02 - Information Technology and Security Definitions

  1. Asset:  Information technology assets include: desktops, laptops, tablets, smart phones, monitors, televisions, projectors, servers, storage systems, network devices and appliances, removable media, software, interfaces, databases, and data. Assets may also include any item that connects to the university network and any item that adds modular capacity or functionality to another asset through a (chassis) slot or port.
  2. Asset Administrator:  An individual with principal responsibility for: the installation, configuration, security, and ongoing maintenance of an asset (e.g., system administrator or network administrator). The Asset Administrator role is performed by University Personnel with a named Office of Information Technology or Departmental Information Technology job title.
  3. Asset Deployment:  Includes tagging assets, entering asset information in the Asset Management tool, and configuring and installing assets.
  4. Asset Disposition:  Includes removing assets from service, deleting storage contents, disassembling components for reuse, terminating contracts, disposing of equipment, and removing asset from active inventory.
  5. Asset Management:  Includes inventory/counting, monitoring usage (some software), managing contracts for maintenance and support, and monitoring age and configuration.
  6. Asset Name or Fully Qualified Domain Name:  The name of an asset or the complete domain name that identifies an asset on the network.
  7. Asset Owner:  Also known as "assigned to". This is the person to whom the asset is currently issued.
  8. Asset Support:  Includes adding and changing configuration, repairing devices, and relocating equipment and software.
  9. Asset Tag:  The OU assigned or department assigned property number.
  10. Authoritative Source: A source of data recognized by a Data Owner to be valid or trusted because it is considered highly reliable or accurate or is from an official publication or reference.
  11. Availability:  The property that data or information is accessible and usable upon demand by an authorized person.
  12. Breach:  The acquisition, access, use, or disclosure of Protected Health Information (PHI), Payment Card Information (PCI), or Personally Identifiable Information (PII) in a manner not permitted by law or obligations that compromises the security or privacy of the data.
  13. Business Associate:  See University of Oklahoma HIPAA Privacy and Security Policies.
  14. Business Continuity Management Program (BCM):  Outlines the planning process for developing prior arrangements and procedures to enable the University Colleges, Departments, Units or Research Projects to respond to an event in such a manner that critical business functions can continue within planned levels of disruption. This systematic approach includes policies, procedures, continuity of operations plans (COOP), also referred to as business continuity plans (BCP), business impact analysis (BIA), risk assessment (RA), validation and testing, incident identification, and disaster recovery.
  15. Business Impact Analysis:  A process that estimates the impact of losing the support of any Information System, establishes the escalation of that loss over time, identifies the minimum resources needed to recover, and prioritizes the recovery of processes and supporting systems.
  16. Cardholder Data Environment (CDE):  Area of computer system network that possesses cardholder data or sensitive authentication data and those systems and segments that directly attach or support cardholder processing, storage, or transmission.
  17. Computers:  Defined as all computer variations (desktop, laptops, notebook, etc.) owned by the University of Oklahoma that run a complete desktop operating system and are used for performance of job functions and/or business/instructional purposes. Other computing devices, such as servers and hand-held devices, are not considered computers.
  18. Confidentiality:  The property that data or information is not made available or disclosed to unauthorized persons or processes.
  19. Continuity of Operations Plan (COOP):  Also referred to as a Business Continuity Plan (BCP), a broad plan designed to keep a College, Unit, or Department running, even in the event of a disruption in normal operations, including and up to a disaster. The COOP or BCP is established for the purposes of identifying personnel, resources, and location needs before, during and after an event, incident, or disaster. The COOP or BCP document provides core team contact information and responsibilities, essential systems and needs, critical functions, vital records, vendors and dependencies. The COOP or BCP document is intended as a quick reference guide for specific information, but is not intended for use as standard operating procedures or detailed training materials.
  20. Control: A process or procedure to reduce risk.
  21. Controlled Unclassified Information (CUI):  Controlled Unclassified Information (CUI) is unclassified information that requires safeguarding and dissemination controls pursuant to law, regulation, or government-wide policy, as listed in the CUI Registry by the National Archives and Records Administration (NARA). 
  22. Covered Entity:  See University of Oklahoma HIPAA Privacy and Security Policies.
  23. Cybersecurity Event: A change that may have an impact on organizational operations (including mission, capabilities, or reputation).  Cybersecurity events include, but are not limited to:
    • Any alert indicating a security incident is possible (e.g., phishing, malware, etc.) where an unauthorized access attempt was detected but blocked
    • Any event in which an account belonging to a person that has access to the data might have been compromised or the password shared with an unauthorized person (responding to phishing emails, someone shoulder surfing and writing down your password, etc.)
    • Any event in which University or Information System policies, standards, or practices are violated
  24. Cybersecurity Incident:  An event that has been determined to have an impact on the organization, prompting the need for response and recovery.  Cybersecurity incidents include but are not limited to:
    • Any scenario in which access to university data has been gained by an unauthorized person that requires response and recovery procedures
    • Any scenario in which a device containing university data has been infected with malicious software (viruses, Trojans, etc.) and requires response and recovery procedures
    • Successful attempts to physically enter or break into a secure area where University data is or might be stored
    • Lost or stolen assets or hardware
  25. Data Asset:  A Data Asset may be a system or application output file, database, document, or web page sourced from an Authoritative Source of data.  A Data Asset also includes a service that may be provided to access data from an application.  For example, a service that returns individual records from a database would be a Data Asset.
  26. Data Catalog:  An enterprise software tool that allows for and focuses primarily on managing data assets, including business glossaries, metadata repository, data dictionary, data lineage, and provenance.
  27. Data Classification:  The process of categorizing Information Systems and Data into distinct classes for the purpose of identifying Information Security control requirements.
  28. Data Governance:  The orchestration of managing, controlling, and using Institutional Data in a manner that ensures data accuracy, consistency, reliability, security, and accessibility.  Guided and enforced by regulations, policies, standards, and practices.
  29. Data Integration:  The ability of data to be assimilated across information systems.
  30. Data Lineage:  The documentation of the origin, movement, transformations, and data assets across systems and processes.
  31. Data Management:  The comprehensive approach to acquiring, validating, storing, protecting, and processing data for reliable and timely decision making.  It includes many disciplines and oversees the architectural framework and operational processes that enable OU to collect, store, and use data effectively and efficiently.  Data Governance is a discipline of Data Management.
  32. Data Program:  Any discrete amalgamation, storage, and/or distributed usage of non-public Institutional Data.
  33. Data Owner:  A senior university administrator (Vice President, Dean, or above) who is accountable for creating and maintaining one or more Authoritative Sources of data relied upon for key university operations.  See University Leadership.
  34. Data Quality:  The extent to which data meets predefined requirements, including accuracy, completeness, consistency, timeliness, and validity.
  35. Data Steward:  An individual, or group, appointed by a Data Owner who is primarily responsible for implementing the rules and procedures needed to ensure that the data and security policies set by the Data Owner are enforced.  Data Steward(s) are high-level functional end user(s) within an operational area who are deemed experts in using the data managed by the area or system.  Any individual who creates an Authoritative Source or SOR is responsible for performing the duties of a Data Steward.  The Data Owner and the Data Steward may not be the same person.
  36. Department Information Technology (DIT):  Department IT provides services and support specific to the discipline of a college or department to aid in teaching and research.
  37. Device ID:  See Asset Tag.
  38. Defense Federal Acquisition Regulation Supplement (DFARS):  A Department of Defense (DoD) supplement to the FAR (Federal Acquisition Requisition). It provides acquisition regulations that are specific to the DoD. DoD government acquisition officials and contractors doing business with the DoD must adhere to the regulations in the DFARS.
  39. Disaster:  An unplanned event resulting in significant damage, destruction, or extended loss of IT services provided to the university, including: a) an interruption to Essential IT services (core network, voice service, central computing facilities, enterprise applications), b) workforce disruption. Interruptions can include the loss of third-party infrastructure that is not the property of OU IT but is critical to IT operations (e.g., power grids, telephone switching centers, or OneNet).
  40. Distributed IT (DIT): Distributed IT organizations within existing OU academic, administrative, or research units are specialized teams or individuals designated by OU IT and approved by IT Governance.  These organizations are responsible for addressing the discipline-specific or administrative function information and technology needs of their specific units at the University of Oklahoma.
  41. Essential IT Service:  Defined as a system or service considered critical to the University and included in the OU IT Disaster Recovery Plan.Essential IT Services provide supporting infrastructure to the University and its Mission- or Unit-Critical IT Services.  Essential IT Services may include, but are not limited to: OU network infrastructure, data centers, voice and telephony systems, account and identity management services, centralized storage services, virtual hosting platforms, and university messaging and collaboration services.
  42. Electronic Protected Health Information (ePHI):  See University of Oklahoma HIPAA Privacy and Security Policies.
  43. Externally Derived Research Funds:  Refer to University accounts categorized as SPNSR, SP490, or NONSP (e.g., FAR/SRI distribution) funds within the PeopleSoft financial system.
  44. Family Education Rights and Privacy Act of 1974 (FERPA):  Federal law that grants five specific rights to and governs disclosure of student electronic records of current and former students who have reached the age of 18 or are attending a postsecondary institution.
  45. Gramm-Leach-Bliley Act (GLBA): Requires OU to explain its information-sharing practices to its customers and to safeguard sensitive data.
  46. Health Care Component(s):  See University of Oklahoma HIPAA Privacy and Security Policies.
  47. Health Insurance Portability and Accountability Act of 1996 (HIPAA):  See University of Oklahoma HIPAA Privacy and Security Policies.
  48. Health Information Technology for Economic and Clinical Health Act (HITECH): A law passed in 2009 to strengthen the privacy and security provisions of HIPAA.  
  49. Hybrid Entity:  See University of Oklahoma HIPAA Privacy and Security Policies.
  50. Independent System Administrators (ISAs): Individuals with information & technology responsibilities that augment their primary role as faculty, researcher, or staff and who operate independently of OU IT and departmental IT organizations within the University of Oklahoma.
  51. Information System:  Defined as any and all online display devices, mass storage media, and all computer-related activities involving any device capable of receiving email, browsing Web sites, or otherwise capable of receiving, storing, managing, or transmitting data, including but not limited to, servers, network infrastructure, computers, tablets, distributed processing systems, network attached and computer controlled medical and laboratory equipment, telecommunication resources, network environments, telephones, fax machines, and printers. Additionally, it is the procedures, equipment, facilities, software, and data that are designed, built, operated, and maintained to create, collect, record, process, store, retrieve, display, and transmit information.
  52. Information Systems Category:  Indicates how critical the asset is (e.g., Essential, Mission-Critical, Unit-Critical, Non-Critical).
  53. Information Technology Disaster Recovery Plan (IT DRP):  A more focused plan, included in a COOP or BCP, that is narrowed to focus on the data and the information systems of a College, Unit, or Department. The aim of the IT DRP is to save data with the sole purpose of being able to recover quickly in the event of a disaster. IT DRPs are developed to address the specific requirements of IT departments to get back up and running, which ultimately affects the business as a whole.
  54. Information Technology Executive Steering Committee (ITESC):
  55. Information Technology Governance, Risk, and Compliance (IT GRC): 
  56. Inherent Risk: The level of risk before risk treatment (controls) are applied.
  57. Institutional Data:  Any data – structured or unstructured, detailed, or aggregated – that are relevant to operations, planning, or management of any institutional unit including research data for which OU has custodial or legal obligations.
  58. Internally Derived Research Funds:  Refer to all other funds intended for research activities, including internally funded research grants, center, and startup funds.
  59. International Traffic in Arms Regulation (ITAR): a set of United States regulations that control the import and export of defense products.
  60. MAC Address:  A media access control address is a unique identifier assigned to a network interface controller (NIC) for use as a network address in communications within a network.
  61. Manufacturer:  A person or company that makes goods for sale.
  62. Metadata:  Refers to the descriptive, structural, or administrative information that helps in the management, discovery, and understanding of data assets.  It is the set of data that provides details about the characteristics, quality, lineage, and relationships of other data.  Metadata is crucial for enforcing Data Governance policies by aiding in data classification, security, and compliance.  Metadata, properly managed, enhances data quality and integrity making it easier to drive the value of data.
  63. Mission-Critical IT Service:  Defined as a system or service considered critical to a university mission and included in the OU IT Disaster Recovery Plan.
  64. Model:  The model of a product made by a manufacturer.
  65. Non-Critical IT Service:  Defined as a system or service considered to be non-critical and having a Recovery Time Objective of three (3) days or more.
  66. OU Business Network:  Includes wired and wireless access provided in OU IT Data Centers.
  67. OU Campus Network:  Includes wired and wireless access provided in campus buildings, facilities, and dorms for Student, Staff, and Faculty use.
  68. OU Information Technology (OU IT): A single, systemwide administrative department of the University of Oklahoma with enterprise responsibility for "information & technology" on all OU campuses.  As designated by the OU Board of Regents, the IT Senior Associate Vice President and Chief Information Officer (CIO) oversees and is responsible for technology investments, services, programs, policies, projects, and strategies - as well as managing risks for each - for the University of Oklahoma system.
  69. Payment Card Industries Data Security Standards (PCI DSS): An information security standard used to handle credit cards from major card brands.  Administered by the PCI Security Standards Council, it aims to create a secure environment for processing, storing, and transmitting cardholder data.
  70. PCI Forensics Investigator (PFI):  Investigations into compromises of payment data are typically conducted by a PCI Forensics Investigator.
  71. Personally Owned Asset:  Include but are not limited to laptops, notebook computers, tablets, smart phones, and desktop computers connecting to the OU network and purchased with externally-derived funds.
  72. Point of Interaction (POI) Device:  Any device that interacts directly with cardholder data in the payment process.  The initial point where data is read from a card.
  73. Protected On-Campus Resources:  University information resources that include: Laserfiche, CQ5 Content Management System, PeopleSoft Admin tools, Virtual Labs, Network File Shares, EMR, GE Centricity Business, Secure Shell (SSH), Remote Desktop (RDP), and certain licensing servers.
  74. Record:  Defined by Oklahoma Statutes at 67 O.S. Sec. 203, records may take many forms. They include but are not limited to documents, books, papers, photographs, computer disks, electronic mail, video, or audio recordings.
  75. Recovery Time Objective (RTO):  Defined as the maximum time allowed for the recovery of an IT system or service following an interruption.
  76. Recovery Point Objective (RPO):  Defined as the acceptable amount of data loss, measured in time.
  77. Residual Risk:  The level of risk that remains after risk treatment (controls) are applied.
  78. Serial Number:  The identification number of the asset as defined by the product manufacturer. This could include a serial number, IMEI, or similar unique number.
  79. System of Record: An Authoritative Source of data used for audit or regulatory reporting purposes; one where the whole data object, or specific attributes of a data object, is maintained.  This maintenance includes data creation, updating, modifying, and deleting.
  80. Third-Party:  May include contractors, vendors, agents, or technology services (e.g., Infrastructure-as-a-Service, Platform-as-a-Service, Software-as-a-Service, Database-as-a-Service, Disaster Recovery-as-a-Service) who are not employed by or directly affiliated with the university.
  81. Unit-Critical IT Service:  Defined as a system or service considered critical to a college, unit, center, institute, or department and included in a department IT Disaster Recovery Plan.
  82. University Business:  Work performed as part of an employee’s job responsibilities, or work performed on behalf of the University by faculty, staff, volunteers, students, other trainees, and other persons whose conduct, in the performance of work for the University, is under the direct control of the University, whether or not they are paid by the University. University business includes the use of a Portable Computing Device to access OU email, non-public University systems, networks, or data in the performance of work for the University.
  83. University Funds:  Refer to all University accounts and funding sources within the PeopleSoft financial system that are NOT defined as internally or externally derived research funds.
  84. University Owned Asset:  Includes but is not limited to laptops, notebook computers, tablets, smart phones, and desktop computers connecting to the OU network and purchased using University or research-derived funds. See Externally-Derived Research Funds and Internally-Derived Research Funds.
  85. Virtual Desktop Infrastructure:  A service provided by OU IT that offers access to protected, on-campus applications using a secure, encrypted virtual desktop while using assets that do not meet university security standards or while accessing web-based resources from public Internet.
  86. Virtual Private Network:  A service provided by OU IT that offers a secure connection between any remote site and assets on the OU networks, such as file servers, data stores, virtual labs, enterprise applications, and more.

Revision, Review, and Approval History

  • March 2024: OU IT Governance, Risk, and Compliance: Added IT definitions
  • July 2024: OU IT Governance, Risk, and Compliance:  Revised and added IT definitions
Details

Article ID: 3018
Created
Wed 8/16/23 11:45 AM
Modified
Fri 7/19/24 8:09 AM
