Standards Lexicon
The table below provides definitions for terms used in the Information Security Standards, including any draft standards. We will update these definitions as needed.
Term | Definition | Standard(s) |
---|---|---|
Access Control | Controls provide reasonable assurance that physical access to the data center and the information technology systems infrastructure is limited to authorized individuals. | Server |
Account | A combination of a unique username and password, or another authentication combination, that allows a user to authenticate to a system or service and be granted authorization to access it. | Account Management |
Administrative Access (server and services) | The use, interactive or automated, of an account that has the ability to read, write, or execute files or directories that can affect all other users. | Server |
Administrative Account | An account with full privileges that has as its primary purpose the administration of an RIT information resource. | Account Management |
Alternate site | An alternative operating location to be used to continue academic/business processes/functions or recovery/restoration when the primary facilities are inaccessible. | Disaster Recovery |
Approved Encryption Methods | Any encryption method evaluated and approved for use by the Information Security Office, as listed on the Information Security Web site. | Network |
Authoritative Source | The information source with the highest level of information verification or data integrity. | Server |
Authorized User | Anyone who has been granted permission to read or access a given set of data or system. This may or may not entail the modification of the data or system. | Desktop and Portable Computer |
Business Continuity | The ability of an organization to respond to the impact of a disaster and continue to provide a minimum acceptable level of processes/functions in the immediate aftermath of the disaster and thereafter return conditions to a level that is acceptable to the organization. | Disaster Recovery |
Business Continuity Plan | The management-approved document that defines the resources and actions required to manage the process/function recovery effort. | Disaster Recovery |
Business Continuity System | Web-based software used to create, manage and distribute academic/business continuity and disaster recovery plans. The software houses information related to processes/functions including: | Disaster Recovery |
Central Identity and Account Management | A centralized organization with responsibility for identity, authentication and authorization services. | Account Management |
Common Vulnerability Scoring System (CVSS) | An industry standard for assessing the severity of computer system security vulnerabilities. Scores fall on a 0.0 to 10.0 scale; the bands used here are Low (0.0-3.9), Medium (4.0-6.9) and High (7.0-10.0). Note that these are the CVSS v2 severity ratings; CVSS v3.x splits the top band into High (7.0-8.9) and Critical (9.0-10.0). | Server |
Confidential | A classification for information that is restricted on a need-to-know basis and that, because of legal, contractual, ethical, or other constraints, may not be accessed or communicated without specific authorization. Confidential information includes: educational records governed by the Family Educational Rights and Privacy Act (FERPA) that are not defined as directory information (refer to the RIT Educational Records Policy D15.0); University Identification Numbers (UIDs); employee and student health information as defined by the Health Insurance Portability and Accountability Act (HIPAA); alumni and donor information; employee personnel records; employee personal information, including home address and telephone number, personal e-mail addresses, usernames or passwords, and parent's surname prior to marriage; management information, including communications or records of the Board of Trustees and senior administrators, designated as Confidential; faculty research or writing before publication or during the intellectual property protection process (refer to the RIT Intellectual Property Policy C3.0); and third-party information that RIT has agreed to hold confidential under a contract. | Information Access and Protection, Solutions Life Cycle Management |
Controls | The information safeguards applied to a system. Which controls are appropriate depends on the system, its capabilities and expected usage, and the anticipated threats against the information. | Information Security Policy |
Core Network Equipment | Any Network Device that is required for the functioning of the network backbone. | Network |
Corrective Controls | Range from recovery plans for handling isolated information safeguard failure incidents to full business continuity plans. | Information Security Policy |
Critical | Information or a process/function which if corrupted, lost, interrupted or made inaccessible during a disruption would pose a significant life, safety, financial, reputation or other risk to RIT. | Disaster Recovery |
Critical Business Process | Any process/function whose loss would severely impact the ability of RIT to provide essential services | Solutions Life Cycle Management |
Detective Controls | Include network and information access monitoring, intrusion detection (host-based or network-based), and manual or automated review of security logs. | Information Security Policy |
Disaster | An event that compromises an organization’s ability to provide critical processes/functions for some unacceptable period of time. | Disaster Recovery |
Disaster Recovery | The ability of an organization to restore information resources required to support a process/function. | Disaster Recovery |
Disaster Recovery Plan | The management-approved document that defines the resources and actions required to manage the information resources recovery effort that supports the broader process/function recovery effort. The Disaster Recovery Plan is a component of the overall Academic/Business Continuity Plan. | Disaster Recovery |
Disruption | An interruption to normal operations that compromises an organization’s ability to provide critical processes/functions for some unacceptable period of time. | Disaster Recovery |
