Educause Security Discussion mailing list archives
Re: FERPA Notice of Proposed Rulemaking Addresses Changes in IT
From: Kevin Shalla <kshalla () UIC EDU>
Date: Tue, 1 Apr 2008 16:30:15 -0500
I think secure grade distribution should be addressed by every school as it chooses. Schools are ultimately liable for the actions of their employees, no? The secure distribution of grades has been handled by professors for centuries, in two general areas - grades for individual assignments, and midterm and final grades. The secure distribution of midterm and final grades has already been addressed by all modern student information systems - students log into the system and view their grades. The grades for individual assignments and exams used to be all done with pen, and handed to the student at the next class session. Now there are course management systems. Let the schools decide how to solve the problem, don't let Washington tell us that grades should be distributed by posting grades next to student IDs. Give us the real problem - privacy - and let us solve it. At 02:59 PM 4/1/2008, Mclaughlin, Kevin (mclaugkl) wrote:
Hi Brian: I think that this comment needs some push-back and is therefore the crux of my puzzlement on how to adhere to the intent of the new FERPA changes: (The proposal is that *every* teacher assigns unique authenticators (pins, words, colors codes -- anything) to each student that is relevant for only that class, for that semester. It is certainly a secure method, and puts the onus on the faculty member.) This certainly does put the onus on the faculty member but in order to be in compliance they now need to safeguard the delivery, use, storage and ongoing usage of the one time student authenticator. How are they going to provide the student with their code word? On paper, via email, whispering it to them, et cetera. If via paper is the faculty member going to then watch as the student shreds the paper? If via email is the email going to be encrypted in both transit and then in storage? If whispering it to them are they going to make sure no one else can hear? Is the class list of secret authenticators going to be encrypted by the faculty member? Will TAs have access to it (are they even allowed to have access to it?) How are we going to insure that the secret authenticators are destroyed at the end of the quarter? How is the secret authenticator going to be used effectively - most assuredly if I post a grade list in public and there are 15 grades of A and one F the kid who groans has just compromised his secret authenticator. I could go on but ....... I'll say it again Regulations need to be clearly articulated, concise, enforceable and if possible easy to comply with. If the crux of the Student ID issue is the public posting of student grades FERPA should say "if you put a student's grades of any type in an area accessible by anyone other than the student who owns the grade you are violating FERPA" . I agree with previous comments in this posting that Educause should help us with the comment to send back to the FERPA folks. -Kevin Kevin L. McLaughlin CISM, CISSP, GIAC-GSLC,PMP, ITIL Master Certified Director, Information Security University of Cincinnati 513-556-9177 (w) 513-703-3211 (m) 513-558-ISEC (department) -----Original Message----- From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Basgen, Brian Sent: Tuesday, April 01, 2008 1:50 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] FERPA Notice of Proposed Rulemaking Addresses Changes in IT > to proceed. If we eliminate in house Identifiers (Student > IDs) as Directory information and then we go with a PIN or > secret word for faculty who post grades (and many do - at > least here at UC) how do we secure the identity of the PINs The proposal is that *every* teacher assigns unique authenticators (pins, words, colors codes -- anything) to each student that is relevant for only that class, for that semester. It is certainly a secure method, and puts the onus on the faculty member. > if) stopping faculty from posting grades than FERPA > regulation should simply mandate that this process stop or > they will be out of compliance with > FERPA. That would be interesting, but probably untenable. I tend to think they are okay with posting, so long as it is reasonably secure. > point. One of the main reasons we (and I would assume > others) went to a Student ID vs SSN was so that we had a way > to identify students without giving up PII safeguards Right, but they do have a fair point. Since the SID follows the student, as they point out, so long as you have the same class with the same student, you've figured out their SID. One-time authenticators, by contrast, don't have this problem. ~~~~~~~~~~~~~~~~~~ Brian Basgen Information Security Pima Community College
Current thread:
- Re: FERPA Notice of Proposed Rulemaking Addresses Changes in IT Kevin Shalla (Apr 01)
- <Possible follow-ups>
- Re: FERPA Notice of Proposed Rulemaking Addresses Changes in IT Mclaughlin, Kevin (mclaugkl) (Apr 01)
- Re: FERPA Notice of Proposed Rulemaking Addresses Changes in IT Basgen, Brian (Apr 01)
- Re: FERPA Notice of Proposed Rulemaking Addresses Changes in IT Michael R. Gettes (Apr 01)
- Re: FERPA Notice of Proposed Rulemaking Addresses Changes in IT Mclaughlin, Kevin (mclaugkl) (Apr 01)
- Re: FERPA Notice of Proposed Rulemaking Addresses Changes in IT Basgen, Brian (Apr 01)
- Re: FERPA Notice of Proposed Rulemaking Addresses Changes in IT Mclaughlin, Kevin (mclaugkl) (Apr 01)
- Re: FERPA Notice of Proposed Rulemaking Addresses Changes in IT Kevin Shalla (Apr 01)
- Re: FERPA Notice of Proposed Rulemaking Addresses Changes in IT Kevin Shalla (Apr 01)
- Re: FERPA Notice of Proposed Rulemaking Addresses Changes in IT Michael R. Gettes (Apr 01)
- Re: FERPA Notice of Proposed Rulemaking Addresses Changes in IT Basgen, Brian (Apr 01)
- Re: FERPA Notice of Proposed Rulemaking Addresses Changes in IT Charlie Prothero (Apr 01)
- Re: FERPA Notice of Proposed Rulemaking Addresses Changes in IT Chuck Dunn (Apr 01)
- Re: FERPA Notice of Proposed Rulemaking Addresses Changes in IT Basgen, Brian (Apr 01)
- Re: FERPA Notice of Proposed Rulemaking Addresses Changes in IT David Lassner (Apr 01)
- Re: FERPA Notice of Proposed Rulemaking Addresses Changes in IT Drexel Atkinson (Apr 02)
- Re: FERPA Notice of Proposed Rulemaking Addresses Changes in IT Brad Judy (Apr 02)
- Re: FERPA Notice of Proposed Rulemaking Addresses Changes in IT Brad Judy (Apr 02)