Standards Lexicon

The table below provides definitions for terms used in the Information Security Standards, including any draft standards. We will update these definitions as needed.

Term

Definition

Standard(s)

Academic/Business Continuity The ability of an organization to respond to the impact of a disaster and continue to provide a minimum acceptable level of processes/functions in the immediate aftermath of the disaster and thereafter return conditions to a level that is acceptable to the organization. Academic/Business Continuity and Disaster Recovery
Academic/Business Continuity Plan The management-approved document that defines the resources and actions required to manage the process/function recovery effort. Academic/Business Continuity and Disaster Recovery
Academic/Business Continuity System

Web-based software used to create, manage and distribute academic/business continuity and disaster recovery plans. The software houses information related to processes/functions including:

  • Sites, personnel and resources that support the process/function.
  • Resources and actions required to manage the recovery effort
Academic/Business Continuity and Disaster Recovery
Access Control Controls provide reasonable assurance that physical access to the data center and the information technology systems infrastructure is limited to authorized individuals. Data Center
Account A combination of a unique username and password or other authentication combination, which allows a user to authenticate to a system or service and be granted authorization to access them. Account Management
Administrative Access (server and services) The use, interactive or automated, of an account that has the ability to read, write, or execute files or directories that can affect all other users. Servers, Server-based Applications and Databases
Administrative Account An account with full privileges that has as its primary purpose the administration of an RIT information resource. Account Management
Alternate site An alternative operating location to be used to continue academic/business processes/functions or recovery/restoration when the primary facilities are inaccessible. Academic/Business Continuity and Disaster Recovery
Approved Encryption Methods Any encryption method evaluated and approved for use by the Information Security Office, as listed on the Information Security Web site. Network
Authoritative Source The information source with the highest level of information verification or data integrity. Servers, Server-based Applications and Databases
Authorized User Anyone who has been granted permission to read or access a given set of data or system. This may or may not entail the modification of the data or system. Desktop and Portable Computers
Central Identity and Account Management A centralized organization with responsibility for identity, authentication and authorization services. Account Management
Common Vulnerability Scoring System (CVSS) An industry standard for assessing the severity of computer system security vulnerabilities. It is structured on a 10 point scale, where 0-3.9 is a low score, 4-6.9 is a medium score, and 7-10 is a high score. Servers, Server-based Applications and Databases
Confidential

A classification for information that is restricted on a need to know basis, that, because of legal, contractual, ethical, or other constraints, may not be accessed or communicated without specific authorization. Confidential information includes:

  • Educational records governed by the Family Educational Rights & Privacy Act (FERPA) that are not defined as directory information. Refer to the RIT Educational Records Policy D15.0.
  • University Identification Numbers (UIDs)
  • Employee and student health information as defined by the Health Insurance Portability and Accountability Act (HIPAA)
  • Alumni and donor information
  • Employee personnel records
  • Employee personal information including: home address and telephone number; personal e-mail addresses, usernames, or passwords; and parent’s surname prior to marriage
  • Management information, including communications or records of the Board of Trustees and senior administrators, designated as Confidential
  • Faculty research or writing before publication or during the intellectual property protection process. Refer to the RIT Intellectual Property Policy C3.0.
  • Third party information that RIT has agreed to hold confidential under a contract
Information Access and Protection, Solutions Life Cycle Management
Controls Depend on the system, its capabilities, and expected usage, as well as anticipated threats against the information. Information Security Policy
Core Network Equipment Any Network Device that is required for the functioning of the network backbone. Network
Corrective controls Range from recovery plans for handling isolated information safeguard failure incidents to business continuity plans. Information Security Policy
Critical Information or a process/function which if corrupted, lost, interrupted or made inaccessible during a disruption would pose a significant life, safety, financial, reputation or other risk to RIT. Academic/Business Continuity and Disaster Recovery
Critical Business Process Any process/function whose loss would severely impact the ability of RIT to provide essential services. Solutions Life Cycle Management
Detective controls Include network and information access monitoring, intrusion detection (host based or network based), and manual or automated review of security logs. Information Security Policy
Disaster An event that compromises an organization’s ability to provide critical processes/functions for some unacceptable period of time. Academic/Business Continuity and Disaster Recovery
Disaster Recovery The ability of an organization to restore information resources required to support a process/function. Academic/Business Continuity and Disaster Recovery
Disaster Recovery Plan The management-approved document that defines the resources and actions required to manage the information resources recovery effort that supports the broader process/function recovery effort. The Disaster Recovery Plan is a component of the overall Academic/Business Continuity Plan. Academic/Business Continuity and Disaster Recovery
Disruption An interruption to normal operations that compromises an organization’s ability to provide critical processes/functions for some unacceptable period of time. Academic/Business Continuity and Disaster Recovery
Encryption The conversion of data into a form, called a ciphertext, that cannot be easily understood by unauthorized people. Password protection does not equal encryption. RIT-approved encryption methods are listed at https://www.rit.edu/security/content/encryption-rit. Information Access and Protection
Event A change to the normal behavior of a system, environment, process, workflow or person that is suspected to be an incident. Computer Incident Handling Process
Form Spam The posting of unrelated comments or promoting commercial services to blogs, wikis, guestbooks, or other publicly accessible online discussion boards. Web
Generic Account An account that does not require specific information associated with a unique individual but instead accepts some nonspecific identification information to enable access. Account Management
Grid Computing A large system of networked computers whose collective processing power is used to solve difficult and time-consuming tasks. Servers, Server-based Applications and Databases
Host-based Intrusion Prevention System (HIPS) A security application which typically resides on an individual computer or system. Its main purpose is to monitor system activities, particularly those relating to network connections, for malicious or unwanted behavior and react in real time to block or prevent those compromises. Desktop and Portable Computers
Hypervisor A hypervisor is a platform that allows one or more VMs to use a single “host.” The hypervisor controls the host processor and resources and allocates what is needed to each VM. Servers, Server-based Applications and Databases
IDS/IPS Intrusion Detection System/Intrusion Prevention System Data Center
Inappropriate Use Use of RIT information resources in contravention of law or RIT policy. Computer Incident Handling Process
Information Any RIT knowledge, data or communication resident on Information Resources. Information may have many forms including, but not limited to, emails, documents, databases, photographs, stored audio or video. RIT and its users are responsible for information regardless of where it is stored. Academic/Business Continuity and Disaster Recovery, Information Access and Protection 
Information Resources

