Information Security Glossary

The level of Residual Risk that has been determined to be a reasonable level of potential loss/disruption for a specific information system.

The physical or logical capability to view, interact with, or otherwise make use of Information Resources.

The process of granting or denying specific requests to: 1) obtain and use information and related information processing services; and 2) enter specific physical facilities (e.g., data centers, physical plant, mechanical rooms, Network closets, secured buildings, and research laboratories).

A relationship between an information resource (e.g., computer, network, or online service) and a user of that resource. The university assigns and administers a variety of account types, the vast majority being individual user domain accounts. In this policy, the term account refers to accounts of all types, unless a specific type is referenced. The university account types include the following:

• Domain Account – assigned to a single, authorized individual to facilitate access to the Texas State network domain and information resources within that domain.
• Group and Shared Accounts – have more than one authorized user.
• Service Account – assigned to a specific information resource or resource group to facilitate services by an external support provider (a support service account) or to authenticate one system or resource to another (a system service account). 
• Privileged (or Super User) Account – assigned to a single university employee for use in administering university information resources.
• Resource Account – assigned to a specific resource (e.g., meeting room) rather than an individual or group of individuals; resource accounts facilitate the reservation and use of shared resources.
   

Includes all stages of the process of acquiring products or services, beginning with the process for determining the need for the product or service and ending with contract completion and closeout.

Rights granted to a Privileged User.

A claim of a named quality or characteristic inherent in or ascribed to someone or something.

Independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational Procedures.

A chronological record of Information System activities, including records of system Accesses and operations performed in a given period.

Events which are significant and relevant to the security of Information Systems and the environments in which those systems operate in order to meet specific and ongoing Audit needs. Audit events can include, for example, Password changes, failed logons, or failed accesses related to Information Systems, Administrative Privilege usage, or third-party credential usage.

Verifying the Identity of a User, process, or Device, often as a prerequisite to allowing Access to resources in an Information System.

The means used to confirm the Identity of a User, process, or Device (e.g., User Password or token).

The right or a permission that is granted to a system entity to access a system resource.

All components of an Information System to be authorized for operation by an Authorizing Official and excludes separately authorized systems, to which the Information System is connected.

Official with the authority to formally assume responsibility for operating an Information System at a level of Acceptable Risk to institution operations (including mission, functions, image, or reputation), institution assets, or individuals.

The security objective of ensuring timely and reliable Access to and use of information.

See: Guideline

The documentation of a predetermined set of instructions or Procedures that describe how the institution’s mission/business processes will be sustained during and after a significant disruption.

Process or operation performed routinely to carry out a part of the mission of an institution.

An analysis of an Information System’s requirements, functions, and interdependencies used to characterize system contingency requirements and priorities in the event of a significant disruption.

The entity in a Public Key Infrastructure (PKI) that is responsible for issuing public-key certificates and exacting compliance to a PKI policy. Also known as a Certification Authority.

Tools that facilitate and enhance group work through distributed technology - where individuals collaborate from separate locations.  Devices can include but are not limited to Networked white boards, cameras, and microphones.

Information that must be protected from unauthorized disclosure or public release based on state or federal law or other legal agreement.

The security objective of preserving authorized restrictions on information Access and disclosure, including means for protecting personal privacy and proprietary information.

Process for controlling modifications to hardware, Firmware, software, and documentation to protect the Information System against improper modifications before, during, and after system implementation.

A collection of activities focused on establishing and maintaining the Integrity of information technology products and Information Systems, through control of processes for initializing, changing, and monitoring the configurations of those products and systems throughout the system development life cycle.

Management policy and Procedures used to guide an institution response to a perceived loss of mission capability. The Contingency Plan is the first plan used by the institutional Risk managers to determine what happened, why, and what to do. It may point to the Continuity of Operations Plan (COOP) or disaster recovery plan (DRP) for major disruptions.

See: Business Continuity Plan (BCP)

Relating to the discipline that embodies the principles, means, and methods for the transformation of Data in order to hide their semantic content, prevent their unauthorized use, or prevent their undetected modification.

Any combination of hardware, Firmware or software that implements Cryptographic functions such as Encryption, Decryption, Digital Signatures, Authentication techniques and random number generation.

The set of hardware, software, Firmware, or some combination thereof that implements Cryptographic logic or processes, including Cryptographic algorithms, and is contained within the cryptographic boundary of the module.

See: Information Custodian

Information in a specific representation, usually as a sequence of symbols that have meaning.

The process of changing ciphertext into plaintext using a Cryptographic algorithm and key.

Any hardware component involved with the processing, storage, or forwarding of information making use of the institutional information technology infrastructure or attached to the Institutional Network. These Devices include, but are not limited to, laptop computers, desktop computers, Servers, and Network Devices such as routers, switches, wireless access points, and printers.

An individual with principal responsibility for the installation, configuration, registration, security, and ongoing maintenance of a Network-connected Device.

The department head charged with overall responsibility for the Networking component in the institution’s inventory records. The Device Owner must designate an individual to serve as the primary Device Administrator and may designate a backup Device Administrator. All Network Infrastructure Devices, (e.g., Network cabling, routers, switches, wireless access points, and in general, any non-endpoint Device) shall be centrally owned and administered.

The result of a Cryptographic transformation of Data which, when properly implemented, provides the services of: 1. origin Authentication, 2. Data Integrity, and 3. signer non-repudiation.

The security control catalog (CC) authored by the Texas Department of Information Resources (DIR) which provides state agencies and higher education institutions specific guidance for implementing security controls in a format that easily aligns with the National Institute of Standards and Technology Special Publication 800-53 Version 4 (NIST SP 800-53 Rev. 4).

The conversion of plaintext information into a code or cipher text using a variable called a "key" and processing those items through a fixed algorithm to create the Encrypted text that conceals the Data's original meaning.

Each Information System process has a distinct address space so that communication between processes is performed in a manner controlled through the security functions, and one process cannot modify the executing code of another process.

An Information System service that is implemented outside of the Authorization Boundary of the institutional Information System (i.e., a service that is used by, but not a part of, the institutional Information System) and for which the institution typically has no direct control over the application of required security controls or the assessment of security control effectiveness. Examples include but are not limited to externally hosted or cloud-based Information Systems.

A network not controlled by the institution.

A standard for adoption and use by federal departments and agencies that has been developed within the Information Technology Laboratory and published by the National Institute of Standards and Technology, a part of the U.S. Department of Commerce. A FIPS covers some topic in information technology in order to achieve a common level of quality or some level of interoperability.

An inter-network connection device that restricts data communication traffic between two connected networks. A firewall may be either an application installed on a general-purpose computer or a dedicated platform (appliance), which forwards or rejects/drops packets on a Network. Typically, firewalls are used to define zone borders. Firewalls generally have rules restricting which ports are open.

Computer programs and Data stored in hardware - typically in read-only memory (ROM) or programmable read-only memory (PROM) - such that the programs and Data cannot be dynamically written or modified during execution of the programs.

Guidelines provide guidance for achieving additional positive outcomes. Guidelines are not compulsory unless explicitly stated, but they should still be followed when practicable. Guidelines can also be used as prescriptive or informational documents.

The process of discovering the true Identity (i.e., origin, initial history) of a person or item from the entire collection of similar persons or items.

Unique Data used to represent a person’s Identity and associated Attributes. A name or a card number are examples of Identifiers. Note: This also encompasses non-person entities.

The set of Attributes by which an entity is recognizable and that, within the scope of an Identity manager’s responsibility, is sufficient to distinguish that entity from any other entity.

The mitigation of violations of security policies by using Best Practices.

A department, agency, or Third-Party Provider responsible for implementing the Information Owner-defined controls and Access to an Information Resource.

A person(s) with statutory or operational authority for specified information or Information Resources.

Agency employees performing administrative, security, governance, or compliance activities on information technology systems. These types of employees generally have an occupational Category of “Information Technology” per the Texas State Auditor’s Office or similar duties.

the Procedures, equipment, and software that are employed, designed, built, operated, and maintained to collect, record, process, store, retrieve, display, and transmit information, and associated personnel including consultants and contractors.  Information Resources include but are not limited to:

• all physical and logical components, wired or wireless, of the Institutional Network;
• any Device that connects to or communicates electronically via the Institutional Network, including computers, printers, and communication Devices, both portable and fixed;
• any fixed or portable storage Device or media, regardless of ownership, that contains institution Data;
• all Data created, collected, recorded, processed, stored, retrieved, displayed, or transmitted using Devices connected to the Institutional Network;
• all computer software and services licensed by the institution;
• support staff and services employed or contracted by the institution to deploy, administer, or operate the above-described resources or to assist the community in effectively using these resources;
• Devices, software, or services that support the operations of the institution, regardless of physical location (e.g., SAAS, PAAS, IAAS, cloud services); and
• telephones, audio and video conferencing systems, phone lines, and communications systems provided by the institution.

The planning, budgeting, organizing, directing, training, controlling, and management activities associated with the burden, collection, creation, use, and dissemination of information by institutions.

The protection of information and Information Systems from Unauthorized Access, use, disclosure, disruption, modification, or destruction in order to provide Confidentiality, Integrity, and Availability.

The individual designated by the institution head who has the explicit authority and the duty to administer Information Security requirements institution wide.

An interconnected set of Information Resources that share a common functionality. An Information System normally includes, but is not limited to, hardware, software, Network Infrastructure, information, applications, communications and people.

All components of an Information System to be authorized for operation by an Authorizing Official and excludes separately authorized systems, to which the Information System is connected.

These include but are not limited to Firewalls, electronic mail Servers, web Servers, proxy Servers, Remote Access Servers, workstations, notebook computers, and mobile Devices.

See: Information Custodian

Organizations, departments, facilities, or personnel responsible for a particular system’s process.

The Data transport and communications infrastructure at the institution. It includes the campus backbone, local area networks, and all equipment connected to those Networks (independent of ownership).

The security objective of guarding against improper information modification or destruction, including ensuring information non-repudiation and authenticity. See also: Confidentiality, Availability

A document that regulates security-relevant aspects of an intended connection between an agency and an external system. It regulates the security interface between any two systems operating under two different distinct authorities. It includes a variety of descriptive, technical, procedural, and planning information. It is usually preceded by a formal MOA/MOU that defines high- level roles and responsibilities in management of a cross-domain connection.

The single, interconnected, worldwide system of commercial, governmental, educational, and other computer Networks that share (a) the protocol suite specified by the Internet Architecture Board (IAB) and (b) the name and address spaces managed by the Internet Corporation for Assigned Names and Numbers (ICANN).

A computer Network, especially one based on Internet technology, that the institution uses for its own internal (and usually private) purposes and that is closed to outsiders.

The principle that a security architecture should be designed so that each entity is granted the minimum system resources and Authorizations that the entity needs to perform its function.

Rogue computer programs designed to inflict a magnitude of harm by diminishing the Confidentiality, Integrity and Availability of Information Systems and information.

Software or Firmware intended to perform an unauthorized process that will have adverse impact on the Confidentiality, Integrity, or Availability of an Information System. A virus, worm, Trojan horse, or other code-based entity that infects a host. Spyware and some forms of adware are also examples of Malware.

An interface within an Information System that provides boundary protection capability using automated mechanisms or Devices.

The security controls (i.e., safeguards or countermeasures) for an Information System that focus on Risk Management and the management of Information System security.

Tools designed to facilitate decision making and improve performance and accountability through collection, analysis, and reporting of relevant performance-related Data.

Information Resources defined by the owner or by the institution to be crucial to the continued performance of the mission. Unavailability of such Information Resources would result in more than an inconvenience. An event causing the unavailability of Mission Critical Information Resources would result in consequences such as: significant financial loss, institutional embarrassment, failure to comply with regulations or legal obligations.

a portable computing device that has a small form factor such that it can easily be carried by a single individual; designed to operate without a physical connection (e.g., wirelessly transmit or receive information); and powered on for extended periods of time with a self-contained power source. Mobile Devices may also include voice communication capabilities, on-board sensors that allow the device to capture (e.g., photograph, video, record, or determine location) information, and/or built-in features for synchronizing local data with remote locations.

Information System(s) implemented with a collection of interconnected components. Such components may include routers, hubs, cabling, telecommunications controllers, key distribution centers, and technical control Devices.

A unique number associated with a Device’s Network connection used for the routing of traffic across the Internet or another Network. Also known as Internet Protocol Address or IP Address.

A unique identifier assigned by the university to an account and its owner. The NetID is used with its associated password to authenticate the account owner’s identity when accessing Texas State information resources

The hardware and software resources of an entire Network that enable Network connectivity, communication, operations and management of an enterprise Network. It provides the communication path and services between Users, processes, applications, services and External Networks/the Internet. These include but are not limited to cabling, routers, switches, hubs, Firewall appliances, wireless access points, virtual private network (VPN) Servers, network address translators (NAT), proxy Servers, and dial-up Servers.

Acronym: National Institute of Standards and Technology is a non-regulatory federal agency within the U.S. Department of Commerce. NIST's mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve overall quality of life.

A Device or object connected to a Network.

A User who is not an institutional User (including public Users).

An institutional User that the institution deems to have an affiliation including, for example, faculty, staff, student, contractor, guest researcher, or individual detailed from another organization.

