Educause Security Discussion mailing list archives
Re: [External] Re: [SECURITY] ID Cards
From: "Menne, Michael S" <michael.menne () MNSU EDU>
Date: Wed, 8 Jan 2020 14:54:03 +0000
We are in a weird situation as well. Our student ID numbers are not part of our directory or limited director information, but are printed on the student's ID card. However, the student's login ID is listed as limited directory information and is published in the Global Address List (they cannot be hidden). In a sense, the student ID is still private. It is printed on their ID card, but nowhere else. The ID card is issued to the student and the student alone and contains their photo. In this sense, the student ID number can be classified the same as a driver's license number. The driver's license is protected information, but is printed on their driver's license. We revised our directory policy a year or two, removing things like address and place of birth. The combination of these elements with other directory information gave an identity thief everything they needed except the social security number. We also stopped publishing a student directory in conjunction with this change, deeming it somewhat outdated given the technology and social media communication available today. Michael Menne, CISSP Chief Information Security Officer IT Solutions Information Security Minnesota State University, Mankato Phone: (507) 389-5705 mnsu.edu/cyberaware<https://mnsu.edu/cyberaware> [signature_2008603909] Confidentiality Notice: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Gregg, Christopher S. Sent: Wednesday, January 8, 2020 8:29 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] [External] Re: [SECURITY] ID Cards Thanks Henk. That is really helpful. I am not sure how I have missed seeing that letter for the past 15 years... We will definitely review our stance on ID numbers in the near future as we currently are operating in a weird in between world where we try to keep the numbers private and yet they are printed on ID cards, used in mailings, etc. With increased scrutiny from the DoE on things like GLBA and breach reporting, it would be good to clarify the classification of ID numbers. Thanks, Chris From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>> On Behalf Of Sonder, Henk E. Sent: Tuesday, January 7, 2020 5:16 PM To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU> Subject: Re: [SECURITY] [External] Re: [SECURITY] ID Cards We have, but with an opt-out clause. I believe that such ID is nowadays more broadly considered 'directory information'. This 2004 guidance from DOE (https://www2.ed.gov/policy/gen/guid/fpco/ferpa/mndirectoryinfo.html<https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww2.ed.gov%2Fpolicy%2Fgen%2Fguid%2Ffpco%2Fferpa%2Fmndirectoryinfo.html&data=02%7C01%7Cmichael.menne%40MNSU.EDU%7C78e0daf5fff14281a08208d794472e74%7C5011c7c60ab446ab9ef4fae74a921a7f%7C0%7C0%7C637140905768255312&sdata=rSQmWgcv1HhWAmBa14wVTSuvgHE%2FKTDcvZ0XfRUJtcA%3D&reserved=0>) and the more recent https://www2.ed.gov/policy/gen/guid/fpco/ferpa/library/ryanuillinois.html<https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww2.ed.gov%2Fpolicy%2Fgen%2Fguid%2Ffpco%2Fferpa%2Flibrary%2Fryanuillinois.html&data=02%7C01%7Cmichael.menne%40MNSU.EDU%7C78e0daf5fff14281a08208d794472e74%7C5011c7c60ab446ab9ef4fae74a921a7f%7C0%7C0%7C637140905768265314&sdata=D5pZsXlOA5iguzs2nO%2BkgKnwZ4qch7vv1su5g1HU00Y%3D&reserved=0> confirms that under FERPA this can be considered as 'directory information' and providing an opt-out. Henk E. Sonder Director Information Security Rhode Island College 600 Mount Pleasant Ave Providence, RI 02908 Office: 401-456-9577 Email: hsonder () ric edu<mailto:hsonder () ric edu> From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>> On Behalf Of Gregg, Christopher S. Sent: Tuesday, January 7, 2020 5:17 PM To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU> Subject: Re: [SECURITY] [External] Re: [SECURITY] ID Cards [EXTERNAL SENDER] DO NOT CLICK links/attachments unless you recognize the sender and know the content is safe. That makes a lot of sense to me, but does anyone here actually have University ID# listed as Directory Information in their FERPA policy/privacy statement? Chris Chris Gregg Associate Vice President of Information Security & Risk Management, CISO Innovation & Technology Services (ITS) csgregg () stthomas edu<mailto:csgregg () stthomas edu> p 1 (651) 962-6265 University of St. Thomas | stthomas.edu<https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.stthomas.edu%2F&data=02%7C01%7Cmichael.menne%40MNSU.EDU%7C78e0daf5fff14281a08208d794472e74%7C5011c7c60ab446ab9ef4fae74a921a7f%7C0%7C0%7C637140905768265314&sdata=gYtoqeylfQ6YWkxA9cRhQ9M%2FL8rG1NRFuV9LeQ2TJhY%3D&reserved=0> From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>> On Behalf Of Piscitello, Frank Sent: Tuesday, January 7, 2020 11:13 AM To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU> Subject: [External] Re: [SECURITY] ID Cards I am a believer, that if it's printed on an ID card, it could be viewed for public consumption (even by accident.) The point of the information on the card is to vet the identity of the person carrying the ID. We print ID numbers on our cards as well as the picture. Our card is also used as door access via a one-card system (HID/CCure) and a mag-stripe for vending machines. So, if your FERPA policy defines what is considered directory vs private, maybe the ID should also reflect that concept as well. "Many of the truths that we cling to depend on our point of view." - Obi-Wan Kenobi [mainLogo-128] =#WCUGreenDot<https://nam02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.wcupa.edu%2F_services%2FgreenDot%2F&data=02%7C01%7Cmichael.menne%40MNSU.EDU%7C78e0daf5fff14281a08208d794472e74%7C5011c7c60ab446ab9ef4fae74a921a7f%7C0%7C0%7C637140905768265314&sdata=iWLfu1lZj5rWowpNjXalMQ3VHA5jtqnCoDiXjlwmVn4%3D&reserved=0> Frank J. Piscitello, Jr. , CISSP Information Security Officer | Information Services & Technology West Chester University of PA | 610-436-3192 | PGP-Key: D7289F1F<https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwcupa.edu%2FInfoServices%2Fsecurity%2Fd7289f1f.aspx&data=02%7C01%7Cmichael.menne%40MNSU.EDU%7C78e0daf5fff14281a08208d794472e74%7C5011c7c60ab446ab9ef4fae74a921a7f%7C0%7C0%7C637140905768275303&sdata=ksNqdog7lbZe95GBmjB2nJs38Ocyomxn3wyUkG3EGFk%3D&reserved=0> wcupa.edu/infoservices/security/<https://nam02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.wcupa.edu%2Finfoservices%2Fsecurity%2F&data=02%7C01%7Cmichael.menne%40MNSU.EDU%7C78e0daf5fff14281a08208d794472e74%7C5011c7c60ab446ab9ef4fae74a921a7f%7C0%7C0%7C637140905768285299&sdata=QBmImHNd9cff9GNKKPZ3U%2BuHHaPE3y9pdQO6zrDoXFk%3D&reserved=0> [Teams-16x16] <https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fteams.microsoft.com%2Fl%2Fchat%2F0%2F0%3Fusers%3Dfpiscitello%40wcupa.edu&data=02%7C01%7Cmichael.menne%40MNSU.EDU%7C78e0daf5fff14281a08208d794472e74%7C5011c7c60ab446ab9ef4fae74a921a7f%7C0%7C0%7C637140905768285299&sdata=NAlSEKcdqkLSiEPdhXPhSZILsQDy05GmqoAEZ53LRg4%3D&reserved=0> From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>> On Behalf Of Jones, Mark B Sent: Monday, January 6, 2020 2:12 PM To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU> Subject: Re: [SECURITY] ID Cards I agree. My comment was idealistic. Michaels is pragmatic. From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>> On Behalf Of Menne, Michael S Sent: Monday, January 6, 2020 1:07 PM To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU> Subject: Re: [SECURITY] ID Cards **** EXTERNAL EMAIL **** I agree with Mark that anything printed on an ID badge should be considered private or sensitive. That said, I would ask Marketing to take down the image and re-print it with a fake ID badge with fake numbers to ensure the student's privacy (as much as practically possible in this situation). From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>> On Behalf Of Jones, Mark B Sent: Monday, January 6, 2020 12:59 PM To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU> Subject: Re: [SECURITY] ID Cards In my opinion it is a mistake to consider anything printed on ID cards as private (or worse, secret). There are too many legitimate needs for access to and to exchange student/employee IDs for them to be used to prove identity. They are not secret. There are likely easier ways to get this student's ID than passing by that window display. If you can do something malicious with it, it should not be printed on your ID card or you should put processes in place to protect against the malicious 'thing'. From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>> On Behalf Of Garrett McManaway Sent: Monday, January 6, 2020 12:35 PM To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU> Subject: [SECURITY] ID Cards **** EXTERNAL EMAIL **** Hello, We recently had an issue come up where a med student was photographed where his student ID on his lab coat. That image was blown up larger than life and used by our marketing team in the window of our bookstore, which happens to face two busy public streets. As a result I have gotten a few questions on allowing the ID card to be used as a badge for physical identification. Does anyone have a policy around using school issued ID cards as badges for identification? In particular, for Medical School students working in clinical practices? We have a OneCard system, where the card contains a photo and other information including the student/employee ID. The ID is meant to be private and could be used for a number of malicious things, including validation of identity through our help desk. As a side note we do not have our own hospital system so we do not issue any other type of badge to use for identity but rely on the partner institution to do so, but we believe in some cases the students are also displaying their WSU OneCard as well. Garrett McManaway CISO & Sr. Director C&IT - Information Security and Compliance Wayne State University Phone: 313-577-3454 ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community<https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttps-3A__www.educause.edu_community%26d%3DDwMFAg%26c%3DbKRySV-ouEg_AT-w2QWsTdd9X__KYh9Eq2fdmQDVZgw%26r%3DLgw4Sh6g47kM5A_tpEcLZDyPGvmOKdeDlyp60PwA78c%26m%3DGV5PsXD6UvZsN71Rd3W3FPuIG6Ainw1JRUvxpo4jRyk%26s%3DAPcRvANQmXdD30YycYVh_drxX-ezFMECK9nGCANBsNE%26e%3D&data=02%7C01%7Cmichael.menne%40MNSU.EDU%7C78e0daf5fff14281a08208d794472e74%7C5011c7c60ab446ab9ef4fae74a921a7f%7C0%7C0%7C637140905768295292&sdata=XYhsoL6lg5BR2duz6b%2B%2BT0WXvlNGuJvX6oSAvjtWuRo%3D&reserved=0> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community<https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttps-3A__www.educause.edu_community%26d%3DDwMFAg%26c%3DbKRySV-ouEg_AT-w2QWsTdd9X__KYh9Eq2fdmQDVZgw%26r%3DLgw4Sh6g47kM5A_tpEcLZDyPGvmOKdeDlyp60PwA78c%26m%3DIyogzd7jk7qi8mKY4KzbJQ_bYVLdKqjvRPnuwDTEkMs%26s%3DStwkfFlN5GG5TTTnZ_vyviSKeA6vxOL8pO9XdbDw9jc%26e%3D&data=02%7C01%7Cmichael.menne%40MNSU.EDU%7C78e0daf5fff14281a08208d794472e74%7C5011c7c60ab446ab9ef4fae74a921a7f%7C0%7C0%7C637140905768295292&sdata=wdrK4p%2BFuXGg4t9T6EKsfEtvcywkKg%2BcAE5KmWuw5NQ%3D&reserved=0> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community<https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttps-3A__www.educause.edu_community%26d%3DDwMFAg%26c%3DbKRySV-ouEg_AT-w2QWsTdd9X__KYh9Eq2fdmQDVZgw%26r%3DLgw4Sh6g47kM5A_tpEcLZDyPGvmOKdeDlyp60PwA78c%26m%3DIyogzd7jk7qi8mKY4KzbJQ_bYVLdKqjvRPnuwDTEkMs%26s%3DStwkfFlN5GG5TTTnZ_vyviSKeA6vxOL8pO9XdbDw9jc%26e%3D&data=02%7C01%7Cmichael.menne%40MNSU.EDU%7C78e0daf5fff14281a08208d794472e74%7C5011c7c60ab446ab9ef4fae74a921a7f%7C0%7C0%7C637140905768305285&sdata=R0UpeEADGrjHwpV0PwRedrBmEeCvRJiYfZ5wLRJRSXE%3D&reserved=0> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community<https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Cmichael.menne%40MNSU.EDU%7C78e0daf5fff14281a08208d794472e74%7C5011c7c60ab446ab9ef4fae74a921a7f%7C0%7C0%7C637140905768305285&sdata=2mHAqR1rD2nVryVayhl36J%2BRgRHvSkP1yTflHsyYvXk%3D&reserved=0> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community<https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Cmichael.menne%40MNSU.EDU%7C78e0daf5fff14281a08208d794472e74%7C5011c7c60ab446ab9ef4fae74a921a7f%7C0%7C0%7C637140905768315276&sdata=v89Sp9Jfx%2BNOBBLDA71hYEdzTzGZcUsPQARx5HQmuzc%3D&reserved=0> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community<https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Cmichael.menne%40MNSU.EDU%7C78e0daf5fff14281a08208d794472e74%7C5011c7c60ab446ab9ef4fae74a921a7f%7C0%7C0%7C637140905768315276&sdata=v89Sp9Jfx%2BNOBBLDA71hYEdzTzGZcUsPQARx5HQmuzc%3D&reserved=0> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community<https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Cmichael.menne%40MNSU.EDU%7C78e0daf5fff14281a08208d794472e74%7C5011c7c60ab446ab9ef4fae74a921a7f%7C0%7C0%7C637140905768325275&sdata=inJkK%2BX1U5lNrYaHmG5woVzxr0insOrfcXHHmfcGlo4%3D&reserved=0> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community<https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Cmichael.menne%40MNSU.EDU%7C78e0daf5fff14281a08208d794472e74%7C5011c7c60ab446ab9ef4fae74a921a7f%7C0%7C0%7C637140905768325275&sdata=inJkK%2BX1U5lNrYaHmG5woVzxr0insOrfcXHHmfcGlo4%3D&reserved=0> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
Current thread:
- ID Cards Garrett McManaway (Jan 06)
- Re: ID Cards Jones, Mark B (Jan 06)
- Re: ID Cards Menne, Michael S (Jan 06)
- Re: ID Cards Jones, Mark B (Jan 06)
- Re: ID Cards Piscitello, Frank (Jan 07)
- Re: [External] Re: [SECURITY] ID Cards Gregg, Christopher S. (Jan 07)
- Re: [External] Re: [SECURITY] ID Cards Sonder, Henk E. (Jan 07)
- Re: [External] Re: [SECURITY] ID Cards Gregg, Christopher S. (Jan 08)
- Re: [External] Re: [SECURITY] ID Cards Menne, Michael S (Jan 08)
- Re: ID Cards Menne, Michael S (Jan 06)
- Re: ID Cards Jones, Mark B (Jan 06)