CSC FERPA Requirements Planning Meeting December 15, 2009

Page 1: CSC FERPA Requirements Planning Meeting

CSC FERPA Requirements Planning Meeting

December 15, 2009

Page 2: CSC FERPA Requirements Planning Meeting

FERPA Changes

• Final Amendments – December 9, 2008
• Effective Date – January 8, 2009
• Most interested in:
  – FERPA 99.31(c); p. 74848; p. 74853

Page 3: CSC FERPA Requirements Planning Meeting

FERPA Changes

• Amending Sec. 99.5 to clarify the conditions under which an educational agency or institution may disclose personally identifiable information from an eligible student's education records to a parent without the prior written consent of the eligible student;

• Amending Sec. 99.31(a)(1) to ensure that teachers and other school officials only gain access to education records in which they have legitimate educational interests;

Page 4: CSC FERPA Requirements Planning Meeting

FERPA Changes

• Amending Sec. 99.31(a)(2) to permit educational agencies and institutions to disclose education records, without consent, to another institution even after the student has enrolled or transferred so long as the disclosure is for purposes related to the student's enrollment or transfer;

• Amending Sec. 99.31 to include a new subsection to provide standards for the release of information from education records that has been de-identified;

Page 5: CSC FERPA Requirements Planning Meeting

FERPA Changes

• Amending Sec. 99.35 to permit State and local educational authorities and Federal officials listed in Sec. 99.31(a)(3) to make further disclosures of personally identifiable information from education records on behalf of the educational agency or institution;

• and Amending Sec. 99.36 to remove the language requiring strict construction of this exception and add a provision stating that if an educational agency or institution determines that there is an articulable and significant threat to the health or safety of a student or other individual, it may disclose the information to any person, including parents, whose knowledge of the information is necessary to protect the health or safety of the student or other individuals.

Page 6: CSC FERPA Requirements Planning Meeting

For All Changes In New Legislation

http://www.ed.gov/legislation/FedRegister/finrule/2008-4/120908a.pdf

Page 7: CSC FERPA Requirements Planning Meeting

FERPA 99.31(c) - Identification and Authentication of Identity

• Copied from website:

• The regulations in Sec. 99.31(c) require educational agencies and institutions to use reasonable methods to identify and authenticate the identity of parents, students, school officials and other parties to whom the agency or institution discloses personally identifiable information from education records.

• The use of widely available information to authenticate identity, such as the recipient's name, date of birth, SSN or student ID number, is not considered reasonable under the regulations.

• The regulations will impose no new costs for educational agencies and institutions that disclose hard-copy records through the U.S. postal service or private delivery services with use of the recipient's name and last known official address.

Page 8: CSC FERPA Requirements Planning Meeting

FERPA 99.31(c) - Identification and Authentication of Identity

• We were unable to find reliable data that would allow us to estimate the additional administrative time that educational agencies and institutions will spend checking photo ID against school records or using other reasonable methods, as appropriate, to identify and authenticate the identity of students, parents, and other parties to whom the agency or institution discloses education records in person.

• Authentication of identity for electronic or telephonic access to education records involves a wider array of security options because of continuing advances in technologies, but is not necessarily more costly than authentication of identity for hard-copy records.

• We assume that educational agencies and institutions that require users to enter a secret password or PIN to authenticate identity will deliver the password or PIN through the U.S. postal service or in person.

Page 9: CSC FERPA Requirements Planning Meeting

FERPA 99.31(c) - Identification and Authentication of Identity

• We estimate that no new costs will be associated with this process because agencies and institutions already have direct contact with parents, eligible students, and school officials for a variety of other purposes and will use these opportunities to deliver a secret authentication factor.

• As noted in the preamble to the NPRM, 73 FR 15585, single-factor authentication of identity, such as a standard form user name combined with a secret password or PIN, may not provide reasonable protection for access to all types of education records or under all circumstances.

• We lack a basis for estimating costs of authenticating identity when educational agencies and institutions allow authorized users to access sensitive personal or financial information in electronic records for which single-factor authentication would not be reasonable.

Page 10: CSC FERPA Requirements Planning Meeting

Key Words: Reasonable Methods

• Good – This is left to interpretation.

• Not So Good – This is left to OSU’s interpretation.

• We will be able to piggy-back on OSU’s implementation but will be somewhat limited in what we can do because of this.

Page 11: CSC FERPA Requirements Planning Meeting

Current OSU System Status

• SIS
  – User ID: SSN or CWID
  – PIN: Birthdate (default)

• C-Key
  – Last two digits of surname
  – Last five digits of SSN
  – Date of birth

Page 12: CSC FERPA Requirements Planning Meeting

What’s wrong?

• SIS
  – User ID: SSN or CWID
  – PIN: Birthdate (default)

• C-Key
  – Last two digits of surname
  – Last five digits of SSN
  – Date of birth

Cannot be used as they are widely known.

Page 13: CSC FERPA Requirements Planning Meeting

Password Resets

• SIS
  – Name
  – Birthdate
  – CWID Number

• C-Key (For employees only at this time.)
  – CSC Email Address
  – Response to challenge question
  – Last 4 digits of SSN
  – Date of birth

Page 14: CSC FERPA Requirements Planning Meeting

What’s wrong?

• SIS
  – Name
  – Birthdate
  – CWID Number

• C-Key (For employees only at this time.)
  – CSC Email Address
  – Response to challenge question
  – Last 4 digits of SSN
  – Date of birth

Challenge questions can be used; however, with the current questions it cannot be assumed that only the student will know the answer. None of the other data can be used.

Page 15: CSC FERPA Requirements Planning Meeting

Timeline

• February 2010:
  – CSC students should be added to AD/Exchange which will help meet FERPA requirements and provide single sign-on for:
    • C-Key
    • SIS
    • Computer Labs and Libraries
    • WebCT (eventually)
    • If the student doesn’t supply the required information, they will not be able to access these systems.

Page 16: CSC FERPA Requirements Planning Meeting

Timeline

• February 2010:
  – Phase I changes to C-Key activation
    • Alternate e-mail address
    • Optional permission for text messages
    • Updates to security questions
  – Enable alternate email address management in C-Key
  – Push alternate email address changes back to SIS
  – Push C-Key security Q&A to SIS

Page 17: CSC FERPA Requirements Planning Meeting

Timeline

• March/April 2010:
  – C-Key security questions will be pushed to SIS
  – Go live with changes to C-Key password resets
  – If locked out, token required to reset password
    • Can be sent to user remotely via:
      – Email to alternate email address
      – Text message to cell phone (if given permission in C-Key)

Page 18: CSC FERPA Requirements Planning Meeting

Timeline

• Late July 2010
  – Phase 2 changes to C-Key activation
  – Require valid SIS PIN or HRS PIN to activate
  – C-Key will automatically send email to new user when account ready to activate
    • Email will contain SIS/HRS PIN
    • Email to have link to website for more information
  – PIN may be sent to user remotely via email to alternate email address during online activation
  – SIS and HRS PIN will default to random number for new students and employees

Page 19: CSC FERPA Requirements Planning Meeting

The Plan

• According to OSU, this is the implementation plan.

Page 20: CSC FERPA Requirements Planning Meeting

The Plan

• January 2010
  – Admissions offices to begin entering alternate email address into SIS from admission applications.
• February 2010
  – Send communications to CURRENT students and employees asking them to set up alternate email address and/or permission to receive text messages in C-Key.
  – Human resources to add alternate email address to Personal Information Form (PIF) and enter into HRS.
  – Modify batch processes that send student and employee information from SIS/HRS to C-Key to include alternate email address.

Page 21: CSC FERPA Requirements Planning Meeting

Other Plans

• SIS PIN Distribution plan
  – Most admissions offices at Stillwater plan to rely on the automated email from C-Key that is sent to students when their account is ready for activation (contains SIS PIN and link to website for more instructions)

• HRS PIN Distribution plan
  – HR will rely primarily on automated email from C-Key with PIN when account is ready to activate
  – HRS PINs can be obtained in person with photo ID from HR

Page 22: CSC FERPA Requirements Planning Meeting

What does this mean to us?

• Many things will change.
• The most important issues that we must be concerned with are:
  – Entering
  – Distributing
  – Authenticating

Page 23: CSC FERPA Requirements Planning Meeting

Entering Information

• Since OSU’s approach has been to gather email addresses from Financial Aid batch processes, we have concluded that this will not work for us:
  – No batch process that currently enters email address into SIS
  – No guarantee we will receive an email address from students (not required on FAFSA)
  – Not all students submit financial aid applications
  – Of those students submitting financial aid applications, some are after admissions
• Due to these reasons, relying on financial aid submissions of information will not work for us

Page 24: CSC FERPA Requirements Planning Meeting

Entering Information

• Admissions office will enter alternative email addresses
  – Changes will be made to the admissions application that will “require” the student to provide an alternative email
  – We use “require” loosely as it will not necessarily be a requirement for admission but for access to CSC technology systems

Page 25: CSC FERPA Requirements Planning Meeting

Distributing Information

• OSU has already made this available to us in the form of automated emails to the user’s alternative email account.

• We can also implement distribution of the user’s initial PIN via face-to-face or phone (with appropriate authentication discussed later).

Page 26: CSC FERPA Requirements Planning Meeting

Authentication

• Currently, we use a combination of the following:
  – CWID
  – SSN
  – Name
  – Birthdate
  – Email Address
  – Security Questions

Page 27: CSC FERPA Requirements Planning Meeting

Authentication

• Of these, only the security questions can provide reasonable methods of authentication.
• However, current security questions cannot be used as it cannot be assumed that only the student knows the answer to these:
  – What is your mother’s maiden name? Mom will know.
  – What city were you born in? Mom should know.
  – What is the name of the street you grew up on? You can find this information in many places.
  – What was the name of your high school mascot? Guessing could get someone this information. Go Wildcats, Panthers, Tigers, etc.
  – What is the name of your pet? Spot, Lucky, Rufus? Again, guessing could yield results.

Page 28: CSC FERPA Requirements Planning Meeting

Authentication

• OSU will be creating new questions or allowing students to create their own questions (bad idea in my opinion)
• These will be populated into SIS so all offices can use these to authenticate.
• As noted in FERPA, you must use something only known to the student to authenticate such as one of these prescribed methods:
  – Photo ID
  – Random PIN or TOKEN
  – Password
  – Personal security questions
  – Smart card
  – Biometric indicators

Page 29: CSC FERPA Requirements Planning Meeting

Sample Processes for CSC

• Need information from students and employees including alternate email address and permission to use SMS service with cell phone.

• Students must activate using random PIN

• Access is restricted based on required information only the student will know

• Resets are accomplished with a random TOKEN that will be sent only to the alternate email address or via SMS (if applicable)

Page 30: CSC FERPA Requirements Planning Meeting

Information gathering

• For students:
  – Recruitment (Information gathered but not entered into SIS. Can be used to manually enter later, if necessary.)
  – Admissions – Application for Admissions (Information entered into SIS. Will include alternate email.)
  – Financial Aid (Information entered into SIS. Will soon include alternate email to help back up the above process. We will not hinge this requirement on Financial Aid for the reasons noted earlier.)
  – Random PIN (6-digit, numerical) assigned by system.
• For employees:
  – HR – Personal Information Form (Information gathered and entered into SIS. Includes alternate email.)
  – Random PIN (6-digit, numerical) assigned by system.

Page 31: CSC FERPA Requirements Planning Meeting

Distribute Information

• For students:
  – Once student has applied, they will receive an email from OSU showing them how to activate along with their PIN (must take place overnight, after application receipt as batch processes from SIS run overnight so C-Key will not be populated with data until then)
  – This can also be given face-to-face or over the phone, after required authentication
• For employees:
  – Once employee has submitted application, interviewed, and hired, they will receive an email from OSU showing them how to activate along with their PIN (note above)
  – This can also be given face-to-face or over the phone, after required authentication

Page 32: CSC FERPA Requirements Planning Meeting

Activation

• For students:
  – Using the random 6-digit PIN provided, student will activate C-Key account which will enable SIS, email, and computer login accounts.

• For employees:
  – Using the random 6-digit PIN provided, employee will activate C-Key account which will enable SIS, email, and computer login accounts.

Page 33: CSC FERPA Requirements Planning Meeting

Account Resets

• For students:
  – Student will be authenticated via face-to-face, phone (form needed), or online
  – A TOKEN (8-digit, alpha-numeric, non-case-sensitive) will be sent via email or SMS
  – Will be available only for 24 hours
• For employees:
  – Employee will be authenticated via face-to-face, phone (form needed), or online
  – A TOKEN (8-digit, alpha-numeric, non-case-sensitive) will be sent via email or SMS
  – Will be available only for 24 hours
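
The reset-token rules on this slide (8 characters, alphanumeric, not case-sensitive, valid for 24 hours), sketched as an added example; it is not part of the original slides and is not OSU's or CSC's C-Key code. The names ResetTokenStore and MAX_ATTEMPTS, the salted-hash storage, the single-use rule and the five-attempt cap are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import string

TOKEN_ALPHABET = string.ascii_uppercase + string.digits  # 36 symbols, one case only
TOKEN_LENGTH = 8
TOKEN_TTL_SECONDS = 24 * 60 * 60   # "available only for 24 hours"
MAX_ATTEMPTS = 5                   # assumption: the slides give no lockout threshold


def _digest(token: str, salt: bytes) -> bytes:
    # Normalise case before hashing so "ab12cd34" and "AB12CD34" verify the same.
    return hashlib.sha256(salt + token.strip().upper().encode("utf-8")).digest()


class ResetTokenStore:
    """In-memory stand-in for the table that would hold pending resets."""

    def __init__(self):
        self._pending = {}  # user_id -> salt, digest, expiry time, attempt count

    def issue(self, user_id: str, now: float) -> str:
        # secrets (CSPRNG), not random: the token must not be predictable.
        token = "".join(secrets.choice(TOKEN_ALPHABET) for _ in range(TOKEN_LENGTH))
        salt = secrets.token_bytes(16)
        # A new token replaces any earlier one still pending for this user.
        self._pending[user_id] = {
            "salt": salt,
            "digest": _digest(token, salt),  # the raw token is never stored
            "expires": now + TOKEN_TTL_SECONDS,
            "attempts": 0,
        }
        return token  # caller sends it to the alternate email address or by SMS

    def redeem(self, user_id: str, presented: str, now: float) -> bool:
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        # Expired or guessed at too often: discard, forcing a fresh request.
        if now >= entry["expires"] or entry["attempts"] >= MAX_ATTEMPTS:
            del self._pending[user_id]
            return False
        entry["attempts"] += 1
        # Constant-time comparison of digests.
        if hmac.compare_digest(_digest(presented, entry["salt"]), entry["digest"]):
            del self._pending[user_id]  # single use
            return True
        return False
```

With 36 symbols and 8 positions there are about 2.8 trillion possible tokens, so the short lifetime and the attempt cap, rather than the hash, are what keep online guessing impractical.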

Page 34: CSC FERPA Requirements Planning Meeting

Account Requests

• For students:
  – Security questions and answers will still be needed along with the TOKEN
  – Requests must be completed online

• For employees:
  – Security questions and answers will still be needed along with the TOKEN
  – Requests must be completed online

Page 35: CSC FERPA Requirements Planning Meeting

Account Inquiries

• For students:
  – Authenticated by looking up the student (via CWID, name, etc.) and then asking for answers to security questions or via one of the other prescribed methods
  – If validated, the user gains access
  – If invalidated, then no information may be given
• For employees:
  – Authenticated by looking up the employee (via CWID, name, etc.) and then asking for answers to security questions or via one of the other prescribed methods
  – If validated, the user gains access
  – If invalidated, then no information may be given

Page 36: CSC FERPA Requirements Planning Meeting

Account Payments

• Same as account inquiries; however, since only the student should have access to this information, it will be extremely difficult to authenticate a parent/guardian in order for them to make a payment

• In-person payment by a non-student (parent or guardian) will essentially be impossible unless the student accompanies the parent or guardian and provides authentication

• We can get around this by enabling an online payment option

• This will automatically authenticate the user and allow them to make a payment without the problems of authentication and taking the payment over-the-phone or in-person

• Over-the-phone and in-person payments will still be possible but authentication via the prescribed methods must be used which may prove to be difficult and problematic

Page 37: CSC FERPA Requirements Planning Meeting

Other Improvements Worth Consideration

• Expand use of smart cards
  – Use for authentication (swipe in Admissions, Business Office, Cafeteria, Bookstore, Computer Labs, etc.)
  – Use for payments (Admissions, Business Office, Cafeteria, Bookstore, etc.)
  – Expand information on card to encompass activation instructions
  – Use as a true ID card

Page 38: CSC FERPA Requirements Planning Meeting

Departmental Changes

• Regarding Students
  – Admissions
    • Collect alternate email on application for admissions
    • Input email on screen 010 as type A
    • Can provide initial PIN using acceptable authentication (state-issued photo ID, for instance) and in-person request form (to be designed)
  – Business Office
    • Can provide initial PIN using acceptable authentication (state-issued photo ID, for instance) and in-person request form (to be designed)
    • Payments in-person for non-students (parents or guardians) will no longer be possible

Page 39: CSC FERPA Requirements Planning Meeting

Departmental Changes

  – Financial Aid
    • Collect alternate email from FAFSA, if available
    • Input email on screen 010 as type A, if not already present
    • Can provide initial PIN using acceptable authentication (state-issued photo ID, for instance) and in-person request form (to be designed)
    • Implement FERPA requirement training program for new and existing student employees
  – Information Technology
    • Policies and procedures documentation will be updated to include new FERPA compliance verbiage
    • Will ensure students are transitioned to C-Key to allow compliance
    • Can provide initial PIN using acceptable authentication (state-issued photo ID, for instance) and in-person request form (to be designed)
    • Draft an informational handout (How to activate your account) and instructions for setting up an alternate email
    • Update the online new-student instructions and make them more widely available by adding the URL to the back of the ID card
  – Administration
    • Provide oversight on FERPA compliance and implementation of new procedures

Page 40: CSC FERPA Requirements Planning Meeting

Departmental Changes

• Regarding Employees
  – Human Resources
    • Collect alternate email on employment application (PIF)
    • Input email on screen 010 as type A
    • Can provide initial PIN using acceptable authentication (state-issued photo ID, for instance) and in-person request form (to be designed)
    • Implement FERPA requirement training program for new and existing employees
  – Information Technology
    • Policies and procedures documentation will be updated to include new FERPA compliance verbiage
    • Can provide initial PIN using acceptable authentication (state-issued photo ID, for instance) and in-person request form (to be designed)
    • Update the online new-student instructions and make them more widely available by adding the URL to the back of the ID card
    • Draft an informational handout (How to activate your account) and instructions for setting up an alternate email
    • Update the online new-employee instructions and make them more widely available by adding the URL to the back of the ID card
  – Administration
    • Provide oversight on FERPA compliance and implementation of new procedures

Page 41: CSC FERPA Requirements Planning Meeting

Any questions?