A type of Authenticator comprised of a string of characters (letters, numbers, and other symbols) used to authenticate an Identity or to verify Authorization.

A test methodology in which assessors, typically working under specific constraints, attempt to circumvent or defeat the security features of a system.

A category of personal Identity information as defined by §521.002(a)(1), Business and Commerce Code.

A document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for the milestones.

A Cryptographic key, used with a Cryptographic algorithm, that is uniquely associated with an entity and is not made public.

An Information System account with approved Authorizations of a Privileged User.

A User that is authorized (and therefore, trusted) to perform security-relevant functions that ordinary Users are not authorized to perform.

An operational-level document that details actions needed to implement a security control, configure a solution, or complete a task. Some Procedures may be compulsory, and other Procedures may just be one way of doing something. Procedures specify “how” things need to be done.

Individually identifiable health information about an individual, including demographic information, which relates to the individual's past, present, or future physical or mental health condition, provision of health care, or payment for the provision of health care.

A cryptographic key used with a cryptographic algorithm that is uniquely associated with an entity and that may be made public.

A digital representation of information which at least (1) identifies the Certification Authority issuing it, (2) names or identifies its subscriber, (3) contains the subscriber's Public Key, (4) identifies its operational period, and (5) is digitally signed by the Certification Authority issuing it.

Returning Information Systems to fully operational states.

The point in time to which Data must be recovered after an outage.

The overall length of time an Information System’s components can be in the recovery phase before negatively impacting the institution’s mission or mission/business processes.

Access to an institutional Information System by a User (or an Information System) communicating through an External Network (e.g., the Internet).

Portion of Risk remaining after security measures have been applied.

A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence.

The process of identifying Risks to institutional operations (including mission, functions, image, reputation), institutional assets, individuals, other institutions, resulting from the operation of a system. Part of Risk Management, incorporates threat and Vulnerability analyses, and considers mitigations provided by security controls planned or in place. Synonymous with Risk analysis.

The total process of identifying, controlling, and eliminating or minimizing uncertain events that may adversely affect system resources. It includes Risk analysis, cost benefit analysis, selection, implementation and test, security evaluation of safeguards, and overall security review.

The degree of Risk or uncertainty that is acceptable to an institution.

Access Control based on User roles (i.e., a collection of Authorizations a User receives based on an explicit or implicit assumption of a given role). Role permissions may be inherited through a role hierarchy and typically reflect the permissions needed to perform defined functions within an institution. A given role may apply to a single individual or to several individuals.

The testing and/or evaluation of the management, operational, and technical security controls in an Information System to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.

The characterization of information or an Information System as high, moderate, or low based on an assessment of the potential impact that a loss of Confidentiality, Integrity, or Availability of such information or Information System would have on institutional operations, institutional assets, or individuals.

The categorization of information based on its need for Confidentiality, as determined by federal, state, local laws, policies or regulations.

See: Security Assessment

A category of personal Identity information as defined by §521.002(a)(2), Texas Business and Commerce Code.

A security principle that divides critical functions among different staff members in an attempt to ensure that no one individual has enough information or Access privilege to perpetrate damaging fraud.

A physical or virtual Device that performs a specific service or function on behalf of other Network Devices or Users.

A type of Information Custodian designated by the Server Owner as responsible for performing Server Management functions.

Functions associated with the oversight of Server operations. These include controlling User Access, establishing/maintaining security measures, monitoring Server configuration and performance, and Risk Assessment and mitigation.

An institution employee charged with overall responsibility for the Server asset in the university’s inventory records.

A tactical-level, compulsory requirement to use the same technology, method, security control, baseline, or course of action to uniformly achieve the goals set by policies. Standards specify “what” needs to be done.

Is any incident in which sensitive, confidential or otherwise protected Data in human or machine-readable form is put at Risk because of exposure to unauthorized individuals.

Information that includes but is not limited to, system-state information, operating system and application software, and licenses.

Formal document that provides an overview of the security requirements for an Information System and describes the security controls in place or planned for meeting those requirements.

Service providers, staffing, integrators, vendors, telecommunications, and infrastructure support that are external to the institution.

A person gains logical or physical Access without permission to institutional Information Resources.

An individual, process, or automated application authorized to access an Information Resource in accordance with federal and state law, institution policy, and the Information Owner's Procedures and rules.

Any information other than System Level Information.

Weakness in an Information System, system security Procedures, internal controls, or implementation that could be exploited or triggered by a threat source.

Systematic examination of an Information System or product to determine the adequacy of security measures, identify security deficiencies, provide Data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation.