Information Security

Glossary

AAT
Stands for the Association of Accounting Technicians. Membership entitles those who have completed the examinations and obtained relevant supervised work experience to call themselves associate accounting technicians.

Affiliation
The definition of an individual's relationship to the University, such as student, faculty, or staff

Alias
A term used by telecommunications professionals to describe two directory numbers going to a single voicemail box.

Anti-virus Software
Software that detects or prevents malicious software.

Application
A software program designed to perform a specific function for a user. Applications include, but are not limited to, word processors, database programs, development tools, image editing programs, and communication programs.

Authentication
The process of confirming that a known individual is correctly associated with a given electronic credential; for example, by use of passwords to confirm correct association with a user or account name (is a term that is also used to verify the identity of network nodes, programs, or messages).

Authorized
The process of determining whether or not an identified individual or class has been granted access rights to an information assets, determining what type of access is allowed; e.g., read-only, create, delete, and/or modify.

Availability
Ensuring that information assets are available and ready for use when they are needed.

Biometric Devices
An instrument intended to validate the identity of an individual through comparison of a demonstrated intrinsic physical or behavioral trait with a record of the same information previously captured.  For example; fingerprint, retina scan, voice recognition.

Bit9
An application white listing program protects desktop computers by comparing any request to install software against a list of known good applications.

Blogger
The Google Apps blog creation program

Business Continuity Planning
See  CSU BCP Executive Order.

CAB
Change Action Board (CAB) that oversees major technology changes that impact campus services.

Campus Limited Access Area
Physical area such as a human resource office, data center, or Network Operations Center (NOC) that has a defined security perimeter that has a card controlled entry door or a staffed reception desk.

Campus Managers
Responsible for (1) specifying and monitoring the integrity and security of information assets and the use of those assets within their areas of program responsibility and (2) ensuring that program staff and other users of the information asset are informed of and carry out information security and privacy responsibilities.

Catastrophic Event
An event that causes substantial harm or damage to significant CSU information assets. For example: earthquake, fire, extended power outage, equipment failure, or a significant computer virus outbreak.

Central Web
The official, public CSU, Chico Website at www.csuchico.edu

CFS
PeopleSoft CFS is the financial application element of the Common Management System implemented by the CSU to manage University financial systems

CMS
Common Management Systems (CMS) is a mandated CSU initiative to improve services through integrated administrative systems for human resources, financials and student information.

Computer Security Incident Response Team (CSIRT)
The name given to the team that handles security incidents.

Confidentiality
Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information [44 U.S.C, SEC. 3542].

Control
Countermeasures (administrative, physical, and technical) used to manage risks.

Conversation
The term used by GMail to describe a series of e-mails with the same subject line between two or more individuals

Critical Asset
An asset that is so important to the campus that its loss or unavailability is unacceptable.

CSU Network
Any CSU administratively controlled communications network that is within the CSU managed physical space.  Such networks may interconnect with other networks or contain sub networks.

Dashboard
A set of predefined, interactive reports in  OBI.

Data Dictionary
A centralized store of information about data such as its meaning, relationships to other data, origin, usage, and format.

Data
Individual facts, statistics, or items of information represented in either electronic or non-electronic forms.

Data Center
A facility used to house information processing or telecommunications equipment that handle protected or critical information assets.

Data Marts
A data mart is a subset of a data warehouse that is intended for use by a specific team or line-of-business unit. CSU, Chico data marts contain subject areas, dashboards, and reports pertaining to a specific subset of data.

Data Owner
Person identified by law, contract, or policy with responsibility for granting access to and ensuring appropriate controls are in place to protect information assets.  The duties include but are not limited to classifying, defining controls, authorizing access, monitoring compliance with CSU/campus security policies and standards, and identifying the level of acceptable risk for the information asset.  A Data Owner is usually a member of management, in charge of a specific business unit, and is ultimately responsible for the protection and use of information within that unit.

Data Steward
(also known as “Data Custodian”) An individual who is responsible for the maintenance and protection of the data.  The duties include but are not limited to performing regular backups of the data, implementing security mechanisms, periodically validating the integrity of the data, restoring data from backup media, and fulfilling the requirements specified in CSU campus security policies and standards.

DMZ
DMZ (De-Militarized Zone) is a set of one or more information assets logically located outside of a protected network that is accessible from the Internet (open to the world) with limited controlled data exchanges with the protected environment.

DNS
The Domain Name System (DNS) is the naming system for computers, services, and other resources connected to the Internet or a private network. Most importantly, it translates domain names meaningful to humans into the numerical identifiers associated with networking equipment for the purpose of locating and addressing these devices worldwide.

DPR
The Degree Progress Report for Students is a comprehensive academic audit that matches a student’s academic history with his/her degree requirements. It can be accessed through Faculty Center and Student Center.

Dreamweaver
An application published by Adobe Systems that can be used to generate web pages

Electronic Media
Electronic or optical data storage media or devices that include, but are not limited to, the following: magnetic disks, CDs, DVDs, flash drives, memory sticks, and tapes.

Encryption
The process of encoding data so that it can be read only by the sender and the intended recipient.  Encryption is the standard approach to protecting confidential information from unauthorized viewing by humans or computers.

Encrypted Protocol
An agreed to secure means of data transmission over a network (wired or wireless).

Excessive Authority
Assignment of a single individual to overlapping administrative or management job functions for a critical information asset without appropriate compensating controls such as added reviews or logging.

FERPA
The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects the privacy of student education records. The law applies to all schools receiving public funds under an applicable program of the US Department of Education.

Firewall
A firewall is a hardware or software network security device that sits between two networks - one of which is usually the Internet - to control what information is allowed to pass between those networks.

Free/busy time
Your free/busy time shows people if you are available when they invite you to a meeting. They can't see what you are doing, only whether you are free or busy.

Global Address List
A list of all CSU, Chico e-mail addresses on the mail system.

Gmail
Google's web-based e-mail system, adopted campus-wide at CSU, Chico.

Google Apps
CSU, Chico uses and supports a number of Google applications, or Apps: GMail, Google Calendar, Google Groups, Google Docs, Blogger, and Google Sites. All are accessible through the GMail interface.

Google Apps Sync
A plug-in for Microsoft Outlook that allows you to access your   Google Apps mail, calendar, and contacts from within Outlook.

Google Docs
An online tool to create and share work online. Part of   Google Apps.

Google Groups
The   Google Apps  implementation of a mailing list enables users to establish lists of recipients for different types of communications with different access/privacy levels.

Google Sites
A   Google Apps  program that can be used to generate small personal websites. May not be used to generate CSU Chico instructional sites.

Hardening
A defensive strategy to protect against attacks by removing vulnerable and unnecessary services, patching security holes, and securing access controls.

Hardware
Physical devices including, but is not limited to, portable and non-portable workstations, laptops, servers, copiers, printers, faxes, and PDAs.

HCM
Human Capital Management is the PeopleSoft application used by CSU, Chico as part of the Common Management System to manage personnel and other human resources-related functions.

ICA
Short for Independent Computing Architecture, ICA is a protocol designed specifically for transmitting Windows graphical display data as well as keyboard and mouse input over a network. It's used by Citrix in the program you download to your local PC in order to access  VLab.

Identity registry
The system that reconciles and maintains information about people and their relationship to the University and makes this information available to other systems.

IdM
Identity and access management - the management of individual identifiers, their authentication, authorization, and privileges with or across system and enterprise boundaries. The goal is to increase security and productivity while decreasing cost, downtime, and repetitive tasks.

Information Assets
Information systems, data, and network resources to include automated files and databases.

Information Security Program
An organizational effort that includes, but is not limited: to security policies, standards, procedures, and guidelines plus administrative, physical, and technical controls. The effort may be implemented in either a centralized or a decentralized manner.

Information Systems
A combination of hardware, network and other resources that are used to support applications and/or to process, transmit and store data.

Integrity
Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.  [44 U.S.C., SEC. 3542]

Instance Management
Instance management is the term used by PeopleSoft applications to describe the different databases available to the system and their use, enabling users to choose the most appropriate database for their requirements.

IP
The Internet Protocol (IP) is the principal communications protocol used for relaying information across the Internet. To enable information to reach its destination, every computer connected to the Internet has a unique IP address.

ITC
An ITC, or Information Technology Consultant, is a member of the IT Services department with responsibility for a specific department.

ITSS
Information Technology Support Services is the over-arching name for the Desktop Management, Help Desk, and Technology Shop teams.  They are located in MLIB 142 and can be reached at 898-4357.

Key Advisor
Each department has a Key Advisor, who is the department's primary point of contact for Telecommunication & Network Service needs (phone and network). This person is authorized to make additions, changes, and deletions to these services for your department. If your Key Advisor is unavailable and you have an urgent need, please obtain authorization from your Department Dean, Chair or Director.

Label
Similar to tagging in social networks, a label is the function you use in  Gmail to categorize a message. Unlike folder storage, messages can have multiple tags.

Least Privilege
A concept of information security by which users and their associated applications execute with the minimum amount of access required to perform their assigned duty or task.

Level 1 Protected Data
Level 1 data, sometimes also referred to as Level 1 protected data, is confidential information that is in most cases protected by statutes, regulations, or other legal mandates. Level 1 data includes  PII (social security numbers, credit card numbers, driver’s license numbers, etc) as well as medical records, passwords, and sealed bids.

Level 2  Private Data
Level 2 data is information which could raise ethical or other privacy concerns if shared with individuals or entities that do not have the legal right to require sight of such information. Examples include  FERPA protected student grade data and disciplinary action records, as well as employee personal information such as home address and telephone number.

Level 3 Public Data
This information is regarded as publicly available. These data values are either explicitly defined as public information (e.g. state employee salary ranges, intended to be readily available to individuals both on- and off- campus (e.g., an employee's work e-mail addresses), or not specifically classified elsewhere in the protected data classification standard.
Publicly available data may still subject to appropriate campus review or disclosure procedures to mitigate potential risks of inappropriate disclosure.


Logical Access
The connection of one device or system to another through the use of software.

Lockout Time
The amount of time for which logins to an account are disabled.  Usually invoked once a threshold of invalid login attempts has been reached

Malicious Software
Software designed to damage or disrupts information assets.

Malware
Short for malicious software, malware is a generic term for any type of software designed to do damage to or otherwise adversely affect the integrity of a computer system and/or the data stored on that system

Mobile Devices
Devices containing electronic CSU data which are easily transported. Such devices include, but are not limited to: laptop computers, personal digital assistants (PDAs), and “smart” phones.

MySQL
MySQL is a commonly-used database system that's often combined for web use with the widely-used PHP scripting language.

Network Address Translation (NAT)
Network Address Translation (NAT) is usually implemented to enable multiple hosts on a private network to access the Internet using a single public  IPaddress. It can pose significant security risks and so systems running NAT are not permitted to connect to the HSU wireless network.

Network Resources
Resources that include, but are not limited to: network devices (such as routers and switches), communication links, and network bandwidth.

Nolij
Nolij is a data management system that enables PeopleSoft users to save time and improve efficiency by automating manual business processes.

Non-public
A service or information intended only for the internal use of the organization.

Notice-triggering Information
Specific items of personal information identified in California Civil Code Sections 1798.29 and 1798.3.

OBI
OBI, or Oracle Business Intelligence, is the reporting and analysis tool used to extract information from the PeopleSoft databases.

Operating System
Software that is primarily or entirely concerned with controlling a computer and its associated hardware, rather than with processing work for users.

P2P
The P2P (peer-to-peer) application structure was popularized by file sharing systems like Napster. In P2P networks, peers are both suppliers and consumers of resources, unlike the traditional client–server model where only servers supply (send) and clients consume (receive).

Patch (Patching)
The installation of a software update designed to fix problems, improve usability, or enhance performance.

Peer-to-Peer
The peer-to-peer (P2P) application structure was popularized by file sharing systems like Napster. In P2P networks, peers are both suppliers and consumers of resources, unlike the traditional client–server model where only servers supply (send), and clients consume (receive).

Personally Identifiable Information
Any information that identifies or describes an individual, including, but not limited to name, Social Security number, physical description, address, phone number, financial matters, medical or employment history (California Information Practices Act).

Phishing
Sometimes referred to as social engineering, phishing is an attempt to get computer users to provide valuable information, particularly user names and passwords, by providing a convincing-looking but false context such as a recreation of a bank's login page or email.

Physical Access
Being able to physically touch, use, and interact with information systems and network devices.

PII
PII, or Personally Identifiable Information, is information about an individual that can be used to facilitate identity theft. It includes social security numbers, driver’s license numbers, and credit card numbers. The CSU has classified PII as  Level 1 Data.

Policy Key
The Policy Key is a small piece of software installed on end user computers as part of our Network Access Control system. Its role is to ensure that those computers meet CSU, Chico security requirements whenever they connect to the Internet using the CSU, Chico wireless network or  ResNet.

Primary Calendar
In   Google Apps, your primary calendar is the one created by default. By default, it's your CSU Chico e-mail address.

Protected Asset
Information asset containing protected data.

Protected Data
Level 1 and  Level 2 data which are defined in the CSU Data Classification Standard. This data has been categorized according to its risk to loss or harm from disclosure.

Project Sponsor
The Project Sponsor defines the project objectives, has the authority to commit financial and human resources, and evaluates the results.

Proxy
Proxy systems were developed in the early days of distributed systems as a way to simplify and control complexity. Today, most proxies are used to filter and manage access to content on the World Wide Web.

Public Information
Any information prepared, owned, used or retained by a campus and not specifically exempt from disclosure requirements of the California Public Records Act (Government Code Sections 6250-6265) or other applicable state or federal laws.

RDP
Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft, which provides a user with a graphical interface to another computer. Clients exist for most versions of Microsoft Windows (including Windows Mobile), Linux, Unix, Mac OS X, and Android.

Reformat
Deleting the partition and creating a new partition or using “Ghost” or another sector-based imaging program.

Remote Access
Any connection from an external, non-campus network to any campus information system, data, or network resource.

ResNet
The network in the halls of residence, which is separate from the campus business network. There is also a ResNet wireless network. More details on the ResNet website at http://www.csuchico.edu/resnet.

RFB
RFB (remote frame buffer) is a simple protocol for remote access to graphical user interfaces. It can be used with any windowing system or application, including Windows and Macintosh.

Risk
The likelihood of a given threat exercising a particular potential vulnerability, and the resulting impact of that adverse event on an organization.

Risk Assessment
A process by which quantitatively and/or qualitatively, risks are identified and the impacts of those risks are determined. The initial step of risk management.

Risk Management
A structured process which identifies risks, prioritizes them, and then manages them to appropriate and reasonable levels.

Risk Mitigation
Reduce the adverse effect of an event by reducing the probability of the event occurring and/or limiting the impact of the event if it does occur

Security Awareness
Awareness of security and controls, in non-technical terms, conveyed to motivate and educate users about important security protections that they can either directly control or be subjected to.

Secure Destruction
Removing drive media from enclosures and utilizing the campus-approved secure destruction contract

Security Incident
An event that results in any of the following:
Unauthorized access or modification to the CSU information assets. An intentional denial of authorized access to the CSU information assets. Inappropriate use of the CSU’s information systems or network resources. The attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations.

Secure Location
A room or other enclosed space with controlled access or a locked cabinet

Security Training
Specific technical understanding of how to secure the confidentiality, integrity and availability of applications, operating systems and information assets to prevent or detect security incidents

System Administrator  (also known as “System Personnel” or “Service Providers”)
Individuals, who manage, operate, support campus information systems; or manage networks.

SFTP
Secure File Transfer Protocol is a way to transfer a file over an Internet connection directly from one computer to another that's safer and more secure than attaching it to an e-mail message. It's particularly appropriate for large files and for executable program files that CSU, Chico does not permit to be sent via e-mail.

Smart Classrooms
Smart Classrooms are classrooms equipped with a wide range of instructional technologies to enhance students' learning experience.

Sponsor
In the context of the voicemail system, a privilege level that permits the recording of call processor messages. In the context of an ITS project, the name of the individual authorizing the submission of the project proposal.

Third Parties
For the purposes of the CSU Security Program, third parties include, but are not limited to, contractors, service providers, vendors, and those with special contractual agreements or proposals of understanding.

Threat
A person or agent that can cause harm to an organization or its resources. The agent may include other individuals or software (e.g. worms, viruses) acting on behalf of the original attacker.

Turning Point
Turning Point is the system, distributed by Turning Technology, that's used in Smart Classrooms to incorporate interactivity into instructional sessions. Each installation comprises a receiver and hand-held devices ('clickers').

User
Anyone or any system which accesses the CSU information assets. Individuals who need and use University data as part of their assigned duties or in fulfillment of assigned roles or functions within the University community. Individuals who are given access to sensitive data have a position of special trust and as such are responsible for protecting the security and integrity of those data.

Virus
Often used interchangeably with malware, a virus is a piece of software designed to do damage to or otherwise adversely affect the integrity of a computer system and/or the data stored on that system. Strictly-speaking a virus, unlike other types of malware, can spread of its own accord without requiring human intervention.

VLab
The CSU, Chico VLab (Virtual Lab) is an online service that enables students, staff, and faculty to access on-campus software when they're away from campus or can't get access to a physical lab when they need it.

VNC
Virtual Network Computing (VNC) is a graphical desktop sharing system that uses the RFB (remote frame buffer) protocol to remotely control another computer. It transmits the keyboard and mouse events from one computer to another, relaying the graphical screen updates back in the other direction, over a network.

VPN
A virtual private network (VPN) enables users to privately and securely share information between remote locations, or between a remote location and an organization's internal network.

Vulnerability
A flaw within an environment which can be exploited to cause harm.

Wiping
Use of a NIST or DoD 53330.22M approved method such as three-pass wipes, DBAN, degaussing to NIST standards, or firmware-based purge.

WPA2
WPA2 is the primary encryption standard used for wireless communications; it requires testing and certification by the Wi-Fi Alliance. Since March 13, 2006, WPA2 certification has been mandatory for any new device to bear the Wi-Fi trademark

802.11
Is essentially the technical term for wi-fi.  It is a set of standards that govern wireless networking transmission methods used to provide wireless connectivity in the home, office and some commercial establishments.