Glossary

a
Active Collection
For the purposes of the Web Site Privacy Notices Policy, active collection refers to the gathering of information where a visitor voluntarily provides information such as through a form, or creating a profile, or choosing account settings.
Authorized user
Authorized users are people acting within the scope of a legitimate affiliation with the university, using their assigned and approved credentials (ex. network IDs, passwords, or other access codes) and privileges, to gain approved access to university information technology resources. A person acting outside of a legitimate affiliation with the university or outside the scope of their approved access to university information technology resources is considered an unauthorized user.
b
Best Practice
Best Practices are comprised of one or more general statements or recommendations detailing procedural or technology approaches to following or implementing policy. In contrast to procedures and standards, best practices are not requirements to be met, although they are strongly recommended. (See also Guideline.)
Board of Trustees
For the purposes of information security and privacy governance, the Board of Trustees is a Role Title. The Board is Indiana University's governing board, legal owner, and final authority, and the owner of all information, except information excluded from university ownership as set forth in the Indiana University Policy on Intellectual Property. (Definitions and responsibilities for this Role Title are in ISPP-25.1 Standard: Information Security and Privacy Roles and Responsibilities.)
Breach
The acquisition, access, use, or disclosure of information in a manner not permitted under existing law which compromises the security or privacy of the information (i.e. poses a significant risk of financial, reputational, or other harm to the individual and/or university).
Business Function Management
For the purposes of information security and privacy governance, Business Function Management is a Role Title, and is defined as those individuals assigned business management responsibilities for a unit or service. (Definitions and responsibilities for this Role Title are in ISPP-25.1 Standard: Information Security and Privacy Roles and Responsibilities.)
c
Commercial activities
Commercial activities are defined as economic activities geared toward a mass or specialized market and ordinarily intended to result in a profit, and that are not part of one's university responsibilities. Commercial activities do not include the use of information technology resources for one-time, minimal transactions, such as students using their Indiana University email accounts to communicate with potential buyers for used textbooks or with potential sub-lessees. This type of transaction is considered incidental personal use.
Compliance Officer
For the purposes of information security and privacy governance, Compliance Officer is a Role Title, and is defined as an individual who provides compliance oversight and/or coordination that includes information security and/or privacy, usually for a specific information type, business sector, or business function. (Definitions and responsibilities for this Role Title are in ISPP-25.1 Standard: Information Security and Privacy Roles and Responsibilities.)
Confidentiality
Confidentiality considers the effects of the inappropriate disclosure of the information.
Content Owner
For the purposes of the Web Site Privacy Notices Policy, the content owner of a university web site is the functional person or group that owns and directs the content of a web site. Typically, the content owner directs the site manager in the implementation of a web site. The content owner and site manager share responsibility for a web site and for adherence to this policy.
Content-neutral information
Content-neutral information is information relating to the operation of systems, including information relating to interactions between individuals and those systems. Such information includes but is not limited to operating system logs (i.e., record of actions or events related to the operation of a system or device), user login records (i.e., logs of usernames used to connect to university systems, noting source and date/time), dial-up logs (i.e., connections to university modems, noting source, date/time, and caller id), network activity logs (i.e., connections attempted or completed to university systems, with source and date/time), non-content network traffic (i.e., source/destination IP address, port, and protocol), email logs (i.e., logs indicating email sent or received by individuals using university email systems, noting sender, recipient, and date/time), account/system configuration information, and audit logs (i.e., records of actions taken on university systems, noting date/time).
Criticality
Criticality considers the importance of maintaining integrity and availability for business operations.
d
Data
Data are symbols or characters that represent raw facts or figures and form the basis of information. Source: Glossary of Records and Information Management Terms, 3rd ed. ARMA International (2007) NOTE: For the purposes of the Indiana University Information Security and Privacy Program, the terms data and information are used interchangeably, with a preference for the use of the term information.
Data Access Manager
For the purposes of information security and privacy governance, Data Access Manager is a Role Title, and is defined as an individual who has been assigned to receive, evaluate, and authorize or deny requests for access to systems, applications, and/or databases containing information. These systems may be electronic or in paper form, for example, in paper-based filing systems. (Definitions and responsibilities for this Role Title are in ISPP-25.1 Standard: Information Security and Privacy Roles and Responsibilities.)
Data Custodian
For the purposes of information security and privacy governance, Data Custodian is a Role Title, and is defined as a manager of systems containing information. These systems may be in electronic or paper form, for example, in paper-based filing systems. (Definitions and responsibilities for this Role Title are in ISPP-25.1 Standard: Information Security and Privacy Roles and Responsibilities.)
Data Steward
For the purposes of information security and privacy governance, Data Steward is a Role Title, and is defined as an individual who has been named to represent information, usually for a specific information type, business sector, or business function, for university-wide information governance purposes. (Definitions and responsibilities for this Role Title are in ISPP-25.1 Standard: Information Security and Privacy Roles and Responsibilities.)
Domain
Common areas of information security and privacy activities are grouped into twelve specific domains. This domain grouping allows the use of common vocabulary and structure to identify and track projects, actions, policies, tools, and other safeguards. The Indiana University Security and Privacy Domains are adapted from the International Organization for Standardization and International Electrotechnical Commission (ISO/IEC) international standard ISO/IEC 27002:2005 on Information Security Management.
e
Excessive use
Excessive use exists when a user or process has exceeded established limits placed on the service, or is consuming a resource to a level such that service to other users is degraded, or where the actions of a user could cause degradation if the user is permitted to continue the practice or activity. Service managers, system administrators, and security and network engineers must use experience and knowledge of normal service usage patterns in consultation with the management of the unit owning the service or resource, and exercise judgment in making decisions about excessive use.
Executive Management
For the purposes of information security and privacy governance, Executive Management is a Role Title, and is defined as those individuals assigned executive management responsibilities, typically with the titles of President, Vice President, and Chancellor, and including Academic Deans. (Definitions and responsibilities for this Role Title are in ISPP-25.1 Standard: Information Security and Privacy Roles and Responsibilities.)
Extending the network
g
Guideline
Guidelines are comprised of one or more general statements or recommendations detailing procedural or technology approaches to following or implementing policy. In contrast to procedures and standards, guidelines are not requirements to be met, although they are strongly recommended. (See also Best Practice.)
h
Health Information
Any information created, maintained or received, via any communication or record retention format, by any entity such as a provider, insurance plan, employer, or university that identifies an individual and any services regarding their health care or health payments relating to their past, present, or future health status.
i
Incidental personal use
Incidental personal use is the use of information technology resources by members of the Indiana University community in support of activities that do not relate to their university employment or studies or to other activities involving and approved by the university. Examples include use of email to send personal messages to friends, family, or colleagues, including messages relating to one-time minimal sales or purchase transactions, and use of the personal home page service to provide information about personal hobbies or interests. If personal use adversely affects or conflicts with university operations or activities, the user will be asked to cease those activities. All direct costs (for example, printer or copier paper and other supplies) attributed to personal incidental use must be assumed by the user.
Indiana University information
See University information.
Information
Information is data that has been given value through analysis, interpretation, or compilation in a meaningful form. Source: Glossary of Records and Information Management Terms, 3rd ed. ARMA International (2007) (See also University information.) NOTE: For the purposes of the Indiana University Information Security and Privacy Program, the terms data and information are used interchangeably, with a preference for the use of the term information.
Information asset
An information asset is an item of value that contains information. Examples include documents, spreadsheets, databases, and files. For the purposes of information classification, Data Stewards typically classify information elements. Then, other individuals handling information determine the classification of an information asset based on what information elements are contained in the asset. (See also Information element.)
Information element
An information element is a single or small piece of data or information. For the purposes of information classification, Data Stewards typically classify information elements. Then, other individuals handling information determine the classification of an information asset based on what information elements are contained in the asset. (See also Information asset.)
Information Security and Privacy Program
Indiana University's Information Security and Privacy Program ("Program" hereafter) outlines a University-wide approach to implementing and managing information and information technology security and privacy. It describes the University's philosophies, values, and approach to safeguarding information and information technology.
Information Security Program
An Information Security Program is a "methodical, programmatic approach to implementing and managing security within an organization." Source: Robert B. Kvavik and John Voloudakis, Safeguarding the Tower: IT Security in Higher Education 2006 (Boulder, CO: EDUCAUSE Center for Applied Research, 2006), http://connect.educause.edu/Library/Abstract/SafeguardingtheTowerITSec/41170, 94.
Information system
A discrete set of information resources, procedures and/or techniques, organized or designed, for the classification, collection, accessing, use, processing, manipulation, maintenance, storage, retention, retrieval, display, sharing, disclosure, dissemination, transmission, or disposal of information. An information system can be as simple as a paper-based filing system or as complicated as a tiered electronic system.
Information technology governance
IT governance is defined as "the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise's resources are used responsibly." Source: Board Briefing on IT Governance, 2nd ed. (Rolling Meadows, IL: IT Governance Institute, 2003), http://www.itgi.org/AMTemplate.cfm?Section=Board_Briefing_on_IT_Governance
Information technology resources
Information technology resources includes all university-owned computers, peripherals, and related equipment and software; voice communications infrastructure, peripherals, and related equipment and software; data communications infrastructure, peripherals, and related equipment and software; all other associated tools, instruments, and facilities; and the services that make use of any of these technology resources. The components may be individually controlled (i.e., assigned to an employee) or shared in a single-user or multi-user manner; they may be stand-alone or networked; and they may be stationary or mobile.
Information type
An information type is a grouping of information in order to assign specific governance, policies, standards, and related guidance. Information types are typically determined by business sector or business function. Examples of information types include, but are not limited to: medical, student, financial, and research.
Institutional Data
A data element is considered institutional data if it satisfies one or more of the following four criteria: it is relevant to planning, managing, operating, or auditing a major administrative function of the university; it is referenced or required for use by more than one organizational unit - data elements used internally by a single department or office are not typically considered institutional data; it is included in an official university administrative report; it is used to derive an element that meets the criteria above.
IP address space
IP address spaces in this context means blocks of IP addresses assigned to Indiana University by Internet addressing authorities.
l
Layer-2 device
Layer-2 devices function at the data link layer of the Open Systems Interconnection Basic Reference Model. Typically these are Ethernet devices such as switches and wireless access points (WAPs); hubs and repeaters, which strictly operate at the physical layer (layer 1), are grouped with them here because they serve the same purpose. These devices are often used to provide network connectivity to multiple machines in the same room using a single data jack.
Layer-3 device
Layer-3 devices function at the network layer of the Open Systems Interconnection Basic Reference Model. Typically these are IP devices such as firewalls, NATs, and packet-filtering routers that isolate or conceal other devices from the rest of the network.
m
Misuse or abuse
Misuse or abuse are uses of Indiana University information technology resources that violate existing laws or university policies and procedures (including but not limited to University Information Technology Policies; the Code of Student Rights, Responsibilities, and Conduct; the Academic Handbook; University Human Resources Policies; and University Financial Policies), or that otherwise violate generally accepted ethical norms and principles. Misuse or abuse also includes the sharing or transferring of an individual's university accounts, including network ID, password, or other access codes that allow them to gain access to university information technology resources, with one or more other persons.
n
Network Address Translation (NAT) device
NAT devices rewrite the IP header of a packet traversing the device, changing the IP source and/or destination addresses (and, in the common port-overloading form, the TCP or UDP port as well). Because the NAT device forwards at layer 3, the frames it emits also carry its own MAC address as the layer-2 source, as any router's do. Often the result is to present multiple devices behind a NAT as if they were a single device.
o
Owner
The term "owner" identifies an individual or entity that has approved management responsibility for controlling the production, development, maintenance, use and security of the information or information technology assets. The term "owner" does not necessarily mean that the person or entity actually has any property rights to the asset.
p
Passive collection
For the purposes of the Web Site Privacy Notices Policy, passive collection refers to the automatic gathering of information from visitors as they migrate or navigate from page to page on a web site or series of sites, such as via server logs or cookies.
Personal private gain
Personal private gain is defined as securing profit or reward for an individual in his or her personal capacity, that is not otherwise permitted by this policy.
Policy
An information or information technology policy is an agreed upon, formal, high-level statement that describes the university's philosophy, values, and/or direction for a specified subject area. Policies tend to be fairly brief and focus on guiding principles (i.e. the "why") rather than on technical or process details (i.e. the "how"). The purpose of policies is to guide present and future decisions so that they are in agreement with university goals and objectives. University-level information and information technology policies are developed and approved using a formal process. Because policies are official institutional statements, compliance with policies is non-optional and failure to follow policies may result in sanctions imposed by the appropriate university office. Policies are not procedures (although many policy documents have a procedures section), standards, guidelines or best practices. These other, more detailed documents flow from and support policies.
Political campaigning and similar activities that are inconsistent with the university's tax-exempt status
Political campaigning and similar activities that are inconsistent with the university's tax-exempt status include campaign purposes that would further the interests of the candidate or candidates of any one political party.
Position Paper
A position paper is a concise, practical document that focuses on a specific technology or issue (often new or not yet widely used or encountered within the university) and expresses the professional opinion of the University Information Policy Office or University Information Security office on its use within or effect on the university.
Practice
See Best Practice.
Privacy
Privacy is defined as the rights and obligations of individuals and organizations with respect to the collection, use, retention, and disclosure of personal information. Source: Generally Accepted Privacy Principles: A Global Privacy Framework ([Durham, NC?]: American Institute of Certified Public Accountants, Inc. and Canadian Institute of Chartered Accountants, 2006), http://infotech.aicpa.org/Resources/Privacy/Generally+Accepted+Privacy+Principles/, 4.
Private IP address
Private IP addresses are local network addresses that are not routed on the Internet, so that connections to them from other devices on the Internet are not directly possible; a device in private address space can only be reached from outside through a NAT or port-forwarding rule on an intervening device. The private IP address blocks are 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16, as defined by RFC 1918.
Procedure
Procedures (like standards) support policy by further describing specific implementation details (i.e. the "how"). A procedure can be thought of as an extension of a policy that articulates the process to be used in carrying out/complying with the policy. A procedure may describe a series of steps, or how to use standards and guidelines to achieve the goals of a policy. Procedures, along with standards, promote a consistent approach to following policy. Procedures make policies more practically meaningful and effective. Procedures overlap with standards although procedures tend to be more process oriented while standards tend to be more focused on requirements or specifications. Because procedures directly support policies, compliance with procedures is non-optional and failure to follow procedures may result in sanctions imposed by the appropriate university office.
Program
The word "Program" is used to refer to Indiana University's Information Security and Privacy Program.
Public IP address
Public IP addresses are globally routable addresses that are reachable from the Internet, so that connections to them from other devices on the Internet are possible unless a firewall or packet filter blocks them.
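The three entries above (NAT device, Private IP address, Public IP address) describe the mechanism in prose. The following added example (not part of the IU glossary or of any IU system) shows it in code: an explicit RFC 1918 check, a classification that contrasts it with Python's broader ipaddress.is_private, and a toy port-overloading source NAT that maps two inside hosts onto one public address and drops inbound packets for which no mapping exists. All hosts, addresses, ports and flows are constructed for illustration; 203.0.113.0/24 and 198.51.100.0/24 are the RFC 5737 documentation ranges, used here so that no real network is named.

```python
"""Added example: RFC 1918 classification plus a minimal source NAT table.
All addresses and flows are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The three blocks named in the glossary's "Private IP address" entry (RFC 1918).
RFC1918_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(addr: str) -> bool:
    """True only for the three RFC 1918 blocks. Narrower than
    ipaddress's is_private, which also counts loopback (127/8),
    link-local (169.254/16) and other reserved ranges as private."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in RFC1918_BLOCKS)


def classify(addr: str) -> str:
    """'private' (RFC 1918), 'public' (globally routable), or 'other'
    (loopback, link-local, multicast, documentation ranges, ...)."""
    ip = ipaddress.ip_address(addr)
    if is_rfc1918(addr):
        return "private"
    if ip.is_global:
        return "public"
    return "other"


@dataclass(frozen=True)
class Flow:
    """One direction of a TCP/UDP conversation as seen in a packet header."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class SourceNat:
    """Port-overloading source NAT: every outbound flow from an inside host is
    rewritten to the NAT's single public address and a unique port, and the
    mapping is kept so the reply can be rewritten back to the inside host."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        if is_rfc1918(public_ip):
            raise ValueError(f"{public_ip} is itself a private address")
        self.public_ip = public_ip
        self.next_port = first_port
        # (inside ip, inside port, dst ip, dst port) -> NAT port
        self.outbound: Dict[Tuple[str, int, str, int], int] = {}
        # (NAT port, remote ip, remote port) -> (inside ip, inside port)
        self.inbound: Dict[Tuple[int, str, int], Tuple[str, int]] = {}

    def translate_outbound(self, flow: Flow) -> Flow:
        """Rewrite an inside host's packet; reuse the mapping for a repeat flow."""
        if not is_rfc1918(flow.src_ip):
            raise ValueError("only RFC 1918 sources are translated")
        key = (flow.src_ip, flow.src_port, flow.dst_ip, flow.dst_port)
        port = self.outbound.get(key)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[(port, flow.dst_ip, flow.dst_port)] = (flow.src_ip, flow.src_port)
        return Flow(self.public_ip, port, flow.dst_ip, flow.dst_port)

    def translate_inbound(self, flow: Flow) -> Optional[Flow]:
        """Packet arriving at the public address. Returns the flow rewritten to
        the inside host, or None when no mapping exists: this is why an
        unsolicited connection from the Internet to a private address fails."""
        inside = self.inbound.get((flow.dst_port, flow.src_ip, flow.src_port))
        if inside is None:
            return None
        return Flow(flow.src_ip, flow.src_port, inside[0], inside[1])


def demo() -> List[Optional[Flow]]:
    """Two inside hosts reach the same server from the same source port;
    the server sees one public address with two distinct ports."""
    nat = SourceNat("203.0.113.1")
    a = nat.translate_outbound(Flow("10.1.2.3", 51000, "198.51.100.10", 443))
    b = nat.translate_outbound(Flow("192.168.7.8", 51000, "198.51.100.10", 443))
    # The server's reply to host A comes back to the NAT's public address.
    reply_a = nat.translate_inbound(Flow("198.51.100.10", 443, "203.0.113.1", a.src_port))
    # An unsolicited packet from the Internet matches no mapping and is dropped.
    stray = nat.translate_inbound(Flow("198.51.100.10", 443, "203.0.113.1", 22))
    return [a, b, reply_a, stray]


if __name__ == "__main__":
    for addr in ("10.0.0.5", "172.31.255.254", "172.32.0.1", "169.254.1.1", "8.8.8.8"):
        print(addr, classify(addr))
    for f in demo():
        print(f)
```

The explicit RFC 1918 check matters in practice: a rule that says "treat is_private addresses as internal" would also admit link-local and loopback sources, which is not what the glossary's definition means.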
r
Regional campus Chief Information Officer
The primary responsibility of a regional campus Chief Information Officer is the development and use of information technology in support of the campus' vision for excellence in research, teaching, outreach, and lifelong learning. He or she is also responsible for disseminating information to the campus, coordinating activities that involve more than one campus, fostering cooperation in areas such as sharing technical expertise and training, and problem coordination and resolution for their own campus information technology issues.
Related Third Party
For the purposes of information security and privacy governance, Related Third Party is a Role Title, and is defined as an organization, contractor, vendor, or consultant with whom Indiana University establishes relationships or contracts to perform a service for or on behalf of the university. (Definitions and responsibilities for this Role Title are in ISPP-25.1 Standard: Information Security and Privacy Roles and Responsibilities.)
Remote access service
Remote access services are defined as any mechanisms that allow a machine outside of the physical university data network to appear as though it is part of the Indiana University network. Typically this involves creating a link over either the data network or a phone line and assigning an Indiana University IP address to the remote machine.
Role
A function or set of functions performed by an individual.
Role title
A generic information security and privacy role title is given to a set of high-level, general responsibilities. An individual may then be assigned to a role title, so that he or she understands what functions to perform.
s
Safeguards
Safeguards are the administrative (e.g., policies, procedures), technical, and physical measures put in place to protect information.
Security Incident
The attempted or successful unauthorized access, use, disclosure, modification or destruction of information or interference with system operations in an information system. Security incident also means the loss of data through theft or device misplacement, loss or misplacement of hardcopy documents, misrouting of mail, or compromise of physical security, all of which may have the potential to put the data at risk of unauthorized access, use, disclosure, modification or destruction.
Site Manager
For the purposes of the Web Site Privacy Notices Policy, the site manager of a university web site is the person or group that technically implements the wishes and publishes the content of the content owner. Typically, the site manager follows the direction of the content owner. The site manager and content owner share responsibility for a web site and for adherence to this policy.
SSID
SSID stands for "Service Set Identifi