Information Security Glossary
Produced by the Information Security Office (ISO)
This glossary is provided for our users to help them better work with the ISO and to inform their understanding of information security in general. Terms are derived from NIST controls and other security governance drivers which also provide the framework for university policies. Knowing these terms will help information resource owners, information resource custodians, and Level 2 IRE's in particular but are useful for anyone who wants to know more about how information security is defined.
- Acceptable Risk
The level of Residual Risk that has been determined to be a reasonable level of potential loss/disruption for a specific information system.
The physical or logical capability to view, interact with, or otherwise make use of Information Resources.
- Access Control
The process of granting or denying specific requests to: 1) obtain and use information and related information processing services; and 2) enter specific physical facilities (e.g., data centers, physical plant, mechanical rooms, Network closets, secured buildings, and research laboratories).
A relationship between an information resource (e.g., computer, network, or online service) and a user of that resource. The university assigns and administers a variety of account types, the vast majority being individual user domain accounts. In this policy, the term account refers to accounts of all types, unless a specific type is referenced. The university account types include the following:
- Domain Account – assigned to a single, authorized individual to facilitate access to the Texas State network domain and information resources within that domain.
- Group and Shared Accounts – have more than one authorized user.
- Service Account – assigned to a specific information resource or resource group to facilitate services by an external support provider (a support service account) or to authenticate one system or resource to another (a system service account).
- Privileged (or Super User) Account – assigned to a single university employee for use in administering university information resources.
- Resource Account – assigned to a specific resource (e.g., meeting room) rather than an individual or group of individuals; resource accounts facilitate the reservation and use of shared resources.
- AcquisitionIncludes all stages of the process of acquiring products or services, beginning with the process for determining the need for the product or service and ending with contract completion and closeout.
- Administrative Privileges
Rights granted to a Privileged User.
A claim of a named quality or characteristic inherent in or ascribed to someone or something.
- AuditIndependent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational Procedures.
- Audit Log / Audit Records
A chronological record of Information System activities, including records of system Accesses and operations performed in a given period.
- Auditable Event
Events which are significant and relevant to the security of Information Systems and the environments in which those systems operate in order to meet specific and ongoing Audit needs. Audit events can include, for example, Password changes, failed logons, or failed accesses related to Information Systems, Administrative Privilege usage, or third-party credential usage.
Verifying the Identity of a User, process, or Device, often as a prerequisite to allowing Access to resources in an Information System.
The means used to confirm the Identity of a User, process, or Device (e.g., User Password or token).
The right or a permission that is granted to a system entity to access a system resource.
- Authorization Boundary
All components of an Information System to be authorized for operation by an Authorizing Official and excludes separately authorized systems, to which the Information System is connected.
- Authorization Official (AO)
Official with the authority to formally assume responsibility for operating an Information System at a level of Acceptable Risk to institution operations (including mission, functions, image, or reputation), institution assets, or individuals.
- AvailabilityThe security objective of ensuring timely and reliable Access to and use of information.
- Best Practice
- Business Continuity Plan (BCP)
The documentation of a predetermined set of instructions or Procedures that describe how the institution’s mission/business processes will be sustained during and after a significant disruption.
- Business Function
Process or operation performed routinely to carry out a part of the mission of an institution.
- Business Impact Analysis (BIA)An analysis of an Information System’s requirements, functions, and interdependencies used to characterize system contingency requirements and priorities in the event of a significant disruption.
- Certificate Authority
The entity in a Public Key Infrastructure (PKI) that is responsible for issuing public-key certificates and exacting compliance to a PKI policy. Also known as a Certification Authority.
- Collaborative Computing Device
Tools that facilitate and enhance group work through distributed technology - where individuals collaborate from separate locations. Devices can include but are not limited to Networked white boards, cameras, and microphones.
- Confidential Information
Information that must be protected from unauthorized disclosure or public release based on state or federal law or other legal agreement.
- ConfidentialityThe security objective of preserving authorized restrictions on information Access and disclosure, including means for protecting personal privacy and proprietary information.
