Presentation is loading. Please wait.

Presentation is loading. Please wait.

CSC FERPA Requirements Planning Meeting December 15, 2009.

Similar presentations


Presentation on theme: "CSC FERPA Requirements Planning Meeting December 15, 2009."— Presentation transcript:

1 CSC FERPA Requirements Planning Meeting December 15, 2009

2 FERPA Changes Final Amendments – December 9, 2008 Effective Date – January 8, 2009 Most interested in: – FERPA 99.31(c); p ; p

3 FERPA Changes Amending Sec to clarify the conditions under which an educational agency or institution may disclose personally identifiable information from an eligible student's education records to a parent without the prior written consent of the eligible student; Amending Sec (a)(1) to ensure that teachers and other school officials only gain access to education records in which they have legitimate educational interests;

4 FERPA Changes Amending Sec (a)(2) to permit educational agencies and institutions to disclose education records, without consent, to another institution even after the student has enrolled or transferred so long as the disclosure is for purposes related to the student's enrollment or transfer; Amending Sec to include a new subsection to provide standards for the release of information from education records that has been de-identified;

5 FERPA Changes Amending Sec to permit State and local educational authorities and Federal officials listed in Sec (a)(3) to make further disclosures of personally identifiable information from education records on behalf of the educational agency or institution; and Amending Sec to remove the language requiring strict construction of this exception and add a provision stating that if an educational agency or institution determines that there is an articulable and significant threat to the health or safety of a student or other individual, it may disclose the information to any person, including parents, whose knowledge of the information is necessary to protect the health or safety of the student or other individuals.

6 For All Changes In New Legislation ule/2008-4/120908a.pdf

7 FERPA 99.31(c) - Identification and Authentication of Identity Copied from website: The regulations in Sec (c) require educational agencies and institutions to use reasonable methods to identify and authenticate the identity of parents, students, school officials and other parties to whom the agency or institution discloses personally identifiable information from education records. The use of widely available information to authenticate identity, such as the recipient's name, date of birth, SSN or student ID number, is not considered reasonable under the regulations. The regulations will impose no new costs for educational agencies and institutions that disclose hard-copy records through the U.S. postal service or private delivery services with use of the recipient's name and last known official address.

8 FERPA 99.31(c) - Identification and Authentication of Identity We were unable to find reliable data that would allow us to estimate the additional administrative time that educational agencies and institutions will spend checking photo ID against school records or using other reasonable methods, as appropriate, to identify and authenticate the identity of students, parents, and other parties to whom the agency or institution discloses education records in person. Authentication of identity for electronic or telephonic access to education records involves a wider array of security options because of continuing advances in technologies, but is not necessarily more costly than authentication of identity for hard- copy records. We assume that educational agencies and institutions that require users to enter a secret password or PIN to authenticate identity will deliver the password or PIN through the U.S. postal service or in person.

9 FERPA 99.31(c) - Identification and Authentication of Identity We estimate that no new costs will be associated with this process because agencies and institutions already have direct contact with parents, eligible students, and school officials for a variety of other purposes and will use these opportunities to deliver a secret authentication factor. As noted in the preamble to the NPRM, 73 FR 15585, single-factor authentication of identity, such as a standard form user name combined with a secret password or PIN, may not provide reasonable protection for access to all types of education records or under all circumstances. We lack a basis for estimating costs of authenticating identity when educational agencies and institutions allow authorized users to access sensitive personal or financial information in electronic records for which single-factor authentication would not be reasonable.

10 Key Words: Reasonable Methods Good – This is left to interpretation. Not So Good  – This is left to OSU’s interpretation. We will be able to piggy-back on OSU’s implementation but will be somewhat limited in what we can do because of this.

11 Current OSU System Status SIS – User ID: SSN or CWID – PIN: Birthdate (default) C-Key – Last two digits of surname – Last five digits of SSN – Date of birth

12 What’s wrong? SIS – User ID: SSN or CWID – PIN: Birthdate (default) C-Key – Last two digits of surname – Last five digits of SSN – Date of birth Cannot be used as they are widely known.

13 Password Resets SIS – Name – Birthdate – CWID Number C-Key (For employees only at this time.) – CSC Address – Response to challenge question – Last 4 digits of SSN – Date of birth

14 What’s wrong? SIS – Name – Birthdate – CWID Number C-Key (For employees only at this time.) – CSC Address – Response to challenge question – Last 4 digits of SSN – Date of birth Challenge questions can be used, however, with the current questions it cannot be assumed that only the student will know the answer. All other data cannot be used.

