Educause Security Discussion mailing list archives

Re: FERPA Notice of Proposed Rulemaking Addresses Changes in IT


From: Kevin Shalla <kshalla () UIC EDU>
Date: Tue, 1 Apr 2008 16:30:15 -0500

I think secure grade distribution should be addressed by every school
as it chooses.  Schools are ultimately liable for the actions of
their employees, no?  The secure distribution of grades has been
handled by professors for centuries, in two general areas - grades
for individual assignments, and midterm and final grades.  The secure
distribution of midterm and final grades has already been addressed
by all modern student information systems - students log into the
system and view their grades.  The grades for individual assignments
and exams used to be all done with pen, and handed to the student at
the next class session.  Now there are course management
systems.  Let the schools decide how to solve the problem, don't let
Washington tell us that grades should be distributed by posting
grades next to student IDs.  Give us the real problem - privacy - and
let us solve it.

At 02:59 PM 4/1/2008, Mclaughlin, Kevin (mclaugkl) wrote:
Hi Brian:

I think that this comment needs some push-back and is therefore the crux of
my puzzlement on how to adhere to the intent of the new FERPA changes:

      (The proposal is that *every* teacher assigns unique authenticators
      (pins, words, color codes -- anything) to each student that is relevant
      for only that class, for that semester. It is certainly a secure method,
      and puts the onus on the faculty member.)

This certainly does put the onus on the faculty member but in order to be in
compliance they now need to safeguard the delivery, use, storage and ongoing
usage of the one time student authenticator.  How are they going to provide
the student with their code word?  On paper, via email, whispering it to
them,  et cetera.  If via paper is the faculty member going to then watch as
the student shreds the paper?  If via email is the email going to be
encrypted in both transit and then in storage?  If whispering it to them are
they going to make sure no one else can hear?   Is the class list of secret
authenticators going to be encrypted by the faculty member?  Will TAs have
access to it (are they even allowed to have access to it?) How are we going
to ensure that the secret authenticators are destroyed at the end of the
quarter?  How is the secret authenticator going to be used effectively -
most assuredly if I post a grade list in public and there are 15 grades of A
and one F  the kid who groans has just compromised his secret authenticator.
I could go on but .......

I'll say it again: Regulations need to be clearly articulated, concise,
enforceable and if possible easy to comply with.  If the crux of the Student
ID issue is the public posting of student grades FERPA should say "if you
put a student's grades of any type in an area accessible by anyone other
than the student who owns the grade you are violating FERPA".  I agree with
previous comments in this posting that Educause should help us with the
comment to send back to the FERPA folks.


-Kevin


Kevin L. McLaughlin
CISM, CISSP, GIAC-GSLC, PMP, ITIL Master Certified
Director, Information Security
University of Cincinnati
513-556-9177 (w)
513-703-3211 (m)
513-558-ISEC (department)




-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Basgen, Brian
Sent: Tuesday, April 01, 2008 1:50 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] FERPA Notice of Proposed Rulemaking Addresses
Changes in IT

> to proceed.  If we eliminate in house Identifiers (Student
> IDs) as Directory information and then we go with a PIN or
> secret word for faculty who post grades (and many do - at
> least here at UC) how do we secure the identity of the PINs

 The proposal is that *every* teacher assigns unique authenticators
(pins, words, color codes -- anything) to each student that is relevant
for only that class, for that semester. It is certainly a secure method,
and puts the onus on the faculty member.

> if)  stopping faculty from posting grades then FERPA
> regulation should simply mandate that this process stop or
> they will be out of compliance with
> FERPA.

 That would be interesting, but probably untenable. I tend to think they
are okay with posting, so long as it is reasonably secure.

> point.  One of the main reasons we (and I would assume
> others) went to a Student ID vs SSN was so that we had a way
> to identify students without giving up PII safeguards

 Right, but they do have a fair point. Since the SID follows the
student, as they point out, so long as you have the same class with the
same student, you've figured out their SID. One-time authenticators, by
contrast, don't have this problem.

~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College