- Configuration ControlProcess for controlling modifications to hardware, Firmware, software, and documentation to protect the Information System against improper modifications before, during, and after system implementation.
- Configuration Management
A collection of activities focused on establishing and maintaining the Integrity of information technology products and Information Systems, through control of processes for initializing, changing, and monitoring the configurations of those products and systems throughout the system development life cycle.
- Contingency Plan
Management policy and Procedures used to guide an institution response to a perceived loss of mission capability. The Contingency Plan is the first plan used by the institutional Risk managers to determine what happened, why, and what to do. It may point to the Continuity of Operations Plan (COOP) or disaster recovery plan (DRP) for major disruptions.
- Continuity of Operations Plan (COOP)
See: Business Continuity Plan (BCP)
Relating to the discipline that embodies the principles, means, and methods for the transformation of Data in order to hide their semantic content, prevent their unauthorized use, or prevent their undetected modification.
- Cryptographic Module
Any combination of hardware, Firmware or software that implements Cryptographic functions such as Encryption, Decryption, Digital Signatures, Authentication techniques and random number generation.
- Cryptographic Module Authentication
The set of hardware, software, Firmware, or some combination thereof that implements Cryptographic logic or processes, including Cryptographic algorithms, and is contained within the cryptographic boundary of the module.
See: Information Custodian
Information in a specific representation, usually as a sequence of symbols that have meaning.
The process of changing ciphertext into plaintext using a Cryptographic algorithm and key.
Any hardware component involved with the processing, storage, or forwarding of information making use of the institutional information technology infrastructure or attached to the Institutional Network. These Devices include, but are not limited to, laptop computers, desktop computers, Servers, and Network Devices such as routers, switches, wireless access points, and printers.
- Device AdministratorAn individual with principal responsibility for the installation, configuration, registration, security, and ongoing maintenance of a Network-connected Device.
- Device Owner
The department head charged with overall responsibility for the Networking component in the institution’s inventory records. The Device Owner must designate an individual to serve as the primary Device Administrator and may designate a backup Device Administrator. All Network Infrastructure Devices, (e.g., Network cabling, routers, switches, wireless access points, and in general, any non-endpoint Device) shall be centrally owned and administered.
- Digital SignatureThe result of a Cryptographic transformation of Data which, when properly implemented, provides the services of: 1. origin Authentication, 2. Data Integrity, and 3. signer non-repudiation.
- DIR CC
The security control catalog (CC) authored by the Texas Department of Information Resources (DIR) which provides state agencies and higher education institutions specific guidance for implementing security controls in a format that easily aligns with the National Institute of Standards and Technology Special Publication 800-53 Version 4 (NIST SP 800-53 Rev. 4).
The conversion of plaintext information into a code or cipher text using a variable called a "key" and processing those items through a fixed algorithm to create the Encrypted text that conceals the Data's original meaning.
- Execution Domain
Each Information System process has a distinct address space so that communication between processes is performed in a manner controlled through the security functions, and one process cannot modify the executing code of another process.
- External Information System Service
An Information System service that is implemented outside of the Authorization Boundary of the institutional Information System (i.e., a service that is used by, but not a part of, the institutional Information System) and for which the institution typically has no direct control over the application of required security controls or the assessment of security control effectiveness. Examples include but are not limited to externally hosted or cloud-based Information Systems.
- External Network
A network not controlled by the institution.
- Federal Information Processing Standards (FIPS)
A standard for adoption and use by federal departments and agencies that has been developed within the Information Technology Laboratory and published by the National Institute of Standards and Technology, a part of the U.S. Department of Commerce. A FIPS covers some topic in information technology in order to achieve a common level of quality or some level of interoperability.
An inter-network connection device that restricts data communication traffic between two connected networks. A firewall may be either an application installed on a general-purpose computer or a dedicated platform (appliance), which forwards or rejects/drops packets on a Network. Typically, firewalls are used to define zone borders. Firewalls generally have rules restricting which ports are open.
Computer programs and Data stored in hardware - typically in read-only memory (ROM) or programmable read-only memory (PROM) - such that the programs and Data cannot be dynamically written or modified during execution of the programs.
