Secure UD Glossary
The guide below provides definitions and related resources for the terms used in Secure UD. Use it to explore and learn more about Secure UD and what it offers the University.
- Administrative controls
- Checklist test
- Client system
- Council for Data Governance (CDG)
- Data center
- Data custodian
- Data governance
- Data management
- Data Security Advisory Committee (DSAC)
- Data set
- Data steward
- Data stewardship
- Data trustee
- Disruptive event
- Electronic storage media
- End user
- Functional area
- IT device
- IT resource
- IT security incident
- Legitimate interest
- Level I information
- Level II information
- Level III information
- Local support provider (LSP)
- Mission critical
- Mobile device
- Operational controls
- Portable device
- Privacy statement
- Recovery point objective (RPO)
- Recovery time objective (RTO)
- Remote access
- Risk area
- Risk management objective (RMO)
- Secure UD
- Secure UD Compliance and Risk Survey (Secure UD CARS)
- Secure UD Data Governance & Security Program (Secure UD DGSP)
- Secure UD Data Steward Guide
- Secure UD End User Acknowledgement
- Secure UD Toolkit
- Secure UD Inventory Tool
- Secure UD Security Plan Tool
- Secure UD Training
- Security control
- Security standard
- Server system
- Shared data repository
- Structured walkthrough
- Technical controls
- Technology service provider
- Unit head
- Unit information security plan
- University Acceptable Use of IT Resources Policy
- University activities
- University Data Management and Governance Policy
- University information
- University information classification
- University Information Classification Policy
- University Information Security Policy
- University Incident Response Policy
Security controls that focus on the management of risk and IT resources.
The timeliness and reliability of access to and use of University information.
A test in which a plan or procedure is reviewed to ensure accuracy and consistency.
Any IT device that is a desktop computer or laptop computer.
The preservation of authorized restrictions on University information access and disclosure, including means for protecting personal privacy and proprietary information.
The University council responsible for overseeing the appointment and action of data stewards for each of the University's functional areas. It includes the Chief Information Officer, VP & General Counsel, and other members as appointed by the President and/or his or her delegates.
Important to the business continuity or operational effectiveness of the unit. Loss of integrity or availability of critical IT resources would have moderate short-term impact on business continuity or operational effectiveness.
The combined integrity and availability concerns of University information. Criticality is a reflection of how important data is to business continuity or operational effectiveness.
A group of networked servers used for critical University activities involving data processing, storage, and transmission.
A University entity or employee with operational responsibility to manage a shared data repository on behalf of a data steward.
The responsible oversight of the informational quality, effectiveness, usability, strategic value, and security of data throughout its lifecycle.
The responsible stewardship of data throughout its lifecycle, including acquisition, utilization, maintenance, access, and protection.
The University council responsible for coordinating information security and risk management efforts and monitoring and recommending necessary security actions to the University. It is chaired by the director of IT Security and includes delegates as may be appointed from time to time by data stewards and/or the chair.
A collection of University information used for University activities.
An individual within the University who is the primary institutional authority for a particular data set and who is principally responsible for the management and security of that data set across the institution.
The responsible oversight of a data set, including principal responsibility for the establishment of standards and guidelines for appropriately managing and securing that data across the institution.
An executive officer of the University with the highest level of strategic planning and policy-setting authority and responsibility for a functional area.
An event that requires the execution of a plan or procedure to recover from operational loss.
The network traffic or files containing a user's electronic communications, including telephone conversations, electronic mail or transmission, webpage, or content exchanged with other IP addresses.
Any standalone or integrated electronic media that can be used to store data. Includes optical media, magnetic media, disk drives, and flash drives.
Any individual who accesses and/or utilizes IT resources.
One or more units that have primary responsibility for managing a core University mission or function.
The protection against improper modification or destruction of University information; includes non-repudiation and authenticity.
Any device involved in the processing, storage, or transmission of University information and making use of the University IT infrastructure or attached to the University network. These devices include, but are not limited to, desktop computers, laptop computers, personal digital assistants, server systems, network devices such as routers or switches, and printers.
Any of the full set of University-owned or -controlled IT devices and data involved in the accessing, processing, storage, or transmission of information.
Any event that has resulted in or is likely to result in the compromise of the confidentiality, integrity, or availability of an IT resource, including, but not limited to, breaches or loss or theft of devices.
A requirement to access University information commensurate with an end user's conduct of official University activities.
Also called Low Risk information; University information for which unintentional, unlawful, or unauthorized disclosure would have limited or no adverse effect on organizational operations, organizational assets, individuals, other organizations, or the nation.
Also called Moderate Risk information; University information for which unintentional, unlawful, or unauthorized disclosure would have a moderate adverse effect on organizational operations, organizational assets, individuals, other organizations, or the nation.
Also called High Risk information; University information for which unintentional, unlawful, or unauthorized disclosure would have a significant adverse effect on organizational operations, organizational assets, individuals, other organizations, or the nation.
An individual or unit with primary responsibility for the installation, configuration, security, and ongoing maintenance of an IT device.
Vital to the business continuity or operational effectiveness of the unit. Loss of integrity or availability of mission critical IT resources would have significant short-term impact on business continuity or operational effectiveness.
Any IT device that is a mobile phone or tablet.
Necessary to the business continuity or operational effectiveness of the unit. Loss of integrity or availability of non-critical IT resources would have limited or no short-term impact on business continuity or operational effectiveness.
Security controls that are implemented primarily by people rather than by IT devices.
Any IT device that is a laptop computer, mobile device, or removable electronic storage media.
- Secure UD Data Governance & Security Program (SC 1, SC 2)
A posted notice of website practices for obtaining and using data from visitors to that website.
The targeted maximum time period for which data might be lost as a result of a disruptive event before incurring unacceptable consequences associated with a break in business continuity. Simplified: the acceptable extent of data loss due to a disruptive event.
- Secure UD Data Governance & Security Program (CP 2.1.1, CP 2.2.1)
The targeted duration of time and degree of business process resumption required following a disruptive event to avoid unacceptable consequences associated with a break in business continuity. Simplified: the acceptable duration of downtime following a disruptive event.
- Secure UD Data Governance & Security Program (CP 2.1.1, CP 2.2.1)
Access to an IT resource through an off-network connection.
One of 10 broad groups of IT security risks posed to the University.
One of 25 specific goals for managing and mitigating risk to the University.
The University's comprehensive, risk-driven information security initiative.
A lightweight, streamlined unit compliance and risk assessment tool based on the requirements of the Secure UD DGSP.
The University's comprehensive plan for IT and information-related information security and risk management.
A tool to assist data stewards in identifying, classifying, and defining protection requirements for the data sets from their functional areas.
A written acknowledgement of every individual's responsibility to safeguard the confidentiality of University information in their care.
A tool to assist units in inventorying their IT resources; contains both a business process and data inventory and an IT device inventory.
A tool to assist unit heads in developing and writing unit information security plans.
A bundle containing the Secure UD tools and resources necessary for unit heads to begin implementing Secure UD within their units.
The University's modular, online, self-paced, comprehensive information security and awareness training program.
An administrative, operational, and/or technical requirement or recommendation for meeting security standards.
A requirement for achieving risk management objectives and compliance with laws, regulations, and policies.
Any IT device that provides application, system, or network services to other information systems.
A collection of University information to which multiple individuals or entities have access.
A test in which a plan or procedure is executed during a mock disruptive event to ensure its function.
A test in which a plan or procedure is reviewed step by step with the individuals responsible for its execution to ensure accuracy and consistency.
Security controls that are implemented primarily by IT devices according to their hardware, software, and firmware.
A University unit or third-party vendor that provides online services for the University.
A University department, school, institute, program, office, initiative, center, or other operating unit.
A University official with the highest level of authority over the day-to-day management or oversight of a unit's operation.
A document that describes a unit's requirements, including the security controls and processes, for compliance with the Secure UD DGSP and applicable laws, policies, regulations, and contractual obligations.
The University policy that establishes the governing philosophy and general rules for regulating use of the University's IT resources.
Actions, processes, and procedures that support University missions, administration, or operation. For the purposes of policy, University activities do not include an individual's personal scholarship, pedagogy, or academic research.
Either: required or permitted by a University contract; or approved by a unit head in the interests of facilitating the unit's administrative, operational, or technical ability to fulfill its missions or functions.
The University policy that establishes the rules, roles, and responsibilities for data management at the University.
The University policy that establishes privacy requirements for e-communications and IT data.
Any information from the University's purview, including information that the University may not own but that is governed by laws and regulations to which the University is held accountable. Encompasses all data that pertains to or supports the administration and missions, including research, of the University.
Any of the three categories of University information that have different security requirements based on their potential impact due to a loss of confidentiality, integrity, or availability.
The University policy that establishes the University information classifications and requires that all University information be classified.
The University policy that establishes a University-wide information security framework and the administrative, operational, and technical requirements for information security and risk management.
The University policy that establishes rules, responsibilities, and procedures for reporting, investigating, and responding to IT security incidents.
The University policy that establishes requirements for posting privacy statements on University websites.
Any user of a University website.