Information Security Glossary
* A * B * C * D * E * F * G * H * I * J * K * L * M * N * O * P * Q * R * S * T * U * V * W * X * Y * Z *
A
Access Controlled Environment: A physically secured location with appropriate environmental controls accessible only to authorized personnel with a legitimate business need.
Account: That combination of username and password that provides an individual, group, or service with access to a computer system or computer network.
Affiliates: Select individuals who have been afforded contractual affiliate status by the university. Affiliates do not receive a salary from the university for the duties and services they perform.
Antivirus Software: Software specifically designed for the detection and prevention of known computer viruses. See also Antivirus Updates.
Antivirus Updates: Frequently released definitions that identify new computer viruses. These definitions are used to keep antivirus software effective.
Application Administration Account: An account for the administration of an application (e.g., Oracle database administrator, MS-SQL SA administrator).
Associates: Individuals such as unpaid faculty, principal investigators, visiting scholars, dissertation special members and others who are regularly engaged in activities that directly support the teaching and research mission of the university, but who are not compensated by the university by salary.
Attack: An attempt to gain unauthorized access or deny authorized access to a university information resource.
Attacker: An entity that attempts to gain unauthorized access or deny authorized access to a University information resource.
Authentication: The process of confirming a claimed identity. All forms of authentication are based on something you know, something you have, or something you are:
“Something you know” is some form of information that you can recognize and keep to yourself, such as a personal identification number (PIN) or password.
“Something you have” is a physical item you possess, such as a photo ID or a security token.
“Something you are” is a human characteristic considered to be unique, such as a fingerprint, voice tone, or retinal pattern.
Authorization: The act of granting permission for someone or something to conduct an act. Even when identity and authentication have indicated who someone is, authorization may be needed to establish what actions are permitted.
Authorized User: An individual that is not a UNC Charlotte faculty, staff or student who has been granted permission to access university server, workstation, networked device, or application resources.
Availability: The degree to which information and vital services are accessible for use when required.
B
Business Continuity: The ability to carry out vital business services in a timely manner despite loss of or damage to university information resources.
C
CIO: The University’s Chief Information Officer.
CISO: The University’s Chief Information Security Officer
Compromise: An unauthorized intrusion into a university information resource where unauthorized disclosure, modification or destruction of confidential university data may have occurred.
Confidentiality: The degree to which confidential university data are protected from unauthorized disclosure.
Confidential University Data: Personally identifiable information, proprietary information, confidential non-personally identifiable information, and any other data the disclosure of which could cause significant harm to the University or its constituents.
Confidential Non-Personally Identifiable Information – Information about university-related activities not available to the public by the operation of law. The protection of confidential non-personally identifiable information is governed by the university’s own policies. Examples may include detailed information about some university buildings, activities, or events, information about future university development plans, and research information.
Personally Identifiable Information – Information relating to an individual that reasonably identifies the individual, except where such information is public by operation of university policy or applicable law (e.g., past or present employees’ names, titles, positions, salaries or other information designated as public records under the North Carolina State Personnel Act; student names, local addresses and telephone numbers, email addresses and other “directory” information under FERPA, unless such student has requested nondisclosure consistent with FERPA and University Policy 402, Student Records (FERPA)). Examples may include, but are not limited to: Social Security numbers, payment card numbers, financial account information, NC driver license number, NC non-operating identification license number (State ID card), student grades or disciplinary information, all FERPA non-directory information about students and former students, including citizenship, income tax withholdings, personnel records, relatives’ names and addresses, student and employee identification numbers, donations, patient health information, human subject data, information the university has agreed to keep confidential, and account passwords or encryption keys used to protect access to confidential university data. Confidentiality of personally identifiable information is largely governed by law or contract (e.g., HIPAA, FERPA, GLBA, PCI DSS, and laws governing human subject data).
Proprietary Information – Data, information, or intellectual property in which the university has an exclusive legal interest or ownership right, which, if compromised could cause significant harm to the university. Examples may include, but are not limited to, business planning, financial information, trade secret, copyrighted material, and software or comparable material from a third party when the university has agreed to keep such information confidential.
Contractors: A person who contracts with the university to furnish supplies or perform work at a certain price or rate not paid through Payroll.
Custodian: Guardian or caretaker; the holder of data, the agent charged with implementing the controls specified by the owner. The custodian is responsible for the processing and storage of information. The custodians of information resources, including entities providing outsourced information resources services to the university, must:
Implement the controls specified by the owner(s).
Provide physical and procedural safeguards for the information resources.
Assist owners in evaluating the cost-effectiveness of controls and monitoring.
Implement the monitoring techniques and procedures for detecting, reporting, and investigating incidents.
D
Data: Information that has been translated into a form that is more convenient to move or process.
Data Classification: Data classification is the conscious decision to assign a level of sensitivity to data as it is being created, enhanced, stored, or transmitted. The classification of the data should determine the extent to which the data needs to be controlled and secured.
Data Facilities: Controlled facilities with a primary focus of housing servers, networking equipment and other devices.
Data Owner: Person responsible for managing institutional data owned by the university. The data owner has the responsibility for classifying their data in order to ensure that the appropriate steps are taken to protect the data and that respective standards and guidelines are being properly implemented.
Data Security Officer: An individual designated by Vice Chancellors, Deans, Directors, or other department heads to serve as the primary contact for ensuring secure management of data in his or her functional area. The DSO assists faculty and staff with Data Security Plans and ensures that each Data Security Plan complies with all university policies and procedures.