Guidelines provide guidance for achieving additional positive outcomes. Guidelines are not compulsory unless explicitly stated, but they should still be followed when practicable. Guidelines can also be used as prescriptive or informational documents.
The process of discovering the true Identity (i.e., origin, initial history) of a person or item from the entire collection of similar persons or items.
- IdentifierUnique Data used to represent a person’s Identity and associated Attributes. A name or a card number are examples of Identifiers. Note: This also encompasses non-person entities.
- IdentityThe set of Attributes by which an entity is recognizable and that, within the scope of an Identity manager’s responsibility, is sufficient to distinguish that entity from any other entity.
- Incident Response
The mitigation of violations of security policies by using Best Practices.
- Information CustodianA department, agency, or Third-Party Provider responsible for implementing the Information Owner-defined controls and Access to an Information Resource.
- Information OwnerA person(s) with statutory or operational authority for specified information or Information Resources.
- Information Resource EmployeeAgency employees performing administrative, security, governance, or compliance activities on information technology systems. These types of employees generally have an occupational Category of “Information Technology” per the Texas State Auditor’s Office or similar duties.
- Information Resources
the Procedures, equipment, and software that are employed, designed, built, operated, and maintained to collect, record, process, store, retrieve, display, and transmit information, and associated personnel including consultants and contractors. Information Resources include but are not limited to:
- all physical and logical components, wired or wireless, of the Institutional Network;
- any Device that connects to or communicates electronically via the Institutional Network, including computers, printers, and communication Devices, both portable and fixed;
- any fixed or portable storage Device or media, regardless of ownership, that contains institution Data;
- all Data created, collected, recorded, processed, stored, retrieved, displayed, or transmitted using Devices connected to the Institutional Network;
- all computer software and services licensed by the institution;
- support staff and services employed or contracted by the institution to deploy, administer, or operate the above-described resources or to assist the community in effectively using these resources;
- Devices, software, or services that support the operations of the institution, regardless of physical location (e.g., SAAS, PAAS, IAAS, cloud services); and
- telephones, audio and video conferencing systems, phone lines, and communications systems provided by the institution.
- Information resources Management (IRM)The planning, budgeting, organizing, directing, training, controlling, and management activities associated with the burden, collection, creation, use, and dissemination of information by institutions.
- Information SecurityThe protection of information and Information Systems from Unauthorized Access, use, disclosure, disruption, modification, or destruction in order to provide Confidentiality, Integrity, and Availability.
- Information Security Officer
The individual designated by the institution head who has the explicit authority and the duty to administer Information Security requirements institution wide.
- Information SystemAn interconnected set of Information Resources that share a common functionality. An Information System normally includes, but is not limited to, hardware, software, Network Infrastructure, information, applications, communications and people.
- Information System ComponentsAll components of an Information System to be authorized for operation by an Authorizing Official and excludes separately authorized systems, to which the Information System is connected.
- Information System Entry and Exit PointsThese include but are not limited to Firewalls, electronic mail Servers, web Servers, proxy Servers, Remote Access Servers, workstations, notebook computers, and mobile Devices.
- Information System OwnerSee: Information Custodian
- Institutional ElementsOrganizations, departments, facilities, or personnel responsible for a particular system’s process.
- Institutional Network
The Data transport and communications infrastructure at the institution. It includes the campus backbone, local area networks, and all equipment connected to those Networks (independent of ownership).
- IntegrityThe security objective of guarding against improper information modification or destruction, including ensuring information non-repudiation and authenticity. See also: Confidentiality, Availability
- Interconnection Security AgreementA document that regulates security-relevant aspects of an intended connection between an agency and an external system. It regulates the security interface between any two systems operating under two different distinct authorities. It includes a variety of descriptive, technical, procedural, and planning information. It is usually preceded by a formal MOA/MOU that defines high- level roles and responsibilities in management of a cross-domain connection.
- InternetThe single, interconnected, worldwide system of commercial, governmental, educational, and other computer Networks that share (a) the protocol suite specified by the Internet Architecture Board (IAB) and (b) the name and address spaces managed by the Internet Corporation for Assigned Names and Numbers (ICANN).
