UTMB INFORMATION RESOURCES PRACTICE STANDARD

Transcription

1 IR Security Glossary Introduction Purpose Applicability Sensitive Digital Data Management Privacy Implications This abbreviated list provides explanations for typically used Information Resources (IR) security terminology. These terms are intended to provide a common frame of reference with respect to the protection of UTMB IR. These terms are common to all UTMB IR Security Policies and Practice Standards. Sensitive Digital Data, as defined by UTS 165, includes social security numbers, Protected Health Information (PHI), Sensitive Research Data, digital Data associated with an individual and/or digital Data protected by law. Sensitive digital Data must be secured and protected while at rest (electronic storage on a hard drive, digital or optical media), mobile (laptop, PDA or flash drive) and in transit (via or the Internet). Electronic files created, sent, received, or stored on IR owned, leased, administered, or otherwise under the custody and control of UTMB are not private and may be accessed by appropriate personnel in accordance with the provisions and safeguards provided in the Texas Administrative Code 1 TAC 202 (Information Security Standards), Information Resource Standards and in the University of Texas System, UTS Information Resources Use and Security Policy. The following terms, when used within UTMB IR Security Policies and Practice Standards, shall have the following meanings, unless the context clearly indicates otherwise. Page 1 of 11

2 802.1x: an authentication standard often used as an access control for wireless networks x Security Model: a best practice combining strong authentication with encryption for wireless networks. Abuse of Privilege: when a user willfully performs an action prohibited by organizational policy or law, even if technical controls are insufficient to prevent the user from performing the action. Access Point (AP): hardware or software that facilitates end user wireless connectivity to a wired network. Ad-Hoc mode: a networking framework in which wireless devices communicate directly with one another without the use of an access point. Back Door: undocumented program code within the otherwise secure system used to gain access to the system through the vulnerability and then exploit or attack the system. The back door usually leads to privileged access or a supervisor state and typically bypasses normal audit trails. Backup: copy of files and applications made to avoid loss of data and facilitate recovery in the event of a system crash. Change: any implementation of new functionality any interruption of service any repair of existing functionality any removal of existing functionality Change Management: the process of controlling modifications to hardware, software, firmware, and documentation to ensure that IR s are protected against improper modification before, during, and after system implementation. CERT: Computer Emergency Response Team at Carnegie-Mellon University. Computer Incident Response Team (CIRT): personnel responsible for coordinating the response to computer security incidents in an organization ([email protected]). Page 2 of 11

3 Confidential Information: the classification of data that is exempt from disclosure under provisions of the Texas Public Information Act or other applicable state or federal law, regulation, or court order. The controlling factor for confidential information is prevention of dissemination. Custodian: a person responsible for implementing owner-defined controls and access to an information resource. Further, custodians of information resources, including entities providing outsourced information resources services to UTMB, must: Implement the controls specified by the owner(s); Provide physical and procedural safeguards for the information resources; Assist owners in evaluating the cost-effectiveness of controls and monitoring; and Implement the monitoring techniques and procedures for detecting, reporting, and investigating incidents. Digital Signature: electronic signature used to authenticate identity of the sender of the message or the signer of a document. Electronic Mail ( ): any message, image, form, attachment, data or other communication sent, received, or stored within an electronic mail system. Electronic Mail System: any computer software application that allows electronic mail to be communicated from one computing system to another. Emergency Change: when an unauthorized immediate response to imminent critical system failure is needed to prevent widespread service disruption. Extranet: an intranet that is accessible or partially accessible to authorized users outside the organization. Firewall: an access control mechanism that acts as a barrier between two or more segments of a computer network or overall client/server architecture used to protect internal networks or network segments from unauthorized users or processes. Host: a computer system that provides computer service for a number of users. Page 3 of 11

