Information Security Term Definitions


Objective

Defines unknown or ambiguous terms used in Information Security policies and standards.

Scope

All Parkland College Information Security policies and standards.

Policy

Section 1 – Terms

TERM

DEFINITION

GOVERNANCE & RISK MANAGEMENT

Policy

Policies are institution-wide directives from Parkland College and its constituents that define an intended and required, high-level course of action for securing systems and data.

Standard

Standards are detailed, institution-wide requirements intended to implement the approved policies. Standards are detailed, agile documents intended to be updated frequently to be current with technology.

Procedure

Specific steps to accomplish a task or series of tasks that facilitate compliance with a Policy or Standard. A Procedure implements a Policy or Standard. Compliance is mandatory.

Guideline

Recommendations and best practices for safeguarding the confidentiality, integrity, and availability of information. Compliance is recommended.

Confidentiality

Concept of preventing disclosure of sensitive information to unauthorized entities.

Integrity

Guarding against improper information modification or destruction; includes ensuring information non-repudiation and authenticity.

Availability

Ensuring that data, information, or systems are accessible and usable upon demand by an authorized entity.

Change

Modification of systems, data, or information.

Continuity

Ensuring that business and academic functions can continue functioning in some capacity despite adverse events.

Data/System Access

Connection to, or ability to obtain, data and systems.

Data/System Classification

Application of labels to data and systems identifying nature and sensitivity.

Data/System Processing

Collective set of data or system actions including collection, generation, logging, transformation, use, disclosure, sharing, transmission, and disposal.

Data/System Storage

Placing data or systems in a persistent state or location, whether physical, virtual, or cloud-based, whereby they may be held for future use. Often described as At-Rest.

Data/System Transmission

Sending data from one location to another, regardless of medium. Often described as In-Transit.

Data/System Use

Data or systems actively being used for the purpose for which they are intended. For digital data, this means data stored in a non-persistent digital state, such as in computer memory.

Incident

An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or data.

Non-Repudiation

Protection against an individual who falsely denies having performed a certain action and provides the capability to determine whether an individual took a certain action.

Personally Identifiable Information (PII)

Any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means.

Protected Health Information (PHI)

Individually identifiable health information that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium. FERPA and employer-held employment records are excepted.

Recovery

Restoring systems and data to pre-event operations after an adverse event.

Reputation

The societal opinion about an entity as typically formed by an evaluation of a set of criteria, such as behavior or performance.

Risk

A measure of the extent to which an entity is threatened by a potential circumstance or event. Risk is typically a function of the adverse impact, or magnitude of harm, that would arise if the event occurred and the likelihood of event occurrence.

Risk Treatment

The process or means by which a risk is addressed or modified.

Threat

Any circumstance or event with the potential to adversely impact organizational operations, organizational assets, individuals, or other organizations through a system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.

COMPLIANCE

CIS Critical Controls

Framework publication of best practices and recommendations for computer security.

COPPA

Children’s Online Privacy Protection Act of 1998 – Governs the online collection of personal information about children under 13 years of age.

FERPA

Family Educational Rights and Privacy Act of 1974 – Governs access to educational information and records.

FOIA

Freedom of Information Act (US) (IL) – Provides disclosure (full or partial) of previously unreleased information and documents held by government agencies.

GDPR

General Data Protection Regulation (EU) – Defines protections and rights for EU nationals to control their data.

GLBA

Gramm-Leach-Bliley Act – Outlines interactions between the banking, securities, and insurance industries.

HIPAA

Health Insurance Portability and Accountability Act of 1996 – Controls the flow and security of healthcare information to protect against fraud and theft.

NIST (CSF, etc.)

National Institute of Standards and Technology – Publishes the Cybersecurity Framework (CSF) and many other Special Publications (SP) governing the use of Information Security and Technology measures within the US Government.

PCI-DSS

Payment Card Industry Data Security Standard is an information security standard for organizations that handle major branded credit cards.

ROLES

Role / Job Role

The responsibilities and requirements assigned to a specific position or situation.

Owner

Senior stakeholder accountable for systems and data. Has authority to make and authorize changes to the systems or data.

Steward

Entity responsible for implementing the data usage and security policies.

Custodian

Entity responsible for the technical protection of information assets.

Software Developer

Individual who writes code resulting in an operational program.

OPERATIONS

Accessibility

The practice of making data, content, and systems usable by as many people as possible.

Account / User Account

Unique identifier serving as a representation of an individual, service, process, or system. Typically utilizes credentials to authenticate.

Account Termination

The removal of permissions and access performed in advance of, or in addition to, an account being removed or deleted.

Administrator

An individual with elevated permissions responsible for the maintenance and configuration of an information system.

Application

A computer program or series of programs designed to fulfill a specific purpose or need.

Asset

Any item requiring protection by an information security program.

Authentication

Act of verifying the identity of an individual.

Authentication Mechanism

Hardware or software through which a user proves identity using a credential prior to granting access.

Authorization

Act of verifying what resources an individual is allowed to use or access.

Backup

A copy of systems and data that can be used to restore after an undesired event.

Biometrics

Physical characteristics (such as a fingerprint or retinal pattern) of a human. Fulfills the “something you are” component of multifactor authentication (MFA).

Containment

In incident management: Ensuring an undesirable or adverse event does not spread beyond the current impacted footprint. Limiting the impact of an adverse event.

Controls

Specific actions, processes, technologies, or other related items implemented to address or modify risk.

Credential

A token or digital identity (typically with a username and some other form of secret, such as a passphrase, or biometric) used to authenticate a user.

DMZ

"Demilitarized Zone." This refers to a separate network segment that is isolated from the internal network and is used to host servers and services that need to be publicly accessible.

Electronic Communications

Correspondence between two entities performed using a digital medium.

Elevated Privileges

Privileges that exceed those of a standard user for the purpose of performing maintenance or other administrative functions.

Encryption / Decryption

Encryption is rendering data unreadable by encipherment. Two-way encryption is paired with a key for decryption. One-way encryption is used for integrity monitoring in forms such as hashing.

Decryption is reversing encryption from enciphered data back into plain text.

Endpoint

Any computing device or equipment that is connected to a network and is capable of transmitting or receiving data. Endpoints can include desktop computers, laptops, smartphones, tablets, servers, printers, and other network-connected devices.

Eradication

In incident management: The removal of an adverse event or unwanted software such as viruses and malware.

Hardware

Physical components of computers. Examples include servers, laptops, workstations, hard drives, video cards, monitors, etc.

Impact

Measurement of how much an entity is affected by an event, both positive and negative.

Least Privilege

Security principle in which a user is given the minimum levels of access or permissions needed to perform their job.

Media (Physical or Digital)

Container in which data is stored. Digital media include virtual hard disks, cloud storage, etc. Physical media include paper, hard drives, DVDs, signage, printed materials, etc.

Mitigation

Risk treatment that involves the implementation of controls to reduce risk associated with a threat.

Mobile Device

Any electronic device that is non-stationary. Examples include mobile phones, smartphones, laptops, tablets, etc.

Need-to-know

Security principle stating that a user shall only have access to the information that their job function requires, regardless of their security clearance level or other approvals.

Network

Interconnection of computers facilitating digital communication.

Password / Passphrase

A factor of authentication consisting of a string of characters. Fulfills the “something you know” component of multifactor authentication (MFA).

PIN

A string of characters, usually digits. Similar to a password/passphrase. Fulfills the “something you know” component of multifactor authentication (MFA).

Program

A set of instructions, data or programs used to operate computers and execute specific tasks, usually in the form of computer code.

Remediate

Vulnerability management: To correct a vulnerability found on or in a system.

Resources

Physical, Digital, Personnel, or Time components of a project, program, or system.

IT Resources

Computer systems, software, hardware, and services, including their configurations and constituent components.

Security Awareness

Education and training on the appropriate measures to take to prevent adverse events or undesired behavior.

Separation of Duties

Security concept that splits the duties related to a function or process between multiple people to ensure accountability and integrity.

Software

Code, either compiled or used with a framework, running on a computer.

System

Series of processes, personnel, or components of hardware and software working together towards a common goal. Also refers to a fully assembled computer or series of programs in a computer.

Validation

The process of ensuring a specification, system, process, or other item meets a set of defined requirements.

Vendor / Supplier

An external, third-party entity that sells, manages, maintains, or otherwise provides services to the college.

VPN

Virtual Private Network: A method by which an entity gains access to network systems and resources by establishing an encrypted electronic connection with the campus network.

Vulnerability

A weakness in processes, software, hardware, or other system components that gives rise to risk.

DATA CENTER TERMINOLOGY

Data Center Coordinator (DCC)

Individuals responsible for securing Parkland College Data Centers.

Authorized Individuals

Individuals granted unescorted access to the Parkland College Data Centers.

Authorized Access

Access to a Parkland College Data Center that has been approved by the appropriate DCC.

Class BC Fire Extinguisher

A portable, regular dry chemical fire extinguisher that meets the requirements set forth by the U.S. Department of Labor Occupational Safety and Health Administration to handle a range of fires caused by Energized Electrical Equipment or flammable liquids, greases, or gases.

Parkland College Data Center

A facility, or portion of a facility, with the primary function to house data processing equipment in a fault-tolerant environment with the capability to undergo routine maintenance without affecting operation.

Conditioned Power

An electrical component intended to improve the quality of the power supplied to the Data Center Assets. Conditioned Power is provisioned through one or more UPS system(s) or a DC battery plant and is further supported by one or more standby diesel generators.

Data Center Asset

A component located within a Parkland College Data Center including, but not limited to, servers, blade systems, network devices, storage devices, racks, and rack power distribution units (“PDUs”).

Data Center Asset Inventory

An inventory that provides detailed information of the Data Center Assets located within a Parkland College Data Center and classifies the assets in accordance with business criticality. Each DCC may determine how to maintain a data center’s inventory, provided it offers the ability to add, assign, locate, and remove all assets within the DCC’s responsibility.

Energized Electrical Equipment

Electrical equipment such as computers, servers, motors, transformers, appliances, wiring, circuit breakers, and outlets connected to a power supply.

Enterprise Activities

The activities that support the academic, administrative, outreach, and research missions of Parkland College that are supported by Campus Technologies.

Mission Critical Services

Services essential to the academic, administrative, research, and outreach missions of Parkland College.

Unauthorized Access

Access to a Parkland College Data Center that has not been approved by the appropriate DCC.

Uninterruptible Power Supply (UPS)

A system that provides a continuous supply of power to a load, utilizing stored energy when the normal source of energy is not available or is of unacceptable quality. A UPS will provide power until the stored energy of the system has been depleted or an alternative or the normal source of power of acceptable quality becomes available.

Visitor

A person with approved, escorted access to a Parkland College Data Center.

RACI Matrix Key / Legend

R - Responsible

Responsible for performing an action or process

A - Accountable

Accountable for the results of an action or process

C - Consulted

Consulted or providing advice or guidance on an action or process

I - Informed

Informed on the progress or results of an action or process

ACRONYMS

SIRT

Security Incident Response Team

DDoS

Distributed Denial of Service

IDS

Intrusion Detection System

IPS

Intrusion Prevention System

APT

Advanced Persistent Threat
