Secure UD Glossary
The guide below provides definitions and related resources for the terms used in Secure UD. Use it to explore and learn more about Secure UD and what it offers the University.
Glossary
- Administrative controls
- Availability
- Checklist test
- Clear
- Client system
- Confidentiality
- Council for Data Governance (CDG)
- Critical
- Criticality
- Cryptographic Erase
- Data center
- Data custodian
- Data governance
- Data management
- Data Security Advisory Committee (DSAC)
- Data set
- Data steward
- Data stewardship
- Data trustee
- Degauss
- Destroy
- Disposal
- Disruptive event
- E-communications
- Electronic storage media
- End user
- Functional area
- Integrity
- IT device
- IT resource
- IT security incident
- Legitimate interest
- Level I information
- Level II information
- Level III information
- Local support provider (LSP)
- Media Sanitization
- Mission critical
- Mobile device
- Non-critical
- Operational controls
- Portable device
- Privacy statement
- Purge
- Recovery point objective (RPO)
- Recovery time objective (RTO)
- Remote access
- Risk area
- Risk management objective (RMO)
- Risk management objective (RMO)
- Secure UD
- Secure UD Compliance and Risk Survey (Secure UD CARS)
- Secure UD Data Governance & Security Program (Secure UD DGSP)
- Secure UD Data Steward Guide
- Secure UD End User Acknowledgement
- Secure UD Toolkit
- Secure UD Inventory Tool
- Secure UD Security Plan Tool
- Secure UD Training
- Security control
- Security standard
- Server system
- Shared data repository
- Simulation
- Structured walkthrough
- Technical controls
- Technology service provider
- Unit
- Unit head
- Unit information security plan
- University Acceptable Use of IT Resources Policy
- University activities
- University-approved
- University Data Management and Governance Policy
- University E-Communications Privacy Policy
- University information
- University information classification
- University Information Classification Policy
- University Information Security Policy
- University Incident Response Policy
- University Web Privacy Policy
- Visitor
Secure UD Glossary
Term
Definition
More Information
Security controls that focus on the management of risk and IT resources.
The timeliness and reliability of access to and use of University information.
A test in which a plan or procedure is reviewed to ensure accuracy and consistency.
- Secure UD Data Governance & Security Program (CP 1.1.2, CP 2.1.2)
A method of sanitization that applies logical techniques to sanitize data in all user-addressable storage locations for protection against simple, non-invasive data recovery techniques using the same interface that is available to the user. Typically applied through the standard read and write commands to the storage device, such as by rewriting with a new value or using a menu option to reset the device to the factory state, where rewriting is not supported.
A purge sanitization technique in which the encryption key (i.e., either the MEK or the KEK protecting the MEK) for encrypted target data is sanitized, making recovery of the decrypted target data infeasible.
Any IT device that is a desktop computer or laptop computer.
The preservation of authorized restrictions on University information access and disclosure, including means for protecting personal privacy and proprietary information.
The University council responsible for overseeing the appointment and action of data stewards for each of the University's functional areas. It includes the Chief Information Officer, VP & General Counsel, and other members as appointed by the President and/or his or her delegates.
Important to the business continuity or operational effectiveness of the unit. Loss of integrity or availability of critical IT resources would have moderate short-term impact on business continuity or operational effectiveness.
The combined integrity and availability concerns of University information. Criticality is a reflection of how important data is to business continuity or operational effectiveness.
A group of networked servers used for critical University activities involving data processing, storage, and transmission.
A University entity or employee with operational responsibility to manage a shared data repository on behalf of a data steward.
The responsible oversight of the informational quality, effectiveness, usability, strategic value, and security of data throughout its lifecycle.
The responsible stewardship of data throughout its lifecycle, including acquisition, utilization, maintenance, access, and protection.
The University council responsible for coordinating information security and risk management efforts and monitoring and recommending necessary security actions to the University. It is chaired by the director of IT Security and includes delegates as may be appointed from time to time by data stewards and/or the chair.
A collection of University information used for a University activities.
An individual within the University who is the primary institutional authority for a particular data set and who is principally responsible for the management and security of that data set across the institution.
The responsible oversight of a data set, including principal responsibility for the establishment of standards and guidelines for appropriately managing and securing that data across the institution.
An executive officer of the University with the highest level of strategic planning and policy-setting authority and responsibility for a functional area.
To reduce the magnetic flux to virtual zero by applying a reverse magnetizing field. Degaussing any current generation hard disk will render the drive permanently unusable since these drives store location information on the hard drive. Also called “demagnetizing.”
A method of sanitization that renders target data recovery infeasible using state-of-the-art laboratory techniques and results in the subsequent inability to use the media to store data.
A release outcome following the decision that media does not contain sensitive data. This occurs if the media never contained sensitive data or after sanitization techniques are applied and the media no longer contains sensitive data.
An event that requires the execution of a plan or procedure to recover from operational loss.
- Secure UD Data Governance & Security Program (CP 1.1.2, CP 2.1.2)
The network traffic or files containing user's electronic communications, including telephone conversations, electronic mail or transmission, webpage, or content exchanged with other IP addresses.
Any standalone or integrated electronic media that can be used to store data. Includes optical media, magnetic media, disk drives, and flash drives.
Any individual who accesses and/or utilizes IT resources.
One or more units that have primary responsibility for managing a core University mission or function.
The protection against improper modification or destruction of University information; includes non-repudiation and authenticity.
Any device involved in the processing, storage, or transmission of University information and making use of the University IT infrastructure or attached to the University network. These devices include, but are not limited to, desktop computers, laptop computers, personal digital assistants, server systems, network devices such as routers or switches, and printers.
Any of the full set of University-owned or -controlled IT devices and data involved in the accessing, processing, storage, or transmission of information.
Any event that has or is likely to result in the compromise of the confidentiality, integrity, or availability of an IT resource, including, but not limited to, breaches or loss or theft of devices.
A requirement to access University information commensurate with an end user's conduct of official University activities.
Also called Low Risk information; University information for which unintentional, unlawful, or unauthorized disclosure would have limited or no adverse effect on organizational operations, organizational assets, individuals, other organizations, or the nation.
Also called Moderate Risk information; University information for which unintentional, unlawful, or unauthorized disclosure would have a moderate adverse effect on organizational operations, organizational assets, individuals, other organizations, or the nation.
Also called High Risk information; University information for which unintentional, unlawful, or unauthorized disclosure would have a significant adverse effect on organizational operations, organizational assets, individuals, other organizations, or the nation.
An individual or unit with primary responsibility for the installation, configuration, security, and ongoing maintenance of an IT device.
Vital to the business continuity or operational effectiveness of the unit. Loss of integrity or availability of mission critical IT resources would have significant short-term impact on business continuity or operational effectiveness.
The actions taken to render data written on media unrecoverable by both ordinary and extraordinary means.
Any IT device that is a mobile phone or tablet.
Necessary to the business continuity or operational effectiveness of the unit. Loss of integrity or availability of non-critical IT resources would have limited or no short-term impact on business continuity or operational effectiveness.
Security controls that are implemented primarily by people rather than by IT devices.
Any IT device that is a laptop computer, mobile device, or removable electronic storage media.
- Secure UD Data Governance & Security Program (SC 1, SC 2)
A posted notice of website practices for obtaining and using data from visitors to that website.
- University Web Privacy Policy
- Secure UD Data Governance & Security Program (DM 1.2.1, DM 2.2.1)
A method of sanitization that applies physical or logical techniques to render target data recovery infeasible using state-of-the-art laboratory techniques.
The targeted maximum time period for which data might be lost as a result of a disruptive event before incurring unacceptable consequences associated with a break in business continuity. Simplified: the acceptable extent of data loss due to a disruptive event.
- Secure UD Data Governance & Security Program (CP 2.1.1, CP 2.2.1)
The targeted duration of time and degree of business process resumption required following a disruptive event to avoid unacceptable consequences associated with a break in business continuity. Simplified: the acceptable duration of downtime following a disruptive event.
- Secure UD Data Governance & Security Program (CP 2.1.1, CP 2.2.1)
Access to an IT resource through an off-network connection.
One of 10 broad groups of IT security risks posed to the University.
One of 25 specific goals for managing and mitigating risk to the University.
To render access to target data on the media infeasible for a given level of effort.
A lightweight, streamlined unit compliance and risk assessment tool based on the requirements of the Secure UD DGSP.
- Secure UD Compliance and Risk Survey
- Secure UD Data Governance & Security Program (IS 1.1.1, IS 3.1.1)
The University's comprehensive plan for IT and information-related information security and risk management.
A tool to assist data stewards in identifying, classifying, and defining protection requirements for the data sets from their functional areas.
A written acknowledgement of every individual's responsibility to safeguard the confidentiality of University information in their care.
A tool to assist units in inventorying their IT resources; contains both a business process and data inventory and an IT device inventory.
- Secure UD Inventory Tool
- Secure UD Data Governance & Security Program (DM 3.2.1, DM 3.2.2)
A tool to assist unit heads in developing and writing unit information security plans.
- Secure UD Security Plan Tool
- Secure UD Data Governance & Security Program (IS 2.1.1, IS 2.2.2)
A bundle containing the Secure UD tools and resources necessary for unit heads to begin implementing Secure UD within their units.
The University's modular, online, self-paced, comprehensive information security and awareness training program.
An administrative, operational, and/or technical requirement or recommendation for meeting security standards.
A requirement for achieving risk management objectives and compliance with laws, regulations, and policies.
Any IT device that provides application, system, or network services to other information systems.
A collection of University information to which multiple individuals or entities have access.
A test in which a plan or procedure is executed during a mock disruptive event to ensure its function.
- Secure UD Data Governance & Security Program (CP 1.1.2, CP 2.1.2)
A test in which a plan or procedure is reviewed step by step with the individuals responsible for its execution to ensure accuracy and consistency.
- Secure UD Data Governance & Security Program (CP 1.1.2, CP 2.1.2)
Security controls that are implemented primarily by IT devices according to their hardware, software, and firmware.
A University unit or third-party vendor that provides online services for the University.
A University department, school, institute, program, office, initiative, center, or other operating unit.
A University official with the highest level of authority over the day-to-day management or oversight of a unit's operation.
A document that describes a unit's requirements, including the security controls and processes, for compliance with the Secure UD DGSP and applicable laws, policies, regulations, and contractual obligations.
The University policy that establishes the governing philosophy and general rules for regulating use of the University's IT resources.
Actions, processes, and procedures that support University missions, administration, or operation. For the purposes of policy, University activities fo not include an individual's personal scholarship, pedagogy, or academic research.
Either: required or permitted by a University contract; or approved by a unit head in the interests of facilitating the unit's administrative, operational, or technical ability to fulfill its missions or functions.
The University policy that establishes the rules, roles, and responsibilities for data management at the University.
The University policy that establishes privacy requirements for e-communications and IT data.
Any information from the University's purview, including information that the University may not own but that is governed by laws and regulations to which the University is held accountable. Encompasses all data that pertains to or supports the administration and missions, including research, of the University.
Any of the three categories of University information that have different security requirements based on their potential impact due to a loss of confidentiality, integrity, or availability.
The University policy that establishes the University information classifications and requires that all University information be classified.
The University policy that establishes a University-wide information security framework and the administrative, operational, and technical requirements for information security and risk management.
The University policy that establishes rules, responsibilities, and procedures for reporting, investivating, and responding to IT security incidents.
The University policy that establishes requirements for posting privacy statements on University websites.