Devices: Any apparatus used to access, store, transmit or interface with a university information resource. This includes but is not limited to computers (servers, workstations and laptops), PDAs, printers, network appliances, devices situated behind firewalls, Network Address Translation devices, or use of Virtual Private Networks.
Disaster Recovery: The ability to restore lost or damaged data or systems in a timely manner.
E
Electronic Communication: Transmitting data electronically with or without human interaction (i.e., email, web, instant messaging, etc.).
Encrypted: Transformed using an algorithm to make information unreadable to anyone other than those with special knowledge, usually referred to as a key.
Encryption: The process of transforming information using an algorithm to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key.
F
Firewall: A hardware or software device that limits access to a computer or network to help prevent unauthorized access. Also see Firewall Appliance and Host-based Firewall Software.
Firewall Appliance: A physical device that provides firewall protection for a network. Also see Firewall and Host-based Firewall Software.
H
Host-based Firewall Software: A software program that provides firewall protection solely for the system on which it is running. Also see Firewall and Firewall Appliance.
I
Information Security Liaison (ISL): Area associate who serves as the intermediary between his/her respective unit and ITS and assists with implementing information security policy, standards and guidelines.
Incident: An attempted or successful unauthorized access, use, disclosure, modification or destruction of information; interference with information technology operation; or violation of explicit or implied acceptable use policy.
Integrity: The degree to which the accuracy and completeness of information and computer software is safeguarded to protect the business process for the university.
ITS: Information and Technology Services.
L
Local Support Provider: A person with principal responsibility for the installation, configuration, security, and ongoing maintenance of a device (e.g., system administrator or network administrator).
Log: Electronic information about activity recorded by a computer during the course of operation.
M
Merchant: Unit that accepts payment cards in payment for goods, services or gifts.
Merchant Account: The payment card account number assigned by the university’s office of Financial Services to permit payment card payment processing.
N
Network: A logical collection of devices and communication paths.
Networked Device: Any equipment that resides on a network.
Network Manager: See System Administrator.
Non-Compliance: Failure to meet or exceed standards or recommendations set by the University or by individual units.
O
Offsite: Located in a university-approved secure location other than the building in which backups are performed.
P
Password: A string of characters that serves as authentication of a person’s identity, that may be used to grant, or deny, access to private or shared data.
Patches: Updates to operating systems and application software that enhance security and/or operability.
Personally Identifiable Information: See Confidential University Data.
Personal Information: A person’s first name or first initial and last name in combination with any one or more of the following data elements:
The person’s Social Security number
The person’s NC driver license number or non-operating identification license
The person’s financial account number or credit or debit card number in combination with any required security code, access code or password that would permit access to the person’s financial account
Protected Health Information (PHI): Personally Identifiable Information consisting of health information that can be linked to a particular person and that is protected under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The university’s use and protection of PHI is governed by University Policy 605.2, Privacy and Confidentiality of Individually Identifiable Health Care Information under HIPAA.
Physically Secured Location: An access controlled environment that has any or all of the following control measures in place:
Alarm system installed to detect and report break-ins
Networking equipment (switches, cabling, Internet connection) kept in a locked room and/or cabinet with restricted access
Servers kept in a locked room and/or cabinet with restricted access
Laptops secured with cable locks
Sensitive printed materials stored in locked file cabinets
Use of visitor logs, visitor escorts, visitor badges, entrance controls and employee badges to restrict access
S
Scan: A series of messages or transmissions attempting to access a device to learn what network services and information the device provides in order to identify potential weaknesses.
Security Breach: See Compromise.
Sensitive Information: Information that must be protected from unauthorized access or disclosure because of laws, regulations, university policy, or by agreement, whether the information is in physical or electronic format.
Server: A system that provides services to others outside their local network.
Site-licensed: Licensed for use by the University at low or no cost to the user.
Special Account: An account that is permitted privileges above and beyond those of normal users. Examples of this type of account include: root, super user, administrator, etc.
Strong Password: A strong password is a password that is designed to be hard for a person, program or automated process to discover. It is normally constructed of a sequence of characters, numbers, and special characters, depending on the capabilities of the operation system. Typically, the longer the password the stronger it is. Passwords should never include a proper name, dictionary word in any language, or be linked to any personal information such as birthdate, social security number, etc.
System Administrator: Person responsible for the effective operation and maintenance of university information resources, including implementation of standard procedures and controls to enforce University Policy 311, Information Security. Students, faculty, staff members may be the system administrators for their own machines.
T
Technical Support Person: See System Administrator.
U
UNC Charlotte Community: Any staff, faculty, students, associates, affiliates, contractors, volunteers or visitors who use UNC Charlotte facilities and resources.
University Network: The collection of central and outlying data, voice, and other networks that provides direct access to university information resources.
University Information Resource: Data in any form and recorded in any manner and computer-related resources operated, owned or leased by the university, including but not limited to:
Networks and network appliances
Computers (servers, workstations and laptops)
Printers
Software and applications
Thumb drives, paper, etc.
Any other computer-related equipment, device or hardware used to access, store, transmit or interface with another university information resource
University-Related Persons: University students and applicants for admission, university employees and applicants for employment, Affiliates, Associates, volunteers, alumni, temporary employees of agencies who are assigned to work for the university, and third party contractors engaged by the University and their agents and employees.
V
VPN or Virtual Private Network: An encrypted communication channel between two computers or networks which is intended to prevent eavesdropping between the endpoints. The university offers a free site-licensed VPN to its employees.
Vulnerability: Any flaw in the software, hardware, or configuration of a computing device that can be used to compromise the security of a university information resource.
Vulnerability Assessment: An audit by a responsible party that is intended to identify potential vulnerabilities in a computer system or network.