Data Management & Protection: Common Definitions
Document Version: 5.5
Effective Date: April 4, 2007
Original Issue Date: April 4, 2007
Most Recent Revision Date: November 29, 2011
Responsible: Alan Levy, Information and Infrastructure Assurance
Approval Authority: Paul Howell, CISO
Contact: Information and Infrastructure Assurance
Telephone: (734) 647-5357
Email: iia.inform@umich.edu

Table of Contents
  Purpose
  Updates
  Data Management and Protection Terms
  Data Management and Protection Common Acronyms
  References

Purpose

This is a University reference to common terms and acronyms used in Information Security and Data Management and Protection policies, procedures, and guidelines.

Updates

The Data Management and Protection Common Definitions will be maintained and revised as needed by MAIS/Data Administration and Information and Infrastructure Assurance (IIA), with input from data stewards, data managers, information security coordinators, and others. University employees are encouraged to contact MAIS/DA and IIA with suggestions for improving these definitions.

Data Management and Protection Terms

Authentication
  Confirming the correctness of a claimed identity.

Availability
  Assurance that authorized users have access to information resources when required.

Business Owner

Cardholder Information Security Program (CISP)
  A security program initiated by Visa to protect the security and confidentiality of personal cardholder information (see PCI DSS).

Chain of Custody
  For use in legal prosecution, a documented record identifying each person who held physical ownership or control of evidence, from the time it was collected until its presentation or admission in a court of law.

Compliance Officer

Compromised System
  A type of security incident in which an unauthorized user takes control of a machine or resource.

Compromised User Credentials
  A type of security incident in which a user's password or other credentials have been compromised and possibly used to perform unauthorized activity.

Computer Security Incident Response Team (CSIRT)
  A team, typically convened by the security incident coordinator, that responds to a security incident. The team includes individuals from different organizations (such as law enforcement, the Office of General Counsel, the communications office, or compliance offices) as needed for the incident's type and severity.

Confidentiality
  Assurance that information is not made available or disclosed to unauthorized individuals, entities, or processes.

Criticality
  The relative importance of the information to the mission of the University, and the degree to which the information requires protection to ensure it is not accidentally or intentionally altered or destroyed.

Data Administration
  The function of applying formal guidelines and tools to manage the University's information resource.

Data Manager

Data Management Integration Coordinator

Data Steward

Data User

Delegated Data Steward

Disaster Recovery/Business Continuity
  Creating, implementing, and testing plans and procedures for the continuation of essential business operations after a disaster, such as an earthquake, tornado, flood, extended power outage, terrorist incident, or other event.

Encryption
  Encoding information so that it cannot be decoded and read without the appropriate key.

Electronic Protected Health Information (ePHI)
  Protected Health Information that is stored or transmitted electronically (see PHI).

Firewall
  A device or program that controls the network traffic allowed to flow to a computer or network segment.

Incident Management
  Processes for managing security incidents throughout their life cycle, including detection, triage, response, mitigation, tracking, and analysis.

Information Asset
  Information, information systems, computers, documents, and other components of the University infrastructure that store or process information. Also called an information technology asset or information technology resource.

Information Security Administrator

Information Security Coordinator

Information Security Unit Liaison

Infrastructure
  The set of underlying equipment of a computer network.

Institutional Data
  See SPG 601.12, Institutional Data Resource Management and Protection Policy.

Integrity
  Assurance that information is not accidentally or intentionally altered or destroyed.

Intrusion Detection System (IDS)
  A security management system for computers and networks that gathers and analyzes information from various points within a computer or network to identify possible security breaches, including both intrusions (attacks from outside the organization) and misuse (attacks from within the organization).

IT Resource User

IT Service Provider

Lost Equipment/Theft
  A type of security incident in which lost or stolen equipment, such as laptops, thumb drives, or PDAs, may lead to disclosure of sensitive or other non-public information.

Malware
  Malicious software such as viruses, worms, and Trojan horses.

Network Attacks
  A type of security incident involving use of the network for malicious activity, including:
  - a denial of service attack, which hinders legitimate access to University resources;
  - network scanning, such as port scanning or host scanning;
  - unauthorized packet capture, including grabbing passwords or sniffing wireless segments.

Payment Card Industry Data Security Standard (PCI DSS)
  An industry standard designed by the major credit card companies to protect cardholder personal information associated with credit card transactions. The PCI DSS prescribes twelve categories of security safeguards.
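The Network Attacks and Intrusion Detection System entries above list port scanning among the activity an IDS is expected to pick up. As an added illustration that is not part of the original glossary, the following Python script applies one simple IDS-style rule to a few constructed firewall log lines: a source address that touches at least a threshold number of distinct destination ports on one host within a time window is flagged as a probable port scan. The log format, the threshold of 10 ports, and the 60-second window are assumptions made for this example.

```python
"""Toy port-scan detector over firewall log lines (added example, not part of the glossary)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in an assumed format:
#   "<ISO timestamp> <action> src=<ip>:<port> dst=<ip>:<port>"
# 198.51.100.7 walks eleven ports on 192.0.2.10 in five seconds;
# 203.0.113.5 is an ordinary client hitting two services over an hour.
SAMPLE_LOG = """\
2011-11-29T08:00:01 DENY src=198.51.100.7:51234 dst=192.0.2.10:21
2011-11-29T08:00:01 DENY src=198.51.100.7:51235 dst=192.0.2.10:22
2011-11-29T08:00:02 DENY src=198.51.100.7:51236 dst=192.0.2.10:23
2011-11-29T08:00:02 DENY src=198.51.100.7:51237 dst=192.0.2.10:25
2011-11-29T08:00:03 DENY src=198.51.100.7:51238 dst=192.0.2.10:80
2011-11-29T08:00:03 DENY src=198.51.100.7:51239 dst=192.0.2.10:110
2011-11-29T08:00:04 DENY src=198.51.100.7:51240 dst=192.0.2.10:143
2011-11-29T08:00:04 DENY src=198.51.100.7:51241 dst=192.0.2.10:443
2011-11-29T08:00:05 DENY src=198.51.100.7:51242 dst=192.0.2.10:3389
2011-11-29T08:00:05 DENY src=198.51.100.7:51243 dst=192.0.2.10:8080
2011-11-29T08:00:06 DENY src=198.51.100.7:51244 dst=192.0.2.10:8443
2011-11-29T08:05:00 ALLOW src=203.0.113.5:40001 dst=192.0.2.10:443
2011-11-29T08:05:30 ALLOW src=203.0.113.5:40002 dst=192.0.2.10:443
2011-11-29T09:10:00 ALLOW src=203.0.113.5:40003 dst=192.0.2.11:80
"""


def parse_line(line):
    """Return (timestamp, src_ip, dst_ip, dst_port) for one log line, or None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts = datetime.fromisoformat(parts[0])
    src_ip = parts[2].split("=", 1)[1].rsplit(":", 1)[0]
    dst_ip, dst_port = parts[3].split("=", 1)[1].rsplit(":", 1)
    return ts, src_ip, dst_ip, int(dst_port)


def detect_port_scans(log_text, threshold=10, window_seconds=60):
    """Flag (src_ip, dst_ip) pairs where one source touches at least `threshold`
    distinct destination ports on the same host within any `window_seconds` span.
    Returns {(src_ip, dst_ip): sorted ports seen in the widest triggering window}.
    """
    events = defaultdict(list)  # (src_ip, dst_ip) -> [(timestamp, port), ...]
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ts, src, dst, port = parsed
            events[(src, dst)].append((ts, port))

    alerts = {}
    for key, hits in events.items():
        hits.sort()  # order by time so a sliding window works
        start = 0
        for end in range(len(hits)):
            # Drop events from the front until the window fits within window_seconds.
            while (hits[end][0] - hits[start][0]).total_seconds() > window_seconds:
                start += 1
            ports = {port for _, port in hits[start:end + 1]}
            if len(ports) >= threshold and len(ports) > len(alerts.get(key, ())):
                alerts[key] = sorted(ports)
    return alerts


if __name__ == "__main__":
    for (src, dst), ports in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan: {src} -> {dst}, {len(ports)} ports: {ports}")
```

The rule is deliberately narrow (one source, one destination host) so that a busy but legitimate client is not flagged; a horizontal scan of one port across many hosts would need the mirror-image rule keyed on (src_ip, dst_port).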
Protected Health Information (PHI)
  Information created, received, maintained, or transmitted by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse that relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.

Phishing
  The use of e-mails that appear to originate from a trusted source to trick a user into entering valid credentials at a fake website. Typically the e-mail and the website appear to belong to a bank the user does business with.

Policy Violation
  A type of security incident in which a user or system resource violates written or implied acceptable use policies.

Port Scanning
  A series of messages sent by someone attempting to break into a computer, in order to learn which network services the computer offers and where to probe for weaknesses.

Private/Confidential Data
  Data elements that do not meet the definition of public data or sensitive data. This is the default classification category and should be assumed when there is no information indicating that data should be classified as public or sensitive.

Private Personal Information (PPI)
  A category of sensitive information associated with an individual, such as a Social Security number, credit card number, or protected health information.

Public Data
  Data elements whose disclosure to the general public poses little or no risk to the University's reputation, resources, services, or individuals.

Risk Assessment
  A process that examines the information assets within a given scope against a set of security requirements and identifies the risks associated with them.

Security Safeguards
  Protective measures prescribed to meet the security requirements (i.e., confidentiality, integrity, and availability) specified for an information system or environment. Safeguards may include security features, management constraints, personnel security, and security of physical structures, areas, and devices. Also called security controls or countermeasures.

Security Incident
  An attempted or successful unauthorized access, use, disclosure, modification, or destruction of information; interference with information technology operations; or violation of an explicit or implied acceptable use policy (see SPG 601.25, Information Security Incident Reporting Policy).

Sensitive Data
  Data elements whose unauthorized disclosure may have a serious adverse effect on the University's reputation, resources, services, or individuals. Data protected under federal or state regulations, or protected for proprietary, ethical, or privacy reasons, would typically be classified as sensitive.

Serious Incident
  An incident that may pose a threat to University resources, stakeholders, and/or services and that meets the criteria listed in SPG 601.25, Information Security Incident Reporting Policy.

Sensitivity
  The degree to which information requires protection to ensure it is not exposed to unauthorized users.

Social Engineering
  A type of security incident in which legitimate users are manipulated into revealing sensitive or other non-public information.

Spam
  Electronic junk mail or junk newsgroup postings.

Spyware
  Unsolicited software installed on a computer, typically from a website, to monitor and report on computer use.

System Administration
  The function of maintaining and operating hardware and software platforms and system environments.

Trojan Horse
  A computer program that appears to have a useful function but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting the legitimate authorizations of the system entity that invokes the program.

Two-factor Authentication
  An authentication method requiring two items beyond a user ID. Typically these are something you know (e.g., a password) and something you have (e.g., a one-time number from a token). A biometric such as a fingerprint is a third kind of factor, something you are, rather than something you have.

University Chief Information Technology Security Officer

Virus
  A hidden, self-replicating section of computer software, usually malicious logic, that propagates by infecting, i.e., inserting a copy of itself into and becoming part of, another program. A virus cannot run by itself; its host program must be run to make the virus active.

Vulnerability
  A flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security policy.

Vulnerability Assessment
  An act or procedure intended to evaluate or identify the existence of known vulnerabilities in a computer system or network.

Workforce Member
  Any faculty, staff, student, volunteer, trainee, or other person whose conduct is under the University's direct control, whether or not the University pays them for their services.

Worm
  A self-contained program that runs on a system and replicates itself to other systems without user intervention.

Data Management and Protection Common Acronyms

CERT/CC   CERT Coordination Center (http://www.cert.org/)
CFR       Code of Federal Regulations
CIO       Chief Information Officer
CISP      Cardholder Information Security Program
CISSP     Certified Information Systems Security Professional
CSIRT     Computer Security Incident Response Team

DPS       Department of Public Safety at the University of Michigan
ePHI      Electronic Protected Health Information
FERPA     Family Educational Rights and Privacy Act
FIPS      Federal Information Processing Standards (http://www.itl.nist.gov/fipspubs/)
FIRST     Forum of Incident Response and Security Teams (http://www.first.org/)
GLBA      Gramm-Leach-Bliley Act
HIPAA     Health Insurance Portability and Accountability Act
IDS       Intrusion Detection System
ISAC      Information Sharing and Analysis Center
IT        Information Technology
ITIL      IT Infrastructure Library
MSS       Managed Security Services
NICR      Network Information Change Request
NIST      National Institute of Standards and Technology (http://www.nist.gov/)
NOC       Network Operations Center
NSP       Network Service Provider
OGC       Office of General Counsel
OVPR      Office of the Vice President for Research
PCI DSS   Payment Card Industry Data Security Standard
PHI       Protected Health Information
PPI       Private Personal Information
RECON     Risk Evaluation of Computers and Open Networks
SME       Subject Matter Expert
SOX       Sarbanes-Oxley Act
SPG       Standard Practice Guide

References

Glossary of Security Terms
  http://www.sans.org/resources/glossary.php
Data Management and Protection Roles and Responsibilities
  http://www.mais.umich.edu/access/policies.html
SPG 601.12, Institutional Data Resource Management and Protection Policy
  http://spg.umich.edu/pdf/601.12.pdf
SPG 601.25, Information Security Incident Reporting Policy
  http://spg.umich.edu/pdf/601.25.pdf
Incident Management Guidelines
  https://www.itss.umich.edu/umonly/im_guidelines.pdf
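The Two-factor Authentication entry in the Terms section describes the second factor as "a number from a token". As an added example that is not part of the original glossary, the following Python code shows how such a number is produced and checked with the TOTP algorithm (RFC 6238: HMAC-SHA1 over a 30-second time counter, built on HOTP from RFC 4226), the scheme used by common phone authenticator apps and many hardware tokens, and then combines it with a password check so both factors must pass. The shared secret is the published RFC 6238 test-vector key; the user record, the salt, and the one-step clock-drift window are assumptions made for this example.

```python
"""TOTP generation and a two-factor login check (added example, not part of the glossary)."""
import hashlib
import hmac
import struct
import time

# Shared secret from the RFC 6238 test vectors (ASCII "12345678901234567890").
# A real deployment generates a random secret per user and stores it protected.
TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """HMAC-based one-time password (RFC 4226) for an 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """Time-based one-time password (RFC 6238): HOTP over floor(unix_time / step)."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret, candidate, unix_time, step=30, digits=6, window=1):
    """Accept the code for the current step or up to `window` steps either side,
    to tolerate clock drift between token and server. Compare in constant time."""
    counter = int(unix_time) // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta, digits), candidate):
            return True
    return False


def _hash_password(password, salt):
    """Salted password hash; the password itself is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user record (assumption for the example): one user, one token.
_SALT = b"example-salt"
USERS = {
    "alice": {"pw_hash": _hash_password("correct horse", _SALT), "totp_secret": TEST_SECRET},
}


def authenticate(username, password, code, unix_time=None):
    """Two-factor login: something you know (password) and something you have (token code).
    Both factors are evaluated and both must pass."""
    if unix_time is None:
        unix_time = time.time()
    user = USERS.get(username)
    if user is None:
        return False
    pw_ok = hmac.compare_digest(_hash_password(password, _SALT), user["pw_hash"])
    code_ok = verify_totp(user["totp_secret"], code, unix_time)
    return pw_ok and code_ok


if __name__ == "__main__":
    now = time.time()
    print("current code for alice:", totp(TEST_SECRET, now))
    print("login:", authenticate("alice", "correct horse", totp(TEST_SECRET, now), now))
```

The acceptance window is the usual trade-off: a wider window forgives more token clock drift but also lengthens the period during which an observed code can be replayed, so servers normally also refuse to accept the same code twice.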