TERM
|
DEFINITION
|
GOVERNANCE & RISK MANAGEMENT
|
Policy
|
Policies are institution-wide directives from Parkland College and its constituents that define an intended and required, high-level course of action for securing systems and data.
|
Standard
|
Standards are detailed, institution-wide requirements that implement the approved policies. They are agile documents, updated frequently to remain current with technology.
|
Procedure
|
Specific steps to accomplish a task or series of tasks that facilitate compliance with a Policy or Standard. Implements a Policy or Standard. Mandatory compliance.
|
Guideline
|
Recommendations and best practices for safeguarding the confidentiality, integrity, and availability of information. Recommended compliance.
|
Confidentiality
|
Concept of preventing disclosure of sensitive information to unauthorized entities.
|
Integrity
|
Guarding against improper information modification or destruction; includes ensuring information non-repudiation and authenticity.
|
Availability
|
Ensuring that data, information, or systems are accessible and usable upon demand by an authorized entity.
|
Change
|
Modification of systems, data, or information.
|
Continuity
|
Ensuring that business and academic functions can continue functioning in some capacity despite adverse events.
|
Data/System Access
|
Connection to, or ability to obtain, data and systems.
|
Data/System Classification
|
Application of labels to data and systems identifying nature and sensitivity.
|
Data/System Processing
|
Collective set of data or system actions including collection, generation, logging, transformation, use, disclosure, sharing, transmission, and disposal.
|
Data/System Storage
|
Placing data or systems in a persistent state or location, whether physical, virtual, or cloud-based, whereby they may be held for future use. Often described as At-Rest.
|
Data/System Transmission
|
Sending data from one location to another, regardless of medium. Often described as In-Transit.
|
Data/System Use
|
Data or systems actively being used for the purpose for which they are intended. For digital data, this means data held in a non-persistent state, such as in computer memory. Often described as In-Use.
|
Incident
|
An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or data.
|
Non-Repudiation
|
Protection against an individual who falsely denies having performed a certain action and provides the capability to determine whether an individual took a certain action.
|
Personally Identifiable Information (PII)
|
Any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means.
|
Protected Health Information (PHI)
|
Individually identifiable health information that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium. Education records covered by FERPA and employment records held by a covered entity in its role as an employer are excepted.
|
Recovery
|
Restoring systems and data to pre-event operations after an adverse event.
|
Reputation
|
The societal opinion about an entity as typically formed by an evaluation of a set of criteria, such as behavior or performance.
|
Risk
|
A measure of the extent to which an entity is threatened by a potential circumstance or event. Risk is typically a function of the adverse impact, or magnitude of harm, that would arise if the event occurred and the likelihood of event occurrence.
|
Risk Treatment
|
The process or means by which a risk is addressed or modified.
|
Threat
|
Any circumstance or event with the potential to adversely impact organizational operations, organizational assets, individuals, or other organizations through a system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.
|
COMPLIANCE
|
CIS Critical Controls
|
Framework publication of best practices and recommendations for computer security.
|
COPPA
|
Children’s Online Privacy Protection Act of 1998 – Governs the online collection of personal information about children under 13 years of age.
|
FERPA
|
Family Educational Rights and Privacy Act of 1974 – Governs access to educational information and records.
|
FOIA
|
Freedom of Information Act (federal) and Illinois Freedom of Information Act – Provide for disclosure (full or partial) of previously unreleased information and documents held by government agencies and public bodies.
|
GDPR
|
General Data Protection Regulation (EU) – Defines protections and rights for individuals in the EU/EEA (data subjects, regardless of nationality) to control their personal data, and obligations for organizations that process it.
|
GLBA
|
Gramm-Leach-Bliley Act of 1999 – Requires financial institutions, including higher-education institutions that handle student financial information, to protect the privacy and security of customers' nonpublic personal information (Privacy Rule and Safeguards Rule).
|
HIPAA
|
Health Insurance Portability and Accountability Act of 1996 – Establishes national standards for the privacy and security of protected health information (PHI) to protect against fraud, theft, and improper disclosure.
|
NIST (CSF, etc.)
|
National Institute of Standards and Technology – Publishes the Cybersecurity Framework (CSF), a voluntary framework widely adopted outside government, and the Special Publication (SP) 800 series, which is mandatory for U.S. federal agencies and is commonly used as a reference by other organizations.
|
PCI-DSS
|
Payment Card Industry Data Security Standard is an information security standard for organizations that handle major branded credit cards.
|
ROLES
|
Role / Job Role
|
The responsibilities and requirements assigned to a specific position or situation.
|
Owner
|
Senior stakeholder accountable for systems and data. Has authority to make and authorize changes to the systems or data.
|
Steward
|
Entity responsible for implementing the data usage and security policies.
|
Custodian
|
Entity responsible for the technical protection of information assets.
|
Software Developer
|
Individual who writes code resulting in an operational program.
|
OPERATIONS
|
Accessibility
|
The practice of making data, content, and systems usable by as many people as possible.
|
Account / User Account
|
Unique identifier serving as a representation of an individual, service, process, or system. Typically utilizes credentials to authenticate.
|
Account Termination
|
The removal of permissions and access performed in advance of, or in addition to, an account being removed or deleted.
|
Administrator
|
An individual with elevated permissions responsible for the maintenance and configuration of an information system.
|
Application
|
A computer program or series of programs designed to fulfill a specific purpose or need.
|
Asset
|
Any item requiring protection by an information security program.
|
Authentication
|
Act of verifying the claimed identity of an individual, service, process, or system.
|
Authentication Mechanism
|
Hardware or software through which a user proves identity using a credential prior to granting access.
|
Authorization
|
Act of verifying what resources an individual is allowed to use or access.
|
Backup
|
A copy of systems and data that can be used to restore after an undesired event.
|
Biometrics
|
Physical characteristics (such as a fingerprint or retinal pattern) of a human. Fulfills the “something you are” component of multifactor authentication (MFA).
|
Containment
|
In incident management: Ensuring an undesirable or adverse event does not spread beyond the current impacted footprint. Limiting the impact of an adverse event.
|
Controls
|
Specific actions, processes, technologies, or other related items implemented to address or modify risk.
|
Credential
|
A token or digital identity (typically with a username and some other form of secret, such as a passphrase, or biometric) used to authenticate a user.
|
DMZ
|
"Demilitarized Zone." A separate network segment, isolated from the internal network, used to host servers and services that must be publicly accessible, so that the compromise of a public-facing host does not give direct access to internal systems.
|
Electronic Communications
|
Correspondence between 2 entities performed using a digital medium.
|
Elevated Privileges
|
Privileges that exceed those of a standard user for the purpose of performing maintenance or other administrative functions.
|
Encryption / Decryption
|
Encryption is rendering data unreadable by encipherment under a key; it is reversible by anyone holding the corresponding decryption key (the same key for symmetric encryption, the paired private key for asymmetric encryption). Hashing, sometimes loosely called "one-way encryption," is not encryption: it uses no key, cannot be reversed, and is used for integrity checks (detecting modification) rather than confidentiality.
Decryption is reversing encryption, turning enciphered data back into plain text using the key.
|
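The distinction in the Encryption / Decryption entry above (a key makes encryption reversible; a hash has no key and no inverse, and only detects modification) is shown below in an added example. This is illustrative code written for this glossary, not code from Parkland College; the message text and key are constructed sample values, and AES-256-GCM and SHA-256 are the assumed algorithm choices.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Encrypt seals plaintext with AES-256-GCM under a 32-byte key.
// The result is nonce || ciphertext || authentication tag. GCM also
// authenticates, so a tampered message fails to decrypt instead of
// silently decrypting to garbage.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt; it only succeeds with the same key and an
// unmodified ciphertext.
func Decrypt(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], nil)
}

// Digest returns the SHA-256 fingerprint of data as hex. There is no key
// and no inverse: the digest reveals nothing usable about the data and
// cannot be turned back into it.
func Digest(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// VerifyDigest reports whether data still matches a previously recorded
// digest, i.e. whether it has been modified since the digest was taken.
func VerifyDigest(data []byte, expected string) bool {
	return Digest(data) == expected
}

func main() {
	key := make([]byte, 32) // sample key; a real key comes from a key-management system
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	msg := []byte("grade change: STU-0001 -> A") // constructed sample record

	sealed, _ := Encrypt(key, msg)
	back, _ := Decrypt(key, sealed)
	fmt.Println("encryption round trip ok:", bytes.Equal(msg, back))

	sealed[len(sealed)-1] ^= 0x01 // flip one bit of the authentication tag
	_, err := Decrypt(key, sealed)
	fmt.Println("tampered ciphertext rejected:", err != nil)

	d := Digest(msg)
	fmt.Println("stored digest matches original:", VerifyDigest(msg, d))
	fmt.Println("modified record detected:", !VerifyDigest([]byte("grade change: STU-0001 -> B"), d))
}
```

Run it with `go run` on a single file. The design point is the one the glossary makes: keep the key secret and encryption protects confidentiality, while a hash protects nothing unless the digest itself is stored where an attacker cannot rewrite it alongside the data (otherwise use a keyed MAC or a signature).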
Endpoint
|
Any computing device or equipment that is connected to a network and is capable of transmitting or receiving data. Endpoints can include desktop computers, laptops, smartphones, tablets, servers, printers, and other network-connected devices.
|
Eradication
|
In incident management: The removal of an adverse event or unwanted software such as viruses and malware.
|
Hardware
|
Physical components of computers. Examples include servers, laptops, workstations, hard drives, video cards, monitors, etc.
|
Impact
|
Measurement of how much an entity is affected by an event, both positive and negative.
|
Least Privilege
|
Security principle in which a user is given the minimum levels of access or permissions needed to perform their job.
|
Media (Physical or Digital)
|
Container in which data is stored. Digital media include virtual hard disks, cloud storage, etc. Physical media include paper, hard drives, DVDs, signage, printed materials, etc.
|
Mitigation
|
Risk treatment that involves the implementation of controls to reduce risk associated with a threat.
|
Mobile Device
|
Any electronic device that is non-stationary. Examples include mobile phones, smartphones, laptops, tablets, etc.
|
Need-to-know
|
Security principle stating that a user shall only have access to the information that their job function requires, regardless of their security clearance level or other approvals.
|
Network
|
Interconnection of computers facilitating digital communication.
|
Password / Passphrase
|
A factor of authentication consisting of a string of characters. Fulfills the “something you know” component of multifactor authentication (MFA).
|
PIN
|
A string of characters, usually digits. Similar to a password/passphrase. Fulfills the “something you know” component of multifactor authentication (MFA).
|
Program
|
A set of instructions, usually in the form of computer code, that a computer executes to perform specific tasks.
|
Remediate
|
Vulnerability management: To correct a vulnerability found on or in a system.
|
Resources
|
Physical, Digital, Personnel, or Time components of a project, program, or system.
|
IT Resources
|
Computer systems, software, hardware, and services, including their configurations and constituent components.
|
Security Awareness
|
Education and training on the appropriate measures to take to prevent adverse events or undesired behavior.
|
Separation of Duties
|
Security concept that splits the duties related to a function or process between multiple people to ensure accountability and integrity.
|
Software
|
Programs and their associated data, whether compiled or interpreted, running on a computer.
|
System
|
Series of processes, personnel, or components of hardware and software working together towards a common goal. Also refers to a fully assembled computer or series of programs in a computer.
|
Validation
|
The process of ensuring a specification, system, process, or other item meets a set of defined requirements.
|
Vendor / Supplier
|
An external, 3rd-party entity that sells, manages, maintains, or otherwise provides services to the college.
|
VPN
|
Virtual Private Network: A method by which an entity gains access to network systems and resources by establishing an encrypted electronic connection with the campus network.
|
Vulnerability
|
A weakness in a process, software, hardware, or other system component that could be exploited by a threat, giving rise to risk.
|
DATA CENTER TERMINOLOGY
|
Data Center Coordinator (DCC)
|
Individuals responsible for securing Parkland College Data Centers.
|
Authorized Individuals
|
Individuals granted unescorted access to the Parkland College Data Centers.
|
Authorized Access
|
Access to a Parkland College Data Center that has been approved by the appropriate DCC.
|
Class BC Fire Extinguisher
|
A portable, regular dry chemical fire extinguisher that meets the requirements set forth by the U.S. Department of Labor Occupational Safety and Health Administration to handle a range of fires caused by Energized Electrical Equipment or flammable liquids, greases, or gases.
|
Parkland College Data Center
|
A facility, or portion of a facility, with the primary function to house data processing equipment in a fault-tolerant environment with the capability to undergo routine maintenance without affecting operation.
|
Conditioned Power
|
Electrical power whose quality has been improved before it is supplied to the Data Center Assets. Conditioned Power is provisioned through one or more UPS system(s) or a DC battery plant and is further supported by one or more standby diesel generators.
|
Data Center Asset
|
A component located within a Parkland College Data Center including, but not limited to, servers, blade systems, network devices, storage devices, racks, and rack power distribution units (“PDUs”).
|
Data Center Asset Inventory
|
An inventory that provides detailed information of the Data Center Assets located within a Parkland College Data Center and classifies the assets in accordance with business criticality. Each DCC may determine how to maintain a data center’s inventory, provided it offers the ability to add, assign, locate, and remove all assets within the DCC’s responsibility.
|
Energized Electrical Equipment
|
Electrical equipment such as computers, servers, motors, transformers, appliances, wiring, circuit breakers, and outlets connected to a power supply.
|
Enterprise Activities
|
The activities that support the academic, administrative, outreach, and research missions of Parkland College that are supported by Campus Technologies.
|
Mission Critical Services
|
Services essential to the academic, administrative, research, and outreach missions of Parkland College.
|
Unauthorized Access
|
Access to a Parkland College Data Center that has not been approved by the appropriate DCC.
|
Uninterruptible Power Supply (UPS)
|
A system that provides a continuous supply of power to a load, utilizing stored energy when the normal source of energy is not available or is of unacceptable quality. A UPS will provide power until the stored energy of the system has been depleted or an alternative or the normal source of power of acceptable quality becomes available.
|
Visitor
|
A person with approved, escorted access to a Parkland College Data Center.
|
RACI Matrix Key / Legend
|
R - Responsible
|
Responsible for performing an action or process
|
A - Accountable
|
Accountable for the results of an action or process
|
C - Consulted
|
Consulted or providing advice or guidance on an action or process
|
I - Informed
|
Informed on the progress or results of an action or process
|
ACRONYMS
|
SIRT
|
Security Incident Response Team
|
DDoS
|
Distributed Denial of Service
|
IDS
|
Intrusion Detection System
|
IPS
|
Intrusion Prevention System
|
APT
|
Advanced Persistent Threat
|