Glossary of Terms
Active shooter/hostile intruder - A person who appears to be actively engaged in killing or attempting to kill people in a populated area, typically using firearms.
Active collection - For the purposes of the Website Privacy Notices Policy, active collection refers to the gathering of information where a visitor voluntarily provides information such as through a form, or creating a profile, or choosing account settings.
Advisory - A notification category that provides urgent information about an unusual occurrence or threat of an occurrence, but no activation of the notified entity is ordered or expected at that time.
Aggravated assault - An unlawful attack by one person upon another for the purpose of inflicting severe or aggravated bodily injury. This type of assault usually is accompanied by the use of a weapon or by means likely to produce death or great bodily harm. (FBI’s UCR Program Definition)
IU-Notify emergency notifications v. crime alerts
IU-Notify emergency notifications use multiple means of communication (text, email, phone, digital signs) to warn students and employees of an imminent threat on campus, such as a flash flood or violent intruder.
Crime alerts are intended to warn of certain crimes that represent a serious or ongoing threat, such as a string of auto burglaries or a reported sexual assault. Email is the primary method of communication for sharing details of the incident and for offering information that may aid in preventing similar crimes.
Anti-virus software - According to Wikipedia, antivirus or anti-virus software (often abbreviated as AV), sometimes known as anti-malware software, is computer software used to prevent, detect and remove malicious software. Antivirus software was originally developed to detect and remove computer viruses, hence the name.
Arson - Any willful or malicious burning or attempt to burn, with or without intent to defraud, a dwelling house, public building, motor vehicle or aircraft, personal property of another, etc. (FBI’s UCR Program Definition)
Authentication – Authentication is the process of determining whether someone or something is, in fact, who or what it is declared to be. To access most technology services of Indiana University, you must provide such proof of identity. In private and public computer networks (including the Internet), authentication is commonly done through the use of login passwords or passphrases; knowledge of such is assumed to guarantee that the user is authentic. Thus, when you are asked to "authenticate" to a system, it usually means that you enter your username and/or password for that system.
Authorization - In computing systems, authorization is the process of determining which permissions a person or system is supposed to have. In multi-user computing systems, a system administrator defines which users are allowed access to the system, as well as the privileges of use for which they are eligible (e.g., access to file directories, hours of access, amount of allocated storage space). Authorization can be seen as both the preliminary setting of permissions by a system administrator, and the actual checking of the permission values when a user obtains access. Authorization is usually preceded by authentication.
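The two entries above separate proving who you are (authentication) from checking what you may do (authorization), and note that the second is preceded by the first. The following Python example is added here to put the two steps in order; it is not code from the original page or from any Indiana University system. The account names, roles, resource names and passphrases are made up for the illustration. The passphrase is never stored: only a salted PBKDF2 digest is kept, and the comparison is constant-time. Authorization is deny-by-default and is consulted only after authentication succeeds.

```python
"""Authentication followed by authorization (added example, constructed data)."""
import hashlib
import hmac
import os

# --- Authentication: prove knowledge of the secret without storing the secret ---

def hash_passphrase(passphrase: str, salt: bytes = b"", iterations: int = 100_000):
    """Return (salt, digest). A random per-user salt keeps two users with the
    same passphrase from sharing a digest; PBKDF2 iterations slow brute force."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, iterations)
    return salt, digest


def authenticate(accounts: dict, username: str, passphrase: str) -> bool:
    """True only if the presented passphrase matches the stored digest."""
    record = accounts.get(username)
    if record is None:
        # Do the same work for unknown users so response time does not reveal valid usernames.
        hash_passphrase(passphrase, b"\x00" * 16)
        return False
    salt, stored = record["credential"]
    _, candidate = hash_passphrase(passphrase, salt)
    return hmac.compare_digest(candidate, stored)   # constant-time comparison


# --- Authorization: what an already-authenticated identity may do ---

# Hypothetical role table: (resource, action) pairs each role is allowed.
PERMISSIONS = {
    "admin": {("files", "read"), ("files", "write"), ("users", "manage")},
    "student": {("files", "read")},
}


def authorize(accounts: dict, username: str, resource: str, action: str) -> bool:
    """Deny unless some role held by the user grants the (resource, action) pair."""
    roles = accounts[username]["roles"]
    return any((resource, action) in PERMISSIONS.get(role, set()) for role in roles)


def access(accounts: dict, username: str, passphrase: str, resource: str, action: str) -> str:
    """Authentication first, then authorization; each failure is reported distinctly."""
    if not authenticate(accounts, username, passphrase):
        return "denied: authentication failed"
    if not authorize(accounts, username, resource, action):
        return "denied: not authorized"
    return "granted"


def sample_accounts() -> dict:
    """Constructed account store; in practice this lives in a directory or database."""
    return {
        "jdoe": {"credential": hash_passphrase("correct horse battery staple"), "roles": ["student"]},
        "sysadm": {"credential": hash_passphrase("fifteen-character-plus phrase!"), "roles": ["admin"]},
    }
```

A wrong passphrase and an unknown username produce the same result and cost roughly the same time, so the login step leaks nothing about which usernames exist; a correct passphrase for an account without the needed role still ends in a denial, at the authorization step.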
Authorized user - Authorized users are people acting within the scope of a legitimate affiliation with the university, using their assigned and approved credentials (ex. network IDs, passwords, or other access codes) and privileges, to gain approved access to university information technology resources. A person acting outside of a legitimate affiliation with the university or outside the scope of their approved access to university information technology resources is considered an unauthorized user.
Autorun - A feature in personal computers that runs a program on a CD/DVD or USB drive. AutoRun is considered a security risk because a virus could be unleashed when the medium is inserted, which is why it is no longer the default in Windows. The Mac AutoStart equivalent was also dropped in Mac OS X. (PCMAG definition)
Best practice - Best practices are comprised of one or more general statements or recommendations detailing procedural or technology approaches to following or implementing policy. In contrast to procedures and standards, best practices are not requirements to be met, although they are strongly recommended. (See also Guideline.)
Bloodborne pathogens – Pathogenic microorganisms that are present in human blood and can cause disease in humans. These include, but are not limited to, hepatitis B virus (HBV) and human immunodeficiency virus (HIV).
Board of Trustees - For the purposes of information security and privacy governance, the Board of Trustees is a Role Title. The Board is Indiana University's governing board, legal owner, and final authority, and the owner of all information, except information excluded from university ownership as set forth in the Indiana University Policy on Intellectual Property. (Definitions and responsibilities for this Role Title are in ISPP-25.1 Standard: Information Security and Privacy Roles and Responsibilities.)
Breach - The acquisition, access, use, or disclosure of information in a manner not permitted under existing law which compromises the security or privacy of the information (i.e. poses a significant risk of financial, reputational, or other harm to the individual and/or university).
Building Emergency Coordinator - University employees who serve as one of the primary emergency contacts for an IU campus building or facility. They are responsible for the implementation of the building's Emergency Action Plan and assist with the safe evacuation and accountability of building staff, with the help of appointed Floor Wardens.
Burglary - The unlawful entry of a structure to commit a felony or a theft. For reporting purposes this definition includes: unlawful entry with intent to commit a larceny or felony; breaking and entering with intent to commit a larceny; housebreaking; safecracking; and all attempts to commit any of the aforementioned. (FBI’s UCR Program Definition)
Business continuity plan – Business continuity planning (BCP) is the practice of planning how you will run your service or business unit processes when normal operating procedures are not possible.
Building emergency action plan - These plans are the agreed-upon actions for fire, severe weather, medical and other emergencies that all staff who work in a building should be made aware of when they start employment (or when the plans change), as per the guidelines of the federal Occupational Safety and Health Administration. Plans for many buildings at IU can be viewed on Box.
Business function management – For the purposes of information security and privacy governance, Business Function Management is a Role Title, and is defined as those individuals assigned business management responsibilities for a unit or service. (Definitions and responsibilities for this Role Title are in ISPP-25.1 Standard: Information Security and Privacy Roles and Responsibilities.)
Campus community - All of the people (e.g., students, faculty, staff) or organizations that have a connection to the university as it relates to academic, research, recreational, administrative, or other supportive functions.
Campus Emergency Preparedness Certificate - A 100-hour program offered by IU Emergency Management and Continuity and University Human Resources. The skills and activities include short online classes through the Department of Homeland Security, participation in campus emergency drills (active shooter, earthquake, etc.), on-campus classes, and individual skill development such as CPR/First Aid certification and creating an emergency kit for the office.
To clear buildings/facilities - The practice used by law enforcement or other public safety personnel to systematically remove all personnel and any potential risks or threats from a building or facility.
Commercial activities - Commercial activities are defined as economic activities geared toward a mass or specialized market and ordinarily intended to result in a profit, and that are not part of one's university responsibilities. Commercial activities do not include the use of information technology resources for one-time, minimal transactions, such as students using their Indiana University email accounts to communicate with potential buyers for used textbooks or with potential sub-lessees. This type of transaction is considered incidental personal use.
Compliance officer - For the purposes of information security and privacy governance, Compliance Officer is a Role Title, and is defined as an individual who provides compliance oversight and/or coordination that includes information security and/or privacy, usually for a specific information type, business sector, or business function. (Definitions and responsibilities for this Role Title are in ISPP-25.1 Standard: Information Security and Privacy Roles and Responsibilities.)
Computer virus – A hidden, self-replicating section of computer software, usually malicious logic, that propagates by infecting – i.e. inserting a copy of itself into and becoming a part of another program. It cannot run by itself; it requires that its host program be run to make the virus active.
Content owner - For the purposes of the Web Site Privacy Notices Policy, the content owner of a university web site is the functional person or group that owns and directs the content of a web site. Typically, the content owner directs the site manager in the implementation of a web site. The content owner and site manager share responsibility for a web site and for adherence to this policy.
Content-neutral information - Content-neutral information is information relating to the operation of systems, including information relating to interactions between individuals and those systems. Such information includes but is not limited to operating system logs (i.e., record of actions or events related to the operation of a system or device), user login records (i.e., logs of usernames used to connect to university systems, noting source and date/time), dial-up logs (i.e., connections to university modems, noting source, date/time, and caller id), network activity logs (i.e., connections attempted or completed to university systems, with source and date/time), non-content network traffic (i.e., source/destination IP address, port, and protocol), email logs (i.e., logs indicating email sent or received by individuals using university email systems, noting sender, recipient, and date/time), account/system configuration information, and audit logs (i.e., records of actions taken on university systems, noting date/time).
Data - Data are symbols or characters that represent raw facts or figures and form the basis of information. Source: Glossary of Records and Information Management Terms, 3rd ed. ARMA International (2007) NOTE: For the purposes of the Indiana University Information Security and Privacy Program, the terms data and information are used interchangeably, with a preference for the use of the term information.
Data Access Manager - For the purposes of information security and privacy governance, Data Access Manager is a Role Title, and is defined as an individual who has been assigned to receive, evaluate, and authorize or deny requests for access to systems, applications, and/or databases containing information. These systems may be electronic or in paper form, for example, in paper-based filing systems. (Definitions and responsibilities for this Role Title are in ISPP-25.1 Standard: Information Security and Privacy Roles and Responsibilities.)
Data Custodian - For the purposes of information security and privacy governance, Data Custodian is a Role Title, and is defined as a manager of systems containing information. These systems may be in electronic or paper form, for example, in paper-based filing systems. (Definitions and responsibilities for this Role Title are in ISPP-25.1 Standard: Information Security and Privacy Roles and Responsibilities.)
Data Steward - For the purposes of information security and privacy governance, Data Steward is a Role Title, and is defined as an individual who has been named to represent information, usually for a specific information type, business sector, or business function, for university-wide information governance purposes. (Definitions and responsibilities for this Role Title are in ISPP-25.1 Standard: Information Security and Privacy Roles and Responsibilities.)
Dating violence - Violence committed by a person who is or has been in a social relationship of a romantic or intimate nature with the victim. The existence of such a relationship shall be determined based on the reporting party’s statement and with consideration of the length of the relationship, the type of relationship, and the frequency of interaction between the persons involved in the relationship. (Clery Act definition)
Department-Only Data - Any data that is not covered by the definition of Institutional Data. When a requested cloud solution does not include institutional data, the requester should follow normal procurement procedures. Depending upon the situation, these procedures may include involving IU Purchasing but will not involve a Third Party Security Assessment, review by the Data Steward, or a Privacy Notice review.
Destruction/damage/vandalism of property: To willfully or maliciously destroy, damage, deface, or otherwise injure real or personal property without the consent of the owner or the person having custody or control of it.
Disaster - An occurrence of a natural catastrophe or a technological or human-caused incident that has resulted in severe property damage, deaths, and/or multiple injuries. A disaster is a situation exceeding the response capability of a local jurisdiction and may necessitate a request for resources from external sources such as state and federal governments or mutual aid partners.
Domain - Common areas of information security and privacy activities are grouped into twelve specific domains. This domain grouping allows the use of common vocabulary and structure to identify and track projects, actions, policies, tools, and other safeguards. The Indiana University Security and Privacy Domains are adapted from the International Organization for Standardization and International Electrotechnical Commission (ISO/IEC) international standard ISO/IEC 27002:2005 on Information Security Management.
Domestic violence - A felony or misdemeanor crime of violence committed (A) by a current or former spouse or intimate partner of the victim; (B) by a person with whom the victim shares a child in common; (C) by a person who is cohabitating with, or has cohabitated with, the victim as a spouse or intimate partner; (D) by a person similarly situated to a spouse of the victim under the domestic or family violence laws of the jurisdiction in which the crime of violence occurred; or (E) by any other person against an adult or youth victim who is protected from that person's acts under the domestic or family violence laws of the jurisdiction in which the crime of violence occurred. (Clery Act definition)
Drill - A coordinated, supervised activity usually employed to test a single, specific operation or function with a single entity (e.g., a fire department conducts a fire drill for a building).
Drug abuse violations - The violation of laws prohibiting the production, distribution, and/or use of certain controlled substances and the equipment or devices utilized in their preparation and/or use. The unlawful cultivation, manufacture, distribution, sale, purchase, use, possession, transportation, or importation of any controlled drug or narcotic substance. Arrests for violations of State and local laws, specifically those relating to the unlawful possession, sale, use, growing, manufacturing, and making of narcotic drugs. (FBI’s UCR Program Definition)
Emergency responder - An individual trained in a specific public safety discipline (e.g., law enforcement, fire service, emergency medical service, emergency management, critical infrastructure, hazardous materials, search and rescue, etc.) who takes action during crisis situations where people, property, and the environment may be adversely impacted.
Encryption – Cryptographic transformation of data into a form that conceals the data’s original meaning to prevent it from being known or used. It is the process of transforming information (referred to as plaintext) using an algorithm (called a cipher) to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key.
Excessive use - Excessive use exists when a user or process has exceeded established limits placed on the service, or is consuming a resource to a level such that service to other users is degraded, or where the actions of a user could cause degradation if the user is permitted to continue the practice or activity. Service managers, system administrators, and security and network engineers must use experience and knowledge of normal service usage patterns in consultation with the management of the unit owning the service or resource, and exercise judgment in making decisions about excessive use.
Executive Management - For the purposes of information security and privacy governance, Executive Management is a Role Title, and is defined as those individuals assigned executive management responsibilities, typically with the titles of President, Vice President, and Chancellor, and including Academic Deans. (Definitions and responsibilities for this Role Title are in ISPP-25.1 Standard: Information Security and Privacy Roles and Responsibilities.)
Extending the network - Connecting to the university network a device that in turn provides network connectivity to other devices, such as a Layer-2 device (hub, switch, repeater, or wireless access point) or a Layer-3 device (router, firewall, or NAT), so that machines beyond the university-provided connection reach the network through it. (See Layer-2 device, Layer-3 device, and Network Address Translation (NAT) device.)
Fast-tracked Third Party Review - A process that may apply in certain cloud solution acquisition situations and may not require a standard review. In these cases, the Purchasing department should be made aware of the acquisition and may be involved in establishing contractual agreements with appropriate data security language. Fast-tracked approvals do not require a security assessment, privacy/policy reviews, or formal signoff from the data stewards. In all cases, standard procurement procedures should be followed.
Firewall - A firewall is a system designed to prevent unauthorized access to or from a private network. You can implement a firewall in either hardware or software form, or a combination of both. Firewalls prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet (i.e., the local network to which you are connected) must pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.
Fondling -The touching of the private body parts of another person for the purpose of sexual gratification, without the consent of the victim, including instances where the victim is incapable of giving consent because of his/her age or because of his/her temporary or permanent mental incapacity. (From the National Incident-Based Reporting System (NIBRS) User Manual from the FBI’s UCR Program)
Guideline - Guidelines are comprised of one or more general statements or recommendations detailing procedural or technology approaches to following or implementing policy. In contrast to procedures and standards, guidelines are not requirements to be met, although they are strongly recommended. (See also Best Practice.)
Hate crime - A crime reported to local police agencies or to a campus security authority that manifests evidence that the victim was intentionally selected because of the perpetrator’s bias against the victim. (Clery Act definition)
Health information - Any information created, maintained or received, via any communication or record retention format, by any entity such as a provider, insurance plan, employer, or university that identifies an individual and any services regarding their health care or health payments relating to their past, present, or future health status.
Incidental personal use - Incidental personal use is the use of information technology resources by members of the Indiana University community in support of activities that do not relate to their university employment or studies or to other activities involving and approved by the university. Examples include use of email to send personal messages to friends, family, or colleagues, including messages relating to one-time minimal sales or purchase transactions, and use of the personal home page service to provide information about personal hobbies or interests. If personal use adversely affects or conflicts with university operations or activities, the user will be asked to cease those activities. All direct costs (for example, printer or copier paper and other supplies) attributed to personal incidental use must be assumed by the user.
Incest - Sexual intercourse between persons who are related to each other within the degrees wherein marriage is prohibited by law. (From the National Incident-Based Reporting System (NIBRS) User Manual from the FBI’s UCR Program)
Identity Theft - The fraudulent acquisition and use of a person's private identifying information, usually for financial gain.
Indiana University information – See University information.
Indiana University property - Buildings, grounds, and land that are owned by Indiana University or controlled by Indiana University via leases or other formal contractual arrangements to house ongoing IU operations.
Information - Information is data that has been given value through analysis, interpretation, or compilation in a meaningful form. Source: Glossary of Records and Information Management Terms, 3rd ed. ARMA International (2007) (See also University information.) NOTE: For the purposes of the Indiana University Information Security and Privacy Program, the terms data and information are used interchangeably, with a preference for the use of the term information.
Information asset - An information asset is an item of value that contains information. Examples include documents, spreadsheets, databases, and files. For the purposes of information classification, Data Stewards typically classify information elements. Then, other individuals handling information determine the classification of an information asset based on what information elements are contained in the asset. (See also Information element.)
Information element - An information element is a single or small piece of data or information. For the purposes of information classification, Data Stewards typically classify information elements. Then, other individuals handling information determine the classification of an information asset based on what information elements are contained in the asset. (See also Information asset.)
Information Security and Privacy Program - Indiana University's Information Security and Privacy Program outlines a university-wide approach to implementing and managing information and information technology security and privacy. It describes the university's philosophies, values, and approach to safeguarding information and information technology.
Information security program - An Information Security Program is a "methodical, programmatic approach to implementing and managing security within an organization." Source: Robert B. Kvavik and John Voloudakis, Safeguarding the Tower: IT Security in Higher Education 2006 (Boulder, CO: EDUCAUSE Center for Applied Research, 2006), http://connect.educause.edu/Library/Abstract/SafeguardingtheTowerITSec/41170, 94.
Information system - A discrete set of information resources, procedures and/or techniques, organized or designed, for the classification, collection, accessing, use, processing, manipulation, maintenance, storage, retention, retrieval, display, sharing, disclosure, dissemination, transmission, or disposal of information. An information system can be as simple as a paper-based filing system or as complicated as a tiered electronic system.
Information technology governance - IT governance is defined as "the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise's resources are used responsibly." Source: Board Briefing on IT Governance, 2nd ed. (Rolling Meadows, IL: IT Governance Institute, 2003), http://www.coso.org/ic.htm
Information technology resources - Information technology resources includes all university-owned computers, peripherals, and related equipment and software; voice communications infrastructure, peripherals, and related equipment and software; data communications infrastructure, peripherals, and related equipment and software; all other associated tools, instruments, and facilities; and the services that make use of any of these technology resources. The components may be individually controlled (i.e., assigned to an employee) or shared in a single-user or multi-user manner; they may be stand-alone or networked; and they may be stationary or mobile.
Institutional data - University data that meets one or more of the following criteria:
- It is subject to a legal obligation requiring the University to responsibly manage the data;
- It is substantive and relevant to the planning, managing, operating, documenting, staffing or auditing of one or more major administrative functions or multiple organizational units of the university;
- It is included in an official university report;
- It is clinical data or research data that meets the definition of “University Work” under the Intellectual Property Policy UA-05; or
- It is used to derive any data element that meets the above criteria.
Intimidation - To unlawfully place another person in reasonable fear of bodily harm through the use of threatening words and/or other conduct, but without displaying a weapon or subjecting the victim to actual physical attack. (From the Hate Crime Data Collection Guidelines and Training Manual from the FBI’s UCR Program.)
IP address spaces - IP address spaces in this context means blocks of IP addresses assigned to Indiana University by Internet addressing authorities.
IU-Notify - A collective system used by Indiana University, which integrates a variety of methods to provide emergency and safety information, including sirens, public address, Web pages, building stewards, residence hall assistants, broadcast and electronic media, and a consolidated communications system. The IU-Notify project was designed to consolidate IU's communications systems to enhance the university's ability to effectively transmit critical incident information.
Larceny - Theft (except motor vehicle theft): The unlawful taking, carrying, leading, or riding away of property from the possession or constructive possession of another. (From the Hate Crime Data Collection Guidelines and Training Manual from the FBI’s UCR Program.)
Large, discrete, occasional program - Part of the Programs Involving Children policy, this term refers to an event or activity that involves a large number of volunteers and/or occurs only once or infrequently.
Layer-2 device - Layer-2 devices function at the data link layer of the Open Systems Interconnection Basic Reference Model. Typically these are Ethernet devices such as hubs, switches, repeaters, and wireless access points (WAPs). These devices are often used to provide network connectivity to multiple machines in the same room using a single data jack.
Layer-3 device - Layer-3 devices function at the network layer of the Open Systems Interconnection Basic Reference Model. Typically these are IP devices such as firewalls, NATs, and packet-filtering routers that isolate or conceal other devices from the rest of the network.
Liquor law violations - The violation of state or local laws or ordinances prohibiting the manufacture, sale, purchase, transportation, possession, or use of alcoholic beverages, not including driving under the influence and drunkenness. (FBI’s UCR Program Definition)
Lock-down - This term is rarely used in emergency notices at IU because it is difficult to implement. It generally refers to a temporary "sheltering-in-place" technique used to limit exposure to an apparent life-threatening, hostile or hazardous situation or threat. When a lockdown is declared by administrative officials, occupants of any building within the impacted area are to remain in their respective spaces, locking all doors and windows and not allowing entry to or exit from the secured area until the "all clear" confirmation has been given.
Lock-down v. shelter-in-place
The term "lock-down" is often mistakenly used interchangeably with "shelter-in-place" but is rarely used during emergency communications at IU. Both terms describe efforts to hide from and evade harm from a hostile intruder or other threat. See the full definition for shelter-in-place.
Lockout - The placement of a lockout device on an energy isolating device, in accordance with an established procedure, ensuring that the energy isolating device and the equipment being controlled cannot be operated until the lockout device is removed.
Lockout device - A device that utilizes a positive means such as a lock, either key or combination type, to hold an energy isolating device in the safe position and prevent the energizing of a machine or equipment. Included are blank flanges and bolted slip blinds.
Misuse or abuse - Misuse or abuse are uses of Indiana University information technology resources that violate existing laws or university policies and procedures (including but not limited to University Information Technology Policies; the Code of Student Rights, Responsibilities, and Conduct; the Academic Handbook; University Human Resources Policies; and University Financial Policies), or that otherwise violate generally accepted ethical norms and principles. Misuse or abuse also includes the sharing or transferring of an individual's university accounts, including network ID, password, or other access codes that allow them to gain access to university information technology resources, with one or more other persons.
Network Address Translation (NAT) device - NAT devices rewrite the IP header of a packet traversing the device, changing the IP source and/or destination addresses. They also change the layer-2, or MAC address, to that of the NAT device. Often the result is to present multiple devices behind a NAT as if they were a single device.
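The NAT entry above describes rewriting the IP header so that several inside devices appear as one. The following Python example is added here (it is not code from the original page) to show the most common form, source NAT with port translation: each outbound flow gets its own public port, replies are mapped back through the same table, and an inbound packet for which no inside host opened a mapping is dropped. That last behaviour is the "conceal" effect the Layer-3 device entry mentions; it is a side effect of address translation, not a substitute for a firewall. The inside range 192.168.1.0/24 and the public address 203.0.113.7 are constructed for the example.

```python
"""Source NAT with port translation (added example, constructed addresses)."""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class Nat:
    """A NAT device with a single public address and a translation table."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # (inside ip, inside port) -> public port, and the reverse map for replies.
        self.outbound: Dict[Tuple[str, int], int] = {}
        self.inbound: Dict[int, Tuple[str, int]] = {}

    def outbound_rewrite(self, pkt: Packet) -> Packet:
        """Rewrite the source of an inside-to-outside packet to the public address.
        An existing mapping for the same inside endpoint is reused, so one flow
        keeps one public port. (Keyed on the inside endpoint only, i.e. the
        simplest, "full cone", mapping style.)"""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.outbound:
            public_port = self.next_port
            self.next_port += 1
            self.outbound[key] = public_port
            self.inbound[public_port] = key
        return replace(pkt, src_ip=self.public_ip, src_port=self.outbound[key])

    def inbound_rewrite(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite the destination of an outside-to-inside packet back to the
        inside endpoint, or return None (drop) when no inside host opened the
        mapping: the inside hosts are not reachable by unsolicited traffic."""
        if pkt.dst_ip != self.public_ip:
            return None
        key = self.inbound.get(pkt.dst_port)
        if key is None:
            return None
        inside_ip, inside_port = key
        return replace(pkt, dst_ip=inside_ip, dst_port=inside_port)


def demo() -> Tuple[Packet, Packet, Optional[Packet], Optional[Packet]]:
    """Two inside hosts using the same source port, one reply, one unsolicited packet."""
    nat = Nat("203.0.113.7")
    out_a = nat.outbound_rewrite(Packet("192.168.1.10", 50000, "198.51.100.9", 443))
    out_b = nat.outbound_rewrite(Packet("192.168.1.11", 50000, "198.51.100.9", 443))
    reply_a = nat.inbound_rewrite(Packet("198.51.100.9", 443, "203.0.113.7", out_a.src_port))
    unsolicited = nat.inbound_rewrite(Packet("198.51.100.9", 443, "203.0.113.7", 12345))
    return out_a, out_b, reply_a, unsolicited
```

Seen from 198.51.100.9, both inside hosts are 203.0.113.7; the only thing that distinguishes them is the public port the NAT assigned, which is why the translation table, not the packet, is the record of who is behind the device.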
Normal Procurement Procedures - May include the process of competitive bidding, review, approval, and negotiation of contract language prior to signature of any binding contract, per the appropriate and authorized signature policies.
OWASP (Open Web Application Security Project) – According to Wikipedia, the Open Web Application Security Project (OWASP) is a worldwide not-for-profit charitable organization focused on improving the security of software. Its mission is to make software security visible, so that individuals and organizations worldwide can make informed decisions about true software security risks.
Owner - The term "owner" identifies an individual or entity that has approved management responsibility for controlling the production, development, maintenance, use and security of the information or information technology assets. The term "owner" does not necessarily mean that the person or entity actually has any property rights to the asset.
Passphrase - A passphrase is simply a different way of thinking about a much longer password. Dictionary words and names are no longer restricted. In fact, one of the very few restrictions is the length - 15 characters. Your passphrase can be a favorite song lyric, quote from a book, magazine, or movie, or something your kids said last week. It's really that easy.
Passive collection - For the purposes of the Web Site Privacy Notices Policy, passive collection refers to the automatic gathering of information from visitors as they migrate or navigate from page to page on a web site or series of sites, such as via server logs or cookies.
Peer-to-peer (P2P) file-sharing - Peer-to-peer (P2P) file-sharing allows users to share files online through an informal network of computers running the same software. File-sharing can give you access to a wealth of information, but it also has a number of risks. You could download copyright-protected material, pornography, or viruses without meaning to. Or you could mistakenly allow other people to copy files you don't mean to share.
Personally Identifiable Information (PII) - Any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information. (As used in the NIST standards and according to the United States Government Accountability Office.)
Personal protective equipment (PPE) - Devices worn by the worker to protect against hazards in the work environment. Examples are gloves, safety shoes, safety eye wear, hard hats, hearing protectors, and respirators.
Phishing – A scam where Internet fraudsters send spam or pop-up messages to lure unsuspecting victims into providing passphrases, personal, and/or financial information.
PIC – Programs Involving Children. Any program that involves minors under 18 must comply with Indiana University Programs Involving Children (“PIC”) Policy. A program is considered a PIC when it targets minors. A program is not considered a PIC when children are present but the main purpose of the program was not to attract children (such as Auditorium shows or an athletic event). Additionally, this policy does not apply to students registered at IU who are under 18.
Policy, Information - An information or information technology policy is an agreed upon, formal, high-level statement that describes the university's philosophy, values, and/or direction for a specified subject area. Policies tend to be fairly brief and focus on guiding principles (i.e. the "why") rather than on technical or process details (i.e. the "how"). The purpose of policies is to guide present and future decisions so that they are in agreement with university goals and objectives. University-level information and information technology policies are developed and approved using a formal process. Because policies are official institutional statements, compliance with policies is non-optional and failure to follow policies may result in sanctions imposed by the appropriate university office. Policies are not procedures (although many policy documents have a procedures section), standards, guidelines or best practices. These other, more detailed documents flow from and support policies.
Position paper - A position paper is a concise, practical document that focuses on a specific technology or issue (often new or not yet widely used or encountered within the university) and expresses the professional opinion of the University Information Policy Office or University Information Security office on its use within or effect on the university.
Practice – See also: “Best Practice”
Principle of least privilege - The principle of least privilege (PoLP; also known as the principle of least authority) is an important concept in computer security, promoting minimal user profile privileges on computers, based on users' job necessities. It can also be applied to processes on the computer; each system component or process should have the least authority necessary to perform its duties. This helps reduce the "attack surface" of the computer by eliminating unnecessary privileges that can result in network exploits and computer compromises. You can apply this principle to the computers you work on by normally operating without administrative rights.
Privacy - Privacy is defined as the rights and obligations of individuals and organizations with respect to the collection, use, retention, and disclosure of personal information. Source: Generally Accepted Privacy Principles: A Global Privacy Framework ([Durham, NC?]: American Institute of Certified Public Accountants, Inc. and Canadian Institute of Chartered Accountants, 2006), http://infotech.aicpa.org/Resources/Privacy/Generally+Accepted+Privacy+Principles/, 4.
Private IP address - Private IP addresses are local network addresses that are not routed to the Internet, so that connections to them from other devices on the Internet are not possible. The most common private IP address blocks are 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 as defined by RFC 1918.
Procedure - Procedures (like standards) support policy by further describing specific implementation details (i.e. the "how"). A procedure can be thought of as an extension of a policy that articulates the process to be used in carrying out/complying with the policy. A procedure may describe a series of steps, or how to use standards and guidelines to achieve the goals of a policy. Procedures, along with standards, promote a consistent approach to following policy. Procedures make policies more practically meaningful and effective. Procedures overlap with standards although procedures tend to be more process oriented while standards tend to be more focused on requirements or specifications. Because procedures directly support policies, compliance with procedures is non-optional and failure to follow procedures may result in sanctions imposed by the appropriate university office.
Programs - The term “program” is used in the Programs Involving Children policy to include ongoing or planned events that are designed to include children such as camps, lessons, workshops, clubs, teams, projects, practices, tours, or open-houses, research activities, recruiting activities, clinical settings.
Public information officer (PIO) - The acronym PIO is frequently used by the media and organizations or agencies to describe the person authorized to discuss or provide information and updates to the media and general public.
Ransomware - A type of malicious software which blocks access to a computer system or encrypts digital files so no one can access it/them without paying a fee. The malicious software displays a message about how the user can supposedly regain access to his/her system/files by paying a ransom. There is no guarantee paying the ransom will allow the user to regain access to those files.
Rape - The penetration, no matter how slight, of the vagina or anus with any body part or object, or oral penetration by a sex organ of another person, without the consent of the victim. (FBI’s UCR Program Definition)
Recovery - The phase of Comprehensive Emergency Management that encompasses activities and programs implemented during and after response that are designed to return the entity to its usual state or to a “new normal”.
Regional campus Chief Information Officer - The primary responsibility of a regional campus Chief Information Officer is the development and use of information technology in support of the campus' vision for excellence in research, teaching, outreach, and lifelong learning. He or she is also responsible for disseminating information to the campus, coordinating activities that involve more than one campus, fostering cooperation in areas such as sharing technical expertise and training, and problem coordination and resolution for their own campus information technology issues.
Related Third Party - For the purposes of information security and privacy governance, Related Third Party is a Role Title, and is defined as an organization, contractor, vendor, or consultant with whom Indiana University establishes relationships or contracts to perform a service for or on behalf of the university. (Definitions and responsibilities for this Role Title are in ISPP-25.1 Standard: Information Security and Privacy Roles and Responsibilities.)
Remote access service - Remote access services are defined as any mechanisms that allow a machine outside of the physical university data network to appear as though it is part of the Indiana University network. Typically this involves creating a link over either the data network or a phone line and assigning an Indiana University IP address to the remote machine.
Role title – A generic information security and privacy role title is given to a set of high-level, general responsibilities. An individual may then be assigned to a role title, so that he or she understands what functions to perform.
Response - Immediate actions to save and sustain lives, protect property and the environment, and meet basic human needs. Response also includes the execution of plans and actions to support short-term recovery.
Robbery - The taking or attempting to take anything of value from the care, custody, or control of a person or persons by force or threat of force or violence and/or by putting the victim in fear. (FBI’s UCR Program Definition)
Safeguards – The administrative (e.g. policies, procedures), technical, and physical measures put in place to protect information.
Scareware - Cyber criminals are using increasingly sophisticated tactics to trick unsuspecting computer users into downloading and installing software laced with malicious code, which, when activated, gives hackers "back door" access to a computer.
Screen lock - Make a habit of locking your computer every time you leave it, so that when you are ready to use it again it asks for your password to log in. This prevents someone from sneaking onto your computer and stealing files.
Security incident - The attempted or successful unauthorized access, use, disclosure, modification or destruction of information or interference with system operations in an information system. Security incident also means the loss of data through theft or device misplacement, loss or misplacement of hardcopy documents, misrouting of mail, or compromise of physical security, all of which may have the potential to put the data at risk of unauthorized access, use, disclosure, modification or destruction.
Secure Shell (SSH) – also known as slogin. SSH lets a user connect from one computer to another over a network and execute commands, transfer files, or get a command prompt. It uses strong cryptography to protect the data in transit and also to authenticate both the user and the server. SSH serves as a drop-in replacement for TELNET, FTP, rlogin, rsh, and rcp, none of which use strong cryptography by default. SSH consists of both a client program, ssh, which the user runs directly, and a server program, sshd, that handles incoming requests on the server.
Severe/hazardous weather - Instances of extreme weather or hydrological events associated with such events as severe local storms; winter storms; fire weather; flooding; coastal/lakeshore hazards; marine hazards; and other hazards including but not limited to extreme temperatures, dense fog, high winds, river flooding, and lakeshore flooding.
Simple assault - An unlawful physical attack by one person upon another where neither the offender displays a weapon, nor the victim suffers obvious severe or aggravated bodily injury involving apparent broken bones, loss of teeth, possible internal injury, severe laceration, or loss of consciousness. (From the Hate Crime Data Collection Guidelines and Training Manual from the FBI’s UCR Program.)
Site manager - For the purposes of the Website Privacy Notices Policy, the site manager of a university web site is the person or group that technically implements the wishes and publishes the content of the content owner. Typically, the site manager follows the direction of the content owner. The site manager and content owner share responsibility for a web site and for adherence to this policy.
Social engineering - In computer security, social engineering is a term that describes a non-technical kind of intrusion that relies heavily on human interaction and often involves tricking or manipulating other people to divulge confidential information or break normal security procedures.
Standard - Standards (like procedures) support policy by further describing specific implementation details (i.e. the "how"). A standard can be thought of as an extension of policy that articulates the rules, mechanisms, technical or procedural requirements or specifications to be used in carrying out/complying with policy. Standards, along with procedures, promote a consistent approach to following policy. Standards make policies more practically meaningful and effective. Standards are definitional and clarifying in nature specifying the minimums necessary to meet policy objectives. Because standards directly support policies, compliance with standards is non-optional and failure to follow standards may result in sanctions imposed by the appropriate university office.
Standard Third Party Review and Approval Process – This process requires that proper documentation be submitted along with the initial request (i.e. business case, identification of the executive sponsor, resource management plan identifying adequate functional and technical resources, etc.), the completion of a security assessment, a Privacy Notice review, final approval from the Data Stewards, purchasing contracts, and other appropriate reviews for web accessibility, programs involving children, etc. This process may take significant time and departments should plan accordingly. Any purchase of goods or services must comply with University Procurement Services policies and procedures.
Stalking - Engaging in a course of conduct directed at a specific person that would cause a reasonable person to—(A) Fear for the person’s safety or the safety of others; or (B) Suffer substantial emotional distress.
Sweep (buildings/facilities) - The practice used by law enforcement or other public safety personnel to systematically determine potential risks or threats in a building or facility that remains occupied as a result of emergency or crisis situation.
Tagout - The placement of a tagout device on an energy isolating device, in accordance with an established procedure, to indicate that the energy isolating device and the equipment being controlled may not be operated until the tagout device is removed.
Technician – For the purposes of information security and privacy governance, Technician is a Role Title, and is defined as an individual who applies security and privacy principles, policies, standards, guidelines, and procedures to technologies that contain, transport, or otherwise handle information. (Definitions and responsibilities for this Role Title are in ISPP-25.1 Standard: Information Security and Privacy Roles and Responsibilities.)
Technology Management - For the purposes of information security and privacy governance, Technology Management is a Role Title, and is defined as those individuals assigned technology management/director responsibilities for a unit or service. (Definitions and responsibilities for this Role Title are in ISPP-25.1 Standard: Information Security and Privacy Roles and Responsibilities.)
Tornado - A violently rotating storm of small diameter; the most violent weather phenomenon. It is produced in a very severe thunderstorm and appears as a funnel cloud extending from the base of a cumulonimbus to the ground.
University Chief Information Officer - The primary responsibility of the University Chief Information Officer is the development and use of information technology in support of the university's vision for excellence in research, teaching, outreach, and lifelong learning. The University Information Policy Office (UIPO) represents the University Chief Information Officer (CIO) with respect to policy issues related to the IU Bloomington and IUPUI campuses.
University Information - For information security and privacy purposes, university information consists of data and information that are created, received, or maintained by the university in the course of carrying out its mission. NOTE: For the purposes of the Indiana University Information Security and Privacy Program, the terms data and information will be used interchangeably, with a preference for the use of the term information.
Universal precautions – An approach to infection control that treats all blood and other potentially infectious materials as if known to be infectious for HIV, hepatitis B, and other bloodborne pathogens. This approach includes the use of barrier precautions by employees to prevent direct skin, parenteral, or mucous membrane contact with blood or other body fluids that are visibly contaminated with blood.
University Websites - These sites are created or maintained either by or for academic, administrative, or auxiliary units of Indiana University, regardless of whether or not the sites are hosted on university servers or external servers. This includes Websites of professional associations and publications that are formally hosted, maintained and operated by faculty or staff of the university.
User - For the purposes of information security and privacy governance, User is a Role Title, and is defined as an individual who interacts with information. (Definitions and responsibilities for this Role Title are in ISPP-25.1 Standard: Information Security and Privacy Roles and Responsibilities.)
Weather warning v. watch
A weather warning signals imminent severe weather and the possible need for immediate action for safety. A weather watch indicates the possibility of extreme or severe weather.
Weapons - Carrying, Possessing, Etc.: The violation of laws or ordinances prohibiting the manufacture, sale, purchase, transportation, possession, concealment, or use of firearms, cutting instruments, explosives, incendiary devices, or other deadly weapons. (FBI’s UCR Program Definition)
Wireless network - A wireless network is a telecommunications network whose interconnections between nodes are achieved using electromagnetic waves such as radio waves instead of wire or fiber optic cable. Wireless networking equipment includes devices used to set up a wireless network such as wireless hubs, routers, and access points.