Include, but are not limited to:

  • RIT-owned or leased transmission lines, networks, wireless networks, servers, exchanges, Internet connections, terminals, applications, and computers.
  • Information owned by RIT or used by RIT under license or contract, in any form including but not limited to all types of electronic media, portable media, all electronic hardware, software, network, communications device or system and paper.
  • Personal computers, servers, wireless networks, mobile devices, and other devices not owned by RIT but intentionally connected to RIT-owned Information Resources.
Information Access and Protection, Solutions Life Cycle Management, Academic/Business Continuity and Disaster Recovery
Information Safeguards Administrative, technical, and physical controls that support the confidentiality, integrity, availability, and authenticity of information. Information Security Policy
Information systems and supporting infrastructure Information in its analog and digital forms and the software, network, computers, tokens, and storage devices that support the use of information. Information Security Policy
Interactive Login A login console which requires a user to interact locally with the system. An example of this is the Windows environment, where the user is required to press Control+Alt+Delete simultaneously. Servers, Server-based Applications and Databases
Internal A classification for information restricted to RIT faculty, staff, students, alumni, contractors, volunteers, and business associates for the conduct of University business. Examples include online building floor plans, specific library collections, etc. Information Access and Protection
IT Support Personnel Any individual or department engaged in official support of RIT Information Resources or RIT network users. Computer Incident Handling Process
Lifecycle Protection Information systems and supporting infrastructure have a lifecycle that begins with evaluation and selection, and advances through planning, development/ acquisition, and operations through to disposal or retirement. Information safeguards are needed at all phases of the lifecycle. Information Security Policy
Network Administrator Any individual who administers or deploys any Network Device that connects to the Institute network. A local administrator may be responsible for specific subnets and registered addresses. Network
Network Devices Any physical device that mediates transmitted data in some way, including but not limited to routing, switching, repeating and blocking. Network Devices include Storage Area Networks (SANs). Network
Non-Critical Information or process/function which if corrupted, lost, interrupted or made inaccessible during a disruption would pose a minimal risk to RIT. The information or process/function could be supplied through alternate means during the disruption or delayed until after the disruption. Academic/Business Continuity and Disaster Recovery
Passphrase A sequence of words or other text used to control access to a computer system, program or data. A passphrase is similar to a password in usage, but is generally longer for added security. Password/Passphrase
Patch Cluster A group of patches and/or vulnerability fixes that change the version of the operating system/service, e.g., a service pack or minor version update. Servers, Server-based Applications and Databases
Portable hard drive A portable hard drive is any disk drive that is plugged into an external port on a computer such as USB or FireWire. For laptops, the PC Card slot may be used to connect a cable to a full-size drive, or the hard disk may be contained entirely inside the PC Card. Portable Media
Preventive controls Include use of encryption, information integrity measures, security configuration, media reuse, use of anti-virus, and physical protection. Information Security Policy
Private

A classification for information that is confidential which could be used for identity theft and has additional requirements associated with its protection. Private information includes:

  • Social Security Numbers (SSNs), Taxpayer Identification Number (TIN), or other national identification number
  • Driver’s license numbers
  • Financial account information (bank account numbers (including checks), credit or debit card numbers, account numbers)
Information Access and Protection
Private Information A classification for information that is confidential which could be used for identity theft and has additional requirements associated with its protection. The Information Access and Protection Standard provides examples. Solutions Life Cycle Management
Privileged Access A computer access level that enables an individual to take actions which may affect computing systems, network communications, or the accounts, files, data, or processes of other users. Desktop and Portable Computers
Process/Function An organization’s purpose/mission and its collection of related, structured activities or tasks that produce a specific service or product (serve a particular goal) for a particular customer or customers to achieve that purpose. Processes/functions may include instruction, research, and business services (housing, food storage, etc.). Academic/Business Continuity and Disaster Recovery
Process/Function Owner The department/organization responsible for providing the process/function to the university. Academic/Business Continuity and Disaster Recovery
Public A classification for information that may be accessed or communicated by anyone without restriction. Information Access and Protection
Recovery Point Objective (RPO) The point in time to which you must recover data as defined by the process/function owner. It is also the minimum acceptable level of data loss (for example, 24 hours) should an outage occur. The RPO helps determine the appropriate IT back-up schedule for applications. Academic/Business Continuity and Disaster Recovery
Recovery Time Objective (RTO) The period of time within which systems, applications, or processes/functions must be recovered after an outage (for example, one business day). RTOs are often used as the basis for the development of recovery strategies, and as a determinant as to whether or not to implement the recovery strategies during a disaster situation. Academic/Business Continuity and Disaster Recovery
RIT Authentication Services RIT Authentication Services are the centralized services that verify the digital identity of a user by examining the user’s credentials. Common credentials include user name and password. User credentials permitting access to RIT networks must be treated as RIT Confidential Information. Web
RIT Confidential or Operationally Critical Information Definitions for RIT Confidential and RIT Operationally Critical Information are found in the Information Access and Protection Standard. Web
RIT Record The original or copy of any record (paper or electronic), which is either an Active Record, Archival Record, or which must be held for official business or regulatory purposes in accordance with the Records Retention Schedule. Official repositories for these records are contained in Records Management Policy. RIT Record does not include records which are not created in the official course of business, serve no legitimate or necessary business purpose, or are created for personal purposes only. Academic/Business Continuity and Disaster Recovery
RIT Web Infrastructure The hardware and software that supports websites with rit.edu in the URL including third party RIT information resources. Web
SAN A storage area network (SAN) is a network that interconnects different kinds of data storage devices with associated data servers.
Security Incident

An event involving inappropriate use, abuse, loss, theft, or compromise that has the potential to adversely impact the confidentiality, integrity or availability of RIT Information Resources. Examples of incidents include, but are not limited to: 

  • Loss or theft of RIT Information resources
  • Detection or discovery of a program agent that is not readily contained or blocked or cleaned by installed security tools, such as log review. Examples of program agents include, but are not limited to viruses, worms, Trojan horse programs, keystroke loggers, rootkits, logic bombs, spam relays, or remote control bots
  • Detection or discovery of unauthorized users, unauthorized physical or logical access, or users with privileges in excess of authorized privileges
  • Detection of use in an unauthorized manner, or possession by an unauthorized party of an authorized user’s credentials, including but not limited to login name and password.
  • Detection of the abuse of an RIT website through the addition of unauthorized content, such as unauthorized advertising
  • Malicious denial of service attacks
Computer Incident Handling Process
Security Review A process by which an implementation is evaluated for secure use at RIT either by the Information Security Officer or through a peer review system with prior notification to the ISO. Servers, Server-based Applications and Databases, Institute Networks and Equipment, Web
Segregation of Duties The principles of segregation of duties must be followed when assigning roles. System owners must maintain an appropriate level of segregation of duties when issuing credentials to individuals who have access to information systems and private, confidential, or critical process information. System owners must avoid issuing credentials that allow a user to have excessive authority over systems or private/confidential or critical process information. Where separation of duties is not possible, there must be compensating controls. Account Management
Server (logical servers, virtual servers) Any physical or virtual network host that, if all incoming network connections to it were blocked, would affect more than one user system, and any related test, development or staging system. Servers, Server-based Applications and Databases
Service A service is any program that maintains a network socket for listening. Servers, Server-based Applications and Databases
Service Account A non-interactive account that has as its primary purpose the automated operation of a specific application, service or system. This includes any type of embedded administrative accounts (e.g., root or superuser). Account Management
Shared Account An account wherein multiple users authenticate and are authorized to use the system using a single username and password. Account Management
Solution A product, service, or a combination of products and/or services that address a specific process/function. Solutions Life Cycle Management
Solution Life Cycle The feasibility, planning, evaluation, selection, development, implementation, maintenance, and retirement of a solution. Solutions Life Cycle Management
Trust Relationship A relationship where two or more systems share the same key to authenticate. Servers, Server-based Applications and Databases
Virtual LAN A virtual local area network (LAN) provides the ability to map workstations on some other basis than geographic location (e.g., department, type of user, etc.). Servers, Server-based Applications and Databases
Virtual Machine A virtual machine (VM), or “guest,” is an environment that does not physically exist and is separate from the physical resources it uses, which is the “host” environment that created it. One host can run multiple VMs at once. Servers, Server-based Applications and Databases
Web Content Any file or stream consumed directly or indirectly via a web-oriented protocol. Web
Web Content Service Any software system running on a server with the purpose of delivering or facilitating web content, directly or mapped. Web
Web-oriented Protocols Rules that allow systems to communicate with one another in a structured method over the Internet. A listing of common web-oriented protocols may be found on the RIT Information Security website. Web
Web/Application Administrative Access Any access to the system for the purpose of system maintenance or modifying system configuration. Web