Educause Security Discussion mailing list archives
Re: Telephone Verification of Identity
From: "Irish, Adrian L" <Adrian.Irish () MSO UMT EDU>
Date: Fri, 20 Mar 2009 09:37:54 -0600
Regarding your number 4, I'm not aware of anything in FERPA that prevents this. There may be other limiting factors that influence your decision on whether to use SS# for verification, but it should not be FERPA. In fact, FERPA does not specify "levels" of sensitive data; it's either protected or not, and if it is protected, then your obligations apply equally across all the data, whether that's SS#, birth date, grades, etc. Back to your original question. One area that has dealt with this issue the most on our campus is the registrar, in the context of transcript requests. They will ask for multiple items when verifying identity, and at least one of those will be something related to the persons academic records, such as "Who was your professor for Chemistry 101?", etc. The key in this process is asking for multiple items and varying what they ask for from person to person. For current and recent student's, we do have challenge questions established, but these are used primarily in the context of password resets. Adrian Irish IT Security Officer The University of Montana SS 126D Missoula, MT 59812 (406) 243-6375 adrian.irish () umontana edu
-----Original Message----- From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Kenneth Arnold Sent: Thursday, March 19, 2009 7:59 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: [SECURITY] Telephone Verification of Identity We are dealing with the problem of how you verify the identity of a person over the telephone sufficiently to discuss non-directory/confidential information with them. Do you require the person to supply specific data about themselves? If so, what data? Do you have challenge questions/responses on file that you use to verify identity? How are other schools dealing with the problem? We currently don't have a standard method to verify identity. We have tossed around some ideas like: 1. Is the student ID sufficient? Is the student ID similar to the SSN in that we can't use it for identification either because of FERPA? 2. Is the birthdate sufficient? Facebook makes this information readily available. A doctor's office tends to use this to verify identity over the phone. 3. Is the student ID and the birthdate sufficient? 4. It is our impression that we can't use the social security number or even part of it because of FERPA. 5. Do you call the person back at a telephone number recorded for that person in our administrative database? 6. Do you use caller ID to verify that the person is calling from a number recorded for that person in the administrative database? Caller ID can be forged. 7. Do you generate a random number, display it to the person answering the phone, send the random number to the person through email and then require the person to give you the random number? -- Brother Kenneth Arnold Director of Network Systems Christian Brothers University Memphis, TN (901) 321-4333
Current thread:
- Telephone Verification of Identity Kenneth Arnold (Mar 19)
- <Possible follow-ups>
- Re: Telephone Verification of Identity Tonkin, Derek K. (Mar 20)
- Re: Telephone Verification of Identity Irish, Adrian L (Mar 20)
- Re: Telephone Verification of Identity Matthew Giannetto (Mar 20)