Profile

Chris Gregg


My Content

Posted By Chris Gregg 03-01-2024 05:33:02 AM
Found In Egroup: CIO
+1. This is what we do as well. Chris Chris Gregg Associate Vice President of Information Security & Risk Management, CISO Innovation & Technology Services (ITS) csgregg@stthomas.edu p 1 (651) 962-6265 University of St. Thomas | stthomas.edu
Posted By Chris Gregg 01-25-2024 02:55:00 PM
Found In Egroup: HEISC Privacy
Apologies if this has been covered but I didn't see anything in the archives. How are you preparing for the new Google Consent Mode V2 that is coming in March 2024? The new rules will change how Google Analytics data is collected and for us one of the biggest changes appears to be a requirement for a ...
Posted By Chris Gregg 01-24-2024 09:01:18 AM
Found In Egroup: CIO
We're not grabbing adjacent domains at this time. We've decided that is too much of a whack-a-mole game given all of the TLD's and possible spelling variations. Chris
Posted By Chris Gregg 01-19-2024 07:37:36 AM
Found In Egroup: Cybersecurity
We have not blocked Bing Chat or any of the specific AI sites/tools at this point. We have shared some initial guidance about using AI tools safely and properly with some early adopters, and are in the process of re-sharing that more broadly with campus. Another thing we are pointing out in the process ...
Posted By Chris Gregg 01-03-2024 09:09:08 AM
Found In Egroup: CIO
We have a fairly new technology intake process in place here, and cost is just one component of the equation. We're trying to cast a wide net now, and may refine things as we go since we probably don't have the capacity to thoroughly review everything. The current examples we list on Technology ...
Posted By Chris Gregg 11-01-2023 09:42:55 AM
Found In Egroup: Cybersecurity
I need to look into this myself, but does the BAA for HIPAA apply to your entire Zoom environment? We have one as well and it was my understanding that we have a separate instance for that and the BAA applies to only that "HIPAA" instance. Chris
Posted By Chris Gregg 10-31-2023 07:53:57 AM
Found In Egroup: Cybersecurity
Funny you mention that. Last week we were discussing our stance on the new Zoom AI features and whether we wanted to enable them. And then just yesterday I was in a meeting where a colleague used Otter.ai to take notes. It turns out our Zoom admins had allowed the plugin quite a while ago and we have ...
Posted By Chris Gregg 09-06-2023 09:27:42 AM
Found In Egroup: HEISC 800-171 Compliance
We'd be interested in hearing more about this as well. Chris
Posted By Chris Gregg 08-30-2023 06:28:03 AM
Found In Egroup: HEISC Privacy
That makes sense, and we've dealt with that a little from an account termination perspective and getting people back into Banner Self-Service for tax forms. For data retention, I wish we were negotiating in terms of months rather than years, or at least not "forever" as it is in some cases. C ...
Posted By Chris Gregg 08-29-2023 09:16:19 AM
Found In Egroup: HEISC Privacy
We're just starting down the path so no insights just yet. We're just in the process of updating our data retention policies and schedules and plan to use that as the impetus for making changes. Chris
Posted By Chris Gregg 08-29-2023 07:31:44 AM
Found In Egroup: HEISC Privacy
I can only say that we are exploring this as well, and are also a Banner school. In the mix in our discussions is also how to think about ID#'s for constituents since our current practice is to use the same Banner assigned ID# for everyone. This means that alumni all still technically use their "StudentID" ...
Posted By Chris Gregg 08-22-2023 12:18:37 PM
Found In Egroup: Cybersecurity
We're still using spreadsheets at this point, but we've started to look at getting an actual tool to manage all of our risk and compliance items. As part of that effort, we recently reviewed Isora by SaltyCloud. It looks really good, being higher ed focused and scoped. Chris
Posted By Chris Gregg 04-26-2023 06:39:28 AM
Found In Egroup: Identity and Access Management
We deactivate accounts one year from when the student is marked inactive in the SIS (Banner), due to graduation or inactivity/withdrawal, with countdown communications as the date approaches. Our registrar's office marks students inactive/withdrawn after approximately a year without taking a class. So ...
Posted By Chris Gregg 04-19-2023 11:50:12 AM
Found In Egroup: Cybersecurity
We're figuring this out as well. Our plan for now is to use a VPN + MFA. Long term, I think we'd like to move towards a secure virtual workstation / jump host solution. Chris
Posted By Chris Gregg 03-07-2023 07:34:19 AM
Found In Egroup: CIO
We have a specific process in the faculty handbook for faculty who are designated emeritus faculty in which case they keep their account indefinitely. Otherwise we do not provide e-mail services for retired employees. Thanks, Chris
Posted By Chris Gregg 03-03-2023 07:43:27 AM
Found In Egroup: Identity and Access Management
Am I correct in understanding though that Microsoft is leaving these decisions up to the customer? Azure support for export controls - Azure Government | Microsoft Learn Excerpt from the OFAC section of this page: "Therefore, it would be your responsibility to exclude sanctions targets from ...
Posted By Chris Gregg 03-02-2023 07:14:24 AM
Found In Egroup: HEISC Privacy
We're still sorting through this. We actually have two different GDPR issues in the works. How to handle GDPR language in contracts with EU based study abroad program sites. If/how to include GDPR language in any kind of consent form for students traveling to the EU for study abroad programs. Clearly ...
Posted By Chris Gregg 02-24-2023 08:57:00 AM
Found In Egroup: HEISC Privacy
I am actually a little surprised this has taken so long to come up for us, but are your study abroad students going to EU countries signing GDPR compliant consent forms to share their data with partner organizations? Our study abroad program is being asked by a host program in Italy to have our students ...
Posted By Chris Gregg 02-22-2023 09:24:07 AM
Found In Egroup: HEISC Privacy
I am curious if anyone here has language they like and would share from their privacy policy as it relates to their campus security/safety organization and cases of imminent life safety? Normally we require the Dean of Students to approve access to student information such as contents of their mailbox, ...
Posted By Chris Gregg 02-22-2023 08:11:01 AM
Found In Egroup: Cybersecurity
FWIW, I have used this same NIST 800-63B justification and language to push back with our auditors and explain to the board why we don't cycle passwords for non-privileged accounts and that has satisfied them. Thanks, Chris