Information in 
their FERPA policy/privacy statement?

Chris


Chris Gregg
Associate Vice President of Information Security & Risk Management, CISO
Innovation & Technology Services (ITS)
csgregg () stthomas edu<mailto:csgregg () stthomas edu>
p 1 (651) 962-6265
University of St. Thomas | 
stthomas.edu<https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.stthomas.edu%2F&data=02%7C01%7Cmichael.menne%40MNSU.EDU%7C78e0daf5fff14281a08208d794472e74%7C5011c7c60ab446ab9ef4fae74a921a7f%7C0%7C0%7C637140905768265314&sdata=gYtoqeylfQ6YWkxA9cRhQ9M%2FL8rG1NRFuV9LeQ2TJhY%3D&reserved=0>



From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV 
EDUCAUSE EDU>> On Behalf Of Piscitello, Frank
Sent: Tuesday, January 7, 2020 11:13 AM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [External] Re: [SECURITY] ID Cards

I am a believer, that if it's printed on an ID card, it could be viewed for public consumption (even by accident.) The 
point of the information on the card is to vet the identity of the person carrying the ID. We print ID numbers on our 
cards as well as the picture. Our card is also used as door access via a one-card system (HID/CCure) and a mag-stripe 
for vending machines.

So, if your FERPA policy defines what is considered directory vs private, maybe the ID should also reflect that concept 
as well.


"Many of the truths that we cling to depend on our point of view." - Obi-Wan Kenobi
[mainLogo-128]
=#WCUGreenDot<https://nam02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.wcupa.edu%2F_services%2FgreenDot%2F&data=02%7C01%7Cmichael.menne%40MNSU.EDU%7C78e0daf5fff14281a08208d794472e74%7C5011c7c60ab446ab9ef4fae74a921a7f%7C0%7C0%7C637140905768265314&sdata=iWLfu1lZj5rWowpNjXalMQ3VHA5jtqnCoDiXjlwmVn4%3D&reserved=0>
Frank J. Piscitello, Jr. , CISSP
Information Security Officer | Information Services & Technology
West Chester University of PA | 610-436-3192 | PGP-Key: 
D7289F1F<https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwcupa.edu%2FInfoServices%2Fsecurity%2Fd7289f1f.aspx&data=02%7C01%7Cmichael.menne%40MNSU.EDU%7C78e0daf5fff14281a08208d794472e74%7C5011c7c60ab446ab9ef4fae74a921a7f%7C0%7C0%7C637140905768275303&sdata=ksNqdog7lbZe95GBmjB2nJs38Ocyomxn3wyUkG3EGFk%3D&reserved=0>
wcupa.edu/infoservices/security/<https://nam02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.wcupa.edu%2Finfoservices%2Fsecurity%2F&data=02%7C01%7Cmichael.menne%40MNSU.EDU%7C78e0daf5fff14281a08208d794472e74%7C5011c7c60ab446ab9ef4fae74a921a7f%7C0%7C0%7C637140905768285299&sdata=QBmImHNd9cff9GNKKPZ3U%2BuHHaPE3y9pdQO6zrDoXFk%3D&reserved=0>
 [Teams-16x16] 
<https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fteams.microsoft.com%2Fl%2Fchat%2F0%2F0%3Fusers%3Dfpiscitello%40wcupa.edu&data=02%7C01%7Cmichael.menne%40MNSU.EDU%7C78e0daf5fff14281a08208d794472e74%7C5011c7c60ab446ab9ef4fae74a921a7f%7C0%7C0%7C637140905768285299&sdata=NAlSEKcdqkLSiEPdhXPhSZILsQDy05GmqoAEZ53LRg4%3D&reserved=0>


From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV 
EDUCAUSE EDU>> On Behalf Of Jones, Mark B
Sent: Monday, January 6, 2020 2:12 PM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] ID Cards

I agree.  My comment was idealistic.  Michaels is pragmatic.

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV 
EDUCAUSE EDU>> On Behalf Of Menne, Michael S
Sent: Monday, January 6, 2020 1:07 PM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] ID Cards


**** EXTERNAL EMAIL ****
I agree with Mark that anything printed on an ID badge should be considered private or sensitive. That said, I would 
ask Marketing to take down the image and re-print it with a fake ID badge with fake numbers to ensure the student's 
privacy (as much as practically possible in this situation).

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV 
EDUCAUSE EDU>> On Behalf Of Jones, Mark B
Sent: Monday, January 6, 2020 12:59 PM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] ID Cards

In my opinion it is a mistake to consider anything printed on ID cards as private (or worse, secret).

There are too many legitimate needs for access to and to exchange student/employee IDs for them to be used to prove 
identity.  They are not secret.

There are likely easier ways to get this student's ID than passing by that window display.  If you can do something 
malicious with it, it should not be printed on your ID card or you should put processes in place to protect against the 
malicious 'thing'.

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV 
EDUCAUSE EDU>> On Behalf Of Garrett McManaway
Sent: Monday, January 6, 2020 12:35 PM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] ID Cards


**** EXTERNAL EMAIL ****
Hello,

We recently had an issue come up where a med student was photographed where his student ID on his lab coat. That image 
was blown up larger than life and used by our marketing team in the window of our bookstore, which happens to face two 
busy public streets. As a result I have gotten a few questions on allowing the ID card to be used as a badge for 
physical identification.

