UTMB INFORMATION RESOURCES PRACTICE STANDARD


IR Security Glossary

Introduction

Purpose: This abbreviated list provides explanations for typically used Information Resources (IR) security terminology. These terms are intended to provide a common frame of reference with respect to the protection of UTMB IR.

Applicability: These terms are common to all UTMB IR Security Policies and Practice Standards.

Sensitive Digital Data Management: Sensitive Digital Data, as defined by UTS 165, includes social security numbers, Protected Health Information (PHI), Sensitive Research Data, digital Data associated with an individual and/or digital Data protected by law. Sensitive digital Data must be secured and protected while at rest (electronic storage on a hard drive, digital or optical media), mobile (laptop, PDA or flash drive) and in transit (via email or the Internet).

Privacy Implications: Electronic files created, sent, received, or stored on IR owned, leased, administered, or otherwise under the custody and control of UTMB are not private and may be accessed by appropriate personnel in accordance with the provisions and safeguards provided in the Texas Administrative Code 1 TAC 202 (Information Security Standards), Information Resource Standards and in the University of Texas System, UTS 165 - Information Resources Use and Security Policy.

The following terms, when used within UTMB IR Security Policies and Practice Standards, shall have the following meanings, unless the context clearly indicates otherwise.

Page 1 of 11

802.1x: an authentication standard often used as an access control for wireless networks.

802.1x Security Model: a best practice combining strong authentication with encryption for wireless networks.

Abuse of Privilege: when a user willfully performs an action prohibited by organizational policy or law, even if technical controls are insufficient to prevent the user from performing the action.

Access Point (AP): hardware or software that facilitates end user wireless connectivity to a wired network.

Ad-Hoc mode: a networking framework in which wireless devices communicate directly with one another without the use of an access point.

Back Door: undocumented program code within the otherwise secure system used to gain access to the system through the vulnerability and then exploit or attack the system. The back door usually leads to privileged access or a supervisor state and typically bypasses normal audit trails.

Backup: copy of files and applications made to avoid loss of data and facilitate recovery in the event of a system crash.

Change:
- any implementation of new functionality
- any interruption of service
- any repair of existing functionality
- any removal of existing functionality

Change Management: the process of controlling modifications to hardware, software, firmware, and documentation to ensure that IRs are protected against improper modification before, during, and after system implementation.

CERT: Computer Emergency Response Team at Carnegie-Mellon University.

Computer Incident Response Team (CIRT): personnel responsible for coordinating the response to computer security incidents in an organization (cirt@utmb.edu).

Confidential Information: the classification of data that is exempt from disclosure under provisions of the Texas Public Information Act or other applicable state or federal law, regulation, or court order. The controlling factor for confidential information is prevention of dissemination.

Custodian: a person responsible for implementing owner-defined controls and access to an information resource. Further, custodians of information resources, including entities providing outsourced information resources services to UTMB, must:
- Implement the controls specified by the owner(s);
- Provide physical and procedural safeguards for the information resources;
- Assist owners in evaluating the cost-effectiveness of controls and monitoring; and
- Implement the monitoring techniques and procedures for detecting, reporting, and investigating incidents.

Digital Signature: electronic signature used to authenticate identity of the sender of the message or the signer of a document.

Electronic Mail (email): any message, image, form, attachment, data or other communication sent, received, or stored within an electronic mail system.

Electronic Mail System: any computer software application that allows electronic mail to be communicated from one computing system to another.

Emergency Change: when an unauthorized immediate response to imminent critical system failure is needed to prevent widespread service disruption.

Extranet: an intranet that is accessible or partially accessible to authorized users outside the organization.

Firewall: an access control mechanism that acts as a barrier between two or more segments of a computer network or overall client/server architecture used to protect internal networks or network segments from unauthorized users or processes.

Host: a computer system that provides computer service for a number of users.

Information: any and all data, regardless of form, that is created, contained in, or processed by, UTMB IR facilities, communications networks, or storage media.

Information Attack: an attempt to bypass the physical or information security measures and controls protecting an IR. The attack may alter, release, or deny data. Whether an attack will succeed depends on the vulnerability of the computer system and the effectiveness of existing countermeasures.

Information Operations: actions taken to affect adversary information and information systems while defending one's own information and information systems.

Information Resources (IR): the procedures, equipment, facilities, software, and data that are designed, built, operated, and maintained to collect, record, process, store, retrieve, display, and transmit information including, but not limited to, mainframes, servers, personal computers, notebook computers, hand-held computers, personal digital assistants (PDA), pagers, distributed processing systems, network attached and computer controlled medical and laboratory equipment (i.e., embedded technology), telecommunication resources, network environments, telephones, fax machines, printers, and service bureaus.

Information Resources Manager (IRM): the person designated by the State of Texas, the UTMB President and President's Council to have oversight responsibility for all information resources within UTMB.

Information Security Officer (ISO): responsible to the Information Resources Manager (IRM) for administering the information security functions within UTMB. The ISO is UTMB's internal and external point of contact for all information security matters.

Information Services (IS): the name of the UTMB department (http://www.utmb.edu/is/) responsible for computers, networking and data management.

Internet: a global system interconnecting computers and computer networks. The computers and networks are owned separately by a host of organizations, government agencies, companies, and colleges. The Internet is the present information super highway.

Intranet: a private network for communications and sharing of information that, like the Internet, is based on TCP/IP, but is accessible only to authorized users within an organization. An organization's intranet is usually protected from external access by a firewall.

Intrusion: the misuse or unauthorized access of a system and its data, which can be initiated either externally or internally.

Intrusion Detection System (IDS): a system that inspects all inbound and outbound network activity and identifies suspicious patterns that may indicate a network or system attack from someone attempting to break into or compromise a system.

Local Area Network (LAN): a data communications network spanning a limited geographical area, a few miles at most. It provides communication between computers and peripherals at relatively high data rates and relatively low error rates.

Malware: short for malicious software; programs or files developed for the purpose of doing harm. Thus, malware includes computer viruses, worms, and Trojan horses.

Offsite Storage: based on data criticality, offsite storage should be in a geographically different location from the UTMB campus that does not share the same disaster threat event. Based on an assessment of the data backed up, removing the backup media from the building and storing it in another secured location on the UTMB Campus may be appropriate.

Owner: a person responsible for (1) a business function, and (2) determining controls and access to information resources supporting that business function. Further, the owner or his or her designated representative(s) are responsible for and authorized to:
- Approve access and formally assign custody of an information resources asset;
- Determine the asset's value;
- Specify data control requirements and convey them to users and custodians;
- Specify appropriate controls, based on risk assessment, to protect the state's information resources from unauthorized modification, deletion, or disclosure. Controls shall extend to information resources outsourced by the agency;
- Confirm that controls are in place to ensure the accuracy, authenticity, and integrity of data;
- Ensure compliance with applicable controls;
- Assign custody of information resources assets and provide appropriate authority to implement security controls and procedures;
- Review access lists based on documented agency security risk management decisions.

Packet: a piece of a message transmitted over a packet-switching network. One of the key features of a packet is that it contains the destination address in addition to the data.

Password: a string of characters that serves as authentication of a person's identity, which may be used to grant or deny access to private or shared data.

Platform: the underlying hardware or software for a system; it also implies an operating system.

Platform Hardening: to secure the configuration parameters of a given system in such a manner as to mitigate known system vulnerabilities and help protect against unauthorized access and/or use.

POP3 (Post Office Protocol 3): a standard interface between an e-mail client program and the mail server, defined by IETF RFC 1939. POP3 and IMAP4 are the two common mailbox access protocols used for Internet e-mail. POP3 provides a message store that holds incoming e-mail until users log in and download it.

SANS: System Administration, Networking and Security Institute at Bethesda, Maryland.

Scheduled Change: formal notification received, reviewed and approved by the review process in advance of the change being made.

Security Administrator: the person charged with monitoring and implementing security controls and procedures for a system. Whereas each agency will have one Information Security Officer, technical management may designate a number of security administrators.

Security Incident: an event which results in unauthorized access, loss, disclosure, modification, disruption, or destruction of information resources, whether accidental or deliberate.

Sensitive Information: the classification of data requiring special precautions to protect it from unauthorized modification or deletion. It may be either public or confidential but requires a higher than normal assurance of accuracy and completeness. The controlling factor for sensitive data is assuring and maintaining integrity.

Server: a computer program that provides services to other computer programs in the same or another computer. A computer running a server program is frequently referred to as a server, though it may also be running other client (and server) programs.

Service Set Identifier (SSID): a unique identifier (essentially a name that identifies a wireless network) attached to packets and sent via wireless services that acts as a password (clear text) when a wireless device attempts to connect to the network.

SMTP (Simple Mail Transfer Protocol): a protocol for sending email messages between servers.

Strong Passwords: a strong password is a password that is not easily guessed. It is normally constructed of a sequence of characters, numbers and special characters depending on the capabilities of the operating system. The longer the password, the stronger it is. It should never be a name, dictionary word in any language, an acronym, a proper name, a number, or be linked to any personal information about you such as a birth date, social security number and so on.

Trojan Horse: a malicious program that masquerades as a benign application. Unlike viruses, Trojan horses do not replicate themselves but they can be just as destructive. One of the most insidious types of Trojan horse is a program that claims to rid your computer of viruses but instead introduces viruses onto your computer. It may also be used to locate password information or facilitate remote access, bundled within a free game or other utility.

Trusted Requestor (TR): employees who are trusted to make requests for authorized access to information resources on behalf of staff within their organizational jurisdiction.

Unscheduled Change: failure to present notification to the formal process in advance of the change being made. Unscheduled changes will only be acceptable in the event of a system failure or the discovery of a security vulnerability.

User: an individual or automated application authorized to access an information resource in accordance with the owner-defined controls and access rules.

User ID: refers to an individual's unique system identifier.

UTMB Security Center Enrollment Page (http://vua.utmb.edu:9225): web site used to obtain or renew a digital certificate; you must have a pre-authorization key prior to taking any action on this web page.

UTMB-USERS-M: the name of the master list of usernames and associated passwords used across the UTMB campus to access information technology (i.e., username and password for e-mail).
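The Strong Passwords entry above states rules (length, mixed character types, no dictionary word, nothing tied to personal data such as a birth date or SSN) but gives no thresholds. The following checker is an added illustration written for this page, not UTMB code and not part of the practice standard; the 12-character minimum, the three-character-class rule, the letter-to-symbol substitution table, the six-word dictionary and the sample personal data are all constructed assumptions.

```python
"""Password policy check modelled on the glossary's "Strong Passwords" entry.

Added example, not UTMB code. Thresholds and word list are assumptions
constructed for illustration; a real deployment would load a full
dictionary and breached-password list.
"""
import re
from typing import List

# Constructed stand-in for a real dictionary / common-password list.
DICTIONARY = {"password", "welcome", "galveston", "summer", "letmein", "qwerty"}

MIN_LENGTH = 12  # assumed threshold; the glossary only says "longer is stronger"

# Common letter-to-symbol substitutions, undone so 'P@ssw0rd' still matches 'password'.
_LEET = str.maketrans({"@": "a", "0": "o", "1": "l", "3": "e", "$": "s", "!": "i", "5": "s"})


def _normalize(text: str) -> str:
    return text.lower().translate(_LEET)


def check_password(password: str, personal_info: List[str]) -> List[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems: List[str] = []

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # "characters, numbers and special characters": require at least three classes.
    classes = [r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"]
    if sum(1 for pat in classes if re.search(pat, password)) < 3:
        problems.append("uses fewer than three character classes")

    # "never ... a dictionary word": reject a password that *is* a word once
    # digits/symbols are stripped, or that contains a long word.
    norm = _normalize(password)
    stripped = re.sub(r"[^a-z]", "", norm)
    for word in DICTIONARY:
        if stripped == word or (len(word) >= 6 and word in norm):
            problems.append(f"contains dictionary word '{word}'")
            break

    # "never ... linked to any personal information": names, birth dates, SSN.
    for item in personal_info:
        found = len(item) >= 3 and (item.lower() in password.lower() or _normalize(item) in norm)
        # Any run of four or more digits from the item (e.g. a birth year) is also rejected.
        found = found or any(run in password for run in re.findall(r"\d{4,}", item))
        if found:
            problems.append(f"contains personal information '{item}'")
            break

    return problems


def is_strong(password: str, personal_info: List[str]) -> bool:
    return not check_password(password, personal_info)


if __name__ == "__main__":
    # Constructed sample identity data for the demonstration.
    info = ["Jane", "Doe", "1985-03-14", "123-45-6789"]
    for pw in ["P@ssw0rd", "JaneDoe2024!", "Summer1985", "k7#Qv9!mLp2wRt"]:
        print(f"{pw!r}: {check_password(pw, info) or 'OK'}")
```

The checker returns every violation it finds rather than stopping at the first, which is what an enrollment page needs in order to tell the user why a choice was rejected; the one-match-per-rule `break` keeps the message list short.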

Virtual Private Network (VPN): a network that is constructed by using public wires to connect nodes. These systems use encryption and other security mechanisms to ensure that only authorized users can access the network and that the data cannot be intercepted.

Virus: a program or piece of code attached to an executable file or vulnerable application that is loaded onto your computer without your knowledge and runs without your consent, delivering a payload that ranges from mildly annoying to extremely destructive, with the added ability to replicate itself.

Wired Equivalent Privacy (WEP): a security protocol for wireless networks that provides security by encrypting data over radio waves so that it's protected during transmission.

Wireless: a very generic term that refers to numerous forms of nonwired transmissions via the airwaves.

Wireless Devices: cellular telephones, personal digital assistants, interactive TV, wireless information resources such as computers, copiers, and faxes, and transport infrastructure components such as, but not limited to, transmitters, receivers, amplifiers, and antennas.

Wireless Network: transmits data via radio frequency between clients and servers and other network devices without the use of a physical cable or wire.

Worm: a program or algorithm that replicates itself over a computer network and usually performs malicious actions, such as using up the computer's resources and possibly shutting the system down. Some people distinguish between general viruses and worms. A worm is a special type of virus that can replicate itself and use memory, but cannot attach itself to other programs.

WPA (Wi-Fi Protected Access): a security protocol for wireless 802.11 networks from the Wi-Fi Alliance that was developed to provide a migration from WEP. The WPA logo certifies that devices are compliant with a subset of the IEEE 802.11i protocol. WPA2 certifies full support for 802.11i.

Other Pertinent Online Technology Dictionaries

Texas Administrative Code (Information Resource Standards): http://www.dir.state.tx.us/security/policies/tac202.htm
Department of Information Resources (Practices for Protecting Information Resources Assets): http://www.dir.state.tx.us/irapc/practices/word/a2.doc
Tech Encyclopedia: http://www.techweb.com/encyclopedia/
Webopedia: http://www.pcwebopaedia.com/
whatis.com: http://www.whatis.com/

References

UTMB IR Security Policies
UTMB IR Security Management Practice Standards
UTMB IR Security Procedures
UT System UTS-165 Information Resource Security Program