Re: FERPA Notice of Proposed Rulemaking Addresses Changes in IT

[Chuck Dunn <chuck () BUFFALO EDU>]

At the risk of being repetitive, Kevin's right, and after exchanging
e-mail with Rodney he appears to be ready and willing help.

Defining student identifier as non-directory information will be a
compliance issue with very direct business process fallout.  The
institutions affected need to describe the business impact (i.e., cost
and service implications) of the proposed regulation changes so that
Rodney and the EduCause staff have something persuasive on which to base
a coordinated response.  If we as the IT security folk can't do that,
then we can at least ensure that our Registrar's Office and campus IT
leadership are involved in the discussion and impact quantification
process if for no other reason than they will most directly suffer much
of the fallout.

For the University at Buffalo, the constraints on public disclosure of
student ids will be dramatic in regards to both services and cost.  We
long ago separated identification from authentication and authorization
and that underlying separation notion is built into most of our systems,
processes and student service delivery.  It will require a substantial
re-engineering of process and applications to accomplish compliance with
the rule as proposed.

Like many others in higher education, for us, the unique person
identifier is of no value except as a data element used to locate the
various portions of individual's University record (not just student
record).  It's really only an unambiguous alias for the persons name and
defining it as non-directory information is senseless.  Viewing and
transactional access to those records is carefully controlled by other
means appropriate to the specific type of situation, transaction or data
request.

If as Kevin supposes, the goal is to prevent instructors from using that
identifier to post grades on their door, then this is a heavy handed,
simplistic shot gun attempt to accomplish that objective with costly and
unacceptable side-effects.   In my view, it speaks more to the
perception of security rather than the reality.

Proposals for alternative approaches or language as modeled in Kevin's
example may help to illuminate the discussion.  For example, I'd suggest
that the proposed regulation say that if the student identifier is used
in any manner to authenticate access without some additional companion
authentication mechanism known only to the student like a PIN or
password, it cannot be included as directory information.

If you are bashful about responding to the list, then I'd strongly
recommend that you or your institution respond directly to Rodney.

Maybe a survey would provide some structured data for the effort.

Chuck


Mclaughlin, Kevin (mclaugkl) wrote:

"I agree with previous comments in this posting that Educause should
help us with the comment to send back to the FERPA folks."




--
Charles F. Dunn
Information Security Officer
University at Buffalo
716-645-3582

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature