
Glossary


Access controls

Access controls are the means by which the ability to use, create, modify, view, etc., is explicitly enabled or restricted in some way (usually through physical and system-based controls).

Account

The combination of user name and password that provides an individual, group, or service with access to a computer system or computer network.

Administrative/special access accounts

Privileged accounts that impact access to an information resource or that allow circumvention of controls in order to administer the information resource.

Anti-malware software

Any software package that detects and/or removes malicious code. This can include anti-virus software and spyware protection.

Authentication

The process of confirming a claimed identity. All forms of authentication are based on something you know, something you have, or something you are.

  • 'Something you know' is some form of information that you can recognize and keep to yourself, such as a personal identification number (PIN) or password.
  • 'Something you have' is a physical item you possess, such as a photo ID or a security token.
  • 'Something you are' is a human characteristic considered to be unique, such as a fingerprint, voice tone, or retinal pattern.

Authorization

The act of granting permission for someone or something to conduct an act. Even when identity and authentication have indicated who someone is, authorization may be needed to establish what actions are permitted.

Availability

The requirement that an asset or resource be accessible to authorized persons, entities, or devices.

Backup

Copy of files and applications made to avoid loss of data and facilitate recovery in the event of a system crash.

Business continuity plan (BCP)

The documentation of a predetermined set of instructions or procedures that describe how an organization's critical business functions will be sustained during and after a significant disruption.

Category-I data

University data protected specifically by federal or state law or Angelo State University rules and regulations (e.g., HIPAA; FERPA; Sarbanes-Oxley; Gramm-Leach-Bliley; the Texas Identity Theft Enforcement and Protection Act; Angelo State University Operating Policy and Procedure; specific donor or employee data). University data that are not otherwise protected by a known civil statute or regulation, but which must be protected due to university contractual agreements requiring confidentiality considerations (e.g., Non-Disclosure Agreements, Memoranda of Understanding, Service Level Agreements, Granting or Funding Agency Agreements, etc.), are also included (see the extended list of Category-I data classification examples in the Data Classification Standards).

Category-II data

University data not otherwise identified as Category-I data, but which are releasable in accordance with the Texas Public Information Act (e.g., contents of specific e-mail, date of birth, salary, etc.). Such data must be appropriately protected to ensure a controlled and lawful release.

Category-III data

University data that are not otherwise identified as Category-I or Category-II data (e.g., publicly available). Such data have no requirement for confidentiality.

Change

Any implementation of new functionality, interruption of service, repair of existing functionality, and/or removal of existing functionality to an information resource.

Change management

The process of controlling modifications to hardware, software, firmware, and documentation to ensure that information resources are protected against improper modification before, during, and after system implementation.

Computer security incident

See Security incident.

Confidential

The classification of data of which unauthorized disclosure/use could cause serious damage to an organization or individual.

Confidential information

Information maintained by the university that is exempt from disclosure under the provisions of the Public Records Act or other applicable state and federal laws. The controlling factor for confidential information is dissemination.

Custodian

The Custodian is responsible for the processing and storage of information. Custodians of information resources will:

  • Implement the controls specified by the Information Owner(s) and required by the Information Security Program.
  • Manage system risk and develop policies/procedures required to protect the system in a manner commensurate with risk.
  • Maintain compliance with ASU information security policies.
  • Provide physical and procedural safeguards for the information resources.
  • Assist Information Owners in evaluating the cost-effectiveness of controls and monitoring.
  • Implement the monitoring techniques and procedures for detecting, reporting, and investigating incidents.
  • Ensure availability of information resource per requirements of Information Owner.

Data

See Category-I data.
See Category-II data.
See Category-III data.

Data owner

See Information Owner.

Digital data

The subset of Data (as defined above) that is transmitted by, maintained, or made available in electronic media.

Disaster Recovery Plan (DRP)

A written plan for processing critical IT applications in the event of a major hardware or software failure or destruction of facilities. Such plans are designed to restore operability of the target system, application, or computer facility.

