Negotiated Rulemaking: Program Integrity Issues


Who’s On the Phone?
Authenticating Identity
Val Meyers
Associate Director
Michigan State University
FERPA Rules
• Changes to FERPA published December 2008 led many schools to review how we release information
• Previous regulation did not address authentication of identity
• With new communications methods, it is important to be certain who is on the “other end”
Institutional Policies
• Data security is a growing concern at most institutions
• Most institutions have adopted policies to safeguard their institutional data, and have procedures for reporting security breaches
Authentication
The institution must use “reasonable methods” to authenticate the identity of the person asking for student-specific information
Authentication involves:
• Something only the user knows;
• Something only the user has; OR
• Biometric factor associated only with the user
Name, Date of Birth, and SSN is NOT considered “reasonable”
When do you need to authenticate?
– In Person
– Through Email
– On the Web
– On the phone
Methods that work for some of these don’t work at all for others
Authentication Methods
• In person – something only the user has, such as a student ID card or picture ID
• On the web or by secured email – something only the user knows, such as an institutional ID and password
• What do you use on the phone?
MSU’s solution
• Establish a “shared secret” by requiring the student to select and answer security questions
• Allow for guest access by letting the student list names of approved representatives and requiring the guests to also supply the answers to security questions
• This establishes both identity and authentication
• Students who have not completed eSecurity or who cannot authenticate may not receive student-specific information
The Process
• We reviewed the FERPA regulations and analytical tools available (see references at the end of this presentation)
• We drafted a procedure and a web site to collect the security questions and authorized “guest” names
• We put together a task force which reviewed the documents
Who should be on your Task Force?
• The person responsible for FERPA enforcement on your campus (at MSU, the Registrar)
• Representative from General Counsel
• Technical representative (to program the web site and make sure that access to it is secure)
• Customer service representative(s) who will use it
Introduction to eSecurity
• Menu item “eSecurity” is added to MSU’s secure student portal, STUINFO
• Students are sent an email from the Office of Financial Aid stating that they must complete eSecurity, and that authentication begins on a future date
• Other messages –
– Main web page
– Voice greeting on main phone letter
– Parent electronic newsletter
– Academic advisor listserv
– Admissions, Registrar, and Controller staff
Initial Screen
Selecting Questions & Responding
eSecurity features
• The student may change questions or answers to their questions at any time
• The student may add or revoke permission for guest access at any time
• Staff see information in real time
Staff Use
• When a call comes in –
– Staff identify the student record by requesting name, date of birth, and other information if necessary (address, residence hall, etc.)
• SSN is never used as an identifier
– Once the MSU Personal ID number is found, that is used to pull up the eSecurity screen
– At least one question is asked and the answer or answers provide authentication
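The phone check described under “MSU’s solution” and “Staff Use”, sketched as an added example; it is not MSU’s code. It assumes answers are stored as salted PBKDF2 hashes and that staff type in what the caller says after the record has been located by name and date of birth; all function names and sample data are constructed.

```python
import hashlib
import hmac
import os
import unicodedata

ITERATIONS = 100_000  # assumed work factor for this sketch


def normalize(text):
    """Fold case, Unicode form and spacing so spoken answers compare fairly."""
    return " ".join(unicodedata.normalize("NFKC", text).casefold().split())


def hash_answer(answer, salt):
    """Salted, slow hash of the normalized answer; the plaintext is not kept."""
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, ITERATIONS)


def enroll(answers, guests=()):
    """Build a student's eSecurity record: hashed answers plus approved guests."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "answers": {q: hash_answer(a, salt) for q, a in answers.items()},
        "guests": {normalize(g) for g in guests},
    }


def authenticate_caller(record, question, spoken_answer, guest_name=None):
    """Return True only if the caller may receive student-specific information."""
    if record is None or not record["answers"]:
        return False  # eSecurity not completed: release nothing
    if guest_name is not None and normalize(guest_name) not in record["guests"]:
        return False  # guest is not on the student's approved list
    expected = record["answers"].get(question)
    if expected is None:
        return False  # staff asked a question the student never selected
    candidate = hash_answer(spoken_answer, record["salt"])
    return hmac.compare_digest(candidate, expected)  # constant-time compare


# Constructed sample data, not real student information.
RECORD = enroll(
    {"First pet's name?": "Biscuit", "City of first job?": "East Lansing"},
    guests=["Pat Example"],
)
```

Locating the record by name and date of birth only identifies the student; the caller is authenticated by the answer alone, and a guest needs both the approved-list entry and the answer.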
eSecurity Screen for Staff
References
• FERPA changes in the Federal Register (12/9/08)
– http://www2.ed.gov/legislation/FedRegister/finrule/2008-4/120908a.pdf
• Section by Section Analysis
– http://www2.ed.gov/policy/gen/guid/fpco/pdf/ht12-17-08-att.pdf
• NASFAA Webinar
– http://www.nasfaa.org/EntrancePDF.aspx?id=2579
• eSecurity on the MSU OFA web site
– http://www.finaid.msu.edu/esecurity.asp
How do you Authenticate Identity?
Discuss