15 Timeline February 2010: – CSC students should be added to AD/Exchange which will help meet FERPA requirements and provide single sign-on for: C-Key SIS Computer Labs and Libraries WebCT (eventually) If the student doesn’t supply the required information, they will not be able to access these systems.

16 Timeline February 2010: – Phase I changes to C-Key activation Alternate address Optional permission for text messages Updates to security questions – Enable alternate address management in C- Key – Push alternate address changes back to SIS – Push C-Key security Q&A to SIS

17 Timeline March/April 2010: – C-Key security questions will be pushed to SIS – Go live with changes to C-Key password resets – If locked out, token required to reset password Can be sent to user remotely via: – to alternate address – Text message to cell phone (if given permission in C-Key)

18 Timeline Late July 2010 – Phase 2 changes to C-Key activation – Require valid SIS PIN or HRS PIN to activate – C-Key will automatically send to new user when account ready to activate will contain SIS/HRS PIN to have link to website for more information – PIN may be sent to user remotely via to alternate address during online activation – SIS and HRS PIN will default to random number for new students and employees

19 The Plan According to OSU, this is the implementation plan.

20 The Plan January 2010 – Admissions offices to begin entering alternate address into SIS from admission applications. February 2010 – Send communications to CURRENT students and employees asking them to setup alternate address and/or permission to receive text messages in C-Key. – Human resources to add alternate address to Personal Information Form (PIF) and enter into HRS. – Modify batch processes that send student and employee information from SIS/HRS to C-Key to include alternate address.

21 Other Plans SIS PIN Distribution plan – Most admissions offices at Stillwater plan to rely on the automate from C-Key that is sent to students when their account is ready for activation (contains SIS PIN and link to website for more instructions) HRS PIN Distribution plan – HR will rely primarily on automated from C-Key with PIN when account is ready to activate – HRS PINs can be obtained in person with photo ID from HR

22 What does this mean to us? Many things will change. The most important issues that we must be concerned with are: – Entering – Distributing – Authenticating

23 Entering Information Since OSU’s approach has been to gather addresses from Financial Aid batch processes, we have concluded that this will not work for us: – No batch process that currently enters address into SIS – No guarantee we will receive an address from students (not required on FAFSA) – Not all students submit financial aid applications – Of those students submitting financial aid applications, some are after admissions Due to these reasons, relying on financial aid submissions of information will not work for us

24 Entering Information Admissions office will enter alternative addresses – Changes will be made to the admissions application that will “require” the student to provide an alternative – We use “require” loosely as it will not necessarily be a requirement for admission but for access to CSC technology systems

25 Distributing Information OSU has already made this available to us in the form of automated s to the user’s alternative account. We can also implement distribution of the user’s initial PIN via face-to-face or phone (with appropriate authentication discussed later).

26 Authentication Currently, we use a combination of the following: – CWID – SSN – Name – Birthdate – Address – Security Questions

27 Authentication Of these, only the security questions can provide reasonable methods of authentication. However, current security questions cannot be used as it cannot be assumed that only the student knows the answer to these: – What is your mother’s maiden name? Mom will know. – What city were you born in? Mom should know. – What is the name of the street you grew up on? You can find this information in many places. – What was the name of your high school mascot? Guessing could get someone this information. Go Wildcats, Panthers, Tigers, etc. – What is the name of your pet? Spot, Lucky, Rufus? Again, guessing could yield results.

28 Authentication OSU will be creating new questions or allowing students to create their own questions (bad idea in my opinion) These will be populated into SIS so all offices can use these to authenticate. As noted in FERPA, you must use something only known to the student to authenticate such as one of these prescribed methods: – Photo ID – Random PIN or TOKEN – Password – Personal security questions – Smart card – Biometric indicators

29 Sample Processes for CSC Need information from students and employees including alternate address and permission to use SMS service with cell phone. Students must activate using random PIN Access is restricted based on required information only the student will know Resets are accomplished with a random TOKEN that will be sent only to the alternate address or via SMS (if applicable)

30 Information gathering For students: – Recruitment (Information gathered but not entered into SIS. Can be used to manually enter later, if necessary.) – Admissions – Application for Admissions (Information entered into SIS. Will include alternate .) – Financial Aid (Information entered into SIS. Will soon include alternate to help backup the above process. We will not hinge this requirement on Financial Aid for the reasons noted earlier.) – Random PIN (6-digit, numerical) assigned by system. For employees: – HR – Personal Information Form (Information gathered and entered into SIS. Includes alternate .) – Random PIN (6-digit, numerical) assigned by system.

31 Distribute Information For students: – Once student has applied, they will receive an from OSU showing them how to activate along with their PIN (must take place overnight, after application receipt as batch processes from SIS run overnight so C-Key will not be populated with data until then) – This can also be given Face-to-Face or over the phone, after required authentication For employees: – Once employee has submitted application, interviewed, and hired, they will receive an from OSU showing them how to activate along with their PIN (note above) – This can also be given face-to-face or over the phone, after required authentication

32 Activation For students: – Using the random 6-digit PIN provided, student will activate C-Key account which will enable SIS, , and computer login accounts. For employees: – Using the random 6-digit PIN provided, employee will activate C-Key account which will enable SIS, , and computer login accounts.

33 Account Resets For students: – Student will be authenticated via face-to-face, phone (form needed), or online – A TOKEN (8-digit, alpha-numeric, non-case-sensitive) will be sent via or SMS – Will be available only for 24 hours For employees: – Employee will be authenticated via face-to-face, phone (form needed ), or online – A TOKEN (8-digit, alpha-numeric, non-case-sensitive) will be sent via or SMS – Will be available only for 24 hours

34 Account Requests For students: – Security questions and answers will still be needed along with the TOKEN – Requests must be completed online For employees: – Security questions and answers will still be needed along with the TOKEN – Requests must be completed online

35 Account Inquiries For students: – Authenticated by looking up the student (via CWID, name, etc) and then asking for answers to security questions or via one of the other prescribed methods – If validated, the user gains access – If invalidated, then no information may be given For employees: – Authenticated by looking up the employee (via CWID, name, etc) and then asking for answers to security questions or via one of the other prescribed methods – If validated, the user gains access – If invalidated, then no information may be given

36 Account Payments Same as account inquiries, however, since the student should only have access to this information, it will be extremely difficult to authenticate a parent/guardian in order for them to make a payment In-person payment by a non-student (parent or guardian) will essentially be impossible unless the student accompanies the parent or guardian and provides authentication We can get around this by enabling an online payment option This will automatically authenticate the user and allow them to make a payment without the problems of authentication and taking the payment over-the-phone or in-person Over-the-phone and in-person payments will still be possible but authentication via the prescribed methods must be used which may prove to be difficult and problematic

37 Other Improvements Worth Consideration Expand use of smart cards – Use for authentication (swipe in Admissions, Business Office, Cafeteria, Bookstore, Computer Labs, etc.) – Use for payments (Admissions, Business Office, Cafeteria, Bookstore, etc.) – Expand information on card to encompass activation instructions – Use as a true ID card

38 Departmental Changes Regarding Students – Admissions Collect alternate on application for admissions Input on screen 010 as type A Can provide initial PIN using acceptable authentication (state-issued photo ID, for instance) and in-person request form (to be designed) – Business Office Can provide initial PIN using acceptable authentication (state-issued photo ID, for instance) and in-person request form (to be designed) Payments in-person for non-students (parents or guardians) will no longer be possible

39 Departmental Changes – Financial Aid Collect alternate from FAFSA, if available Input on screen 010 as type A, if not already present Can provide initial PIN using acceptable authentication (state-issued photo ID, for instance) and in-person request form (to be designed) Implement FERPA requirement training program for new and existing student employees – Information Technology Policies and procedures documentation will be updated to include new FERPA compliance verbiage Will ensure students are transition to C-Key to allow compliance Can provide initial PIN using acceptable authentication (state-issued photo ID, for instance) and in-person request form (to be designed) Draft an informational handout (How to activate your account) and instructions for setting up an alternate Update the online new-student instructions and make them more widely available by adding the URL to the back of the ID card – Administration Provide oversight on FERPA compliance and implementation of new procedures

40 Departmental Changes Regarding Employees – Human Resources Collect alternate on employment application (PIF) Input on screen 010 as type A Can provide initial PIN using acceptable authentication (state-issued photo ID, for instance) and in- person request form (to be designed) Implement FERPA requirement training program for new and existing employees – Information Technology Policies and procedures documentation will be updated to include new FERPA compliance verbiage Can provide initial PIN using acceptable authentication (state-issued photo ID, for instance) and in- person request form (to be designed) Update the online new-student instructions and make them more widely available by adding the URL to the back of the ID card Draft an informational handout (How to activate your account) and instructions for setting up an alternate Update the online new-employee instructions and make them more widely available by adding the URL to the back of the ID card – Administration Provide oversight on FERPA compliance and implementation of new procedures

41 Any questions?


Download ppt "CSC FERPA Requirements Planning Meeting December 15, 2009."

Similar presentations


Ads by Google