Educause Security Discussion mailing list archives

Re: FERPA Notice of Proposed Rulemaking Addresses Changes in IT


From: "Mclaughlin, Kevin (mclaugkl)" <mclaugkl () UCMAIL UC EDU>
Date: Tue, 1 Apr 2008 15:59:28 -0400

Hi Brian:

I think that this comment needs some push-back and is therefore the crux of
my puzzlement on how to adhere to the intent of the new FERPA changes:

      (The proposal is that *every* teacher assigns unique authenticators
      (pins, words, color codes -- anything) to each student that is relevant
      for only that class, for that semester. It is certainly a secure method,
      and puts the onus on the faculty member.)

This certainly does put the onus on the faculty member, but in order to be in
compliance they now need to safeguard the delivery, use, storage and ongoing
usage of the one-time student authenticator. How are they going to provide
the student with their code word? On paper, via email, whispering it to
them, et cetera. If via paper, is the faculty member going to then watch as
the student shreds the paper? If via email, is the email going to be
encrypted in both transit and then in storage? If whispering it to them, are
they going to make sure no one else can hear? Is the class list of secret
authenticators going to be encrypted by the faculty member? Will TAs have
access to it (are they even allowed to have access to it)? How are we going
to ensure that the secret authenticators are destroyed at the end of the
quarter? How is the secret authenticator going to be used effectively -
most assuredly, if I post a grade list in public and there are 15 grades of A
and one F, the kid who groans has just compromised his secret authenticator.
I could go on but ...

I'll say it again: Regulations need to be clearly articulated, concise,
enforceable and, if possible, easy to comply with. If the crux of the Student
ID issue is the public posting of student grades, FERPA should say "if you
put a student's grades of any type in an area accessible by anyone other
than the student who owns the grade you are violating FERPA". I agree with
previous comments in this posting that Educause should help us with the
comment to send back to the FERPA folks.


-Kevin


Kevin L. McLaughlin
CISM, CISSP, GIAC-GSLC,PMP, ITIL Master Certified  
Director, Information Security
University of Cincinnati
513-556-9177 (w)
513-703-3211 (m)
513-558-ISEC (department)
 
 


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Basgen, Brian
Sent: Tuesday, April 01, 2008 1:50 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] FERPA Notice of Proposed Rulemaking Addresses
Changes in IT

to proceed.  If we eliminate in house Identifiers (Student 
IDs) as Directory information and then we go with a PIN or 
secret word for faculty who post grades (and many do - at 
least here at UC) how do we secure the identity of the PINs

 The proposal is that *every* teacher assigns unique authenticators
(pins, words, color codes -- anything) to each student that is relevant
for only that class, for that semester. It is certainly a secure method,
and puts the onus on the faculty member.

if)  stopping faculty from posting grades then FERPA 
regulation should simply mandate that this process stop or 
they will be out of compliance with
FERPA.

 That would be interesting, but probably untenable. I tend to think they
are okay with posting, so long as it is reasonably secure. 

point.  One of the main reasons we (and I would assume 
others) went to a Student ID vs SSN was so that we had a way 
to identify students without giving up PII safeguards

 Right, but they do have a fair point. Since the SID follows the
student, as they point out, so long as you have the same class with the
same student, you've figured out their SID. One-time authenticators, by
contrast, don't have this problem.

~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College