Encryption | The conversion of data into a form, called ciphertext, that cannot be easily understood by unauthorized people. Password protection does not equal encryption. See Approved Encryption Methods for the RIT-approved encryption methods. | Information Access and Protection |
Event | A change to the normal behavior of a system, environment, process, workflow or person that is suspected to be a security incident. | Computer Incident Handling |
Form Spam | The posting of unrelated comments or promoting commercial services to blogs, wikis, guestbooks, or other publicly accessible online discussion boards. | Web |
Generic Account | An account that does not require specific information associated with a unique individual but instead accepts some nonspecific identification information to enable access. | Account Management |
Grid Computing | A large system of networked computers whose collective processing power is used to solve difficult and time-consuming tasks. | Server |
Host-based Intrusion Prevention System (HIPS) | A security application which typically resides on an individual computer or system. Its main purpose is to monitor system activities--particularly those relating to network connections--for malicious or unwanted behavior and react in real time to block or prevent those compromises. | Desktop and Portable Computer |
Hypervisor | A hypervisor is a platform that allows one or more VMs to use a single “host.” The hypervisor controls the host processor and resources and allocates what is needed to each VM. | Server |
IDS/IPS | Intrusion Detection System/Intrusion Prevention System. Systems that monitor network or host activity for signs of attack or policy violation; an IDS alerts on what it detects, while an IPS sits inline and can also block the offending traffic. | Network |
Inappropriate Use | Use of RIT information resources in contravention of law or RIT policy. | Computer Incident Handling |
Information | Any RIT knowledge, data or communication resident on Information Resources. Information may have many forms including, but not limited to, emails, documents, databases, photographs, stored audio or video. RIT and its users are responsible for information regardless of where it is stored. | Disaster Recovery, Information Access and Protection |
Information Resources | Include, but are not limited to: | Information Access and Protection, Solutions Life Cycle Management, Disaster Recovery |
Information Safeguards | Administrative, technical, and physical controls that support the confidentiality, integrity, availability, and authenticity of information. | Information Security Policy |
Information Systems and Supporting Infrastructure | Information in its analog and digital forms and the software, network, computers, tokens, and storage devices that support the use of information. | Information Security Policy |
Interactive Login | A login console that requires a user to interact locally with the system. An example is the Windows logon, where the user must press Control+Alt+Delete to begin the login. | Server |
Internal | A classification for information restricted to RIT faculty, staff, students, alumni, contractors, volunteers, and business associates for the conduct of University business. Examples include online building floor plans, specific library collections, etc. | Information Access and Protection |
IT Support Personnel | Any individual or department engaged in official support of RIT Information Resources or RIT network users. | Computer Incident Handling |
Lifecycle Protection | Information systems and supporting infrastructure have a lifecycle that begins with evaluation and selection, and advances through planning, development/ acquisition, and operations through to disposal or retirement. Information safeguards are needed at all phases of the lifecycle. | Information Security Policy |
Network Administrator | Any individual who administers or deploys any Network Device that connects to the Institute network. A local administrator may be responsible for specific subnets and registered addresses. | Network |
Network Devices | Any physical device that mediates transmitted data in some way, including but not limited to routing, switching, repeating and blocking. Network Devices include Storage Area Networks (SANs). | Network |
Non-Critical | Information or process/function which if corrupted, lost, interrupted or made inaccessible during a disruption would pose a minimal risk to RIT. The information or process/function could be supplied through alternate means during the disruption or delayed until after the disruption. | Disaster Recovery |
Passphrase | A sequence of words or other text used to control access to a computer system, program or data. A passphrase is similar to a password in usage, but is generally longer for added security. | Password/Passphrase |
Patch Cluster | A group of patches and/or vulnerability fixes that change the version of the operating system/service, e.g., a service pack or minor version update. | Server |
Portable Hard Drive | A portable hard drive is any disk drive that is plugged into an external port on a computer such as USB or FireWire. For laptops, the PC Card slot may be used to connect a cable to a full-size drive, or the hard disk may be contained entirely inside the PC Card. | Portable Media |
Preventive Controls | Include use of encryption, information integrity measures, security configuration, media reuse, use of anti-virus, and physical protection. | Information Security Policy |
Private | A classification for information that is confidential, that could be used for identity theft, and that has additional requirements associated with its protection. Private information includes: Social Security Numbers (SSNs), Taxpayer Identification Numbers (TINs), or other national identification numbers; driver's license numbers; and financial account information, such as bank account numbers (including those printed on checks), credit or debit card numbers, and other account numbers. | Information Access and Protection |
Private Information | A classification for information that is confidential, that could be used for identity theft, and that has additional requirements associated with its protection. The Information Access and Protection Standard provides examples. | Solutions Life Cycle Management |
Privileged Access | A computer access level that enables an individual to take actions which may affect computing systems, network communications, or the accounts, files, data, or processes of other users. | Desktop and Portable Computer |
Privileged User | A Privileged User is anyone who handles Private or Confidential Information. | |
Process/Function | An organization’s purpose/mission and its collection of related, structured activities or tasks that produce a specific service or product (serve a particular goal) for a particular customer or customers to achieve that purpose. Processes/functions may include instruction, research, and business services (housing, food storage, etc.). | Disaster Recovery |
Process/Function Owner | The department/organization responsible for providing the process/function to the university. | Disaster Recovery |
Public | A classification for information that may be accessed or communicated by anyone without restriction. | Information Access and Protection |
Recovery Point Objective (RPO) | The point in time to which data must be recovered, as defined by the process/function owner. Equivalently, it is the maximum acceptable amount of data loss (for example, 24 hours) should an outage occur. The RPO helps determine the appropriate IT backup schedule for applications. | Disaster Recovery |
Recovery Time Objective (RTO) | The period of time within which systems, applications, or processes/functions must be recovered after an outage (for example, one business day). RTOs are often used as the basis for developing recovery strategies and for deciding whether to invoke those strategies during a disaster. | Disaster Recovery |
RIT Authentication Services | RIT Authentication Services are the centralized services that verify the digital identity of a user by examining the user’s credentials. Common credentials include user name and password. User credentials permitting access to RIT networks must be treated as RIT Confidential Information. | Web |
RIT Record | The original or copy of any record (paper or electronic), which is either an Active Record, Archival Record, or which must be held for official business or regulatory purposes in accordance with the Records Retention Schedule. Official repositories for these records are contained in Records Management Policy. RIT Record does not include records which are not created in the official course of business, serve no legitimate or necessary business purpose, or are created for personal purposes only. | Disaster Recovery |
RIT Web Infrastructure | The hardware and software that supports websites with rit.edu in the URL including third party RIT information resources. | Web |
SAN | A storage area network (SAN) is a network that interconnects different kinds of data storage devices with associated data servers. | Server |
Security Incident | An event involving inappropriate use, abuse, loss, theft, or compromise that has the potential to adversely impact the confidentiality, integrity or availability of RIT Information Resources. Examples of incidents include, but are not limited to: | Computer Incident Handling |
Security Review | A process by which an implementation is evaluated for secure use at RIT. | Server, Network, Web |
Segregation of Duties | The principles of segregation of duties must be followed when assigning roles. System owners must maintain an appropriate level of segregation of duties when issuing credentials to individuals who have access to information systems and private, confidential, or critical process information. System owners must avoid issuing credentials that allow a user to have excessive authority over systems or private/confidential or critical process information. Where separation of duties is not possible, there must be compensating controls. | Account Management |
Server (Logical Servers, Virtual Servers) | Any physical or virtual network host for which blocking all incoming network connections would affect more than one user's system, together with any related test, development or staging system. | Server |
Service | A service is any program that maintains a network socket for listening. | Server |
Service Account | A non-interactive account that has as its primary purpose the automated operation of a specific application, service or system. This includes any type of embedded administrative accounts (e.g., root or superuser). | Account Management |
Shared Account | An account wherein multiple users authenticate and are authorized to use the system using a single username and password. | Account Management |
Solution | A product, service, or a combination of products and/or services that address a specific process/function. | Solutions Life Cycle Management |
Solution Life Cycle | The feasibility, planning, evaluation, selection, development, implementation, maintenance, and retirement of a solution. | Solutions Life Cycle Management |
Trust Relationship | A relationship where two or more systems share the same key to authenticate. | Server |
Virtual LAN | A virtual local area network (VLAN) provides the ability to group workstations on a basis other than physical location (e.g., department or type of user). | Server |
Virtual Machine | A virtual machine (VM), or “guest,” is an environment that does not physically exist and is separate from the physical resources it uses, which is the “host” environment that created it. One host can run multiple VMs at once. | Server |
Web Content | Any file or stream consumed directly or indirectly via a web-oriented protocol. | Web |
Web Content Service | Any software system running on a server with the purpose of delivering or facilitating web content, directly or mapped. | Web |
Web-oriented Protocols | Rules that allow systems to communicate with one another in a structured method over the Internet. A listing of common web-oriented protocols may be found on the RIT Information Security website. | Web |
Web/Application Administrative Access | Any access to the system for the purpose of system maintenance or modifying system configuration. | Web |