Compliance Narratives

Judgment of Compliance

Narrative

Sam Houston State University (SHSU) takes a number of steps to protect the integrity of educational credentials awarded to students who are enrolled in distance and correspondence education, to protect the privacy of students enrolled in distance and correspondence education, and to ensure that students are notified of any additional fees or charges associated with identity verification.

Students Registering for Distance and Correspondence Courses Are the Same Students Participating in the Courses, Completing the Courses, and Receiving Credit

SHSU ensures the identity of students enrolled in distance and correspondence education courses through the use of secure usernames and passwords. By utilizing the most up-to-date technologies and practices to verify online student identity, SHSU monitors and secures students’ credentials from the moment they are initially established, continuing through subsequent changes and scheduled password refreshers.

Upon acceptance to SHSU, students are provided an opportunity to activate an account. Acceptance into the University generates a communication sequence that permits students to access a secure University web portal where they can establish their passwords according to strict security guidelines. As an added measure of security, the students’ usernames are provided for them. Special emphasis is placed on the importance of creating a secured password that is difficult to decode, as well as the critical nature of safeguarding the username. SHSU students are presented such guidelines and recommendations in a variety of ways, including the dissemination of the User Accounts Password Policy IT-02 [1], which establishes the confidentiality and strength expectations of the credentialing process and outlines explicit responsibilities of the account holder.

Additionally, an FAQ webpage for password guidelines [2] is made available via the Student Resources IT@Sam webpage [3]. From the Student Resources webpage, tutorials are provided on various practices related to computer account activation and changing passwords [4]. Guidelines are also provided via an FAQ pop-up [5] during the password creation and resetting process to promote the creation of hack-resistant passwords of sufficient length and strength. SHSU computer account passwords are valid for 180 days. Students are required to change their password before the 180 days to retain access to their account.

Once account activation has been established, student accounts are authorized to access the resources dictated by their role membership. For example, student accounts will have access to appropriate campus file shares and email with designated quotas, appropriate file servers, a personal website, wireless access, specific applications, and self-service functionality [6].

SHSU continues to enforce the student’s use of the secure login and password to access all SHSU systems for the duration of his/her academic time at the institution, as well as beyond graduation and into the alumni years. All inactive accounts (i.e., accounts that are not being accessed by logging in to a workstation or checking email, etc.) will either be disabled or deleted (depending on the account type) after 180 days of inactivity.

MySam

The controlled student access mentioned above is managed and authenticated via MySam [7]. MySam is the portal, or “front door,” to the Banner Student Information System (SIS). Once logged in, MySam allows authenticated users the ability to access personalized content, University information, and secure systems, such as Banner Self Service (BSS), the academic advising and degree audit tool, DegreeWorks®, the Learning Management System (LMS) Blackboard®, as well as other software programs peripheral to the academic experience, such as Microsoft Outlook for email.

Central Authentication Service (CAS)

Although MySam offers a robust component of identity management at the University, it is only one measure. MySam is additionally supplemented by the institutional adoption and use of CAS. CAS provides an additional layer of verification for credentialing and establishing student identity.

When a student attempts to login and authenticate via MySam, the authentication server redirects the request to CAS. CAS validates the student’s authenticity by checking his/her username and password against the institution’s Active Directory Database. When the authentication succeeds, CAS returns the student to MySam, passing along a security ticket. The application then validates the ticket and provides the application the trusted information about whether a particular user has successfully authenticated.

The CAS protocol establishes and verifies stricter controls over user account verification. All University CAS webpages are protected by an Extended Validation SSL Certificate (EV SSL). This level of certification is currently issued only to institutions that have adopted a more rigorous screening process to prove the user’s identity.

Technical assistance in support of MySam or CAS is provided by IT@Sam from 7:30 a.m. to 10:00 p.m., Monday through Thursday, and from 7:30 a.m. to 5:00 p.m. on Fridays via phone, email, and a self-service ticket system.

Blackboard

SHSU students completing online coursework do so through Blackboard, SHSU’s LMS. Access to Blackboard provides SHSU students right of entry and right to use courses for which they are registered. Blackboard courses contain lectures, discussions, assignments, examinations, and grades, as well as tool extensions for synchronous learning, web conferencing, group work, and student-to-student/student-to-instructor communication. Students may access content only for courses in which they are enrolled.

To verify the authenticity of the registered student, Blackboard uses MySam, which subsequently routes all access requests through CAS. CAS sends a credentialing ticket to its server to identify and authenticate users who attempt to access the Blackboard system with an SHSU username and corresponding password. Only authenticated users obtain access to the LMS.