- IntranetA computer Network, especially one based on Internet technology, that the institution uses for its own internal (and usually private) purposes and that is closed to outsiders.
- Least PrivilegeThe principle that a security architecture should be designed so that each entity is granted the minimum system resources and Authorizations that the entity needs to perform its function.
- Malicious CodeRogue computer programs designed to inflict a magnitude of harm by diminishing the Confidentiality, Integrity and Availability of Information Systems and information.
- MalwareSoftware or Firmware intended to perform an unauthorized process that will have adverse impact on the Confidentiality, Integrity, or Availability of an Information System. A virus, worm, Trojan horse, or other code-based entity that infects a host. Spyware and some forms of adware are also examples of Malware.
- Managed InterfacesAn interface within an Information System that provides boundary protection capability using automated mechanisms or Devices.
- Management ControlsThe security controls (i.e., safeguards or countermeasures) for an Information System that focus on Risk Management and the management of Information System security.
- MetricsTools designed to facilitate decision making and improve performance and accountability through collection, analysis, and reporting of relevant performance-related Data.
- Mission CriticalInformation Resources defined by the owner or by the institution to be crucial to the continued performance of the mission. Unavailability of such Information Resources would result in more than an inconvenience. An event causing the unavailability of Mission Critical Information Resources would result in consequences such as: significant financial loss, institutional embarrassment, failure to comply with regulations or legal obligations.
- NetworkInformation System(s) implemented with a collection of interconnected components. Such components may include routers, hubs, cabling, telecommunications controllers, key distribution centers, and technical control Devices.
- Network AddressA unique number associated with a Device’s Network connection used for the routing of traffic across the Internet or another Network. Also known as Internet Protocol Address or IP Address.
- Network Identifier (NetID)
A unique identifier assigned by the university to an account and its owner. The NetID is used with its associated password to authenticate the account owner’s identity when accessing Texas State information resources
- Network InfrastructureThe hardware and software resources of an entire Network that enable Network connectivity, communication, operations and management of an enterprise Network. It provides the communication path and services between Users, processes, applications, services and External Networks/the Internet. These include but are not limited to cabling, routers, switches, hubs, Firewall appliances, wireless access points, virtual private network (VPN) Servers, network address translators (NAT), proxy Servers, and dial-up Servers.
Acronym: National Institute of Standards and Technology is a non-regulatory federal agency within the U.S. Department of Commerce. NIST's mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve overall quality of life.
- NodeA Device or object connected to a Network.
- Non-organizational userA User who is not an institutional User (including public Users).
- Organizational userAn institutional User that the institution deems to have an affiliation including, for example, faculty, staff, student, contractor, guest researcher, or individual detailed from another organization.
- PasswordA type of Authenticator comprised of a string of characters (letters, numbers, and other symbols) used to authenticate an Identity or to verify Authorization.
- Penetration TestingA test methodology in which assessors, typically working under specific constraints, attempt to circumvent or defeat the security features of a system.
- Personally Identifiable Information (PII)A category of personal Identity information as defined by §521.002(a)(1), Business and Commerce Code.
- Plan of Action and Milestones (POA&M)
A document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for the milestones.
- Private KeyA Cryptographic key, used with a Cryptographic algorithm, that is uniquely associated with an entity and is not made public.
- Privileged AccountAn Information System account with approved Authorizations of a Privileged User.
- Privileged UserA User that is authorized (and therefore, trusted) to perform security-relevant functions that ordinary Users are not authorized to perform.
- ProcedureAn operational-level document that details actions needed to implement a security control, configure a solution, or complete a task. Some Procedures may be compulsory, and other Procedures may just be one way of doing something. Procedures specify “how” things need to be done.
- Protected Health Information (PHI)Individually identifiable health information about an individual, including demographic information, which relates to the individual's past, present, or future physical or mental health condition, provision of health care, or payment for the provision of health care.
- Public KeyA cryptographic key used with a cryptographic algorithm that is uniquely associated with an entity and that may be made public.
