Information Security Glossary

Administrators
Individuals with administrative responsibility University wide or for University organizational units. See the University Redbook (http://louisville.edu/provost/redbook/chap2.html#SEC2.3.1) for more information.

Business Continuity Plan (BCP)
Typically includes:

  1. Perform Gap Analysis
  2. Conduct Risk Assessment
  3. Perform Business Impact Analysis
  4. Determine Continuity/Recovery Strategy
  5. Implement Continuity/Recovery Strategy
  6. Establish BCP and Disaster Recovery Maintenance and Awareness Program

BCP and Disaster Recovery Maintenance and Awareness Program
Typically includes:

  1. Conduct education and awareness training with personnel.
  2. Perform periodic BCP plan walkthrough and testing.

Business Impact Analysis
In business continuity planning, a business impact analysis will typically include:

  1. Identification of critical business processes at departmental/unit level.
  2. Quantification of impact of an event.
  3. Identification of points of failure and process interdependencies.
  4. Development of recovery time objective (RTO) and recovery point objective (RPO). See definitions of these terms in this document.
  5. Prioritization of processes for recovery.

Computing Devices
Includes but is not limited to workstations, desktop computers, notebook computers, tablet computers, network enabled printers, scanners and multi-function devices, PDAs, email/messaging devices and cell phones, all hereafter referred to as "computing devices".

Continuity/Recovery Strategy
In disaster recovery or business continuity planning, a continuity and recovery strategy will typically include these steps:

  1. Assess alternate continuity/recovery strategies.
  2. Select continuity/recovery strategy.
  3. Develop continuity/recovery strategy plans.
  4. Disaster Recovery Plans as part of a broader Business Continuity Plan should include:
    I. Classification of critical systems and records.
    II. Mitigation strategies and safeguards to avoid disasters.
    III. Necessary electronic files back-up and off site storage strategy (see IS PS015 Back-up of Data).
  5. Define organizational responsibilities for implementing plans and implement.
  6. Off-site storage for the planning documents.
  7. Training and testing of plans.
  8. Annual review and revision of the plans.
  9. Coordination with central IT disaster recovery strategy, if applicable.

Electronic Media
Includes all electronic data storage devices funded as described under Computing Devices above, or other electronic data storage devices used to store UofL related data. Media includes but is not limited to removable and non-removable storage such as hard drives, CDs, DVDs, magnetic tape, removable disks (floppy, zip, cartridge systems, etc.) and flash memory devices.

ePHI
Electronic Protected Health Information - Health information maintained or transmitted in an electronic format that:

  1. identifies or could be used to identify an individual;
  2. is created or received by a healthcare provider, health plan, employer or healthcare clearinghouse; and
  3. relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of healthcare to an individual.

Faculty member
Includes:

  1. Individuals employed by the University as faculty or other employees who teach courses or are engaged in academic research activities for the University
  2. Visiting faculty who are conducting academic research or teaching courses on a time-limited basis from another institution for the University
  3. An individual, who is teaching courses or conducting academic research activities for the University without salary and is under the control/supervision of the University
  4. See also the University Redbook at http://louisville.edu/provost/redbook/chap3.html

Gap Analysis
A process in which the current state of a process, system or organization is compared with its desired state. The differences between the current state and the desired state are called gaps. These gaps then become the basis for prioritization, planning and action to move to the desired state.

Least Required Access
Only the access needed to perform required functions is assigned to an account. For example, an Oracle database administrator's (DBA) operating system account on the Oracle host system would not allow the DBA to configure or affect underlying operating system functions except as required within the DBA role.

Providers
Individuals who design, manage, and operate campus electronic information resources, e.g. project managers, system designers, application programmers, or system administrators.

Recovery Point Objective (RPO)
Describes the point in time to which data must be restored in order to successfully resume processing. This is often thought of as the time between the last backup and the moment the outage occurred, and it indicates the amount of data lost.

Note: The Recovery Point Objective definition is copied from the definition on "The Free Dictionary by Farlex" (http://encyclopedia.thefreedictionary.com/). This definition is distributed under the terms of the "GNU Free Documentation License" (http://www.gnu.org/copyleft/fdl.html).

Recovery Time Objective (RTO)
Determined based on the acceptable down time in case of a disruption of operations. It indicates the latest point in time at which business operations must resume after a disaster.

  • RTO must be considered in conjunction with the Recovery Point Objective (RPO) to get a picture of the total time that a business may lose due to a disaster. Together they are very important requirements when designing a disaster recovery solution.
  • RTO = time from the crash until the system is operational again: RTO = Tup - Tcrash
  • RPO = time since the last backup of complete transactions, representing the data that must be re-acquired or re-entered: RPO = Tcrash - Tbackup
  • Lost business time = RTO + RPO = Tup - Tbackup

Note: The Recovery Time Objective definition is copied from the definition on "The Free Dictionary by Farlex" (http://encyclopedia.thefreedictionary.com/). This definition is distributed under the terms of the "GNU Free Documentation License" (http://www.gnu.org/copyleft/fdl.html).
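The RTO and RPO formulas above applied to a concrete outage, as an added example that is not part of the glossary: the backup timeline, crash time, restore time and the objective values are constructed for illustration, and `worst_case_rpo` goes slightly beyond the glossary by showing what RPO a given backup schedule can actually promise (only a completed backup counts as Tbackup, so a crash during a backup loses the whole interval plus the in-flight run).

```python
from datetime import datetime, timedelta

# Constructed sample timeline (not from the glossary): hourly backups that
# each take 5 minutes, a crash at 14:37 and service restored at 17:05.
BACKUP_INTERVAL = timedelta(hours=1)
BACKUP_DURATION = timedelta(minutes=5)
BACKUPS = [datetime(2007, 8, 1, h, 0) for h in range(0, 15)]  # 00:00 .. 14:00
T_CRASH = datetime(2007, 8, 1, 14, 37)
T_UP = datetime(2007, 8, 1, 17, 5)

# Hypothetical objectives agreed with the business for this system.
RTO_OBJECTIVE = timedelta(hours=4)
RPO_OBJECTIVE = timedelta(minutes=30)


def last_good_backup(backups, t_crash):
    """Most recent backup completed before the crash (Tbackup)."""
    candidates = [b for b in backups if b <= t_crash]
    if not candidates:
        raise ValueError("no backup completed before the crash; RPO is unbounded")
    return max(candidates)


def measure_outage(backups, t_crash, t_up):
    """Apply the glossary formulas to an actual outage.

    RTO = Tup - Tcrash, RPO = Tcrash - Tbackup, lost business time = Tup - Tbackup.
    Returns the three measured intervals as timedeltas.
    """
    t_backup = last_good_backup(backups, t_crash)
    rto = t_up - t_crash
    rpo = t_crash - t_backup
    lost = t_up - t_backup
    # Sanity check of the identity RTO + RPO = Tup - Tbackup.
    assert lost == rto + rpo
    return {"rto": rto, "rpo": rpo, "lost_business_time": lost}


def meets_objectives(measured, rto_objective, rpo_objective):
    """True only when both the measured RTO and the measured RPO are within objectives."""
    return measured["rto"] <= rto_objective and measured["rpo"] <= rpo_objective


def worst_case_rpo(backup_interval, backup_duration):
    """Worst-case RPO a periodic backup schedule can deliver.

    A crash just before the next backup completes must restore from the
    previous completed backup, losing the full interval plus the duration of
    the in-flight (incomplete, hence unusable) backup.
    """
    return backup_interval + backup_duration


if __name__ == "__main__":
    result = measure_outage(BACKUPS, T_CRASH, T_UP)
    for name, value in result.items():
        print(f"{name}: {value}")
    print("objectives met:", meets_objectives(result, RTO_OBJECTIVE, RPO_OBJECTIVE))
    print("worst-case RPO of this schedule:", worst_case_rpo(BACKUP_INTERVAL, BACKUP_DURATION))
```

In the constructed scenario the measured RTO (2 h 28 min) is inside the 4-hour objective but the RPO (37 min) exceeds the 30-minute objective, so the schedule fails: with hourly backups the worst-case RPO is 65 minutes, which is the number to compare against the objective when designing the backup schedule rather than after an outage.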

Risk Assessment
In disaster recovery or business continuity planning, a risk assessment will typically include:

  1. Identification and classification of primary risks and exposures including external and environmental risks as well as inherent business risks;
  2. Probability of occurrence;
  3. Cost of occurrence;
  4. Senior management risk tolerance and level of acceptance of identified risks vs. cost of various mitigation plans

Sensitive Information
Sensitive information is information of a confidential or proprietary nature as well as other information that would not be routinely published for unrestricted public access or where disclosure is prohibited by laws, regulations, contractual agreements or University policy. Sensitive information includes but is not limited to information such as medical and health records, grades and other enrollment information, credit card, bank account and other financial information, social security numbers, personal addresses, phone numbers, etc.

Note: Sensitive information does not include personal information of a particular individual which that individual elects to reveal (such as via opt-in or opt-out mechanisms).

Server Computing Devices
For the purposes of this policy, server computing devices are those whose primary purpose is to store, contain or transmit information from within the University network (or hosted outside the University network if used to host University related information and funded by University related entities) to users within or outside of the University network. Computing devices that are not servers, for the purposes of this policy, are covered under the IS PS011 Workstation and Computing Devices policy.

Spoofing
The use of software or other techniques to appear on the network as something other than reality (masquerading as something you are not). Example: The hacker tricked the system into allowing him onto the trusted network by spoofing the identity of a trusted server.

Staff
The staff of the University of Louisville shall consist of all employees of the University who do not hold faculty appointments, are not full-time students enrolled in the University, are not graduate assistants at the University, or are not administrators as defined in Section 2.3.1 of the University Redbook (see http://louisville.edu/provost/redbook/chap5.html#ART5.1).

Student
Includes:

  1. An individual taking a course at the University, whether for credit or non-credit, who is enrolled for that course
  2. An individual who was enrolled at the University for a specific term (e.g., fall, spring, summer semester), who has not graduated, and who is not yet enrolled for the immediately subsequent term, provided such enrollment is still permitted, and provided further, that where the individual was enrolled at the University for the spring term, the immediate subsequent term shall be the University succeeding fall term. (e.g., (1) a student enrolled in the spring term, who does not graduate at the end of the spring term, may not enroll for the summer term; but will still be a student unless the individual fails to enroll for the succeeding Fall semester, and (2) a student who has completed all other degree requirements but is completing a dissertation/thesis.)
  3. An individual who is admitted to the University or an academic program of the University but has not yet commenced the program of study. An admitted student will be included in the definition of student for a period of one-year following the date of admission to the University or an academic program of the University.

See the University Redbook at http://louisville.edu/provost/redbook/chap6.htm for more information.

ULCirt
University of Louisville Computer Incident Response Team

User
Includes students, faculty, staff, administrators and other employees of the University of Louisville and its affiliated entities and any other individual having a computer account, email address or utilizing the computer, network or other information technology services of the University of Louisville.

Valuable Information
Information that has significant value to the University's mission and/or whose loss could result in harm to the University, its staff, clients or students. This information may or may not be sensitive information (see definition above).

(Last updated August 1, 2007)
