Definitions
The following definitions shall apply throughout this document. The Texas Administrative Code 202.1 Applicable Terms and Technologies for Information Security can also be used to provide additional guidance.
- Account – the logon credentials assigned to an information resource user, which include, at the minimum, a unique user name and password.
- Account Credentials refers to an account’s logon ID and any items used to authenticate that logon ID, such as a password or certificate.
- Account Management refers to all the activities associated with the account lifecycle, e.g., account creation, ongoing account maintenance, and account de-activation/deletion.
- Administrative Account – an access account that grants the user significantly elevated privileges above that granted to a typical user.
- Administrative User – a user who possesses an administrative account.
- Anomalous activity – workstation, server, or network work activity that is unusual or out of the ordinary and may be the indicator of malware or malicious user activity.
- Authentication mechanisms – account names and passwords, security access cards, tokens, and keys associated with mechanisms that permit access to facilities, information resources, or data.
- Business continuity – the availability of critical resources and the continuity of operations to facilitate the effective operation of university business-related activities.
- Change –
  - any implementation of new functionality,
  - any interruption of service,
  - any repair of existing functionality, and
  - any removal of existing functionality.
- Confidential information – Information that is exempted from disclosure requirements under the provisions of the Texas Public Information Act or other applicable state or federal laws. Most student records are confidential records.
- Contractor – any company, and its employees, not affiliated with Texas A&M University-Corpus Christi, which provides a service to the university.
- Custodian – A person (or department) providing operational support for an information system and having responsibility for implementing owner-defined controls and access privileges.
- External media storage devices – any external device that is capable of storing electronic data. Examples of external media storage devices include but are not limited to: USB drives, flash media, floppy disks, CD/DVD-ROM, external hard drives, MP3 players, iPods, cellular phones, cameras, etc.
- File owner – Holder (assignee) of the computer account which controls a file. Not necessarily the owner in the sense of property.
- IdP stands for identity provider, i.e., any service that stores account credentials and provides authentication of users based on those credentials. Examples of University IdPs include Active Directory, Open LDAP, and Banner’s user account database.
- IdP Custodian is a person who manages an IdP and thus manages not only the stored identities, but also the processes whereby identities are created, modified, and disabled or deleted.
- Intranet – the university’s network that is used to interconnect the university’s information resources and, when permitted, allow the connection of those resources to the Internet.
- Internet – a worldwide, publicly accessible network of interconnected computer networks.
- Incident Response Plan – an organized approach to addressing and managing situations involving information resources and Sensitive Information in a manner that limits damage and reduces recovery time and costs.
- Information resources – The procedures, equipment, and software that are designed, employed, operated, and maintained to collect, record, process, store, retrieve, display, and transmit information or data.
- Information resource facility – the physical locations (rooms, closets, crawlways, cable conduit, etc.) that house the supporting infrastructure and physical information resources used to manage Sensitive Information.
- Malware – Software that is designed to operate in a manner that is inconsistent with the intentions of the user and which typically results in annoyance or damage to the user's information systems. Examples of such software include:
  - viruses: Pieces of code that attach to host programs and propagate when an infected program is executed.
  - worms: Particular to networked computers; carry out pre-programmed attacks that jump across the network.
  - Trojan Horses: Hide malicious code inside a host program that appears to do something useful.
  - attack scripts: These may be written in common languages such as Java or ActiveX to exploit weaknesses in programs; usually intended to cross network platforms.
  - Spyware: Software planted on systems to capture and reveal information to someone outside the system. It can do such things as capture keystrokes while typing passwords, read and track e-mail, record the sites visited, pass along credit card numbers, and so on. It can be planted by Trojan horses or viruses, installed as part of freeware or shareware programs that are downloaded and executed, installed by an employer to track computer usage, or even planted by advertising agencies to assist in feeding the user targeted ads.
- Mission critical information – Information that is defined by Texas A&M University-Corpus Christi or any division thereof (department, etc.), to be essential to their function(s) and would cause severe detrimental impact if the data/system were lost and unable to be restored in a timely fashion.
- Mission critical service – a service or information resource that is defined by the university or information resource owner to be essential to the continued performance of the mission of the university or department. Unavailability of such service or information resource would result in more than an inconvenience. An event causing the unavailability of mission critical service would result in consequences such as significant financial loss, institutional embarrassment, and/or failure to comply with regulations or legal obligations, or closure of the university or department.
- The network infrastructure – all the University-owned or -managed hardware devices (“infrastructure devices”), media (e.g., fiber optic cables, copper cables), and software that permit the exchange of electronic information between two network nodes. The network infrastructure does not comprise traditional endpoint devices such as phone handsets, workstations, printers, faxes, etc., unless those devices are configured to further extend network connectivity to other devices. The infrastructure includes, but is not limited to:
  - All in-wall, above-ceiling, or buried voice, data, and video cabling;
  - Any network addresses (e.g., IP addresses);
  - All devices that retransmit or extend network connectivity, e.g., repeaters, multiplexers, switches, hubs, routers, wireless access points, etc.
- Network extending or re-transmitting devices, systems and software – include, but are not limited to, the following: modems, hubs, routers, switches, wireless access points, ad hoc wireless interfaces, telecommunication voice devices, firewalls, virtual private network servers, virtual network connection software, and Internet Anonymizer servers.
- Network scanning – the process of transmitting data through a network to elicit responses in order to determine configuration state about an information system.
- Network vulnerability scanning – the conduct of network scanning of an information system to determine the presence of security vulnerabilities in the information system.
- Nondisclosure Agreement – a legal contract between at least two parties which outlines confidential materials or knowledge the parties wish to share with one another for certain purposes, but wish to restrict from generalized use.
- Owner – A person responsible for a university function and for determining controls and access to electronic information resources supporting that university function.
- Password/passphrase – a secret word, phrase, or code used to serve as a security measure in authentication mechanisms to protect against unauthorized access to information resources and data.
- Phishing – The use of e-mails that appear to originate from a trusted source to trick a user into entering valid credentials at a fake website. Typically the e-mail and the web site look like they are part of a bank or some other legitimate e-commerce site with which the user conducts regular business.
- Portable devices comprise portable computing devices and portable storage devices.
- Portable computing device is a computing device which is designed to be easily transported by one person for an extended period. Examples of portable computing devices include laptops, tablet computers, and smartphones.
- Portable storage device is an electronic information storage device which is designed to be easily transported by one person for an extended period of time. Examples of portable storage devices include USB memory sticks and USB hard drives.
- Providing Entity – the university department that is permitting vendor access to their information resources.
- Restricted personal information – Includes an individual's social security number, or data protected under state or federal law (e.g., financial, medical or student data).
- Resource consolidation – the centralization of university information resources to reduce operational costs, increase server utilization, reduce real estate and facilities costs, improve availability, exploit new hardware platforms, and build an agile infrastructure able to respond more quickly to the rapidly changing requirements related to information technology.
- Resource custodian – See Custodian
- The Recovery Time Objective (RTO) for a given information resource is a number that represents the maximum time the information resource can be unavailable, as determined by the business process owners who depend on that information resource. For example, an RTO of one week for a given information resource means that the business process owners have determined that that information resource cannot be unavailable for more than a week; otherwise the institution will suffer significant harm to its operations.
- The Recovery Point Objective (RPO) for a given information resource is a number that represents the maximum amount of recent data that can be lost, as determined by the business process owners who depend on that data. For example, an RPO of 24 hours for a given information resource means that the business process owners have determined that no more than the most recent 24 hours’ worth of data entered into that information resource may be lost; otherwise the institution will suffer significant harm to its operations.
- Sanitize means to overwrite data on a storage device with a program that complies with Department of Defense standard 5220.22-M.
- Security baseline – the configuration of a network, the hosts on the network, and the applications on the host as detected by network, host, and application enumeration and vulnerability scanning tools. Information for a security baseline should be collected while the networks, hosts, and applications are operating in a "known good" state. Security baselines are used to detect changes in configuration and deployment to assist with the implementation of policy and detection of malicious activity.
- Security incident – any violation of Federal or State laws and regulations, Texas A&M System Policies, or Texas A&M University-Corpus Christi Rules or Procedures.
- Security patch – a fix to a program that eliminates a vulnerability exploited by malicious hackers.
- Security testing – a combination of systems configuration testing, network scanning, and network vulnerability scanning to determine the state of an information resource and the services it provides.
- Sensitive Information – any University information identifiable as confidential or controlled.
- Software – A computer program, which provides the instructions that enable the computer hardware to work. System software, such as Windows or MacOS, operates the machine itself, and application software, such as spreadsheet or word processing programs, provides specific functionality.
- SPAM – the abuse of electronic messaging systems to send unsolicited bulk messages.
- System administrator – See Custodian
- System Development Life Cycle (SDLC) – a process used to develop and implement information resources, including requirements, validation, training, and user ownership through investigation, analysis, design, implementation, and maintenance. An SDLC should result in a high quality system that meets or exceeds customer expectations, within time and cost estimates, works effectively and efficiently in the current and planned information technology infrastructure, and is cheap to maintain and cost-effective to enhance.
- Texas Administrative Code 202 – information security standards for information resources purchased by agencies and institutions of higher education in the State of Texas.
- University Technology Council (UTC) – a group of management-level university faculty and staff members responsible for providing direction and guidance to the university in matters pertaining to the university's information resources.
- Update refers to a revised version of a software application or operating system that does not involve a major change in functionality. Typically, updates are point releases (e.g., Application X Version 5.2 is an update to Application X Version 5.1).
- Upgrade refers to a revised version of a software application or operating system that does involve a major change in functionality. Upgrades are typically full version changes (e.g., Application X Version 5.0 is an upgrade to Application X Version 4.0).
- User – An individual or automated application authorized to access an information resource in accordance with the owner-defined controls and access rules.
- Vendor – any company, and its employees, not affiliated with Texas A&M University-Corpus Christi, which provides a service to the university.
- Wireless technologies – include, but are not limited to, any device capable of IEEE 802.11x, Bluetooth, Infrared, and/or cellular communications.
- Workstation refers to a computing device which can be attached to a network, the resources of which computing device typically are not shared over the network with other network users.