Educause Security Discussion mailing list archives
Re: FERPA Notice of Proposed Rulemaking Addresses Changes in IT
From: Chuck Dunn <chuck () BUFFALO EDU>
Date: Tue, 1 Apr 2008 18:37:26 -0400
At the risk of being repetitive, Kevin's right, and after exchanging e-mail with Rodney he appears to be ready and willing help. Defining student identifier as non-directory information will be a compliance issue with very direct business process fallout. The institutions affected need to describe the business impact (i.e., cost and service implications) of the proposed regulation changes so that Rodney and the EduCause staff have something persuasive on which to base a coordinated response. If we as the IT security folk can't do that, then we can at least ensure that our Registrar's Office and campus IT leadership are involved in the discussion and impact quantification process if for no other reason than they will most directly suffer much of the fallout. For the University at Buffalo, the constraints on public disclosure of student ids will be dramatic in regards to both services and cost. We long ago separated identification from authentication and authorization and that underlying separation notion is built into most of our systems, processes and student service delivery. It will require a substantial re-engineering of process and applications to accomplish compliance with the rule as proposed. Like many others in higher education, for us, the unique person identifier is of no value except as a data element used to locate the various portions of individual's University record (not just student record). It's really only an unambiguous alias for the persons name and defining it as non-directory information is senseless. Viewing and transactional access to those records is carefully controlled by other means appropriate to the specific type of situation, transaction or data request. If as Kevin supposes, the goal is to prevent instructors from using that identifier to post grades on their door, then this is a heavy handed, simplistic shot gun attempt to accomplish that objective with costly and unacceptable side-effects. In my view, it speaks more to the perception of security rather than the reality. Proposals for alternative approaches or language as modeled in Kevin's example may help to illuminate the discussion. For example, I'd suggest that the proposed regulation say that if the student identifier is used in any manner to authenticate access without some additional companion authentication mechanism known only to the student like a PIN or password, it cannot be included as directory information. If you are bashful about responding to the list, then I'd strongly recommend that you or your institution respond directly to Rodney. Maybe a survey would provide some structured data for the effort. Chuck Mclaughlin, Kevin (mclaugkl) wrote: "I agree with previous comments in this posting that Educause should help us with the comment to send back to the FERPA folks." -- Charles F. Dunn Information Security Officer University at Buffalo 716-645-3582
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
Current thread:
- Re: FERPA Notice of Proposed Rulemaking Addresses Changes in IT, (continued)
- Re: FERPA Notice of Proposed Rulemaking Addresses Changes in IT Basgen, Brian (Apr 01)
- Re: FERPA Notice of Proposed Rulemaking Addresses Changes in IT Michael R. Gettes (Apr 01)
- Re: FERPA Notice of Proposed Rulemaking Addresses Changes in IT Mclaughlin, Kevin (mclaugkl) (Apr 01)
- Re: FERPA Notice of Proposed Rulemaking Addresses Changes in IT Basgen, Brian (Apr 01)
- Re: FERPA Notice of Proposed Rulemaking Addresses Changes in IT Mclaughlin, Kevin (mclaugkl) (Apr 01)
- Re: FERPA Notice of Proposed Rulemaking Addresses Changes in IT Kevin Shalla (Apr 01)
- Re: FERPA Notice of Proposed Rulemaking Addresses Changes in IT Kevin Shalla (Apr 01)
- Re: FERPA Notice of Proposed Rulemaking Addresses Changes in IT Michael R. Gettes (Apr 01)
- Re: FERPA Notice of Proposed Rulemaking Addresses Changes in IT Basgen, Brian (Apr 01)
- Re: FERPA Notice of Proposed Rulemaking Addresses Changes in IT Charlie Prothero (Apr 01)
- Re: FERPA Notice of Proposed Rulemaking Addresses Changes in IT Chuck Dunn (Apr 01)
- Re: FERPA Notice of Proposed Rulemaking Addresses Changes in IT Basgen, Brian (Apr 01)
- Re: FERPA Notice of Proposed Rulemaking Addresses Changes in IT David Lassner (Apr 01)
- Re: FERPA Notice of Proposed Rulemaking Addresses Changes in IT Drexel Atkinson (Apr 02)
- Re: FERPA Notice of Proposed Rulemaking Addresses Changes in IT Brad Judy (Apr 02)
- Re: FERPA Notice of Proposed Rulemaking Addresses Changes in IT Brad Judy (Apr 02)