Technical assistance in support of Blackboard is provided by SHSU Online 24 hours per day Monday through Friday, from 7:00 a.m. to midnight on Saturday, and from 1:00 p.m. to midnight on Sunday.

Proctored Examinations

SHSU regularly researches and adopts best practices regarding authentication of online learners’ identities to ensure that students registered for SHSU online courses are the individuals engaged in and completing the work for those courses. One widely adopted and implemented methodology for supporting the institution’s stated expectations regarding student identification and authentication is test proctoring.

ProctorFree’s [8] remote proctoring feature ensures the integrity of exams by authenticating the student using facial recognition and maintaining continuous identity verification throughout the exam. When a student attempts to use ProctorFree, a facial profile for the student’s associated Blackboard account is created. ProctorFree records video and audio of the student’s exam from the student’s webcam and computer activity for the duration of the test.

ProctorFree serves a critical purpose in the verification of student identity at SHSU, and the faculty widely subscribe to the service, relying heavily on its benefit. On the rare occasion in which a test may call for live proctoring to be conducted in a physical lab setting, alternatives to ProctorFree are afforded to the student and instructor by SHSU Online.

When a distance education student is called upon to complete an examination in a physical lab setting, two options are presented to the learner to assist in the verification of his/her identity:

Testing Center in Local Area. At times, a student may need to attend a physical testing lab for an examination. Although SHSU does not offer a testing center on any of its campuses, distance and correspondence education students may attend a testing center in their local area. These official testing centers require students to produce, prior to the exam, an original and current ID issued by a city/state/federal government agency or the University. Electronic forms of identification in a physical lab are not acceptable. Additionally, the student’s first and last names must match the testing request submitted by the instructor, and the photo on the ID must be clearly recognizable as the student entering the lab.

Public Library Agreement. Another methodology utilized by SHSU in assisting learners who require a physical testing setting is to connect the student with a public library in his or her geographical region that will proctor an exam at no cost. On the rare occasion that this need arises, SHSU Online works on behalf of the learner with a public library in the appropriate geographical region to make testing arrangements. Public libraries adhere to common test proctoring protocols when it comes to the verification of the test taker’s identity, including the authentication of a valid, government-issued ID.

Written Procedures for Protecting the Privacy of Students Enrolled in Distance and Correspondence Education Courses or Programs

SHSU’s written policies and procedures for protecting the privacy of students, inclusive of students enrolled in distance and correspondence education courses and programs, are expressed in the following institutional documents:

• Academic Policy Statement 810806, Student Educational Records [9]
• Student Handbook, SHSU [10]
• Data Standard Guidelines [11]
• Data Access Review Policy IT-05 [12]
• Privacy Rights – Family Education Rights and Privacy Act (FERPA) [13]
• Privacy Rights – Responsibilities as a Faculty and Staff Member [14]
• Privacy Rights – Responsibilities as a Student Employee [15]
• Privacy Rights – Parental Access to Children’s Education Records [16]
• SHSU Information Security Program [17]
• Technology Security Training Policy IT-13 [18]
• User Accounts Password Policy IT-02 [19]
• Annual Security Awareness Training Presentation [20]
• Network Use and Vulnerability Assessment Policy IT-12 [21]
• Firewall Policy IT-21 [22]

These written policies and procedures (a) define the protected student data and related FERPA regulations; (b) establish expectations for University personnel in the use of student data; and (c) provide for a system of accountability and continued monitoring of the institution’s efforts to protect the privacy of all SHSU students, regardless of course or program modality. Each of these policies and procedures is discussed below.

Academic Policy Statement 810806, Student Educational Records [9], was developed to assure compliance with the Family Educational Rights and Privacy Act of 1974 (FERPA) and established protocols for the safekeeping of student educational records. Academic Policy Statement 810806 applies to all students at SHSU, regardless of course or program modality. Student educational records are defined within the policy as “any record maintained by Sam Houston State University, an employee of the University, or an agent of the University which is directly related to a student or former student . . .” Further, the policy designates the following information as directory information in accordance with FERPA regulations:

• The student’s name
• The student’s local and home address
• The student’s major
• The student’s minor
• The student’s local and home telephone numbers
• The student’s degrees, diplomas, and certificates and dates of award
• The student’s honors and awards
• The student’s classification
• The student’s extracurricular activities
• The student’s birth date and place of birth
• Names and addresses of parents or legal guardians of the student
• Weight, height, and related information of athletic team members
• The student’s age, race, sex, and marital status
• The student’s email address

In accordance with section 8.01 of the policy, directory information may be disclosed without a student’s prior written consent at the discretion of the institution; however, all students are afforded the opportunity and right of “refusal to permit the University to designate an item of information as directory information to be released” (sections 8.03 and 8.04). Directory information and the related rights of students to refuse disclosure of such information are also communicated to students via the Student Handbook [10].

Academic Policy Statement 810806, Student Educational Records [9], further establishes expectations of SHSU officials in the handling of student educational records and is applicable to all students, regardless of course or program modality. Section 9.01 of the policy states that “all officials of Sam Houston State University will follow a strict policy that information contained in a student’s educational record is confidential and may not be disclosed to third parties without the student’s prior consent (written or electronic).” Section 9 of the policy also establishes limited personnel access to student educational data through the requirement that SHSU officials have access to student data only for legitimate educational purposes. A legitimate educational purpose is established within section 9.04 of the policy as when an official needs to accomplish any of the following:

• Perform an administrative task that is outlined in the official position description or contract of the individual or that is otherwise related to the individual’s position and duties.
• Perform a supervisory or instructional task directly related to the student’s education.
• Perform a service or provide a benefit for the student such as health care, counseling, student job placement, or student financial aid.

To ensure that personnel have access only to that information for which there is a legitimate educational purpose, SHSU has designated key individuals within each division as data owners and custodians [11]. Data Access Review Policy IT-05 charges these data owners and custodians with ensuring that security of information is maintained by establishing controls to confirm compliance with official procedures and policies [12]. Pursuant with the Data Access Review Policy IT-05, the data owners and custodians must adhere to the following:

• No less than annually, document a complete review of parties having access to data under their area of responsibility.
• Ensure data access reviews are performed more periodically, as deemed necessary by the Data Owner, relative to the risk of the data accessed.
• Ensure any staffing changes are reflected as necessary to access authorizations in a timely manner.
• Ensure data access requests are reviewed and granted or denied as appropriate based on essential University documented need in a timely manner.
• Ensure controls are established as required or deemed necessary by the Data Owner to ensure information security is maintained.
• Maintain documentation of compliance with this policy.

For student educational records, the University Registrar is designated as a data custodian and is tasked with the review of data access requests by university personnel [11]. The University Registrar reviews data access requests for student educational records upon initial employee hiring, changes in employee roles, and annually as an ongoing security measure required by the Data Access Review Policy IT-05 [12]. To gain access to student educational records, personnel must submit the Department Request for Access to INB Banner Student Forms request, communicating their role and department and certifying their completion of required FERPA training [23].

Academic Policy Statement 810806 [9] further requires personnel who have a legitimate educational interest in personally identifiable student information to obtain prior written consent from the student prior to disclosure of such information. However, sections 9.05 and 9.06 of the Student Educational Records policy allows for the disclosure of such data without prior written consent for specific reasons (e.g., the student’s enrollment in another college or university, for federal or state audit purposes, to parties providing financial aid to the student, to comply with a judicial order, in situation of a health or medical emergency).

In addition to the student privacy guidelines established by formal policy, the Registrar at SHSU, who serves as the FERPA campus official, publishes additional information and procedures relating to FERPA on the institution’s website. Privacy rights webpages are published for the various audiences that may be impacted by or involved with the protection of student privacy and are intended to emphasize key FERPA-related information in an easily digestible manner. Privacy rights webpages exist for the following topics: Family Education Rights and Privacy Act (FERPA) [13], Responsibilities as a Faculty and Staff Member [14], Responsibilities as a Student Employee [15], and Parental Access to Children’s Education Records [16].

Regarding the privacy rights webpage [13] that details FERPA, the institution clearly articulates its requirement to “maintain the confidentiality of student educational records.” The webpage also reiterates the list of student data that has been established as directory information under FERPA and is included in Academic Policy Statement 810806 [9] and the Student Handbook [10].

In addition to basic FERPA information, the site provides guidance to University personnel in the use of data contained in the institution’s student information system, Banner SIS. Explanations are provided to employees to assist them in recognizing when a student’s directory information has been restricted for release. Further, the webpage [13] details actions that are specifically prohibited and defined as violations of FERPA:

• Removing any document from the office for non-business purposes is in violation of FERPA.
• Releasing confidential student information (non-directory) to another student, University organization, or any person who does not have a legitimate educational interest, or parents of a dependent student, without the student’s written authorization is in violation of FERPA.
• Leaving reports or computer screens containing confidential student information in view of others who do not have a legitimate educational interest in the data or leaving your monitor unattended is in violation of FERPA.
• Making personal use of student information is in violation of FERPA.
• Allowing another person to use your computer access code is in violation of FERPA.
• Putting paperwork that contains a student’s information (e.g., social security number or grades) in the trash is also in violation of FERPA.

Additional student privacy guidelines for institutional personnel are detailed within the Responsibilities as a Faculty and Staff Member privacy rights webpage [14]. The webpage reminds faculty and staff that the confidentiality, use, and release of student records are governed by FERPA. In addition, the guidelines inform the faculty and staff of the following:

. . . all student information must be treated as confidential. Even public or “directory” information is subject to restriction on an individual basis. Unless your job involves the release of information and you have been trained in that function, any requests for disclosure of information, especially from outside the University, should be referred to the Registrar’s Office.

The Responsibilities as a Faculty and Staff Member privacy rights webpage also reminds faculty and staff of their responsibility for the proper use of their employee computer accounts, passwords, and personal identification numbers in relation to data security [14]. Data security protocols will be addressed in greater depth in the following sections of this narrative.

Much like the privacy rights webpage for faculty and staff, the Responsibilities as a Student Employee webpage exists for student employees [15]. The webpage details the following student privacy expectations:

• No one may make or permit unauthorized use of any information in files maintained, stored, or processed by the office in which they are employed.
• No one is permitted to seek personal benefit or to allow others to benefit personally by knowledge of any confidential information which has come to them by virtue of their work assignment.
• No one is to exhibit or divulge the contents of any record or report to any person except in the conduct of their work assignment and in accordance with University policies and procedures.
• No one may knowingly include, or cause to be included, in any record or report, a false, inaccurate, or misleading entry. No one may knowingly expunge, or cause to be expunged, in any record or report, a data entry.
• No official record or report, or copy thereof, may be removed from the office where it is maintained except in the performance of a person’s duties.
• No one is to aid, abet, or act in conspiracy with another to violate any part of this code.
• Any knowledge of a violation must be immediately reported to the person’s supervisor.

In addition to faculty, staff, and student employee expectations, a privacy rights webpage addresses parental access to student educational records. The Parental Access to Children’s Education Records informs parents and employees that parents have no inherent right to inspect a student’s education records [16].

Although academic policy statements and FERPA guidelines define the protected student data and related FERPA regulations and establish expectations for University personnel in the use of student data, information technology policies and guidelines provide for a system of accountability and continued monitoring of the institution’s ongoing commitment to the privacy of all SHSU students, regardless of learning modality. Specifically, the Division of Information Technology publishes the Information Security Program, [17] designed to “provide direction for managing and protecting the confidentiality, integrity and availability of SHSU information technology resources” and specifies the measures to be taken “to protect these resources against accidental or unauthorized access, disclosure, modification, or destruction, as well as to assure the availability, integrity, utility, authenticity, and confidentiality of information.”

The policies in the Information Security Program apply equally to all individuals granted access privileges to any SHSU information technology resource, to include the following individuals and resources:

• Central and departmentally managed University information technology resources.
• All users employed by SHSU, contractors, vendors, or any other person with access to SHSU’s information technology resources.
• Non-SHSU-owned computing devices that may store protected SHSU information.
• All categories of information, regardless of the medium in which the information asset is held or transmitted (e.g., physical or electronic).
• Information technology facilities, applications, hardware systems, network resources owned or managed by SHSU. This includes third party service providers’ systems that access or store SHSU’s protected information.
• Auxiliary organizations and external businesses and organizations that use University information technology resources must operate those assets in conformity with the SHSU Information Security Program [17].

As on overall goal, the Information Security Program “combines multiple security elements into a management framework that supports the objectives of confidentiality, integrity, and availability” [17]. The Information Security Program addresses the following data security elements:

• Identifying system data owners, providing the data classification standard, and identifying the category of its data.
• Reviewing all authorized users and their security access for each system.
• Providing security awareness training for all employees.
• Performing the risk assessment process and developing the risk mitigation plan.
• Reviewing and updating the disaster recovery plan.
• Reviewing current policies and training programs.
• Creating a security effectiveness report for the President.
• Reviewing the current process and implementing changes as necessary.

As required by the Information Security Program, University personnel are required to maintain compliance with all Information Technology policy statements. Two such policy statements, Technology Security Training Policy IT-13 [18] and User Accounts Password Policy IT-02 [19] serve as key elements in the protection of student educational records.

The Technology Security Training Policy IT-13 [18] establishes the requirement that all SHSU employees complete the SHSU Security Awareness Training within 30 days of obtaining initial access to SHSU information technology resources and annually as an ongoing security measure. The Security Awareness Training is delivered in an online format to University personnel and addresses the laws and policies that govern the SHSU security program, the responsibilities of the institution in relation to information security training and education, the responsibilities of University personnel in the use of information technology resources, and the acceptable use basics of being a responsible employee of SHSU. Specific to FERPA expectations, SHSU employees are educated on the regulations established by FERPA, the student-related data that is covered by FERPA, and the expectations of data confidentiality under FERPA [20].

In addition to ongoing training and education, the Division of Information Technology works to ensure the protection of information technology resources, including student educational records, through a user verification account process. All access to information technology resources at SHSU requires an SHSU user account. The User Accounts Password Policy IT-02 [19] requires that SHSU user accounts be protected by passwords, establishes the confidentiality and strength expectations of the user account credentialing process, and outlines the explicit responsibilities of the account holder [19]. Special emphasis is placed on the importance of creating a secured password that is difficult to decode, as well as the critical nature of safeguarding the account.

The Division of Information Technology also works to ensure the protection of student records through the protection of its telecommunications network infrastructure by assuring the reliability, security, integrity, and availability of data. The Network Use and Vulnerability Assessment Policy IT-12 specifies that SHSU will perform periodic vulnerability assessments and network scans to determine if assets hosted on SHSU’s network are vulnerable to any known flaws in the operating system, services, or application [21]. In addition, the Firewall Policy IT-21 establishes that SHSU will have a firewall to filter traffic in order to mitigate risks and to provide a secure environment and secure communications with University information technology resources [22]. SHSU’s firewall policy is a key component of the University’s network security architecture and protects SHSU’s information technology resources from hacking and virus attacks by restricting access to information technology resources.

Technical Pop-Up Reminders

In addition to training efforts and widely posted information regarding FERPA, employees who enter a Student ID into a University system, such as Banner SIS, will receive a pop-up warning message [24]. Additionally, employees are instructed that if the word, “Confidential” is displayed on the top of a Banner form, the employee cannot release any information about that student.

Notifying Students at Time of Registration or Enrollment of any Projected Additional Student Charges Associated With Verification of Student Identity

SHSU does not require distance education or correspondence education students to utilize identity verification services for which they are required to pay an additional charge or fee [25]. Instead, the University makes available to its distance and correspondence education students a number of free identity-verification options. Faculty members are advised to include information regarding these options within course syllabi, and information is also available through Blackboard (the LMS for SHSU) and the SHSU Online website. A list of the identity-verification options utilized by SHSU is provided below.

Testing Center in Local Area

At times, a student may need to attend a physical testing lab for an examination. These official testing centers require students to produce, prior to the exam, an original and current ID issued by a city/state/federal government agency or the University. Electronic forms of identification in a physical lab are not acceptable. Additionally, the student’s first and last names must match the testing request submitted by the instructor, and the photo on the ID must be clearly recognizable as the student entering the lab.

Public Library Agreement

Another methodology utilized by SHSU in assisting learners who require a physical testing setting is to connect the student with a public library in her/her geographical region that will proctor an exam at no cost. On the rare occasion that this need arises, SHSU Online works on behalf of the learner with a public library in the appropriate geographical region to make testing arrangements. Public libraries adhere to common test proctoring protocols when it comes to the verification of the test taker’s identity, including the authentication of a valid, government- issued ID.

Supplementary Proctoring Services

Faculty members are strongly advised to utilize the testing services that are provided, licensed, and paid for by SHSU Online, such as ProctorFree, an on-demand, automated online proctoring service that deters cheating in an online testing environment and provides identity verification at no cost to the learner. Using biometric and machine learning technologies, this innovative technology leverages facial and voice recognition software for identity verification of distance education and correspondence students. The ProctorFree identity verification software is also Americans with Disabilities Act (ADA) compliant and works with the Freedom Scientific JAWS screen reader.

Faculty members are advised to notify learners via the course syllabus of any potential additional cost for proctoring services rendered outside of the free options provided by SHSU Online, with an emphasis on alternative options, including the Public Library Agreements. In no instance will students’ only option be to solicit a supplementary proctoring service with associated fees.

Supporting Documentation