CSC FERPA Requirements Planning Meeting

December 15, 2009
FERPA Changes
• Final Amendments – December 9, 2008
• Effective Date – January 8, 2009
• Most interested in:
– 34 CFR 99.31(c) (Federal Register pp. 74848 and 74853)
FERPA Changes
• Amending Sec. 99.5 to clarify the conditions
under which an educational agency or institution
may disclose personally identifiable information
from an eligible student's education records to a
parent without the prior written consent of the
eligible student;
• Amending Sec. 99.31(a)(1) to ensure that
teachers and other school officials only gain
access to education records in which they have
legitimate educational interests;
FERPA Changes
• Amending Sec. 99.31(a)(2) to permit educational
agencies and institutions to disclose education
records, without consent, to another institution
even after the student has enrolled or transferred
so long as the disclosure is for purposes related
to the student's enrollment or transfer;
• Amending Sec. 99.31 to include a new subsection
to provide standards for the release of
information from education records that has
been de-identified;
FERPA Changes
• Amending Sec. 99.35 to permit State and local educational
authorities and Federal officials listed in Sec. 99.31(a)(3) to
make further disclosures of personally identifiable
information from education records on behalf of the
educational agency or institution;
• Amending Sec. 99.36 to remove the language requiring
strict construction of this exception and add a provision
stating that if an educational agency or institution
determines that there is an articulable and significant
threat to the health or safety of a student or other
individual, it may disclose the information to any person,
including parents, whose knowledge of the information is
necessary to protect the health or safety of the student or
other individuals.
Full text of the final regulations:
http://www.ed.gov/legislation/FedRegister/finrule/2008-4/120908a.pdf
FERPA 99.31(c) - Identification and
Authentication of Identity
• Quoted from the Department of Education's analysis of the final rule:
• The regulations in Sec. 99.31(c) require educational agencies and
institutions to use reasonable methods to identify and authenticate
the identity of parents, students, school officials and other parties
to whom the agency or institution discloses personally identifiable
information from education records.
• The use of widely available information to authenticate identity,
such as the recipient's name, date of birth, SSN or student ID
number, is not considered reasonable under the regulations.
• The regulations will impose no new costs for educational agencies
and institutions that disclose hard-copy records through the U.S.
postal service or private delivery services with use of the recipient's
name and last known official address.
FERPA 99.31(c) - Identification and
Authentication of Identity
• We were unable to find reliable data that would allow us to
estimate the additional administrative time that educational
agencies and institutions will spend checking photo ID against
school records or using other reasonable methods, as appropriate,
to identify and authenticate the identity of students, parents, and
other parties to whom the agency or institution discloses education
records in person.
• Authentication of identity for electronic or telephonic access to
education records involves a wider array of security options
because of continuing advances in technologies, but is not
necessarily more costly than authentication of identity for hardcopy records.
• We assume that educational agencies and institutions that require
users to enter a secret password or PIN to authenticate identity will
deliver the password or PIN through the U.S. postal service or in
person.
FERPA 99.31(c) - Identification and
Authentication of Identity
• We estimate that no new costs will be associated with this process
because agencies and institutions already have direct contact with
parents, eligible students, and school officials for a variety of other
purposes and will use these opportunities to deliver a secret
authentication factor.
• As noted in the preamble to the NPRM, 73 FR 15585, single-factor
authentication of identity, such as a standard form user name
combined with a secret password or PIN, may not provide
reasonable protection for access to all types of education records or
under all circumstances.
• We lack a basis for estimating costs of authenticating identity when
educational agencies and institutions allow authorized users to
access sensitive personal or financial information in electronic
records for which single-factor authentication would not be
reasonable.
Key Words: Reasonable Methods
• Good 
– This is left to interpretation.
• Not So Good 
– This is left to OSU’s interpretation.
• We will be able to piggy-back on OSU’s
implementation but will be somewhat limited
in what we can do because of this.
Current OSU System Status
• SIS
– User ID: SSN or CWID
– PIN: Birthdate (default)
• C-Key
– Last two digits of surname
– Last five digits of SSN
– Date of birth
What’s wrong?
• SIS
– User ID: SSN or CWID
– PIN: Birthdate (default)
• C-Key
– Last two digits of surname
– Last five digits of SSN
– Date of birth
None of these can be used: name, date of birth, SSN and student ID
number are exactly the "widely available information" that 99.31(c)
says is not a reasonable method of authentication.
Password Resets
• SIS
– Name
– Birthdate
– CWID Number
• C-Key (For employees only at this time.)
– CSC Email Address
– Response to challenge question
– Last 4 digits of SSN
– Date of birth
What’s wrong?
• SIS
– Name
– Birthdate
– CWID Number
• C-Key (For employees only at this time.)
– CSC Email Address
– Response to challenge question
– Last 4 digits of SSN
– Date of birth
Challenge questions can be used; however, with the current
questions it cannot be assumed that only the student will
know the answer. All other data cannot be used.
Timeline
• February 2010:
– CSC students should be added to AD/Exchange,
which will help meet FERPA requirements and
provide single sign-on for:
• C-Key
• SIS
• Computer Labs and Libraries
• WebCT (eventually)
If the student doesn’t supply the required information,
they will not be able to access these systems.
Timeline
• February 2010:
– Phase I changes to C-Key activation
• Alternate e-mail address
• Optional permission for text messages
• Updates to security questions
– Enable alternate email address management in C-Key
– Push alternate email address changes back to SIS
– Push C-Key security Q&A to SIS
Timeline
• March/April 2010:
– C-Key security questions will be pushed to SIS
– Go live with changes to C-Key password resets
– If locked out, token required to reset password
• Can be sent to user remotely via:
– Email to alternate email address
– Text message to cell phone (if given permission in C-Key)
Timeline
• Late July 2010
– Phase 2 changes to C-Key activation
– Require valid SIS PIN or HRS PIN to activate
– C-Key will automatically send email to new user when
account ready to activate
• Email will contain SIS/HRS PIN
• Email to have link to website for more information
– PIN may be sent to user remotely via email to
alternate email address during online activation
– SIS and HRS PIN will default to random number for
new students and employees
The Plan
• According to OSU, this is the implementation
plan.
The Plan
• January 2010
– Admissions offices to begin entering alternate email
address into SIS from admission applications.
• February 2010
– Send communications to CURRENT students and
employees asking them to setup alternate email address
and/or permission to receive text messages in C-Key.
– Human resources to add alternate email address to
Personal Information Form (PIF) and enter into HRS.
– Modify batch processes that send student and employee
information from SIS/HRS to C-Key to include alternate
email address.
Other Plans
• SIS PIN Distribution plan
– Most admissions offices at Stillwater plan to rely on
the automated email from C-Key that is sent to
students when their account is ready for activation
(contains SIS PIN and link to website for more
instructions)
• HRS PIN Distribution plan
– HR will rely primarily on automated email from C-Key
with PIN when account is ready to activate
– HRS PINs can be obtained in person with photo ID
from HR
What does this mean to us?
• Many things will change.
• The most important issues that we must be
concerned with are:
– Entering
– Distributing
– Authenticating
Entering Information
• Since OSU’s approach has been to gather email
addresses from Financial Aid batch processes, we have
concluded that this will not work for us:
– No batch process that currently enters email address into
SIS
– No guarantee we will receive an email address from
students (not required on FAFSA)
– Not all students submit financial aid applications
– Of those students submitting financial aid applications,
some are after admissions
• Due to these reasons, relying on financial aid
submissions of information will not work for us
Entering Information
• Admissions office will enter alternative email
addresses
– Changes will be made to the admissions
application that will “require” the student to
provide an alternative email
– We use “require” loosely as it will not necessarily
be a requirement for admission but for access to
CSC technology systems
Distributing Information
• OSU has already made this available to us in
the form of automated emails to the user’s
alternative email account.
• We can also implement distribution of the
user’s initial PIN via face-to-face or phone
(with appropriate authentication discussed
later).
Authentication
• Currently, we use a combination of the
following:
– CWID
– SSN
– Name
– Birthdate
– Email Address
– Security Questions
Authentication
• Of these, only the security questions can provide
reasonable methods of authentication.
• However, current security questions cannot be used as it
cannot be assumed that only the student knows the answer
to these:
– What is your mother’s maiden name? Mom will know.
– What city were you born in? Mom should know.
– What is the name of the street you grew up on? You can find
this information in many places.
– What was the name of your high school mascot? Guessing could
get someone this information. Go Wildcats, Panthers, Tigers,
etc.
– What is the name of your pet? Spot, Lucky, Rufus? Again,
guessing could yield results.
Authentication
• OSU will be creating new questions or allowing students to create
their own questions (bad idea in my opinion)
• These will be populated into SIS so all offices can use these to
authenticate.
• As noted in FERPA, you must use something only known to the
student to authenticate such as one of these prescribed methods:
– Photo ID
– Random PIN or TOKEN
– Password
– Personal security questions
– Smart card
– Biometric indicators
Sample Processes for CSC
• Need information from students and employees
including alternate email address and permission
to use SMS service with cell phone.
• Students must activate using random PIN
• Access is restricted based on required
information only the student will know
• Resets are accomplished with a random TOKEN
that will be sent only to the alternate email
address or via SMS (if applicable)
Information gathering
• For students:
– Recruitment (Information gathered but not entered into SIS. Can
be used to manually enter later, if necessary.)
– Admissions – Application for Admissions (Information entered
into SIS. Will include alternate email.)
– Financial Aid (Information entered into SIS. Will soon include
alternate email to help backup the above process. We will not
hinge this requirement on Financial Aid for the reasons noted
earlier.)
– Random PIN (6-digit, numerical) assigned by system.
• For employees:
– HR – Personal Information Form (Information gathered and
entered into SIS. Includes alternate email.)
– Random PIN (6-digit, numerical) assigned by system.
Distribute Information
• For students:
– Once student has applied, they will receive an email from OSU
showing them how to activate along with their PIN (must take
place overnight, after application receipt as batch processes
from SIS run overnight so C-Key will not be populated with data
until then)
– This can also be given Face-to-Face or over the phone, after
required authentication
• For employees:
– Once employee has submitted application, interviewed, and
hired, they will receive an email from OSU showing them how to
activate along with their PIN (note above)
– This can also be given face-to-face or over the phone, after
required authentication
Activation
• For students:
– Using the random 6-digit PIN provided, student
will activate C-Key account which will enable SIS,
email, and computer login accounts.
• For employees:
– Using the random 6-digit PIN provided, employee
will activate C-Key account which will enable SIS,
email, and computer login accounts.
Account Resets
• For students:
– Student will be authenticated face-to-face, by phone
(form needed), or online
– A TOKEN (8-character, alphanumeric, non-case-sensitive) will
be sent via email or SMS
– Will be valid only for 24 hours
• For employees:
– Employee will be authenticated face-to-face, by phone
(form needed), or online
– A TOKEN (8-character, alphanumeric, non-case-sensitive) will
be sent via email or SMS
– Will be valid only for 24 hours
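Worked example, added here and not code from the CSC deck or from OSU's C-Key/SIS systems, of issuing and checking the two secrets the plan relies on: the random 6-digit numeric activation PIN from the Information gathering and Activation slides, and the 8-character, alphanumeric, non-case-sensitive reset TOKEN above that is valid for 24 hours. Everything beyond those three parameters is an assumption of mine: the token is stored only as a hash bound to the user id, it is single-use, a few wrong guesses discard it, and the alphabet leaves out look-alike characters. `ResetTokenStore`, `new_pin`, `new_token` and the injectable clock are illustration names, not anything from SIS or C-Key.

```python
import hashlib
import hmac
import secrets
import time

PIN_DIGITS = 6                    # deck: "Random PIN (6-digit, numerical)"
TOKEN_LEN = 8                     # deck: "TOKEN (8-digit, alpha-numeric, non-case-sensitive)"
TOKEN_TTL_SECONDS = 24 * 60 * 60  # deck: "available only for 24 hours"
MAX_ATTEMPTS = 5                  # assumption: discard the token after a few wrong guesses
# Assumption: upper-case letters and digits without look-alikes (0/O, 1/I/L),
# because the token is read off an SMS or email and typed back in.
TOKEN_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"


def new_pin() -> str:
    """Activation PIN: 6 digits from the OS CSPRNG, leading zeros kept."""
    return f"{secrets.randbelow(10 ** PIN_DIGITS):0{PIN_DIGITS}d}"


def new_token() -> str:
    """Reset token: 8 characters from TOKEN_ALPHABET (32^8 = 2^40 possibilities)."""
    return "".join(secrets.choice(TOKEN_ALPHABET) for _ in range(TOKEN_LEN))


def normalize(token: str) -> str:
    """Non-case-sensitive compare: upper-case it and drop spaces/dashes users add."""
    return "".join(ch for ch in token.upper() if ch.isalnum())


def _digest(user_id: str, token: str) -> str:
    """Only this hash is stored. Binding the user id stops a token issued to
    one account from being replayed against another."""
    return hashlib.sha256(f"{user_id}:{normalize(token)}".encode()).hexdigest()


class ResetTokenStore:
    """Outstanding reset tokens keyed by user id (in memory for the example;
    a real deployment persists this). The clock is injectable so the 24-hour
    expiry can be exercised without waiting."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._issued = {}  # user_id -> {"digest", "expires", "attempts"}

    def issue(self, user_id: str) -> str:
        """Create a token and return it ONCE, for delivery to the alternate
        email address or SMS number. Re-issuing replaces any earlier token.
        The plaintext is never stored or logged."""
        token = new_token()
        self._issued[user_id] = {
            "digest": _digest(user_id, token),
            "expires": self._clock() + TOKEN_TTL_SECONDS,
            "attempts": 0,
        }
        return token

    def redeem(self, user_id: str, presented: str) -> bool:
        """True exactly once, for the right token, inside its window.
        An expired token is discarded, a correct token is consumed, and too
        many wrong guesses discard the token so it cannot be brute-forced."""
        rec = self._issued.get(user_id)
        if rec is None:
            return False
        if self._clock() > rec["expires"]:
            del self._issued[user_id]
            return False
        rec["attempts"] += 1
        ok = hmac.compare_digest(rec["digest"], _digest(user_id, presented))
        if ok or rec["attempts"] >= MAX_ATTEMPTS:
            del self._issued[user_id]
        return ok


if __name__ == "__main__":
    # Constructed walk-through with a made-up CWID-style id.
    store = ResetTokenStore()
    uid = "A00000000"
    tok = store.issue(uid)
    print("activation PIN:", new_pin())
    print("token sent to alternate email:", tok)
    print("wrong guess ->", store.redeem(uid, "00000000"))          # False
    print("correct, lower case ->", store.redeem(uid, tok.lower()))  # True
    print("replayed ->", store.redeem(uid, tok))                     # False: single use
```

Two caveats a practitioner would add to the plan as written: a 40-bit token is fine against online guessing only because the attempt limit and 24-hour window exist, so if the hash store itself could leak, replace the plain SHA-256 with an HMAC under a server-side key; and of the two delivery channels the deck allows, SMS to a number the student registered in C-Key is the weaker one, so the alternate email address should be the default.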
Account Requests
• For students:
– Security questions and answers will still be
needed along with the TOKEN
– Requests must be completed online
• For employees:
– Security questions and answers will still be
needed along with the TOKEN
– Requests must be completed online
Account Inquiries
• For students:
– Authenticated by looking up the student (via CWID, name,
etc) and then asking for answers to security questions or
via one of the other prescribed methods
– If validated, the user gains access
– If invalidated, then no information may be given
• For employees:
– Authenticated by looking up the employee (via CWID,
name, etc) and then asking for answers to security
questions or via one of the other prescribed methods
– If validated, the user gains access
– If invalidated, then no information may be given
Account Payments
• Same as account inquiries; however, since only the student should
have access to this information, it will be extremely difficult to
authenticate a parent/guardian so that they can make a payment
• In-person payment by a non-student (parent or guardian) will
essentially be impossible unless the student accompanies the
parent or guardian and provides authentication
• We can get around this by enabling an online payment option
• The online option sits behind the student's own login, so the user
is already authenticated and can make a payment without the
authentication problems of taking it over the phone or in person
• Over-the-phone and in-person payments will still be possible, but
authentication via the prescribed methods must be used, which may
prove difficult and problematic
Other Improvements Worth
Consideration
• Expand use of smart cards
– Use for authentication (swipe in Admissions,
Business Office, Cafeteria, Bookstore, Computer
Labs, etc.)
– Use for payments (Admissions, Business Office,
Cafeteria, Bookstore, etc.)
– Expand information on card to encompass
activation instructions
– Use as a true ID card
Departmental Changes
• Regarding Students
– Admissions
• Collect alternate email on application for admissions
• Input email on screen 010 as type A
• Can provide initial PIN using acceptable authentication
(state-issued photo ID, for instance) and in-person request
form (to be designed)
– Business Office
• Can provide initial PIN using acceptable authentication
(state-issued photo ID, for instance) and in-person request
form (to be designed)
• Payments in-person for non-students (parents or guardians)
will no longer be possible
Departmental Changes
– Financial Aid
• Collect alternate email from FAFSA, if available
• Input email on screen 010 as type A, if not already present
• Can provide initial PIN using acceptable authentication (state-issued photo ID, for
instance) and in-person request form (to be designed)
• Implement FERPA requirement training program for new and existing student employees
– Information Technology
• Policies and procedures documentation will be updated to include new FERPA
compliance verbiage
• Will ensure students are transitioned to C-Key to allow compliance
• Can provide initial PIN using acceptable authentication (state-issued photo ID, for
instance) and in-person request form (to be designed)
• Draft an informational handout (How to activate your account) and instructions for
setting up an alternate email
• Update the online new-student instructions and make them more widely available by
adding the URL to the back of the ID card
– Administration
• Provide oversight on FERPA compliance and implementation of new procedures
Departmental Changes
• Regarding Employees
– Human Resources
• Collect alternate email on employment application (PIF)
• Input email on screen 010 as type A
• Can provide initial PIN using acceptable authentication (state-issued photo ID, for
instance) and in-person request form (to be designed)
• Implement FERPA requirement training program for new and existing employees
– Information Technology
• Policies and procedures documentation will be updated to include new FERPA
compliance verbiage
• Can provide initial PIN using acceptable authentication (state-issued photo ID, for
instance) and in-person request form (to be designed)
• Draft an informational handout (How to activate your account) and instructions for
setting up an alternate email
• Update the online new-employee instructions and make them more widely available by
adding the URL to the back of the ID card
– Administration
• Provide oversight on FERPA compliance and implementation of new procedures
Any questions?