Access controls are the means by which the ability to use, create, modify, view, etc., is explicitly enabled or restricted in some way (usually through physical and system-based controls).
That combination of user name and password that provides an individual, group, or service with access to a computer system or computer network.
Cryptography in which a pair of keys is used to encrypt and decrypt a message. The sender of the message encrypts the message with the recipient’s public key. The recipient then decrypts the message with his/her private key.
The process of confirming a claimed identity. All forms of authentication are based on something you know, something you have, or something you are.
'Something you know' is some form of information that you can recognize and keep to yourself, such as a personal identification number (PIN) or password.
'Something you have' is a physical item you possess, such as a photo ID or a security token.
'Something you are' is a human characteristic considered to be unique, such as a fingerprint, voice tone, or retinal pattern.
The act of granting permission for someone or something to conduct an act. Even when identity and authentication have indicated who someone is, authorization may be needed to establish what actions are permitted.
Availability represents the requirement that an asset or resource be accessible to an authorized person, entity, or device.
Copy of files and applications made to avoid loss of data and facilitate recovery in the event of a system crash.
Business Continuity Plan (BCP)
The documentation of a predetermined set of instructions or procedures that describe how an organization's business functions will be sustained during and after a significant disruption.
Business Impact Analysis (BIA)
An analysis of an IT system's requirements, processes, and interdependencies used to characterize system contingency requirements and priorities in the event of a significant disruption.
University data protected specifically by federal or state law or Azusa Pacific University rules and regulations (e.g., HIPAA, FERPA, EAR, ITAR, Sarbanes-Oxley, Gramm-Leach-Bliley; specific donor or employee data). University data that are not otherwise protected by a known civil statute or regulation, but which must be protected due to university contractual agreements requiring confidentiality, integrity, or availability considerations (e.g., Non Disclosure Agreements, Memoranda of Understanding, Service Level Agreements, Granting or Funding Agency Agreements, etc.) are also included.
University data not otherwise identified as Category-I data, but which are releasable in accordance with FERPA. Such data must be appropriately protected to ensure a controlled and lawful release.
University data that are not otherwise identified as Category-I or Category-II data (e.g., publicly available). Such data have no requirement for confidentiality, integrity, or availability.
Certificate Authority (CA)
A trusted third party whose purpose is to sign certificates for network entities it has authenticated using secure means. Other network entities can check the signature to verify that a CA has authenticated the bearer of a certificate.
Certificate Management Plan (or Certificate Policy)
The administrative policy for key and certificate management. This plan addresses all aspects associated with the generation, production, distribution, accounting, compromise recovery, and administration of encryption keys and digital certificates. For an example, refer to the X.500 Certificate Policy for the Virginia Polytechnic Institute and State University.
Certificate Practice Statement (CPS)
A statement of the practices that a certification authority employs in issuing certificates. See examples at the University of Washington and Virginia Polytechnic Institute and State University.
Includes any implementation of new functionality, any interruption of service, any repair of existing functionality, and any removal of existing functionality.
The process of controlling modifications to hardware, software, firmware, and documentation to ensure that information technology resources are protected against improper modification before, during, and after system implementation.
Computer Incident Response Team (CIRT)
Personnel responsible for coordinating the response to computer security incidents in an organization.
The classification of data of which unauthorized disclosure/use could cause serious damage to an organization or individual.
Information maintained by state agencies and universities that is exempt from disclosure under the provisions of the Public Records Act or other applicable state and federal laws. The controlling factor for confidential information is dissemination.
Confidential Personal Information
Information that alone or in conjunction with other information identifies an individual, including an individual’s name, social security number, date of birth, or government-issued identification number; mother’s maiden name; unique biometric data, including the individual’s fingerprint, voice print, and retina or iris image; unique electronic identification number, address, or routing code; and telecommunication access device.
See also: Strong Passwords
Guardian or caretaker; the holder of data, the agent charged with implementing the controls specified by the owner. The custodian is responsible for the processing and storage of information. The custodians of information resources, including entities providing outsourced information resources services to the university, must:
Implement the controls specified by the owner(s).
Provide physical and procedural safeguards for the information resources.
Assist owners in evaluating the cost-effectiveness of controls and monitoring.
Implement the monitoring techniques and procedures for detecting, reporting, and investigating incidents.
Research Data are recorded information, regardless of form in which the information may be recorded, that constitutes the original data that are necessary to support research activities and validate research findings. Research data may include but are not limited to: printed records, observations and notes; electronic data; video and audio records, photographs and negatives, etc.
Digital Research Data are defined as the subset of research data as defined below that are transmitted by, or maintained in, electronic format and include any of the following: (a) Electronic storage data including storage devices in computers (hard drives, memory) and any removable/transportable digital storage medium, such as magnetic tape or disk, optical disk, or digital memory card; or (b) Transmission data used to exchange information already in electronic storage format. Transmission data include, for example, the Internet (wide-open), extranet (using Internet technology to link a business with information accessible only to collaborating parties), leased lines, dial-up lines, private networks, intranet, and the physical movement of removable/transportable electronic storage data.
Sensitive Digital Research Data are data defined by the university as Category-I data.
Category-I data are university data protected specifically by federal or state law or Azusa Pacific University rules and regulations (e.g., HIPAA; FERPA; Sarbanes-Oxley, Gramm-Leach-Bliley; specific donor or employee data). University data that are not otherwise protected by a known civil statute or regulation, but which must be protected due to university contractual agreements requiring confidentiality, integrity, or availability considerations (e.g., Non Disclosure Agreements, Memoranda of Understanding, Service Level Agreements, Granting or Funding Agency Agreements, etc.) are also included.
Category-II data are university data not otherwise identified as Category-I data, but which are releasable in accordance with FISMA (e.g., contents of specific e-mail, date of birth, salary, etc.). Such data must be appropriately protected to ensure a controlled and lawful release.
Category-III data are university data that are not otherwise identified as Category-I or Category-II data (e.g., publicly available). Such data have no requirement for confidentiality, integrity, or availability.
Data Encrypting Keys
Keys used with symmetric key algorithms to apply confidentiality protection to information.
University representatives, such as faculty, staff, or researchers, who are tasked with managing administrative and/or research data owned by the university. Such data is to be managed by a data steward as a university resource and asset. The data steward has the responsibility of ensuring that the appropriate steps are taken to protect the data and that respective policies and guidelines are being properly implemented. Data Stewards may delegate the implementation of university policies and guidelines to professionally trained campus or departmental IT custodians.
Data stewardship is the formalization of accountability for the management of the University’s data.
A data structure used in a public key system to bind a particular, authenticated individual to a particular public key.
The subset of Data (as defined above) that is transmitted by, or maintained or made available in, electronic media.
A digital signature is a type of electronic signature, which cannot be forged. A digital signature provides verification to the recipient that the file came from the user or entity identified as the sender, and that it has not been altered since it was signed.
Disaster Recovery Plan (DRP)
A written plan for processing critical IT applications in the event of a major hardware or software failure or destruction of facilities. Such plans are designed to restore operability of the target system, application, or computer facility at an alternate site after an emergency.
A department that processes online Web credit card payments or uses equipment that has an external facing IP address.
See also: Non-eCommerce Merchant
Any of the following: a) Electronic storage media including storage devices in computers (hard drives, memory) and any removable/transportable digital storage medium, such as magnetic tape or disk, optical disk, or digital memory card; or b) Transmission media used to exchange information already in electronic storage media. Transmission media include, for example, the internet (wide-open), extranet (using internet technology to link a business with information accessible only to collaborating parties), leased lines, dial-up lines, private networks, intranet, and the physical movement of removable/transportable electronic storage media.
Electronic Mail (e-mail)
Any message, image, form, attachment, data, or other communication sent, received, or stored within an electronic mail system.
Electronic Mail System
Any computer software application that allows electronic mail to be communicated from one computing system to another.
When an unauthorized immediate response to imminent critical system failure is needed to prevent widespread service disruption.
The process of converting data into a cipher or code in order to prevent unauthorized access. Encryption obfuscates data in such a manner that a specific algorithm and key are required to interpret the cipher or code. The keys are binary values that may be interpretable as the codes for text strings, or they may be arbitrary numbers. The purpose of encryption is to prevent unauthorized access to data while it is either in storage or being transmitted.
See also: File-level encryption, Recoverability, Whole-disk encryption
Azusa Pacific University
Data decryption keys held in trust by a third party to be turned over to the user only upon fulfillment of specific authentication conditions.
Executive Compliance Committee
A committee, chaired by the President of the university and composed of other executive level members of the faculty and staff, charged with oversight of the university’s institutional compliance program.
A technique where individual files or directories are encrypted by the computer's file system itself. Unlike whole-disk encryption, file-level encryption generally does not encrypt file metadata (e.g., the directory structure, file names, modification timestamps or sizes).
See also: Encryption, Whole-disk encryption
Fixed media devices are distinguished from those in which the data is stored on a cartridge, disk, or other material that is removable and interchangeable. Hard drives are typically fixed media, with platters sealed inside the drive chassis.