- Public Key CertificateA digital representation of information which at least (1) identifies the Certification Authority issuing it, (2) names or identifies its subscriber, (3) contains the subscriber's Public Key, (4) identifies its operational period, and (5) is digitally signed by the Certification Authority issuing it.
- ReconstitutionReturning Information Systems to fully operational states.
- Recovery Point Objective (RPO)The point in time to which Data must be recovered after an outage.
- Recovery Time ObjectiveThe overall length of time an Information System’s components can be in the recovery phase before negatively impacting the institution’s mission or mission/business processes.
- Remote AccessAccess to an institutional Information System by a User (or an Information System) communicating through an External Network (e.g., the Internet).
- Residual RiskPortion of Risk remaining after security measures have been applied.
- RiskA measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence.
- Risk AssessmentThe process of identifying Risks to institutional operations (including mission, functions, image, reputation), institutional assets, individuals, other institutions, resulting from the operation of a system. Part of Risk Management, incorporates threat and Vulnerability analyses, and considers mitigations provided by security controls planned or in place. Synonymous with Risk analysis.
- Risk ManagementThe total process of identifying, controlling, and eliminating or minimizing uncertain events that may adversely affect system resources. It includes Risk analysis, cost benefit analysis, selection, implementation and test, security evaluation of safeguards, and overall security review.
- Risk ToleranceThe degree of Risk or uncertainty that is acceptable to an institution.
- Role-Based Access Control (RBAC)Access Control based on User roles (i.e., a collection of Authorizations a User receives based on an explicit or implicit assumption of a given role). Role permissions may be inherited through a role hierarchy and typically reflect the permissions needed to perform defined functions within an institution. A given role may apply to a single individual or to several individuals.
- Security AssessmentThe testing and/or evaluation of the management, operational, and technical security controls in an Information System to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
- Security CategorizationThe characterization of information or an Information System as high, moderate, or low based on an assessment of the potential impact that a loss of Confidentiality, Integrity, or Availability of such information or Information System would have on institutional operations, institutional assets, or individuals.
- Security ClassificationThe categorization of information based on its need for Confidentiality, as determined by federal, state, local laws, policies or regulations.
- Security Control AssessmentsSee: Security Assessment
- Sensitive Personal InformationA category of personal Identity information as defined by §521.002(a)(2), Texas Business and Commerce Code.
- Separation of DutyA security principle that divides critical functions among different staff members in an attempt to ensure that no one individual has enough information or Access privilege to perpetrate damaging fraud.
- ServerA physical or virtual Device that performs a specific service or function on behalf of other Network Devices or Users.
- Server AdministrationA type of Information Custodian designated by the Server Owner as responsible for performing Server Management functions.
- Server ManagementFunctions associated with the oversight of Server operations. These include controlling User Access, establishing/maintaining security measures, monitoring Server configuration and performance, and Risk Assessment and mitigation.
- Server OwnerAn institution employee charged with overall responsibility for the Server asset in the university’s inventory records.
- StandardA tactical-level, compulsory requirement to use the same technology, method, security control, baseline, or course of action to uniformly achieve the goals set by policies. Standards specify “what” needs to be done.
- Suspected Data BreachIs any incident in which sensitive, confidential or otherwise protected Data in human or machine-readable form is put at Risk because of exposure to unauthorized individuals.
- System Level InformationInformation that includes but is not limited to, system-state information, operating system and application software, and licenses.
- System Security PlanFormal document that provides an overview of the security requirements for an Information System and describes the security controls in place or planned for meeting those requirements.
- Third-Party ProvidersService providers, staffing, integrators, vendors, telecommunications, and infrastructure support that are external to the institution.
- Unauthorized AccessA person gains logical or physical Access without permission to institutional Information Resources.
- UserAn individual, process, or automated application authorized to access an Information Resource in accordance with federal and state law, institution policy, and the Information Owner's Procedures and rules.
- User Level InformationAny information other than System Level Information.
- Vulnerability AssessmentSystematic examination of an Information System or product to determine the adequacy of security measures, identify security deficiencies, provide Data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation.