
Data Management & Protection: Common Definitions

Table of Contents

Purpose ... 2

Updates ... 2

Data Management and Protection Terms... 2

Data Management and Protection Common Acronyms... 6

References ... 8

Document Version: 5.5

Effective Date: April 4, 2007

Original Issue Date: April 4, 2007

Most Recent Revision Date: November 29, 2011

Responsible: Alan Levy, Information and Infrastructure Assurance

Approval Authority: Paul Howell, CISO

Contact: Information and Infrastructure Assurance

Telephone: (734) 647-5357

Email: [email protected]

Purpose

This is a University reference to common terms and acronyms used in Information Security and Data Management and Protection policies, procedures, and guidelines.

Updates

The Data Management and Protection Common Definitions will be maintained and revised as needed by MAIS/Data Administration and Information Infrastructure Assurance (IIA) with inputs from data stewards, data managers, information security coordinators, and others. University employees are encouraged to correspond with MAIS/DA and IIA describing any suggestions for improving these definitions.

Data Management and Protection Terms

Authentication

Confirming the correctness of the claimed identity.

Availability

Assurance that authorized users have access to information resources when required.

Business Owner

See Data Management and Protection Roles and Responsibilities.

Cardholder Information Security Program (CISP)

A security program initiated by Visa to protect the security and confidentiality of personal cardholder information (see PCI-DSS).

Chain of Custody

For use in legal prosecution, a documented record identifying the person who maintained physical ownership or control of evidence, from its time of collection until its presentation or admission into a court of law.

Compliance Officer

See Data Management and Protection Roles and Responsibilities.

Compromised System

A type of security incident, in which an unauthorized user takes control of a machine or resource.

Compromised User Credentials

A type of security incident, in which the password or credentials of a user have been compromised and possibly used to perform unauthorized activity.

Computer Security Incident Response Team (CSIRT)

A team that is typically convened by the security incident coordinator to appropriately respond to a security incident. The team includes individuals from different organizations (such as law enforcement, office of general counsel, communications office or compliance offices) as necessary relative to the incident type and severity.

Confidentiality

Assurance that information is not made available or disclosed to unauthorized individuals, entities, or processes.

Criticality

The relative importance of the information to the mission of the University, and the degree to which the information requires protection to ensure it is not accidentally or intentionally altered or destroyed.

Data Administration

The function of applying formal guidelines and tools to manage the University’s information resource.

Data Manager

See Data Management and Protection Roles and Responsibilities.

Data Management Integration Coordinator

See Data Management and Protection Roles and Responsibilities.

Data Steward

See Data Management and Protection Roles and Responsibilities.

Data User

See Data Management and Protection Roles and Responsibilities.

Delegated Data Steward

See Data Management and Protection Roles and Responsibilities.

Disaster Recovery/Business Continuity

Creating, implementing, and testing plans and procedures for the continuation of essential business operations after a disaster, such as an earthquake, tornado, flood, extended power outage, terrorist incident or other event.

Encryption

Encoding information such that it cannot be decoded and read without provision of an appropriate key.

Electronic Protected Health Information (ePHI)

Protected Health Information that is stored or transmitted electronically (see PHI).

Firewall

A device or program designed to control the network traffic allowed to flow to a computer or segment of the network.

Incident Management

Processes for managing security incidents throughout their life cycle including incident detection, triage, response, mitigation, tracking and analysis.

Information Asset

Information, information systems, computers, documents, and other components of the University infrastructure which store or process information. Also called information technology asset or information technology resource.

Information Security Administrator

See Data Management and Protection Roles and Responsibilities.

Information Security Coordinator

See Data Management and Protection Roles and Responsibilities.

Information Security Unit Liaison

See Data Management and Protection Roles and Responsibilities.

Infrastructure

The set of underlying equipment that makes up a computer network.

Institutional Data

See SPG 601.12, Institutional Data Resource Management and Protection Policy.

Integrity

Assurance that information is not accidentally or intentionally altered or destroyed.

Intrusion Detection System (IDS)

A security management system for computers and networks which gathers and analyzes information from various areas within a computer or a network to identify possible security breaches, which include both intrusions (attacks from outside the organization) and misuse (attacks from within the organization).

IT Resource User

See Data Management and Protection Roles and Responsibilities.

IT Service Provider

See Data Management and Protection Roles and Responsibilities.

Lost Equipment/Theft

A type of security incident, where lost or stolen equipment, such as laptops, thumb drives or PDAs, may lead to disclosure of sensitive or other non-public information.

Malware

Malicious software such as viruses, worms, and Trojans.

Network Attacks

A type of security incident involving use of the network for malicious activity, including:

• A denial of service attack which causes legitimate access to University resources to be hindered;

• Network scanning, such as portscanning or hostscanning;

• Unauthorized packet capture, including grabbing passwords or sniffing wireless segments.

Payment Card Industry Data Security Standard (PCI-DSS)

An industry standard designed by the major credit card companies to protect cardholder personal information associated with credit card transactions. The PCI-DSS prescribes twelve categories of security safeguards.

Protected Health Information (PHI)

Information created, received, maintained or transmitted, that was created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and relating to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.

Phishing

The use of e-mails that appear to originate from a trusted source to trick a user into entering valid credentials at a fake website. Typically the e-mail and the website look like they belong to a bank the user is doing business with.

Policy Violation

A type of security incident, in which a user or system resource violates written or implied acceptable usage policies.

Port Scanning

A series of messages sent by someone attempting to break into a computer to determine where to probe for weaknesses.

Private/Confidential Data

Data elements which do not meet the definition of public data or sensitive data. This is the default classification category and should be assumed when there is no information indicating that data should be classified as public or sensitive.

Private Personal Information (PPI)

A category of sensitive information that is associated with an individual, such as social security number, credit card number, protected health information, etc.

Public Data

Data elements whose disclosure to the general public poses little to no risk to the University’s reputation, resources, services, or individuals.

Risk Assessment

A process that examines information assets within a given scope against a set of security requirements and identifies the risks associated with them.

Security Safeguards

Protective measures prescribed to meet the security requirements (i.e., confidentiality, integrity, and availability) specified for an information system or environment. Safeguards may include security features, management constraints, personnel security, and security of physical structures, areas, and devices. Also called security controls or countermeasures.

Security Incident

An attempted or successful unauthorized access, use, disclosure, modification, or destruction of information; interference with information technology operation; or violation of explicit or implied acceptable usage policy (see SPG 601.25, Information Security Incident Reporting Policy).

Sensitive Data

Data elements whose unauthorized disclosure may have a serious adverse effect on the University’s reputation, resources, services, or individuals. Data protected under federal or state regulations or data protected due to proprietary, ethical, or privacy considerations would typically be classified as sensitive.

Serious Incident

An incident that may pose a threat to University resources, stakeholders, and/or services which meets the criteria listed in SPG 601.25, Information Security Incident Reporting Policy.

Sensitivity

The degree to which information requires protection to ensure it is not exposed to unauthorized users.

Social Engineering

A type of security incident, in which legitimate users are manipulated into revealing sensitive or other non-public information.

Spam

Electronic junk mail or junk newsgroup postings.

Spyware

Unsolicited software installed on a computer, typically from a website, to monitor and report computer use.

System Administration

The function of maintaining and operating hardware and software platforms, and system environments.

Trojan Horse

A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes the program.

Two-factor Authentication

An authentication method requiring two items beyond a user ID for authentication. Typically, these items would be something you know (e.g. a password) and something you have (e.g. a number from a token, a fingerprint).

University Chief Information Technology Security Officer

See Data Management and Protection Roles and Responsibilities.

Virus

A hidden, self-replicating section of computer software, usually malicious logic, that propagates by infecting - i.e., inserting a copy of itself into and becoming part of - another program. A virus cannot run by itself; it requires that its host program be run to make the virus active.

Vulnerability

A flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security policy.

Vulnerability Assessment

An act or procedure intended to evaluate or identify the existence of known vulnerabilities in a computer system or network.

Workforce Member

Any faculty, staff, student, volunteer, trainee, or other person whose conduct is under the University’s direct control, whether or not the University pays them for their services.

Worm

A self-contained program that runs itself on a system and replicates to other systems without user intervention.

Data Management and Protection Common Acronyms

CERT/CC

CERT Coordination Center (http://www.cert.org/)

CFR

Code of Federal Regulations

CIO

Chief Information Officer

CISP

Cardholder Information Security Program

CISSP

Certified Information Systems Security Professional

CSIRT

Computer Security Incident Response Team

DPS

Department of Public Safety at the University of Michigan

ePHI

Electronic Protected Health Information

FERPA

Family Educational Rights and Privacy Act

FIPS

Federal Information Processing Standards (http://www.itl.nist.gov/fipspubs/)

FIRST

Forum of Incident Response and Security Teams (http://www.first.org/)

GLBA

Gramm-Leach-Bliley Act

HIPAA

Health Insurance Portability and Accountability Act

IDS

Intrusion Detection System

ISAC

Information Sharing and Analysis Center

IT

Information Technology

ITIL

IT Infrastructure Library

MSS

Managed Security Services

NICR

Network Information Change Request

NIST

National Institute of Standards and Technology (http://www.nist.gov/)

NOC

Network Operations Center

NSP

Network Service Provider

OGC

Office of General Counsel

OVPR

Office of the Vice President for Research

PCI-DSS

Payment Card Industry Data Security Standard

PHI

Protected Health Information

PPI

Private Personal Information

RECON

Risk Evaluation of Computers and Open Networks

SME

Subject Matter Expert

SOX

The Sarbanes-Oxley Act

SPG

Standard Practice Guide

References

Glossary of Security Terms (SANS) - http://www.sans.org/resources/glossary.php

Data Management and Protection Roles and Responsibilities - http://www.mais.umich.edu/access/policies.html

SPG 601.12, Institutional Data Resource Management and Protection Policy - http://spg.umich.edu/pdf/601.12.pdf

SPG 601.25, Information Security Incident Reporting Policy - http://spg.umich.edu/pdf/601.25.pdf

Incident Management Guidelines - https://www.itss.umich.edu/umonly/im_guidelines.pdf
