Educause Security Discussion mailing list archives

FERPA and ASP compliance


From: Theresa M Rowe <rowe () OAKLAND EDU>
Date: Wed, 7 Nov 2007 08:19:01 -0500

Hi, Justin,

If your question has to do with FERPA and authentication, I'd suggest that you start with learning what is directory information and what isn't directory information at your individual university. Every university defines directory information differently, and that is valid under FERPA law. For most, it is student name, address, etc., and these data items can be published or shared as public, as long as the student has not specifically invoked privacy. The rest of the academic record (i.e., GPA) can never be shared.

For us, we did not list our email/LDAP identifier as directory information, so it is not publicly shared. We did that so that companies could not submit a FOIA (Freedom of Information Act) request and get all the IDs (which happened once).

When we work with an external ASP, we design authentication to work on a request basis; i.e., a secure web site is developed where an end-user enters a login ID and password, which is passed to us for true/false evaluation and a response is returned. We do not send our entire ID population to the vendor. We also ask our ASPs to complete a security review document before the contract is signed; a copy of that is on our web site: http://www2.oakland.edu/uts/policies.cfm#outsourcing (click on the red word STANDARDS).

We've just started evaluating the use of SAML for this kind of security request processing.

Theresa Rowe
Chief Information Officer
University Technology Services
www.oakland.edu/uts
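The two design rules in the post above, request-based true/false credential evaluation that never hands the vendor the ID population, and release of directory information only (withheld entirely when a student has invoked privacy, and never the academic record), can be sketched as a small institution-side verifier. The following is an added example for this thread, not code from the poster or from Oakland University; the user records, attribute names, password hashing scheme (PBKDF2-HMAC-SHA256) and the `handle_request` response shape are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data; a real deployment reads this from the campus
# identity store. Password hashes use PBKDF2-HMAC-SHA256 (assumed scheme).
ITERATIONS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def _make_record(name, address, gpa, password, privacy_invoked):
    salt = secrets.token_bytes(16)
    return {
        "name": name,
        "address": address,
        "gpa": gpa,                      # academic record: never released
        "salt": salt,
        "pw_hash": _hash_password(password, salt),
        "privacy_invoked": privacy_invoked,  # student has invoked FERPA privacy
    }


# Keyed by the internal login identifier, which (as in the post) is itself
# not directory information and is never handed to the vendor in bulk.
USERS = {
    "jdoe": _make_record("Jane Doe", "123 Campus Dr", 3.7, "correct horse battery", False),
    "asmith": _make_record("Adam Smith", "45 Dorm Rd", 2.9, "staple-xyz", True),
}

# Attributes this (hypothetical) institution designated as directory information.
DIRECTORY_ATTRIBUTES = ("name", "address")

# Dummy salt/hash so that an unknown login costs the same work as a real one;
# otherwise response time would reveal which IDs exist.
_DUMMY_SALT = secrets.token_bytes(16)
_DUMMY_HASH = _hash_password("not-a-real-password", _DUMMY_SALT)


def verify_credentials(login_id: str, password: str) -> bool:
    """Evaluate one login ID/password pair and return only True or False."""
    record = USERS.get(login_id)
    if record is None:
        # Do the same hashing work for unknown IDs, then refuse.
        hmac.compare_digest(_hash_password(password, _DUMMY_SALT), _DUMMY_HASH)
        return False
    candidate = _hash_password(password, record["salt"])
    # Constant-time comparison of the stored and computed hashes.
    return hmac.compare_digest(candidate, record["pw_hash"])


def directory_attributes(login_id: str) -> dict:
    """Return only designated directory info; nothing if privacy was invoked."""
    record = USERS.get(login_id)
    if record is None or record["privacy_invoked"]:
        return {}
    return {key: record[key] for key in DIRECTORY_ATTRIBUTES}


def handle_request(login_id: str, password: str) -> dict:
    """One request/response cycle as seen by the external ASP.

    A failed evaluation returns nothing but the False verdict, so the vendor
    learns neither whether the ID exists nor any attribute about it.
    """
    if not verify_credentials(login_id, password):
        return {"authenticated": False}
    return {"authenticated": True, "attributes": directory_attributes(login_id)}


if __name__ == "__main__":
    print(handle_request("jdoe", "correct horse battery"))
    print(handle_request("asmith", "staple-xyz"))   # privacy invoked: no attributes
    print(handle_request("nobody", "whatever"))     # unknown ID: bare False
```

The point the split into `verify_credentials` and `directory_attributes` makes is that the FERPA decision (what may leave the institution) is separate from the authentication decision, and that the GPA field exists in the record but has no path to the response at all.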