Electronic mail (e-mail)

Any message, image, form, attachment, data, or other communication sent, received, or stored within an electronic mail system.

Electronic mail system

Any computer software application that allows electronic mail to be communicated from one computing system to another.

Electronic media

Any of the following: a) Electronic storage media including storage devices in computers (hard drives, memory) and any removable/transportable digital storage medium, such as magnetic tape or disk, optical disk, or digital memory card; or b) Transmission media used to exchange information already in electronic storage media. Transmission media include, for example, the internet (wide-open), extranet (using internet technology to link a business with information accessible only to collaborating parties), leased lines, dial-up lines, private networks, intranet, and the physical movement of removable/transportable electronic storage media.

Emergency change

When an unauthorized immediate response to imminent critical system failure is needed to prevent widespread service disruption.

Encryption

The process of converting data into a cipher or code in order to prevent unauthorized access. Encryption obfuscates data in such a manner that a specific algorithm and key are required to interpret the cipher or code. The keys are binary values that may be interpretable as the codes for text strings, or they may be arbitrary numbers. The purpose of encryption is to prevent unauthorized access to data while it is either in storage or being transmitted.

Escrow

Data decryption keys or passwords held in trust by a third party to be turned over to the user only upon fulfillment of specific authentication conditions.

Firewall

An access control mechanism that acts as a barrier between two or more segments of a computer network or overall client/server architecture, used to protect internal networks or network segments from unauthorized users or processes. Such devices include hardware that is placed in the network to create separate security zones, provide NAT, and create a point of access control.

Information Owner

Responsible for specified information and establishing the controls for its collection, creation, processing, access, dissemination, and disposal. The owner is usually the head of the respective school or department, unless delegated. The owner of a collection of information is the person responsible for the business results of that system or the business use of the information. Where appropriate, ownership may be shared by managers of different departments. The owner or his designated representatives are responsible for and authorized to:

  • Evaluate and classify sensitivity of the data based upon university data classification standards.
  • Define protection requirements for the data outside of those specified for the classification of the data based on the sensitivity of the data, any legal or regulatory requirements, and business needs.
  • Determine the asset's value.
  • Assign custody of information resources and provide appropriate authority to implement security controls and procedures.
  • Define requirements for access to the data and approve access to information resources.
  • Communicate data protection requirements to the Custodian that processes the data.
  • Specify appropriate controls, based on risk assessment, to protect information resources from unauthorized modification, deletion, or disclosure to meet business needs and compliance requirements.

Information resources

The equipment and software used to collect, record, process, display, and transmit information.

Information resources facilities

Any location that houses information resource equipment (includes servers, hubs, switches, and routers). Facilities are usually dedicated rooms or mechanical/wiring closets in the buildings.

Information Resources Manager (IRM)

Authorized and accountable to the State of Texas for management of the university's information resources to implement security policies, procedures, and guidelines to protect the information resources of the university. The Associate Vice President of Information Technology is designated as the university's IRM. The IRM will:

  • Maintain information as a strategic asset of the university.
  • Provide the resources to enable employees to carry out their responsibilities for securing information resources and data.
  • Review and approve Information Owners and associated responsibilities.

Information Security Officer (ISO)

Responsible for administering the information security functions within the university. The ISO is the university's internal and external point of contact and internal resource for all information security matters. The ISO will:

  • Develop, coordinate and administer the ASU Information Security Program and periodically assess whether the program is implemented in accordance with ASU IT Security policies.
  • Provide consultation on balancing effective IT security with business needs.
  • Develop and maintain an information security awareness program.
  • Provide solutions, guidance, and expertise in IT security.
  • Maintain written IT security policies, standards and procedures as appropriate.
  • Collect data relative to the state of IT security at ASU and communicate it as needed.
  • Provide guidance on the information security requirements of federal, state and local privacy regulations.

Information security program

The elements, structure, objectives, and resources that establish an information resources security function within the university.

Integrity

The accuracy and completeness of information and assets and the authenticity of transactions.

Intellectual property (IP)

Ideas for which property rights are recognized under patent, trademark, or copyright law. Usually a work originating from thought or an idea that is distinct, separate, clearly definable, and novel.

Internet

A global system interconnecting computers and computer networks. The computers and networks are owned separately by a host of organizations, government agencies, companies, and colleges.

Intrusion detection systems (IDS)

Hardware or a software application that can be installed on network devices or host operating systems to monitor network traffic and host log entries for signs of known and likely methods of intruder activity and attacks. Suspicious activities trigger administrator alarms and other configurable responses.

Lawful intercept

The interception of data on the university network by ISO and IT Networking and Telecommunications staff, in accordance with local law and after following due process and receiving proper authorization from the appropriate authorities.

Local area network (LAN)

A data communications network spanning a limited geographical area. It provides communication between computers and peripherals at relatively high data rates and relatively low error rates.

Malicious code

Software designed to infiltrate or damage a computer system without the owner’s informed consent. The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or program code including spyware, Trojan horses, viruses, and worms.

Mission critical information resources

Information resources defined to be essential to the University’s function and which, if made unavailable, will inflict substantial harm to the University and the University’s ability to meet its instructional, research, patient care, or public service missions. Mission critical information resources include confidential information and sensitive information.

Network

All associated equipment and media creating electronic transmission between any information resource(s), such as wired, optical, wireless, IP, synchronous serial, telephony, etc.

Offsite storage

Based on data criticality, offsite storage should be in a geographically different location from the campus that does not share the same disaster threat event. Based on an assessment of the data backed up, removing the backup media from the building and storing it in another secured location on the campus may be appropriate.

Owner

See Data Owner.

Password

A string of characters used to verify or “authenticate” a person’s identity.

Perimeter security controls

The first layer of defense against malicious traffic that filters information between university internal networks and the internet.

Personally identifiable information

Any information that alone or in conjunction with other information identifies an individual, including Social Security Numbers, driver's license numbers, military ID numbers, passport ID numbers, passwords/PINs, personal accounts, credit card numbers, protected health information, financial information, criminal history records, unpublished home addresses or phone numbers, biometric data, and any other information that is deemed confidential by law or university policy.

Physical security controls

Devices and means to control physical access to sensitive information and to protect the availability of the information. Examples are physical access systems (fences, mantraps, guards); physical intrusion detection systems (motion detector, alarm system); and physical protection systems (sprinklers, backup generator).

Portable computing devices

Any easily portable device that is capable of receiving and/or transmitting data. These include, but are not limited to, notebook computers, handheld computers, PDAs (personal digital assistants), pagers, and cell phones.

Production system

Any University system, software, or application that is used in the daily operations of the University.

Removable media

Removable media devices permit data to be stored on media that is removable and interchangeable. CDs, DVDs, flash memory, and floppy disks are examples of removable media.

Risk assessment

The process of identifying, evaluating, and documenting the level of impact that may result from the operation of an information system on an organization's mission, functions, image, reputation, assets, or individuals. Risk assessment incorporates threat and vulnerability analyses and considers mitigations provided by planned or in-place security controls.

Risk management

Decisions to accept risk exposures or to reduce vulnerabilities and to align information resources risk exposure with the organization's risk tolerance.

Scheduled change

Formal notification received, reviewed, and approved by the review process in advance of the change being made.

Security administrator

The person charged with monitoring and implementing security controls and procedures for a system. Whereas each university will have one information security officer, technical management may designate a number of security administrators.

Security incident

An event which results in accidental or deliberate unauthorized access, loss, disclosure, modification, disruption, or destruction of information resources. It includes unauthorized probing and browsing; disruption or denial of service; altered or destroyed input, processing, storage, or output of information; or changes to information system hardware, firmware, or software characteristics with or without the users' knowledge, instruction, or intent; viruses and other malicious code; complaints of improper use of information resources; or misrepresentation of identity to gain access to or ownership of an information or communications resource.

Sensitive information

Information maintained by the university that requires special precautions to protect it from unauthorized modification or deletion. Sensitive information may be either public or confidential. It is information that requires a higher than normal assurance of accuracy and completeness. The controlling factor for sensitive information is that of integrity.

Server

Any computer providing a service over the network. Services include, but are not limited to: website publishing, SSH, chat, printing, wireless access, and file sharing.

Single sign-on

A system that allows a user to log in once and access all associated systems without being prompted to log in again.

Spyware

Software that is installed surreptitiously on a computer to intercept or take partial control over the user’s interaction with the computer, without the user’s informed consent. While the term suggests software that secretly monitors the user’s behavior, the functions of spyware include collecting various types of personal information, interfering with control of the computer, changing computer settings, and redirecting web browser activity.

Strong passwords

A strong password is constructed so that it cannot be easily guessed by another user or a "hacker" program. It is typically a minimum number of positions in length and contains a combination of alphabetic, numeric, or special characters and should not be linked to any personal information such as a birth date, social security number, and so on.

System administrator

Person responsible for the effective operation and maintenance of information resources, including implementation of standard procedures and controls, to enforce a university's security policy.

Trojan horse

Destructive programs, usually viruses or worms, that are hidden in an attractive or innocent-looking piece of software, such as a game or graphics program. Victims may receive a Trojan horse program by e-mail or on portable media, often from another unknowing victim, or may be urged to download a file from a website.

Unauthorized disclosure

The intentional or unintentional revealing of restricted information to people who do not have a legitimate need to access that information.

Unscheduled change

Failure to present notification to the formal process in advance of the change being made. Unscheduled changes will only be acceptable in the event of a system failure or the discovery of a security vulnerability.

User

An individual, automated application, or process that is authorized by the Information Owner to access the resource, in accordance with the Information Owner's procedures and rules. The user is any person who has been authorized by the Information Owner to read, enter, or update that information. The user is the single most effective control for providing adequate security. The user has the responsibility to:

  • Read and comply with university IT security policies.
  • Report breaches of information security, actual or suspected, to the Information Security Office.
  • Take reasonable and prudent steps to protect the security of information resources and data to which access has been granted.
  • Use the resource only for the purpose specified by the Information Owner.
  • Comply with controls established by the Information Owner or Custodian.

Virtual private network (VPN)

Encrypted connections over a larger network, typically over the Internet, which simulate the behavior of direct, local connections.

Virus

A computer virus refers to a program that enters your computer—often through e-mail or Internet downloads—and makes copies of itself, spreading throughout your computer and files. There is a wide range of computer viruses out there. They can be anything from merely annoying to horribly damaging—deleting files or making your computer inoperable. Viruses attach themselves to an application on a computer and aren't actually executed until that application is accessed or run.

Web page

A document on the World Wide Web. Every web page is identified by a unique URL (uniform resource locator).

Web server

A computer that delivers (serves up) web pages.

Website

A location on the World Wide Web, accessed by typing its address (URL) into a web browser. A website always includes a home page and may contain additional documents or pages.

World Wide Web

Also referred to as “the Web.” A system of Internet hosts that supports documents formatted in HTML (hypertext markup language), which contain links to other documents (hyperlinks) and to audio, video, and graphic images. Users can access the Web with special applications called browsers, such as Firefox and Microsoft Internet Explorer.

Worm

A program that makes copies of itself elsewhere in a computing system. These copies may be created on the same computer or may be sent over networks to other computers. The first use of the term described a program that copied itself benignly around a network, using otherwise-unused resources on networked machines to perform distributed computation. Some worms are security threats, using networks to spread themselves against the wishes of the system owners and disrupting networks by overloading them. A worm is similar to a virus in that it makes copies of itself, but different in that it need not attach to particular files or sectors at all.