ISO Technical and Security Glossary

Definitions

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

A

access controls

Access controls are the means by which the ability to use, create, modify, view, etc., is explicitly enabled or restricted in some way (usually through physical and system-based controls).

account

That combination of user name and password that provides an individual, group, or service with access to a computer system or computer network.

asymmetric encryption

Cryptography in which a pair of keys is used to encrypt and decrypt a message. The sender of the message encrypts the message with the recipient’s public key. The recipient then decrypts the message with his/her private key.

authentication

The process of confirming a claimed identity. All forms of authentication are based on something you know, something you have, or something you are.

'Something you know' is some form of information that you can recognize and keep to yourself, such as a personal identification number (PIN) or password.
'Something you have' is a physical item you possess, such as a photo ID or a security token.
'Something you are' is a human characteristic considered to be unique, such as a fingerprint, voice tone, or retinal pattern.

authorization

The act of granting permission for someone or something to conduct an act. Even when identity and authentication have indicated who someone is, authorization may be needed to establish what actions are permitted.

availability

Availability represents the requirement that an asset or resource be accessible to authorized person, entity, or device.

B

backup: Copy of files and applications made to avoid loss of data and facilitate recovery in the event of a system crash.
business continuity plan (BCP): The documentation of a predetermined set of instructions or procedures that describe how an organization's business functions will be sustained during and after a significant disruption.
business impact analysis (BIA): An analysis of an IT system's requirements, processes, and interdependencies used to characterize system contingency requirements and priorities in the event of a significant disruption.

C

category-I data

University data protected specifically by federal or state law or University of Texas rules and regulations (e.g., HIPAA; FERPA; Sarbanes-Oxley, Gramm-Leach-Bliley; the Texas Identity Theft Enforcement and Protection Act; University of Texas System Business Procedure Memoranda; specific donor or employee data). University data that are not otherwise protected by a known civil statute or regulation, but which must be protected due to university contractual agreements requiring confidentiality, integrity, or availability considerations (e.g., Non Disclosure Agreements, Memoranda of Understanding, Service Level Agreements, Granting or Funding Agency Agreements, etc.) are also included (see extended list of Category I data classification examples)

category-II data

University data not otherwise identified as Category-I data, but which are releasable in accordance with the Texas Public Information Act (e.g., contents of specific e-mail, date of birth, salary, etc.) Such data must be appropriately protected to ensure a controlled and lawful release.

category-III data

University data that are not otherwise identified as Category-I or Category-II data (e.g., publicly available). Such data have no requirement for confidentiality, integrity, or availability.

certificate authority (CA)

A trusted third party whose purpose is to sign certificates for network entities it has authenticated using secure means. Other network entities can check the signature to verify that a CA has authenticated the bearer of a certificate.

certificate management plan (or certificate policy)

The administrative policy for key and certificate management. This plan addresses all aspects associated with the generation, production, distribution, accounting, compromise recovery, and administration of encryption key and digital certificates. For an example, refer to the X.500 Certificate Policy for the Virginia Polytechnic Institute and State University.

certificate practice statement (CPS)

A statement of the practices, which a certification authority employs in issuing certificates. See examples at the University of Washington and Virginia Polytechnic Institute and State University.

change

Includes any implementation of new functionality, any interruption of service, any repair of existing functionality, and any removal of existing functionality.

change management

The process of controlling modifications to hardware, software, firmware, and documentation to ensure that information technology resources are protected against improper modification before, during, and after system implementation.

computer incident response team (CIRT)

Personnel responsible for coordinating the response to computer security incidents in an organization.

confidential

The classification of data of which unauthorized disclosure/use could cause serious damage to an organization or individual.

confidential information

Information maintained by state agencies and universities that is exempt from disclosure under the provisions of the Public Records Act or other applicable state and federal laws. The controlling factor for confidential information is dissemination.

custodian

Guardian or caretaker; the holder of data, the agent charged with implementing the controls specified by the owner. The custodian is responsible for the processing and storage of information. The custodians of information resources, including entities providing outsourced information resources services to the university, must:

Implement the controls specified by the owner(s).
Provide physical and procedural safeguards for the information resources.
Assist owners in evaluating the cost-effectiveness of controls and monitoring.
Implement the monitoring techniques and procedures for detecting, reporting, and investigating incidents.

D

data: Research Data are recorded information, regardless of form in which the information may be recorded, that constitutes the original data that are necessary to support research activities and validate research findings. Research data may include but are not limited to: printed records, observations and notes; electronic data; video and audio records, photographs and negatives, etc.

Digital Research Data are defined as the subset of research data as defined below that are transmitted by or maintained in, electronic format and include any of the following: (a) Electronic storage data including storage devices in computers (hard drives, memory) and any removable/transportable digital storage medium, such as magnetic tape or disk, optical disk, or digital memory card; or (b) Transmission data used to exchange information already in electronic storage format. Transmission data include, for example, the Internet (wide-open), extranet (using Internet technology to link a business with information accessible only to collaborating parties), leased lines, dial-up lines, private networks, intranet, and the physical movement of removable/transportable electronic storage data.

Sensitive Digital Research Data are data defined by the university as Category-I data.

Category-I data are university data protected specifically by federal or state law or University of Texas rules and regulations (e.g., HIPAA; FERPA; Sarbanes-Oxley, Gramm-Leach-Bliley; the Texas Identity Theft Enforcement and Protection Act; University of Texas System Business Procedure Memoranda; specific donor or employee data). University data that are not otherwise protected by a known civil statute or regulation, but which must be protected due to university contractual agreements requiring confidentiality, integrity, or availability considerations (e.g., Non Disclosure Agreements, Memoranda of Understanding, Service Level Agreements, Granting or Funding Agency Agreements, etc.) are also included (see extended list of Category I data classification examples).

Category-II data are university data not otherwise identified as Category-I data, but which are releasable in accordance with the Texas Public Information Act (e.g., contents of specific e-mail, date of birth, salary, etc.) Such data must be appropriately protected to ensure a controlled and lawful release.

Category-III data are university data that are not otherwise identified as Category-I or Category-II data (e.g., publicly available). Such data have no requirement for confidentiality, integrity, or availability.
data encrypting keys: Keys used with symmetric key algorithms to apply confidentiality protection to information.
data steward: University representatives, such as faculty, staff, or researchers, who are tasked with managing administrative and/or research data owned by the university. Such data is to be managed by a data steward as a university resource and asset. The data steward has the responsibility of ensuring that the appropriate steps are taken to protect the data and that respective policies and guidelines are being properly implemented. Data Stewards may delegate the implementation of university policies and guidelines to professionally trained campus or departmental IT custodians.
data stewardship: Data stewardship is the formalization of accountability for the management of the university’s data.
database: A collection of records stored in a computer in a systematic way, such that a computer program can consult it to answer questions. Each record is often organized as a set of data elements to facilitate retrieval and sorting. The data retrieved in answer to queries become are then used to make decisions.
digital certificate: A data structure used in a public key system to bind a particular, authenticated individual to a particular public key.
digital signature: A digital signature is a type of electronic signature, which cannot be forged. A digital signature provides verification to the recipient that the file came from the user or entity identified as the sender, and that it has not been altered since it was signed. (See Digital Signature Standard [DSS].)
disaster recovery plan (DRP): A written plan for processing critical IT applications in the event of a major hardware or software failure or destruction of facilities. Such plans are designed to restore operability of the target system, application, or computer facility at an alternate site after an emergency.

E

eCommerce Merchant: A department that processes online Web credit card payments or uses equipment that has an external facing IP address. See also non-eCommerce merchant.
electronic mail system: Any computer software application that allows electronic mail to be communicated from one computing system to another.
electronic mail (e-mail): Any message, image, form, attachment, data, or other communication sent, received, or stored within an electronic mail system.
emergency change: When an unauthorized immediate response to imminent critical system failure is needed to prevent widespread service disruption.
encryption: The process of converting data into a cipher or code in order to prevent unauthorized access. Encryption obfuscates data in such a manner that a specific algorithm and key are required to interpret the cipher or code. The keys are binary values that may be interpretable as the codes for text strings, or they may be arbitrary numbers. The purpose of encryption is to prevent unauthorized access to data while it is either in storage or being transmitted.
escrow: Data decryption keys held in trust by a third party to be turned over to the user only upon fulfillment of specific authentication conditions.
Executive Compliance Committee: A committee, chaired by the President of the university and composed of other executive level members of the faculty and staff, charged with oversight of the university’s institutional compliance program.

F

fixed media: Fixed media devices are distinguished from those in which the data is stored on a cartridge, disk, or other material that is removable and interchangeable. Hard drives are typically fixed media, with platters sealed inside the drive chassis.

H

handling: Handling data relates to when users access, manipulate, change, transfer, or delete data.
hardware security module (HSM): A hardware-based security device that generates, stores and protects cryptographic keys. It provides the foundation for a high-level secure campus certification authority.

I

information security officer (ISO): Responsible to the Information Resource Manager (IRM) for administering the information security functions within the university. The ISO is the university’s internal and external point of contact and internal resource for all information security matters. The ISO leads the Computer Incident Response Team when security incidents occur and reports to the IRM. If an ISO is not designated, the IRM serves in this capacity.
information technology resources: Any and all computer printouts, online display devices, mass storage media, and all computer-related activities involving any device capable of receiving e-mail, browsing web sites, or otherwise capable of receiving, storing, managing, or transmitting data including, but not limited to, mainframes, servers, personal computers, notebook computers, hand-held computers, PDAs, pagers, distributed processing systems, network attached and computer controlled medical and laboratory equipment (that is, embedded technology), telecommunication resources, network environments, telephones, fax machines, printers, and service bureaus. Additionally, it is the procedures, equipment, facilities, software, and data that are designed, built, operated, and maintained to create, collect, record, process, store, retrieve, display, and transmit information.
information technology resources facilities: Any location that houses information technology resource equipment (includes servers, hubs, switches, and routers). Facilities are usually dedicated rooms or mechanical/wiring closets in the buildings.
information technology resources manager (IRM): Responsible to the State of Texas for management of the university’s information technology resources. The designation of a university IRM is intended to establish clear accountability for setting policy for information technology resources management activities, provide for greater coordination of the university’s information activities, and ensure greater visibility of such activities within and between state agencies. The IRM has been given the authority and the accountability by the State of Texas to implement Security Policies, Procedures, Practice Standards, and Guidelines to protect the information technology resources of the university. If the university does not designate an Information Resource Manager, the title defaults to the university's Vice President of Information Technology, and the Vice President of Information Technology is responsible for adhering to the duties and requirements of an IRM.
integrity: The accuracy and completeness of information and assets and the authenticity of transactions.
Internet: A global system interconnecting computers and computer networks. The computers and networks are owned separately by a host of organizations, government agencies, companies, and colleges.
intrusion detection systems (IDS): A device that monitors and analyzes network traffic. An IDS can be used legitimately or illegitimately to capture data being transmitted on a network. Specific signatures or promiscuous sniffing are available options for IDS monitoring.

K

key encrypting keys: Keys used to encrypt other keys using symmetric key algorithms. Key encryption keys are also known as key wrapping keys.
key management: The activities involving the handling of encryption keys and other related security parameters (e.g., passwords) during the entire life cycle of the encryption keys, including their generation, storage, establishment, entry and output, and destruction.
key management infrastructure: The framework and services that provide for the generation, production, distribution, control, accounting, and destruction of all cryptographic material, including symmetric keys, as well as public keys and public key certificates. It includes all elements (hardware, software, other equipment, and documentation); facilities; personnel; procedures; standards; and information products that form the system that distributes, manages, and supports the delivery of cryptographic products and services to end users.
key manager: Controls the generation, storage and distribution of cryptographic keys.

L

lawful intercept: The interception of data on the university network by ISO and ITS-Telecommunications and Networking (ITS-TN), in accordance with local law and after following due process and receiving proper authorization from the appropriate authorities.
local area network (LAN): A data communications network spanning a limited geographical area, a few miles at most. It provides communication between computers and peripherals at relatively high data rates and relatively low error rates.

M

master keys: Keys used to derive other symmetric keys (e.g., data encryption keys, key encrypting keys) using symmetric cryptographic methods.
merchant: University unit that accepts credit card payment for goods, services, or gifts. See also eCommerce merchant and non-eCommerce merchant.
merchant account: The credit card account number assigned by the credit card processor, Global Payments, to permit credit card payment processing.

N

network

All associated equipment and media creating electronic transmission between any information resource(s), such as wired, optical, wireless, IP, synchronous serial, telephony, etc.

network flow

The sequence of packets between given source and destination endpoints.

network operations center (NOC)

Monitors the health of critical services and provides the central coordination of data services for campus.

networking custodian

Network manager or analyst; the holder of network configuration data, the agent charged with implementing the network controls and services specified by the owner or the university. This custodian is responsible for the transfer of information. These custodians, including entities providing outsourced information resources services to the university, must:

Implement the network controls specified by the owner or the university.
Provide physical and procedural safeguards for the network infrastructure.
Assist owners in evaluating the cost-effectiveness of controls and monitoring.
Implement the monitoring techniques and procedures for detecting, reporting, and investigating or troubleshooting network incidents.

non-eCommerce merchant

A department that processes credit card payments with equipment that does not utilize an external facing IP address, such as point-of-sale terminals, cash registers and other types of equipment.

O

offsite storage

Based on data criticality, offsite storage should be in a geographically different location from the campus and a location that does not share the same disaster threat event. Based on an assessment of the data backed up, removing the backup media from the building and storing it in another secured location on the campus may be required.

owner

The authoritative head of the respective college, school, or unit. The owner is responsible for the function that is supported by the resource or for carrying out the program that uses the resources. The owner of a collection of information is the person responsible for the business results of that system or the business use of the information. Where appropriate, ownership may be shared by managers of different departments. The owner or his designated representatives are responsible for and authorized to:

Approve access and formally assign custody of an information resources asset.
Determine the asset's value.
Specify and establish data control requirements that provide security, and convey them to users and custodians.
Specify appropriate controls, based on risk assessment, to protect the state's information resources from unauthorized modification, deletion, or disclosure. Controls shall extend to information resources outsourced by the university.
Confirm that controls are in place to ensure the accuracy, authenticity, and integrity of data.
Confirm compliance with applicable controls.
Assign custody of information resources assets and provide appropriate authority to implement security controls and procedures.
Review access lists based on documented security risk management decisions.

P

packet: An electronic unit of data that is routed between an origin and a destination on a network.
packet data: The part of the packet containing user data and other data or information used by applications.
packet header: The part of the packet that contains protocol, source address, destination address, and other controlling information (including tunneling information).
password: See also strong password. A string of characters used to verify or "authenticate" a person's identity.
physical security controls: Devices and means to control physical access to sensitive information and to protect the availability of the information. Examples are physical access systems (fences, mantraps, guards); physical intrusion detection systems (motion detector, alarm system); and physical protection systems (sprinklers, backup generator).
portable computing devices: Any easily portable device that is capable of receiving and/or transmitting data. These include, but are not limited to, notebook computers, handheld computers, PDAs (personal digital assistants), pagers, and cell phones.
private key: The secret key of a signature key pair used to create a digital signature and/or to decrypt confidential information.
production system: The system environment comprised of hardware, software, and data in which an organization’s data processing is accomplished.
promiscuous mode: Mode of operation in which every data packet transmitted is received and read by every network adapter. Promiscuous mode is often used to monitor network activity.
public key: The publicly available key of a signature key pair used to validate a digital signature and/or to encrypt confidential information.

R

removable media: Removable media devices permit data to be stored on media that is removable and interchangeable. CDs, DVDs, flash memory, and floppy disks are examples of removable media.

S

scheduled change: Formal notification received, reviewed, and approved by the review process in advance of the change being made.
security administrator: The person charged with monitoring and implementing security controls and procedures for a system. Whereas each university will have one Information Security Officer, technical management may designate a number of security administrators.
security incident: In information operations, an assessed event of attempted entry, unauthorized entry, or an information attack on an automated information system. It includes unauthorized probing and browsing; disruption or denial of service; altered or destroyed input, processing, storage, or output of information; or changes to information system hardware, firmware, or software characteristics with or without the users' knowledge, instruction, or intent.
sensitive information: Information maintained by the university that requires special precautions to protect it from unauthorized modification or deletion. Sensitive information may be either public or confidential. It is information that requires a higher than normal assurance of accuracy and completeness. The controlling factor for sensitive information is that of integrity.
server: Any computer providing a service over the network. Services include, but are not limited to: Web site publishing, SSH, chat, printing, wireless access, and file sharing.
sniffing: The interception of data packets traversing a network.
strong passwords: See also password. A strong password is constructed so that it cannot be easily guessed by another user or a "hacker" program. It is typically a minimum number of positions in length and contains a combination of alphabetic, numeric, or special characters.
subscriber: An individual who is the subject or entity designee named or identified in a certificate issued to that individual and possesses a private key, which corresponds to the public key listed in the certificate.
symmetric encryption: Cryptography in which the same key is used to both encrypt and decrypt the message. Requires a separate secure channel to exchange keys.
system: Any device capable of receiving e-mail, browsing web sites, or otherwise capable of receiving, storing, managing, or transmitting data including, but not limited to, mainframes, servers, personal computers, notebook computers, hand-held computers, PDAs, pagers, distributed processing systems, network attached and computer controlled medical and laboratory equipment (that is, embedded technology), telecommunication resources, network environments, telephones, fax machines, printers and service bureaus.
system administrator: Person responsible for the effective operation and maintenance of Information Technology Resources, including implementation of standard procedures and controls, to enforce the university’s security policy.
system development life cycle (SDLC): The scope of activities associated with a system, encompassing the system's initiation, development and acquisition, implementation, operation and maintenance, and ultimately its disposal.
system security plan: Provides a baseline of a system's security. A comprehensive system security plan describes the security controls that are in use, or plan to be used to protect all aspects of the system. Security plans are supported by security policy and can be essential tools that identify weaknesses in the system and document what controls will be added to combat the weaknesses.

T

Trojan horse: Destructive programs--usually viruses or worms--that are hidden in an attractive or innocent-looking piece of software, such as a game or graphics program. Victims may receive a Trojan horse program by e-mail or on a diskette or CD, often from another unknowing victim, or may be urged to download a file from a web site or bulletin board.

U

unauthorized disclosure: The intentional or unintentional revealing of restricted information to people who do not have a legitimate need to access that information.

University of Texas at Austin networks (UTnet): The physical and electronic network infrastructure, currently under the operational administration of Information Technology Services-Telecommunications and Networking (ITS-TN), allowing for inter-network communications between Local Area Networks (LANs) and virtual LANs (VLANs), including access to Internet and advanced research networks.
unscheduled change: Failure to present notification through the review process in advance of the change being made. Unscheduled changes will only be acceptable in the event of a system failure or the discovery of a security vulnerability.
user: An individual, automated application or process that is authorized by the owner to access the resource, in accordance with the owner's procedures and rules. Has the responsibility to (1) use the resource only for the purpose specified by the owner, (2) comply with controls established by the owner, and (3) prevent disclosure of confidential or sensitive information. The user is any person who has been authorized by the owner of the information to read, enter, or update that information. The user is the single most effective control for providing adequate security.

V

vendor: Any person or company that sells goods or services involving information technology resources to The University of Texas at Austin.
virus: A program that attaches itself to an executable file or vulnerable application and delivers a payload that ranges from annoying to extremely destructive. A file virus executes when an infected file is accessed. A macro virus infects the executable code embedded in Microsoft Office programs that allows users to generate macros.

W

web page: A document on the World Wide Web. Every Web page is identified by a unique URL.
web server: A computer that delivers (serves up) Web pages.
web site: A location on the World Wide Web, accessed by entering its address (URL) into a Web browser. A Web site always includes a home page and may contain additional documents or pages
World Wide Web: Also referred to as “the Web.” A system of Internet hosts that supports documents formatted in HTML, which contain links to other documents (hyperlinks) and to audio, video, and graphic images. Users can access the Web with special applications called browsers, such as Netscape Navigator and Microsoft Internet Explorer.
worm: A program that makes copies of itself elsewhere in a computing system. These copies may be created on the same computer or may be sent over networks to other computers. The first use of the term described a program that copied itself benignly around a network, using otherwise-unused resources on networked machines to perform distributed computation. Some worms are security threats, using networks to spread themselves against the wishes of the system owners and disrupting networks by overloading them. A worm is similar to a virus in that it makes copies of itself, but different in that it does not attach to particular files or sectors.