Handling data relates to when users access, manipulate, change, transfer, or delete data.
Hardware Security Module (HSM)
A hardware-based security device that generates, stores and protects cryptographic keys. It provides the foundation for a high-level secure campus certification authority.
Information Security Officer (ISO)
Responsible to the Chief Technology Officer (CTO) for administering the information security functions within the university. The ISO is the university’s internal and external point of contact and internal resource for all information security matters. The ISO leads the Computer Incident Response Team when security incidents occur and reports to the CTO. If an ISO is not designated, the CTO serves in this capacity.
An interconnected set of information resources under the same direct management control that shares common functionality. An Information System normally includes hardware, software, information, data, applications, communications and people.
Information Technology Resources
Any and all computer printouts, online display devices, mass storage media, and all computer-related activities involving any device capable of receiving e-mail, browsing web sites, or otherwise capable of receiving, storing, managing, or transmitting data including, but not limited to, mainframes, servers, personal computers, notebook computers, hand-held computers, PDAs, pagers, distributed processing systems, network attached and computer controlled medical and laboratory equipment (that is, embedded technology), telecommunication resources, network environments, telephones, fax machines, printers, and service bureaus. Additionally, it is the procedures, equipment, facilities, software, and data that are designed, built, operated, and maintained to create, collect, record, process, store, retrieve, display, and transmit information.
Information Technology Resources Facilities
Any location that houses information technology resource equipment (includes servers, hubs, switches, and routers). Facilities are usually dedicated rooms or mechanical/wiring closets in the buildings.
The accuracy and completeness of information and assets and the authenticity of transactions.
A global system interconnecting computers and computer networks. The computers and networks are owned separately by a host of organizations, government agencies, companies, and colleges.
Intrusion Detection Systems (IDS)
A device that monitors and analyzes network traffic. An IDS can be used legitimately or illegitimately to capture data being transmitted on a network. Specific signatures or promiscuous sniffing are available options for IDS monitoring.
Key Encrypting Keys
Keys used to encrypt other keys using symmetric key algorithms. Key encryption keys are also known as key wrapping keys.
The activities involving the handling of encryption keys and other related security parameters (e.g., passwords) during the entire life cycle of the encryption keys, including their generation, storage, establishment, entry and output, and destruction.
Key Management Infrastructure
The framework and services that provide for the generation, production, distribution, control, accounting, and destruction of all cryptographic material, including symmetric keys, as well as public keys and public key certificates. It includes all elements (hardware, software, other equipment, and documentation); facilities; personnel; procedures; standards; and information products that form the system that distributes, manages, and supports the delivery of cryptographic products and services to end users.
Controls the generation, storage and distribution of cryptographic keys.
The interception of data on the university network by ISO and other IMT representatives, in accordance with local law and after following due process and receiving proper authorization from the appropriate authorities.
The person engaged in the conduct of Research with primary responsibility for stewardship of Research Data on behalf of an Entity.
Local Area Network (LAN)
A data communications network spanning a limited geographical area, a few miles at most. It provides communication between computers and peripherals at relatively high data rates and relatively low error rates.
Malware, short for malicious (or malevolent) software, is software used or created by attackers to disrupt computer operation, gather sensitive information, or gain access to private computer systems. It can appear in the form of code, scripts, active content, and other software. 'Malware' is a general term used to refer to a variety of forms of hostile or intrusive software.
Keys used to derive other symmetric keys (e.g., data encryption keys, key encrypting keys) using symmetric cryptographic methods.
University unit that accepts credit card payment for goods, services, or gifts.
See also: eCommerce Merchant, Non-eCommerce Merchant
The credit card account number assigned by the credit card processor to permit credit card payment processing.
Mission Critical Information Resources
Information Resources defined by an institution of higher education or state agency to be essential to the Entity’s function and which if made unavailable will inflict substantial harm to the Entity and the Entity’s ability to meet its instructional, research, patient care, or public service missions. Mission Critical Information Resources include Confidential Data and Sensitive Data.
All associated equipment and media creating electronic transmission between any information resource(s), such as wired, optical, wireless, IP, synchronous serial, telephony, etc.
The sequence of packets between given source and destination endpoints.
Network Operations Center (NOC)
Monitors the health of critical services and provides the central coordination of data services for campus.
Network manager or analyst; the holder of network configuration data, the agent charged with implementing the network controls and services specified by the owner or the university. This custodian is responsible for the transfer of information. These custodians, including entities providing outsourced information resources services to the university, must:
Implement the network controls specified by the owner or the university.
Provide physical and procedural safeguards for the network infrastructure.
Assist owners in evaluating the cost-effectiveness of controls and monitoring.
Implement the monitoring techniques and procedures for detecting, reporting, and investigating or troubleshooting network incidents.
A department that processes credit card payments with equipment that does not utilize an external facing IP address, such as point-of-sale terminals, cash registers and other types of equipment.
Based on data criticality, offsite storage should be in a geographically different location from the campus and a location that does not share the same disaster threat event. Based on an assessment of the data backed up, removing the backup media from the building and storing it in another secured location on the campus may be required.
The authoritative head of the respective college, school, or unit. The owner is responsible for the function that is supported by the resource or for carrying out the program that uses the resources. The owner of a collection of information is the person responsible for the business results of that system or the business use of the information. Where appropriate, ownership may be shared by managers of different departments. The owner or his designated representatives are responsible for and authorized to:
Approve access and formally assign custody of an information resources asset.
Determine the asset's value.
Specify and establish data control requirements that provide security, and convey them to users and custodians.
Specify appropriate controls, based on risk assessment, to protect the state's information resources from unauthorized modification, deletion, or disclosure. Controls shall extend to information resources outsourced by the university.
Confirm that controls are in place to ensure the accuracy, authenticity, and integrity of data.
Confirm compliance with applicable controls.
Assign custody of information resources assets and provide appropriate authority to implement security controls and procedures.
Review access lists based on documented security risk management decisions.
An electronic unit of data that is routed between an origin and a destination on a network.
The part of the packet containing user data and other data or information used by applications.
The part of the packet that contains protocol, source address, destination address, and other controlling information (including tunneling information).
A string of characters used to verify or "authenticate" a person's identity.
See also: Strong Passwords
Personal Identifying Information (PII)
Information that can be used to uniquely identify, contact, or locate a single person or can be used with other sources to uniquely identify a single individual.
See also: Strong Passwords
Physical Security Controls
Devices and means to control physical access to sensitive information and to protect the availability of the information. Examples are physical access systems (fences, mantraps, guards); physical intrusion detection systems (motion detector, alarm system); and physical protection systems (sprinklers, backup generator).
Pop-up Messages or Ads
Unsolicited advertising that "pops up" in its own browser window. Adware programs can overrun a computer with pop-up ads or messages. If you are receiving a huge amount of pop-ups in your online sessions, your computer may be infected with adware, spyware or a virus.
Portable Computing Devices
Any easily portable device that is capable of receiving and/or transmitting data. These include, but are not limited to, notebook computers, handheld computers, PDAs (personal digital assistants), pagers, and cell phones.
The secret key of a signature key pair used to create a digital signature and/or to decrypt confidential information.
Mode of operation in which every data packet transmitted is received and read by every network adapter. Promiscuous mode is often used to monitor network activity.
The publicly available key of a signature key pair used to validate a digital signature and/or to encrypt confidential information.
Ransomware (also referred to in some cases as cryptoviruses, cryptotrojans, cryptoworms or scareware) comprises a class of malware which restricts access to the computer system that it infects, and demands a ransom paid to the creator of the malware in order for the restriction to be removed. Some forms of ransomware encrypt files on the system's hard drive, while some may simply lock the system and display messages intended to coax the user into paying.
A capability provided to a user or a department in the event access to encrypted data is required but the normal decryption capability is not available (e.g., a pass phrase is forgotten, a user is no longer affiliated with the university, etc.). Services escrowing the encryption keys are capable of providing such a recovery function. Recoverability may be less essential to some users encrypting data if an original copy is stored on a central file server with reliable backup procedures in place.
See also: Encryption
Removable media devices permit data to be stored on media that is removable and interchangeable. CDs, DVDs, flash memory, and floppy disks are examples of removable media.
Systematic investigation designed to develop and contribute to knowledge and may include all stages of development, testing and evaluation.
Formal notification received, reviewed, and approved by the review process in advance of the change being made.
The person charged with monitoring and implementing security controls and procedures for a system. Whereas the university will have one Information Security Officer, technical management may designate a number of security administrators.
In information operations, an assessed event of attempted entry, unauthorized entry, or an information attack on an automated information system. It includes unauthorized probing and browsing; disruption or denial of service; altered or destroyed input, processing, storage, or output of information; or changes to information system hardware, firmware, or software characteristics with or without the users' knowledge, instruction, or intent.
Information maintained by the university that requires special precautions to protect it from unauthorized modification or deletion. Sensitive information may be either public or confidential. It is information that requires a higher than normal assurance of accuracy and completeness. The controlling factor for sensitive information is that of integrity.
Any computer providing a service over the network. Services include, but are not limited to: Web site publishing, SSH, chat, printing, wireless access, and file sharing.
The interception of data packets traversing a network.
Spyware refers to a software program that slips into your computer without your consent to track your online activity. These programs tend to piggyback on another software program. When the user downloads and installs the software, the spyware is also installed without the user's knowledge. There are different forms of spyware that track different types of activity. Some programs monitor what Web sites you visit, while others record keystrokes to steal personal information, such as credit card numbers, bank account information or passwords.
What to do: Consider the reliability of the site offering the software download. Be careful if a download prompts you to accept the installation of additional software. Scan the fine print before downloading. If you see anything that refers to monitoring browsing sessions or collecting information, consider this your "red flag" that you may be installing spyware.
See also: Adware
A strong password is constructed so that it cannot be easily guessed by another user or a "hacker" program. It is typically a minimum number of positions in length and contains a combination of alphabetic, numeric, or special characters.
See also: Password
An individual who is the subject or entity designee named or identified in a certificate issued to that individual and possesses a private key, which corresponds to the public key listed in the certificate.
Cryptography in which the same key is used to both encrypt and decrypt the message. Requires a separate secure channel to exchange keys.
Any device capable of receiving e-mail, browsing web sites, or otherwise capable of receiving, storing, managing, or transmitting data including, but not limited to, mainframes, servers, personal computers, notebook computers, hand-held computers, PDAs, pagers, distributed processing systems, network attached and computer controlled medical and laboratory equipment (that is, embedded technology), telecommunication resources, network environments, telephones, fax machines, printers and service bureaus.
Person responsible for the effective operation and maintenance of Information Technology Resources, including implementation of standard procedures and controls, to enforce the university’s security policy.
System Development Life Cycle (SDLC)
The scope of activities associated with a system, encompassing the system's initiation, development and acquisition, implementation, operation and maintenance, and ultimately its disposal.
System Security Plan
Provides a baseline of a system's security. A comprehensive system security plan describes the security controls that are in use, or planned for use, to protect all aspects of the system. Security plans are supported by security policy and can be essential tools that identify weaknesses in the system and document what controls will be added to combat the weaknesses.
Destructive programs--usually viruses or worms--that are hidden in an attractive or innocent-looking piece of software, such as a game or graphics program. Victims may receive a Trojan horse program by e-mail or on a diskette or CD, often from another unknowing victim, or may be urged to download a file from a web site or bulletin board.
See also: Pop-up Messages or Ads, Spyware
The intentional or unintentional revealing of restricted information to people who do not have a legitimate need to access that information.
Failure to present notification through the review process in advance of the change being made. Unscheduled changes will only be acceptable in the event of a system failure or the discovery of a security vulnerability.
An individual, automated application or process that is authorized by the owner to access the resource, in accordance with the owner's procedures and rules. Has the responsibility to (1) use the resource only for the purpose specified by the owner, (2) comply with controls established by the owner, and (3) prevent disclosure of confidential or sensitive information. The user is any person who has been authorized by the owner of the information to read, enter, or update that information. The user is the single most effective control for providing adequate security.
Any person or company that sells goods or services involving information technology resources to Azusa Pacific University.
A program that attaches itself to an executable file or vulnerable application and delivers a payload that ranges from annoying to extremely destructive. A file virus executes when an infected file is accessed. A macro virus infects the executable code embedded in Microsoft Office programs that allows users to generate macros.
A document on the World Wide Web. Every Web page is identified by a unique URL.
A computer that delivers (serves up) Web pages.
A location on the World Wide Web, accessed by entering its address (URL) into a Web browser. A Web site always includes a home page and may contain additional documents or pages.
A technique where software or hardware encrypts every bit of data that is stored on a disk (e.g., everything on the hard drive including the operating system).
See also: Encryption, File-level encryption
World Wide Web
Also referred to as “the Web.” A system of Internet hosts that supports documents formatted in HTML, which contain links to other documents (hyperlinks) and to audio, video, and graphic images. Users can access the Web with special applications called browsers, such as Netscape Navigator and Microsoft Internet Explorer.
A program that makes copies of itself elsewhere in a computing system. These copies may be created on the same computer or may be sent over networks to other computers. The first use of the term described a program that copied itself benignly around a network, using otherwise-unused resources on networked machines to perform distributed computation. Some worms are security threats, using networks to spread themselves against the wishes of the system owners and disrupting networks by overloading them. A worm is similar to a virus in that it makes copies of itself, but different in that it does not attach to particular files or sectors.
See also: Pop-up Messages or Ads, Spyware