4 Information: any and all data, regardless of form, that is created, contained in, or processed by, UTMB IR facilities, communications networks, or storage media. Information Attack: an attempt to bypass the physical or information security measures and controls protecting an IR. The attack may alter, release, or deny data. Whether an attack will succeed depends on the vulnerability of the computer system and the effectiveness of existing countermeasures. Information Operations: actions taken to affect adversary information and information systems while defending one s own information and information systems. Information Resources (IR): the procedures, equipment, facilities, software, and data that are designed, built, operated, and maintained to collect, record, process, store, retrieve, display, and transmit information including, but not limited to, mainframes, servers, personal computers, notebook computers, hand-held computers, personal digital assistant (PDA), pagers, distributed processing systems, network attached and computer controlled medical and laboratory equipment (i.e., embedded technology), telecommunication resources, network environments, telephones, fax machines, printers, and service bureaus. Information Resources Manager (IRM): the person designated by the State of Texas, the UTMB President and President s Council to have oversight responsibility for all information resources within UTMB. Information Security Officer (ISO): responsible to the Information Resources Manager (IRM) for administering the information security functions within UTMB. The ISO is UTMB s internal and external point of contact for all information security matters. Information Services (IS): the name of the UTMB department ( responsible for computers, networking and data management. Page 4 of 11

5 Internet: a global system interconnecting computers and computer networks. The computers and networks are owned separately by a host of organizations, government agencies, companies, and colleges. The Internet is the present information super highway. Intranet: a private network for communications and sharing of information that, like the Internet, is based on TCP/IP, but is accessible only to authorized users within an organization. An organization s intranet is usually protected from external access by a firewall. Intrusion: the misuse or unauthorized access of a system and its data, which can either be initiated externally or internally. Intrusion Detection System: an intrusion detection system (IDS) inspects all inbound and outbound network activity and identifies suspicious patterns that may indicate a network or system attack from someone attempting to break into or compromise a system. Local Area Network (LAN): a data communications network spanning a limited geographical area, a few miles at most. It provides communication between computers and peripherals at relatively high data rates and relatively low error rates. Malware: short for malicious software, programs or files developed for the purpose of doing harm. Thus, malware includes computer viruses, worms, and Trojan horses. Offsite Storage: based on data criticality, offsite storage should be in a geographically different location from the UTMB campus that does not share the same disaster threat event. Based on an assessment of the data backed up, removing the backup media from the building and storing it in another secured location on the UTMB Campus may be appropriate. Page 5 of 10

6 Owner: a person responsible for (1) a business function, and (2) determining controls and access to information resources supporting that business function. Further, the owner or his or her designated representatives(s) are responsible for and authorized to: Approve access and formally assign custody of an information resources asset; Determine the asset's value; Specify data control requirements and convey them to users and custodians; Specify appropriate controls, based on risk assessment, to protect the state's information resources from unauthorized modification, deletion, or disclosure. Controls shall extend to information resources outsourced by the agency. Confirm that controls are in place to ensure the accuracy, authenticity, and integrity of data. Ensure compliance with applicable controls; Assign custody of information resources assets and provide appropriate authority to implement security controls and procedures. Review access lists based on documented agency security risk management decisions. Packet: a piece of a message transmitted over a packet-switching network. One of the key features of a packet is that it contains the destination address in addition to the data. Password: a string of characters that serves as authentication of a person s identity, which may be used to grant or deny access to private or shared data. Platform: the underlying hardware or software for a system, it also implies an operating system. Platform Hardening: to secure the configuration parameters of a given system in such a manner as to mitigate known system vulnerabilities and help protect against unauthorized access and/or use. Page 6 of 10

7 POP3: (Post Office Protocol 3) A standard interface between an e- mail client program and the mail server, defined by IETF RFC POP3 and IMAP4 are the two common mailbox access protocols used for Internet . POP3 provides a message store that holds incoming until users log in and download it. SANS: System Administration, Networking and Security Institute at Bethesda, Maryland. Scheduled Change: formal notification received, reviewed and approved by the review process in advance of the change being made. Security Administrator: the person charged with monitoring and implementing security controls and procedures for a system. Whereas each agency will have one Information Security Officer, technical management may designate a number of security administrators. Security Incident: an event which results in unauthorized access, loss, disclosure, modification, disruption, or destruction of information resources whether accidental or deliberate. Sensitive Information: the classification of data requiring special precautions to protect it from unauthorized modification or deletion. It may be either public or confidential but requires a higher than normal assurance of accuracy and completeness. The controlling factor for sensitive data is assuring and maintaining integrity. Server: a computer program that provides services to other computer programs in the same or another computer. A computer running a server program is frequently referred to as a server, though it may also be running other client (and server) programs. Service Set Identifier (SSID): a unique identifier (essentially a name that identifies a wireless network) attached to packets and sent via wireless services that acts as a password (clear text) when a wireless device attempts to connect to the network. SMTP (Simple Mail Transfer Protocol): a protocol for sending messages between servers. Page 7 of 10

8 Strong Passwords: a strong password is a password that is not easily guessed. It is normally constructed of a sequence of characters, numbers and special characters depending on the capabilities of the operating system. The longer the password, the stronger it is. It should never be a name, dictionary word in any language, an acronym, a proper name, a number or be linked to any personal information about you such as a birth date, social security number and so on. Trojan Horse: a malicious program that masquerades as a benign application. Unlike viruses, Trojan horses do not replicate themselves but they can be just as destructive. One of the most insidious types of Trojan horse is a program that claims to rid your computer of viruses but instead introduces viruses onto your computer. It may also be used to locate password information or facilitate remote access, bundled within a free game or other utility. Trusted Requestor (TR): employees who are trusted to make requests for authorized access to information resources on behalf of staff within their organizational jurisdiction. Unscheduled Change: failure to present notification to the formal process in advance of the change being made. Unscheduled changes will only be acceptable in the event of a system failure or the discovery of a security vulnerability. User: an individual or automated application authorized to access an information resource in accordance with the owner-defined controls and access rules. User ID: Refers to an individual s unique system identifier. UTMB Security Center Enrollment Page ( web site used to obtain or renew a digital certificate; you must have a pre-authorization key prior to taking any action on this web page. UTMB-USERS-M: the name of the master list of usernames and associated passwords used across the UTMB campus to access information technology (i.e., username and password for ). Page 8 of 10

9 Virtual Private Network (VPN): a network that is constructed by using public wires to connect nodes. These systems are encrypted and other security mechanisms to ensure that only authorized users can access the network and that the data cannot be intercepted. Virus: a program or piece of code attached to an executable file or vulnerable application that is loaded onto your computer without your knowledge and runs without your consent delivering a payload that ranges from mildly annoying to extremely destructive, with the added ability to replicate themselves. Wired Equivalent Privacy (WEP): a security protocol for wireless networks that provides security by encrypting data over radio waves so that it s protected during transmission. Wireless: a very generic term that refers to numerous forms of nonwired transmissions via the airwaves. Wireless Devices: cellular telephone, personal digital assistants, interactive TV, wireless information resources such as computers, copiers, and faxes, and transport infrastructure components such as, but not limited to, transmitters, receivers, amplifiers, and antennas. Wireless Network: transmits data via radio frequency between clients and servers and other network devices without the use of a physical cable or wire. Worm: a program or algorithm that replicates itself over a computer network and usually performs malicious actions, such as using up the computer s resources and possibly shutting the system down. Some people distinguish between general viruses and worms. A worm is a special type of virus that can replicate itself and use memory, but cannot attach itself to other programs. WPA: (Wi-Fi Protected Access) A security protocol for wireless networks from the Wi-Fi Alliance that was developed to provide a migration from WEP. The WPA logo certifies that devices are compliant with a subset of the IEEE i protocol. WPA2 certifies full support for i. Page 9 of 10

10 Other Pertinent Online Technology Dictionaries Texas Administrative Code (Information Resource Standards) Department of Information Resources (Practices for Protecting Information Resources Assets) Tech Encyclopedia Webopedia whatis.com References UTMB IR Security Policies UTMB IR Security Management Practice Standards UTMB IR Security Procedures UT System UTS-165 Information Resource Security Program Page 10 of 10