Does anyone have a policy around using school issued ID cards as badges for identification? In particular, for Medical 
School students working in clinical practices?

We have a OneCard system, where the card contains a photo and other information including the student/employee ID. The 
ID is meant to be private and could be used for a number of malicious things, including validation of identity through 
our help desk.

As a side note we do not have our own hospital system so we do not issue any other type of badge to use for identity 
but rely on the partner institution to do so, but we believe in some cases the students are also displaying their WSU 
OneCard as well.

Garrett McManaway
CISO & Sr. Director
C&IT - Information Security and Compliance
Wayne State University
Phone: 313-577-3454


**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttps-3A__www.educause.edu_community%26d%3DDwMFAg%26c%3DbKRySV-ouEg_AT-w2QWsTdd9X__KYh9Eq2fdmQDVZgw%26r%3DLgw4Sh6g47kM5A_tpEcLZDyPGvmOKdeDlyp60PwA78c%26m%3DGV5PsXD6UvZsN71Rd3W3FPuIG6Ainw1JRUvxpo4jRyk%26s%3DAPcRvANQmXdD30YycYVh_drxX-ezFMECK9nGCANBsNE%26e%3D&data=02%7C01%7Cmichael.menne%40MNSU.EDU%7C78e0daf5fff14281a08208d794472e74%7C5011c7c60ab446ab9ef4fae74a921a7f%7C0%7C0%7C637140905768295292&sdata=XYhsoL6lg5BR2duz6b%2B%2BT0WXvlNGuJvX6oSAvjtWuRo%3D&reserved=0>

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttps-3A__www.educause.edu_community%26d%3DDwMFAg%26c%3DbKRySV-ouEg_AT-w2QWsTdd9X__KYh9Eq2fdmQDVZgw%26r%3DLgw4Sh6g47kM5A_tpEcLZDyPGvmOKdeDlyp60PwA78c%26m%3DIyogzd7jk7qi8mKY4KzbJQ_bYVLdKqjvRPnuwDTEkMs%26s%3DStwkfFlN5GG5TTTnZ_vyviSKeA6vxOL8pO9XdbDw9jc%26e%3D&data=02%7C01%7Cmichael.menne%40MNSU.EDU%7C78e0daf5fff14281a08208d794472e74%7C5011c7c60ab446ab9ef4fae74a921a7f%7C0%7C0%7C637140905768295292&sdata=wdrK4p%2BFuXGg4t9T6EKsfEtvcywkKg%2BcAE5KmWuw5NQ%3D&reserved=0>

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttps-3A__www.educause.edu_community%26d%3DDwMFAg%26c%3DbKRySV-ouEg_AT-w2QWsTdd9X__KYh9Eq2fdmQDVZgw%26r%3DLgw4Sh6g47kM5A_tpEcLZDyPGvmOKdeDlyp60PwA78c%26m%3DIyogzd7jk7qi8mKY4KzbJQ_bYVLdKqjvRPnuwDTEkMs%26s%3DStwkfFlN5GG5TTTnZ_vyviSKeA6vxOL8pO9XdbDw9jc%26e%3D&data=02%7C01%7Cmichael.menne%40MNSU.EDU%7C78e0daf5fff14281a08208d794472e74%7C5011c7c60ab446ab9ef4fae74a921a7f%7C0%7C0%7C637140905768305285&sdata=R0UpeEADGrjHwpV0PwRedrBmEeCvRJiYfZ5wLRJRSXE%3D&reserved=0>

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Cmichael.menne%40MNSU.EDU%7C78e0daf5fff14281a08208d794472e74%7C5011c7c60ab446ab9ef4fae74a921a7f%7C0%7C0%7C637140905768305285&sdata=2mHAqR1rD2nVryVayhl36J%2BRgRHvSkP1yTflHsyYvXk%3D&reserved=0>

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Cmichael.menne%40MNSU.EDU%7C78e0daf5fff14281a08208d794472e74%7C5011c7c60ab446ab9ef4fae74a921a7f%7C0%7C0%7C637140905768315276&sdata=v89Sp9Jfx%2BNOBBLDA71hYEdzTzGZcUsPQARx5HQmuzc%3D&reserved=0>

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Cmichael.menne%40MNSU.EDU%7C78e0daf5fff14281a08208d794472e74%7C5011c7c60ab446ab9ef4fae74a921a7f%7C0%7C0%7C637140905768315276&sdata=v89Sp9Jfx%2BNOBBLDA71hYEdzTzGZcUsPQARx5HQmuzc%3D&reserved=0>

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Cmichael.menne%40MNSU.EDU%7C78e0daf5fff14281a08208d794472e74%7C5011c7c60ab446ab9ef4fae74a921a7f%7C0%7C0%7C637140905768325275&sdata=inJkK%2BX1U5lNrYaHmG5woVzxr0insOrfcXHHmfcGlo4%3D&reserved=0>

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Cmichael.menne%40MNSU.EDU%7C78e0daf5fff14281a08208d794472e74%7C5011c7c60ab446ab9ef4fae74a921a7f%7C0%7C0%7C637140905768325275&sdata=inJkK%2BX1U5lNrYaHmG5woVzxr0insOrfcXHHmfcGlo4%3D&reserved=0>

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

Previous By Date Next
Previous By Thread Next

Current thread: