Data Management & Protection: Common Definitions

Document Version: 5.5
Effective Date: April 4, 2007
Original Issue Date: April 4, 2007
Most Recent Revision Date: November 29, 2011
Responsible: Alan Levy, Information and Infrastructure Assurance
Approval Authority: Paul Howell, CISO
Contact: Information and Infrastructure Assurance
Telephone: (734) 647-5357
Email: iia.inform@umich.edu

Table of Contents
Purpose
Updates
Data Management and Protection Terms
Data Management and Protection Common Acronyms
References
Purpose

This is a University reference to common terms and acronyms used in Information Security and Data Management and Protection policies, procedures, and guidelines.

Updates

The Data Management and Protection Common Definitions will be maintained and revised as needed by MAIS/Data Administration and Information Infrastructure Assurance (IIA), with input from data stewards, data managers, information security coordinators, and others. University employees are encouraged to write to MAIS/DA and IIA with any suggestions for improving these definitions.

Data Management and Protection Terms

Authentication
Confirming the correctness of a claimed identity.

Availability
Assurance that authorized users have access to information resources when required.

Business Owner

Cardholder Information Security Program (CISP)
A security program initiated by Visa to protect the security and confidentiality of personal cardholder information (see PCI DSS).

Chain of Custody
A documented record, kept for use in legal prosecution, identifying each person who had physical possession or control of evidence from the time of its collection until its presentation or admission in a court of law.

Compliance Officer

Compromised System
A type of security incident in which an unauthorized user takes control of a machine or resource.

Compromised User Credentials
A type of security incident in which the password or other credentials of a user have been compromised and possibly used to perform unauthorized activity.

Computer Security Incident Response Team (CSIRT)
A team, typically convened by the security incident coordinator, that responds to a security incident. Depending on the incident's type and severity, the team includes individuals from other organizations as necessary, such as law enforcement, the Office of General Counsel, the communications office, or compliance offices.
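The Authentication entry above, and the Two-factor Authentication entry later in this glossary, describe confirming a claimed identity by combining something the user knows with something the user has. The following Python is an added example and is not part of the original University document: it verifies a password stored as a salted PBKDF2 hash together with a time-based one-time code of the kind a hardware or phone token produces (RFC 6238 TOTP built on RFC 4226 HOTP), and refuses to accept the same code twice. The user record, salt, and password are constructed for the example; the TOTP secret is the RFC 6238 test key, used here only so the output can be checked against the RFC's published vector.

```python
import hashlib
import hmac
import secrets
import struct
import time

STEP = 30               # TOTP time step in seconds (RFC 6238 default)
PBKDF2_ROUNDS = 200_000  # work factor for the stored password hash


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time // STEP."""
    return hotp(secret, int(at_time) // STEP, digits)


def hash_password(password: str, salt: bytes = b""):
    """Salted PBKDF2-HMAC-SHA256; a fresh random salt is drawn when none is given."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed user record for this example (not real credentials). The TOTP
# secret is the RFC 6238 test key so the code can be checked against the RFC.
_ALICE_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
ALICE_TOTP_SECRET = b"12345678901234567890"
USERS = {
    "alice": {
        "salt": _ALICE_SALT,
        "pw_hash": hash_password("correct horse battery staple", _ALICE_SALT)[1],
        "totp_secret": ALICE_TOTP_SECRET,
        "last_counter": -1,  # highest time-step counter already accepted (replay guard)
    }
}


def authenticate(username: str, password: str, code: str, now: float = None, window: int = 1) -> bool:
    """Both factors must verify; `window` tolerates +/- one time step of clock skew."""
    user = USERS.get(username)
    if user is None:
        return False
    code = code.strip()
    if not (code.isascii() and code.isdigit()):
        return False

    # Factor 1: something you know. Constant-time compare of the derived hash.
    _, candidate = hash_password(password, user["salt"])
    pw_ok = hmac.compare_digest(candidate, user["pw_hash"])

    # Factor 2: something you have. Accept the code for the current step or its neighbours.
    now = time.time() if now is None else now
    counter = int(now) // STEP
    matched = None
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(user["totp_secret"], counter + delta), code):
            matched = counter + delta
            break
    # A code is single-use: reject anything at or below the last counter accepted.
    code_ok = matched is not None and matched > user["last_counter"]

    if pw_ok and code_ok:
        user["last_counter"] = matched
        return True
    return False


if __name__ == "__main__":
    t = 1_700_000_000
    code = totp(ALICE_TOTP_SECRET, t)
    print("first use:", authenticate("alice", "correct horse battery staple", code, now=t))
    print("replay   :", authenticate("alice", "correct horse battery staple", code, now=t))
```

The replay guard is the detail most often missed: without `last_counter`, a code captured by a phishing page (see the Phishing entry) stays valid for the rest of its time step plus the skew window, which is exactly the interval an attacker relaying it in real time needs.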
Confidentiality
Assurance that information is not made available or disclosed to unauthorized individuals, entities, or processes.

Criticality
The relative importance of the information to the mission of the University, and the degree to which the information requires protection to ensure it is not accidentally or intentionally altered or destroyed.

Data Administration
The function of applying formal guidelines and tools to manage the University's information resource.

Data Manager

Data Management Integration Coordinator

Data Steward

Data User

Delegated Data Steward

Disaster Recovery/Business Continuity
Creating, implementing, and testing plans and procedures for the continuation of essential business operations after a disaster, such as an earthquake, tornado, flood, extended power outage, terrorist incident, or other event.

Encryption
Encoding information such that it cannot be decoded and read without the appropriate key.

Electronic Protected Health Information (ePHI)
Protected Health Information that is stored or transmitted electronically (see PHI).

Firewall
A device or program designed to control the network traffic allowed to flow to a computer or to a segment of the network.

Incident Management
Processes for managing security incidents throughout their life cycle, including detection, triage, response, mitigation, tracking, and analysis.

Information Asset
Information, information systems, computers, documents, and other components of the University infrastructure that store or process information. Also called an information technology asset or information technology resource.

Information Security Administrator

Information Security Coordinator

Information Security Unit Liaison
Infrastructure
The set of underlying equipment of a computer network.

Institutional Data
See SPG 601.12, Institutional Data Resource Management and Protection Policy.

Integrity
Assurance that information is not accidentally or intentionally altered or destroyed.

Intrusion Detection System (IDS)
A security management system for computers and networks that gathers and analyzes information from various points within a computer or a network to identify possible security breaches, including both intrusions (attacks from outside the organization) and misuse (attacks from within the organization).

IT Resource User

IT Service Provider

Lost Equipment/Theft
A type of security incident in which lost or stolen equipment, such as laptops, thumb drives, or PDAs, may lead to the disclosure of sensitive or other non-public information.

Malware
Malicious software such as viruses, worms, and Trojan horses.

Network Attacks
A type of security incident involving use of the network for malicious activity, including: a denial of service attack that hinders legitimate access to University resources; network scanning, such as port scanning or host scanning; and unauthorized packet capture, including grabbing passwords or sniffing wireless segments.

Payment Card Industry Data Security Standard (PCI DSS)
An industry standard designed by the major credit card companies to protect cardholder personal information associated with credit card transactions. The PCI DSS prescribes twelve requirements, each a category of security safeguards.
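The Intrusion Detection System and Network Attacks entries above describe recognizing network scanning from activity observed on the network. As an added example, not part of the original University document, the following Python runs simple scan-detection logic over a constructed firewall log: a source that reaches ten or more distinct ports on one host within a minute is reported as a port scan, and a source that reaches the same port on ten or more hosts is reported as a host scan. The log format, firewall name, addresses, thresholds, and sample traffic are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical firewall log format, constructed for this example:
#   <ISO timestamp> <firewall> <ACCEPT|DROP> src=<ip> dst=<ip> proto=<proto> dport=<port>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<fw>\S+) (?P<action>ACCEPT|DROP) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)


def parse_line(line: str):
    """Return an event dict for a well-formed line, or None so malformed lines are skipped."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": datetime.fromisoformat(d["ts"]).timestamp(),
        "src": d["src"],
        "dst": d["dst"],
        "dport": int(d["dport"]),
        "action": d["action"],
    }


def detect_scans(lines, window: int = 60, threshold: int = 10):
    """Flag a source that touches >= threshold distinct ports on one host (port scan)
    or >= threshold distinct hosts on one port (host scan) within `window` seconds."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = {}  # (src, kind, target) -> largest distinct count seen in any window
    for src, evs in by_src.items():
        start = 0
        for end, cur in enumerate(evs):
            while cur["ts"] - evs[start]["ts"] > window:  # slide the window forward
                start += 1
            ports_by_host = defaultdict(set)
            hosts_by_port = defaultdict(set)
            for e in evs[start:end + 1]:
                ports_by_host[e["dst"]].add(e["dport"])
                hosts_by_port[e["dport"]].add(e["dst"])
            for dst, ports in ports_by_host.items():
                if len(ports) >= threshold:
                    key = (src, "port_scan", dst)
                    alerts[key] = max(alerts.get(key, 0), len(ports))
            for port, hosts in hosts_by_port.items():
                if len(hosts) >= threshold:
                    key = (src, "host_scan", str(port))
                    alerts[key] = max(alerts.get(key, 0), len(hosts))
    return [{"src": s, "kind": k, "target": t, "count": c} for (s, k, t), c in sorted(alerts.items())]


# Constructed sample log: a port scanner, a host scanner sweeping SMB, a benign HTTPS
# client that talks to one host on one port many times, and one malformed line.
_BASE = datetime(2011, 11, 29, 10, 0, 0)


def _line(offset: int, src: str, dst: str, dport: int, action: str = "DROP") -> str:
    ts = (_BASE + timedelta(seconds=offset)).isoformat()
    return f"{ts} fw01 {action} src={src} dst={dst} proto=TCP dport={dport}"


SCANNED_PORTS = [21, 22, 23, 25, 80, 110, 143, 443, 445, 3389, 8080]
SAMPLE_LOG = (
    [_line(i, "203.0.113.7", "192.0.2.10", p) for i, p in enumerate(SCANNED_PORTS)]
    + [_line(i, "198.51.100.4", f"192.0.2.{h}", 445) for i, h in enumerate(range(1, 13))]
    + [_line(i * 5, "192.0.2.55", "192.0.2.10", 443, "ACCEPT") for i in range(30)]
    + ["this line is not in the expected format and is ignored"]
)

if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_LOG):
        print(alert)
```

The per-source sliding window is the part worth keeping; in a real deployment the parser would match the firewall's actual syslog format, the thresholds would be tuned to the network (a vulnerability scanner run by the IT service provider looks exactly like a port scan and needs an allow-list), and an alert would open a ticket in the Incident Management process rather than print to a console.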
Protected Health Information (PHI)
Information that is created, received, maintained, or transmitted by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse, and that relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.

Phishing
The use of e-mails that appear to come from a trusted source to trick a user into entering valid credentials at a fake web site. Typically the e-mail and the web site are made to look like they belong to a bank the user does business with.

Policy Violation
A type of security incident in which a user or system resource violates written or implied acceptable use policies.

Port Scanning
A series of probes sent to a range of network ports on a computer to learn which services are listening, typically by someone attempting to break in who is looking for a point at which to probe for weaknesses.

Private/Confidential Data
Data elements that do not meet the definition of public data or sensitive data. This is the default classification and should be assumed when there is no information indicating that data should be classified as public or sensitive.

Private Personal Information (PPI)
A category of sensitive information that is associated with an individual, such as a social security number, credit card number, or protected health information.

Public Data
Data elements whose disclosure to the general public poses little to no risk to the University's reputation, resources, services, or individuals.

Risk Assessment
A process that examines the information assets within a given scope against a set of security requirements and identifies the risks associated with them.

Security Safeguards
Protective measures prescribed to meet the security requirements (confidentiality, integrity, and availability) specified for an information system or environment. Safeguards may include security features, management constraints, personnel security, and the security of physical structures, areas, and devices. Also called security controls or countermeasures.

Security Incident
An attempted or successful unauthorized access, use, disclosure, modification, or destruction of information; interference with information technology operation; or violation of an explicit or implied acceptable use policy (see SPG 601.25, Information Security Incident Reporting Policy).

Sensitive Data
Data elements whose unauthorized disclosure may have a serious adverse effect on the University's reputation, resources, services, or individuals. Data protected under federal or state regulations, or protected for proprietary, ethical, or privacy reasons, would typically be classified as sensitive.
Serious Incident
An incident that may pose a threat to University resources, stakeholders, and/or services and that meets the criteria listed in SPG 601.25, Information Security Incident Reporting Policy.

Sensitivity
The degree to which information requires protection to ensure it is not exposed to unauthorized users.

Social Engineering
A type of security incident in which legitimate users are manipulated into revealing sensitive or other non-public information.

Spam
Electronic junk mail or junk newsgroup postings.

Spyware
Unsolicited software installed on a computer, typically from a web site, to monitor and report on computer use.

System Administration
The function of maintaining and operating hardware and software platforms and system environments.

Trojan Horse
A computer program that appears to have a useful function but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting the legitimate authorizations of the system entity that invokes the program.

Two-factor Authentication
An authentication method that requires two items beyond a user ID, drawn from different categories: something you know (e.g., a password), something you have (e.g., a one-time number from a token), or something you are (e.g., a fingerprint). Two items from the same category, such as a password and a PIN, do not make a second factor.

University Chief Information Technology Security Officer

Virus
A hidden, self-replicating section of computer software, usually malicious logic, that propagates by infecting another program, i.e., by inserting a copy of itself into that program and becoming part of it. A virus cannot run by itself; its host program must be run to activate it.

Vulnerability
A flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security policy.

Vulnerability Assessment
An act or procedure intended to evaluate or identify the existence of known vulnerabilities in a computer system or network.

Workforce Member
Any faculty, staff, student, volunteer, trainee, or other person whose conduct is under the University's direct control, whether or not the University pays them for their services.

Worm
A self-contained program that runs on its own, without a host program, and replicates itself to other systems without user intervention.

Data Management and Protection Common Acronyms

CERT/CC  CERT Coordination Center (http://www.cert.org/)
CFR  Code of Federal Regulations
CIO  Chief Information Officer
CISP  Cardholder Information Security Program
CISSP  Certified Information Systems Security Professional
CSIRT  Computer Security Incident Response Team
DPS  Department of Public Safety at the University of Michigan
ePHI  Electronic Protected Health Information
FERPA  Family Educational Rights and Privacy Act
FIPS  Federal Information Processing Standards (http://www.itl.nist.gov/fipspubs/)
FIRST  Forum of Incident Response and Security Teams (http://www.first.org/)
GLBA  Gramm-Leach-Bliley Act
HIPAA  Health Insurance Portability and Accountability Act
IDS  Intrusion Detection System
ISAC  Information Sharing and Analysis Center
IT  Information Technology
ITIL  IT Infrastructure Library
MSS  Managed Security Services
NICR  Network Information Change Request
NIST  National Institute of Standards and Technology (http://www.nist.gov/)
NOC  Network Operations Center
NSP  Network Service Provider
OGC  Office of General Counsel
OVPR  Office of the Vice President for Research
PCI DSS  Payment Card Industry Data Security Standard
PHI  Protected Health Information
PPI  Private Personal Information
RECON  Risk Evaluation of Computers and Open Networks
SME  Subject Matter Expert
SOX  The Sarbanes-Oxley Act
SPG  Standard Practice Guide

References

Glossary of Security Terms. http://www.sans.org/resources/glossary.php
Data Management and Protection Roles and Responsibilities. http://www.mais.umich.edu/access/policies.html
SPG 601.12, Institutional Data Resource Management and Protection Policy. http://spg.umich.edu/pdf/601.12.pdf
SPG 601.25, Information Security Incident Reporting Policy. http://spg.umich.edu/pdf/601.25.pdf
Incident Management Guidelines. https://www.itss.umich.edu/umonly/im_guidelines.pdf