UTPA Information Security Glossary

• 'Something you know' is some form of information that you can recognize and keep to yourself, such as a personal identification number (PIN) or password.  
• 'Something you have' is a physical item you possess, such as a photo ID or a security token.  
• 'Something you are' is a human characteristic considered to be unique, such as a fingerprint, voice tone, or retinal pattern.

• Research Data: recorded information, regardless of form in which the information may be recorded, that constitutes the original data that are necessary to support research activities and validate research findings. Research data may include but are not limited to: printed records, observations and notes; electronic data; video and audio records, photographs and negatives, etc.  
• Digital Research Data: defined as the subset of research data as defined below that are transmitted by or maintained in, electronic format and include any of the following:(a) Electronic storage data including storage devices in computers(hard drives, memory) and any removable/transportable digital storage medium, such as magnetic tape or disk, optical disk, or digital memory card; or (b) Transmission data used to exchange information already in electronic storage format. Transmission data include, for example, the Internet (wide-open), extranet (using Internet technology to link a business with information accessible only to collaborating parties),leased lines, dial-up lines, private networks, intranet, and the physical movement of removable/transportable electronic storage data.  
• Sensitive Digital Research Data:data defined by the university as Category-I data.

Electronic mail system: Any computer software application that allows electronic mail to be communicated from one computing system to another.

Electronic mail (email): Any message, image, form, attachment, data, or other communication sent, received, or stored within an electronic mail system.

Email: Abbreviation for electronic mail.

Emergency Change: When an unauthorized immediate response to imminent critical system failure is needed to prevent widespread service disruption.

Encryption: The process of converting data into a cipher or code in order to prevent unauthorized access. Encryption obfuscates data in such a manner that a specific algorithm and key are required to interpret the cipher or code. The keys are binary values that may be interpretable as the codes for text strings, or they may be arbitrary numbers. The purpose of encryption isto prevent unauthorized access to data while it is either in storage or being transmitted.

Escrow: Data decryption keys held in trust by a third party to be turned over to the user only upon fulfillment of specific authentication conditions.

Fixed Media: Devices distinguished from those in which the data is stored on a cartridge, disk, or other material that is removable and interchangeable. Hard drives are typically fixed media, with platters sealed inside the drive chassis.

Handling: when users access, manipulate, change, transfer, or delete data.

Information Resources (IR): any and all computer printouts, online display devices, mass storage media, and all computer-related activities involving any device capable of receiving email, browsingWeb sites, or otherwise capable of receiving, storing, managing, or transmitting data including, but not limited to, mainframes, servers, personal computers, notebook computers, hand-held computers, personal digital assistant (PDA), pagers, distributed processing systems, network attached and computer controlled medical and laboratory equipment (i.e. embedded technology), telecommunication resources,network environments, telephones, fax machines, printers, and service bureaus. Additionally, it is the procedures, equipment, facilities,software, and data that are designed, built, operated, and maintained to create, collect, record, process, store, retrieve, display, and transmit information.

Information Resources facilities:Any location that houses Information Resource equipment (includes servers, hubs, switches, and routers). Facilities are usually dedicated rooms or mechanical/wiring closets in the buildings.

Information Resources Manager (IRM):Responsible to the State of Texas for management of the agency's Information Resources. The designation of an agency Information Resources Manager is intended to establish clear accountability for setting policy for Information Resources management activities, provide for greater coordination of the state agency's information activities,and ensure greater visibility of such activities within and between state agencies. The Information Resource Manager has been given the authority and the accountability by the State of Texas to implement Security Policies, Procedures, Practice Standards, and Guidelines to protect the Information Resources of the agency. If an agency does not designate an Information Resource Manager, the title defaults to the agency's Executive Director, and the Executive Director is responsible for adhering to the duties and requirements of an Information Resource Manager.

Integrity: The accuracy and completeness of information and assets and the authenticity of transactions.

Internet: A global system interconnecting computers and computer networks. The computers and networks are owned separately by a host of organizations, government agencies, companies, and colleges.

Intrusion Detection Systems (IDS):A device that monitors and analyzes network traffic.

Key Management:activities involving the handling of encryption keys and other related security parameters (e.g., passwords) during the entire life cycle of the encryption keys. This includes their generation, storage, establishment, entry and output, and destruction.

Key Management Infrastructure: The framework and services that provide for the generation, production, distribution, control, accounting, and destruction of all cryptographic material, including symmetric keys, as well as public keys and public key certificates. It includes all elements (hardware, software, other equipment, and documentation); facilities; personnel; procedures; standards; and information products that form the system that distributes, manages, and supports the delivery of cryptographic products and services to end users

Key Manager: Controls the generation, storage and distribution of cryptographic keys.

Lawful Intercept: the interception of data on the university network by the Information Security Office and Network Services, in accordance with local law and after following due process and receiving proper authorization from the appropriate authorities.

Local Area Network (LAN): A data communications network spanning a limited geographical area, a few miles at most. It provides communication between computers and peripherals at relatively high data rates and relatively low error rates.

Merchant: University unit that accepts credit card payment for goods, services,or gifts.

Merchant Account: The credit card account number assigned by the credit card processor, Global Payments, to permit credit card payment processing.

Network: All associated equipment and media creating electronic transmission between any information resource(s), such as wired, optical, wireless, IP, synchronous serial, telephony, etc.

Network Flow: The sequence of packets between given source and destination end points.

Network Operations Center (NOC): Monitors the health of critical services and provides the central coordination of data services for campus.

Networking Custodian: Network manager or analyst; the holder of network configuration data, the agent charged with implementing the network controls and services specified by the owner or the university. This custodian is responsible for the transfer of information. These custodians, including entities providing outsourced information resources services to the university, must:

• Implement the network controls specified by the owner or the university.
 
• Provide physical and procedural safeguards for the network infrastructure.
 
• Assist owners in evaluating the cost-effectiveness of controls and monitoring.
 
• Implement the monitoring techniques and procedures for detecting, reporting, and investigating or troubleshooting network incidents

Non-eCommerce Merchant: a department that processes credit card payments with equipment that does not utilize an external facing IP address, such as point-of-sale terminals, cash registers and other types of equipment.

Offsite Storage: Based on data criticality, offsite storage should be in a geographically different location from the campus and a location that does not share the same disaster threat event. Based on an assessment of the data backed up, removing the backup media from the building and storing it in another secured location on the Campus may be required.

Owner: The manager or agent responsible for the function that is supported by the resource or the individual upon whom responsibility rests for carrying out the program that uses the resources. The owner is responsible for establishing thecontrols that provide the security. The owner of a collection of information is the person responsible for the business results of that system or the business use of the information. Where appropriate,ownership may be shared by managers of different departments.

Packet: an electronic unit of data that is routed between an origin and a destination on a network.

Packet Data: The part of the packet containing user data and other data or information used by applications.

Packet Header: The part of the packet that contains protocol, source address, destination address, and other controlling information (including tunneling information).

Password: A string of characters used to verify or authenticate a user's access.

Physical Security Controls: Devices and means to control physical access to sensitive information and to protect the availability of the information. Examples are physical access systems (fences, mantraps, guards); physical intrusion detection systems (motion detector, alarm system); and physical protection systems (sprinklers, backup generator).

Portable Computing Devices: Any easily portable device that is capable of receiving and/or transmitting data. These include, but are not limited to, notebook computers, handheld computers, PDAs (personal digital assistants), pagers, and cell phones.

Private Key: the secret key of a signature key pair used to create a digital signature and/or to decrypt confidential information.

Production System: The system environment comprised of hardware, software and data in which an organization’s data processing is accomplished.

Promiscuous Mode: mode ofoperation in which every data packet transmitted is received and read by every network adapter. Promiscuous mode is often used to monitor network activity.

Public Key: the publicly available key of a signature key pair used to validate a digital signature and/or to encrypt confidential information.

Removable Media:Removable media devices permit data to be stored on media that is removable and interchangeable. CDs, DVDs, flash memory, and floppy disks are examples of removable media.

Scheduled Change: Formal notification received, reviewed, and approved by the review process in advance of the change being made.

Strong Passwords: A strong password is constructed so that it cannot be easily guessed by another User or a "hacker" program. It is typically a minimum number of positions in length and contains a combination of alphabetic, numeric,or special characters.

Security Administrator: The person charged with monitoring and implementing security controls and procedures for a system. Whereas each agency will have one Information Security Officer, technical management may designate a number of security administrators.

Security Incident: In information operations, an assessed event of attempted entry, unauthorized entry,or an information attack on an automated information system. It includes unauthorized probing and browsing; disruption or denial of service; altered or destroyed input, processing, storage, or output of information; or changes to information system hardware, firmware, or software characteristics with or without the Users' knowledge, instruction, or intent.

Sensitive Information: Information maintained by state agencies that requires special precautions to protect it from unauthorized modification or deletion. Sensitive information may be either public or confidential. It is information that requires a higher than normal assurance of accuracy and completeness. The controlling factor for sensitive information is that of integrity.

Server: A computer program that provides services to other computer programs in the same, or another, computer. A computer running a server program is frequently referred toas a server, though it may also be running other client (and server) programs.

Sniffing: The interception of data packets traversing a network

Strong Passwords: constructed so that it cannot be easily guessed by another user or a "hacker" program.It is typically a minimum number of positions in length and contains a combination of alphabetic, numeric, or special characters. UTPA requires the following:

1. Character length-Minimum of 10 characters
 
2. Complex word not found in a dictionary
 
3. Alphanumeric-numbers and characters i.e.: A thru Z, a thruz, and 0-9
 
4. Case-mixture of upper and lower case i.e.: 1 English Uppercase character and 1 English Lowercase character

System: Any device capable of receiving e-mail, browsing web sites, or otherwise capable of receiving, storing, managing, or transmitting data including, but not limited to, mainframes, servers, personal computers, notebook computers, hand-held computers, Personal Data Assistants, pagers,distributed processing systems, network attached and computer controlled medical and laboratory equipment (that is, embedded technology), telecommunication resources, network environments, telephones, fax machines, printers, and service bureaus.

System Administrator: Person responsible for the effective operation and maintenance of Information Resources, including implementation of standard procedures and controls, to enforce an organization's security policy.

System Development Life Cycle (SDLC): the scope of activities associated with a system, encompassing the system's initiation, development and acquisition, implementation,operation and maintenance, and ultimately its disposal.

System Security Plan: Provides a baseline of a system's security. A comprehensive system security plan describes the security controls that are in use, or plan to be used to protect all aspects of the system. Security plans are supported by security policy and can be essential tools that identify weaknesses in the system and document what controls will be added to combat the weaknesses.

Trojan Horse: Destructive programs-usually viruses or worms-that are hidden in an attractive or innocent-looking piece of software, such as a game or graphics program. Victims may receive a Trojan horse program by email or on a diskette or CD, often from another unknowing victim, or may be urged to download a file from a Web site or bulletin board.

Unauthorized Disclosure: the intentional or unintentional revealing of restricted information to people who do not have a legitimate need to access that information.

Unscheduled Change: Failure to present notification through the review process in advance of the change being made. Unscheduled changes will only be acceptable in the event of a system failure or the discovery of a security vulnerability.

User: An individual, automated application or process that is authorized by the owner to access the resource, in accordance with the owner's procedures and rules. Has the responsibility to (1) use the resource only for the purpose specifiedby the owner, (2) comply with controls established by the owner, and(3) prevent disclosure of confidential or sensitive information. The user is any person who has been authorized by the owner of the information to read, enter, or update that information. The user is the single most effective control for providing adequate security.

Vendor: someone outside UTPA who exchanges goods or services for money.

Virus: A program that attaches itself to an executable file or vulnerable application and delivers a payload that ranges from annoying to extremely destructive. A file virus executes when an infected file is accessed. A macro virus infects the executable code embedded in Microsoft Office programs that allows users to generate macros.

Web page: A document on the World Wide Web. Every Web page is identified by a unique URL (Uniform Resource Locator).

Web server: A computer that delivers (serves up) web pages.

Website: A location on the World Wide Web, accessed by typing its address (URL) into a Web browser. AWeb site always includes a home page and may contain additional documents or pages

World Wide Web: Also referred to as the Web is a system of Internet hosts that supports documentsformatted in HTML (Hypertext Markup Language), which contains links to other documents (hyperlinks) and to audio, video, and graphic images. Users can access the Web with special applications called browsers, such as Firefox, and Microsoft Internet Explorer.

Worm: A program that makes copiesof itself elsewhere in a computing system. These copies may be createdon the same computer or may be sent over networks to other computers.The first use of the term described a program that copied itselfbenignly around a network, using otherwise-unused resources on networked machines to perform distributed computation. Some worms are security threats, using networks to spread themselves against the wishes of the system owners and disrupting networks by overloading them. A worm is similar to a virus in that it makes copies of itself, but different in that it need not attach to particular files or sectors at all.