Access Account Manager
- The individual who is responsible for creating, monitoring, modifying, administering, or terminating Account privileges on any UMGC Information System or Information Resource.
- An established relationship between a User and a computer, network, or Information System which is assigned a credential such as a username and password. (In Account Management (Learner Community) Policy: For the purposes of this Policy, Accounts include but are not limited to those that are issued for the purposes of application for admission to UMGC, registration for, and participation in, academic or training activities, UMGC email accounts and general access to other IT Resources.)
- An Account with elevated privileges intended to be used only when performing management tasks, such as installing updates and application software, managing Accounts, and modifying operating system and application settings.
- The management of IT assets requires well-developed processes and clear policies. IT asset management software may track physical devices, software instances and licenses, and even the cabinets that house them. Managers should be able to look up warranty and vendor information and understand how each asset contributes to the environment. Change control procedures are effective ways to manage upgrades and replacements.
Asset Management Software
- Asset management software is a dedicated application used to record and track an asset throughout its life cycle, from procurement to disposal. It gives an organization information such as where assets are located, who is using them, how they are being used, and other details about each asset. Asset management software is used to manage both software and hardware assets.
Audit Record Reduction
- An automated process that interprets raw audit log data and extracts meaningful and relevant information without altering the original logs. An example of log reduction for files to be analyzed would be the removal of details associated with nightly backups. Report generation on reduced log information allows you to create succinct customized reports without the need to burden the reader with unimportant information.
- A set of records that collectively provide documentary evidence of processing used to aid in tracing from original transactions forward to related records and reports, and/or backwards from records and reports to their component source transactions.
- Verifying the identity of a user often as a prerequisite to allowing access to resources in an Information System.
- The quality of Information and records as being genuine, verifiable, and trusted; confidence in the validity of a transmission, a message, or message originator.
- A User who has been granted authorization to access electronic Information Resources and is current in their privileges.
- Ensuring timely and reliable access to and use of Information.
- A documented set of specifications for an Information System, or a configuration item within a system, which has been formally reviewed and agreed on at a given point in time, and which can be changed only through change control procedures.
- Personal data resulting from specific technical processing relating to the physical, physiological, or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as:
1. Facial images
4. Retina scans
- A list of discrete entities, such as hosts or applications that have been previously determined to be associated with malicious activity.
- An ongoing process to ensure that necessary steps are taken to identify the impact of potential losses and maintain viable recovery strategies, recovery plans, and continuity of services.
Collaborative Computing Devices
- Collaborative computing devices include smartboards, camera systems, and microphones. This includes cameras and microphones built into laptops as well as standalone devices in conference rooms or classrooms.
Computer Incident Response Team (CIRT)
- Group of individuals usually consisting of Security Analysts organized to develop, recommend, and coordinate immediate mitigation actions for containment, eradication, and recovery resulting from computer security incidents.
- Data that requires restrictions on access and disclosure, including the protection of personal privacy and proprietary information.
- Preserving authorized restrictions on Information access and disclosure, including means for protecting personal privacy and proprietary information.
- A set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture or functionality of the system. Information technology products for which security-related Configuration Settings can be defined include mainframe computers, servers, workstations, input and output devices, network components (e.g., firewalls, voice and data switches, routers, wireless access point, network appliances, sensors), operating systems, middleware, and applications.
- A person or a company that undertakes a contract to provide materials or labor to perform a service.
Controlled Unclassified Information (CUI)
- US Federal Government or Contractor created information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.
- The entity that determines the purposes and means of the Processing of Personal Information.
Convenience Record
- A Record that is required only for a limited time to ensure the completion of a routine action or the preparation of a subsequent Record, such as correspondence that requires no administrative action, policy decision, or special handling. Convenience Records are not used as the basis of an administrative action or decision. Examples include duplicates or copies of Official Business Records, personal notes, preliminary working drafts, magazines, industry publications or documents where multiple copies exist other than the document's creator/owner, casual correspondence, and calendar entries.
Critical Information System (CIS)
- Inter-related components of Information Resources working together where the loss of confidentiality, integrity, availability, or privacy could be expected to have a severe or catastrophic adverse effect on University operations, assets, or individuals.
- Element(s) of Information in the form of facts, such as numbers, words, names, or descriptions of things from which "understandable information" can be derived.
- A facility, or portion of a facility, with the primary function to house University Information Systems.
- The assignment of a classification to Data or sets of Data based on the impact to the University if the Confidentiality, Integrity, or Availability of the Data is compromised.
- The practices that establish authority, management, and decision-making parameters related to the Data produced or managed by UMGC.
Data Handling
- Handling is any use of data, including but not limited to marking, safeguarding, transporting, disseminating, re-using, and disposing of the information.
- The depiction of structured and unstructured UMGC Data, and UMGC Data ingress, egress, movement, usage, and storage.
- The quantity of Personal Information being adequate, relevant, and limited to what is necessary in relation to the purposes for which the Personal Information is Processed.
- The UMGC employees, or designees, who are responsible for determining User access and assigning Data Classifications to data originating from or residing in their respective business units.
- A natural person who is identified, or can be identified, by reference to their Personal Information.
- A form of electronic media where data are stored in digital (as opposed to analog) form.
Disaster Recovery
- The ability to restore the University's critical systems and return the entity to an acceptable operating condition following a catastrophic event, by activating a disaster recovery plan. Disaster Recovery is a subset of business continuity planning.
Disaster Recovery Plan (DRP)
- A written plan for processing critical applications in the event of a major hardware or software failure or destruction of facilities.
- A temporary Account created in response to a crisis situation and with the need for rapid Account activation.
- University staff and faculty, including nonexempt, exempt, and overseas staff and collegiate faculty.
Federal Contract Information (FCI)
- Information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.
Federal Information Processing Standard (FIPS)
- A standard for adoption and use by federal departments and agencies that has been developed within the Information Technology Laboratory and published by the National Institute of Standards and Technology, a part of the U.S. Department of Commerce. A FIPS covers some topic in information technology in order to achieve a common level of quality or some level of interoperability.
- A collection of Information logically grouped into a single entity and referenced by a unique alpha-numeric name.
- An Account used to perform automated account management functions regardless of being within an operating system, application, on-premise, or in the cloud.
- Accounts associated with a group or role that may be used by multiple individuals or Accounts that are associated with production job processes.
- A temporary Account with a limited set of privileges given to certain types of third-party Users.
- Any Security Incident with (i) significant impact on University Information Systems, Information Resources or operations, (ii) the potential for significant negative financial or public relations impact, or (iii) a legal impact on the University.
High Risk Data
- University Data that (i) could be exploited for criminal or nefarious purposes; (ii) the University is obligated by state or federal statute or regulation to keep confidential; (iii) the University is contractually obligated to keep confidential; or (iv) are critical to the University's operational performance and cannot be easily replaced. The loss of Confidentiality, Integrity, or Availability of such Data would cause severe harm to individuals or to the University's operations, safety, finances, and/or reputation if disclosed.
- An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.
- Any communication or representation of knowledge such as facts, data, or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual.
- The delineation of decision rights and an accountability framework to encourage desirable behavior in the valuation, creation, storage, access, use, archival, disposal, and other processing of Information. It includes the processes, roles, standards, metrics and technologies that ensure the effective and efficient use of Information in enabling the University to achieve its goals.
Information Governance Team (IGT)
- A group of representatives from the various functional areas of the University and third party subject matter experts as appropriate who are responsible for (i) providing interdepartmental oversight and strategic management of the University's Information and Information Resources; (ii) facilitating the integration of Privacy by Design into University operations; and (iii) supporting the development and review of Information Governance related policies and procedures across the University.
- Anything that is intended to generate, store, or transmit Information.
- The protection of Information and Information Systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide Confidentiality, Integrity, and Availability.
Information Security Program (IS Program)
- Provides a formal structure for (1) developing and maintaining University-wide security policies, (2) defining security principles that safeguard University computing resources, and (3) ensuring compliance with internal and external regulations.
- Inter-related components of Information Resources working together for the collection, processing, maintenance, use, sharing, dissemination, or disposition of Information.
Information System Steward
- A UMGC staff member or other individual providing services to the University who is responsible for the development, procurement, compliance, and/or final disposition of an Information System.
Information Technology Resource(s)
- Any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by UMGC directly or by a third party under a contract with UMGC which requires the use of such equipment. The term includes computers, mobile devices, software, firmware, services (including support services), and UMGC's network via a physical or wireless connection, regardless of the ownership of the computer or device connected to the network.
- Ensuring Records and the Information contained in an Information System are accurate and Authentic by guarding against improper modification or destruction.
- A piece of software or hardware within an information technology environment. Tracking of IT assets within an IT asset management system can be crucial to the operational or financial success of an enterprise. IT assets are integral components of the organization's systems and network infrastructure.
- The principle that Information Systems are configured to provide only essential capabilities and to prohibit or restrict the use of non-essential functions, such as ports, protocols, and/or services that are not integral to the operation of that information system.
- The security objective of granting an individual access to only such Information Resources and records, and the Information contained therein, as necessary to perform the individual's job.
- (a) An old, obsolete paper Record stored at a University location or at offsite storage, which is no longer needed or used for legitimate business purposes; (b) a Record that has reached the end of its required period of retention; or (c) a Record in electronic form stored in a format or application that can no longer be accessed because of outdated technology.
Low Risk Data
- University Data that contains any Information that is already available to the general public or is required by law, policies, procedures, contract or otherwise to be made available to the general public with no legal restrictions on its access or use. The loss of the confidentiality, integrity, or availability would cause no harm to individuals or the University's operations, safety, finances, or reputation.
- Physical devices or writing surfaces including, but not limited to, magnetic tapes, optical disks, magnetic disks, Large-Scale Integration (LSI) memory chips, printouts (but not including display media) onto which information is recorded, stored, or printed within an information system.
- A University department that is approved to accept credit cards as a form of payment. It is also referred to as the Merchant in this policy.
- Removable electronic storage devices (e.g., USB flash drives, and external hard drives) and computing devices (e.g., laptops, tablets, and cell phones).
- Any Security Incident with (i) moderate impact on the University Information Systems, Information Resources or operations and/or (ii) some limited risk of negative financial or public relations impact.
Moderate Risk Data
- University Data that is not available to the public. The loss of the Confidentiality, Integrity, or Availability would cause limited harm to individuals or the University's operations, safety, finances, and/or reputation. Data that was created or received primarily for use by the University or its Employees, Contractors, vendors, consultants, volunteers, students, alumni, donors, agents, or representatives for the University's legitimate business purposes and can reasonably be expected to be secured from public view.
Multi-Factor Authentication (MFA)
- Authentication using two or more different factors to achieve authentication. Factors include something you know (e.g., PIN, password); something you have (e.g., cryptographic identification device, token); or something you are (e.g., biometric).
Non-Critical Information System
- An electronic Information Resource that does not meet the definition of a Critical Information System.
Official Business Record(s)
- A Record, usually an original, that the University has determined should be retained for business or legal reasons for the period of time indicated on the Record Retention Schedule or as otherwise indicated in this Policy.
Payment Card
- For purposes of PCI DSS, payment cards include any credit, debit, or prepaid cards used in financial transactions that bear the logo of the five major card associations (Visa, MasterCard, American Express, Discover, and JCB). In this policy, the term credit card may be used in lieu of Payment Card.
Payment Card Industry (PCI)
- Includes Payment Card brands, issuing and acquiring banks, independent sales organizations, service providers and merchants who accept Payment Cards.
Payment Card Industry – Data Security Standards (PCI-DSS)
- A set of twelve technical and operational requirements set by the PCI SSC to protect cardholder data and reduce credit card fraud. These standards apply to all entities that store, process, or transmit cardholder data. The Merchant Department is required to meet the applicable requirements for their payment processing method/merchant environment.
PCI Security Standards Council (SSC)
- A council comprised of the five major card associations: Visa, MasterCard, American Express, Discover, and JCB International. The council is responsible for the development, management, education, and awareness of the PCI DSS.
- Any Information relating to an identified or identifiable natural person, including but not limited to Personally Identifiable Information. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Personally Identifiable Information (PII)
- An individual's first name and last name, personal mark, or unique biometric or genetic print or image, in combination with one or more of the following data elements:
1. A social security number;
2. A driver's license number, state identification card number, or other individual identification number issued by a state government unit;
3. A passport number or other identification number issued by the United States government;
4. An Individual Taxpayer Identification Number; or
5. A financial or other account number, a credit card number, or a debit card number that, in combination with any required security code, access code, or password, would permit access to an individual's account.
Personal Mobile Device
- Personal Mobile Devices are a user's personally owned removable electronic storage devices (e.g., USB flash drives and external hard drives) and computing devices (e.g., laptops, tablets, and cell phones). A personal mobile device is frequently known by the moniker "BYOD" (Bring Your Own Device).
Plan of Action and Milestone (POA&M)
- A document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for the milestones.
- The right of a party to maintain control over and Confidentiality of Information about itself.
Privacy by Design
- The concept and practice that ensures that University Information Resources, business processes, and projects that involve the use of Personal Information take the protection of that Information into consideration during development and integrate the protection of that Information through technology design and implementation.
- An Account that is authorized to perform security-relevant functions that an ordinary Account is not authorized to perform.
- A user that is authorized to perform security-relevant functions that ordinary users are not authorized to perform.
- Any operation or set of operations which is performed on Information, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- The entity that processes Personal Information on behalf of the Controller.
- A collection of Information, in any form, created or received by the University. Also used to refer to units of related data fields (i.e., groups of data fields that can be accessed by a program and that contain the complete set of information on particular items).
Records Retention Schedule
- A schedule which documents and classifies UMGC's Official Business Records, the Business Record Owner, and the length of time that a type of Record should be retained prior to destruction or archiving.
- Portable data storage medium that can be added to or removed from a computing device or network. Note: Examples include but are not limited to: optical discs (CD, DVD, Blu-ray); external / removable hard drives; external / removable Solid State Disk (SSD) drives; magnetic / optical tapes; flash memory devices (USB, eSATA, Flash Drive, Thumb Drive); flash memory cards (Secure Digital, CompactFlash, Memory Stick, MMC, xD); and other external / removable disks (floppy, Zip, Jaz, Bernoulli, UMD).
- A condition that results from the establishment and maintenance of protective measures that enable an enterprise to perform its mission or critical functions despite risks posed by threats to its use of information systems. Protective measures may involve a combination of deterrence, avoidance, prevention, detection, recovery, and correction that should form part of the enterprise's risk management approach.
- The testing or evaluation of security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for an information system or organization.
- An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies, including but not limited to, attempts (either failed or successful) to gain unauthorized access to a system or its data, unwanted disruption or denial of service, the unauthorized use of a system for the processing or storage of data, changes to system hardware, firmware, or software characteristics without the owner's knowledge, instruction, or consent.
- An Account which is created explicitly to provide a security context for services running on the local operating system. The security context determines the service's ability to access local and network resources.
- An Account that allows multiple people to use the same username and password to access the Account.
Single Sign-On (SSO)
- An authentication process that allows an Authorized User to access multiple applications with one set of login credentials. SSO is a common procedure in enterprises, where a client accesses multiple resources connected to a local area network (LAN).
- Any person or entity that receives, maintains, processes, or otherwise is permitted access to University information through its provision of services to a University Service Provider.
- An individual who directly manages a Supervisor (Immediate). For Contractors, a UMGC staff member designated by the Information System Steward to approve Contractor access to the applicable Critical Information System.
- An individual who directly manages an Employee or Contractor; may approve access to non-Critical Information Systems, and may request access for Critical Information Systems.
System Security Plan (SSP)
- Formal document that provides an overview of the security requirements for an information system and describes the security controls in place or planned for meeting those requirements.
Technical System Lead
- An Employee or individual providing services to the University who works to ensure that an Information System meets business expectations around functionality and deliverables, as well as the integration, modification, security, operation, and maintenance of that Information System.
Third Party
- An external entity, including, but not limited to, service providers, vendors, supply-side partners, demand-side partners, alliances, consortiums, and investors, with or without a contractual relationship to the University.
UMGC-Owned Mobile Device
- UMGC-owned Mobile Devices are removable electronic storage devices (e.g., USB flash drives, and external hard drives) and computing devices (e.g., laptops, tablets, and cell phones) owned or leased by UMGC and used by the UMGC community for business purposes.
- Data used to represent a person's individual identity and associated attributes.
- University of Maryland Global Campus (UMGC)
- A member of the University community, including but not limited to Staff and Faculty, and other individuals performing services on behalf of University, including Contractors, volunteers and other individuals who may have a need to access, use or control University Data.
- Software applications that are installed on a computer by an end user, instead of by the corporate IT department. Software applications provisioned by IT are typically tested to ensure compatibility and stability, but a user installed application can cause problems for other applications or for the entire operating system. In a traditional environment, this is less of a problem because it will only affect one user. With the advent of desktop virtualization, however, user-installed applications can be a threat to an entire environment.
- A process used to identify software programs that are authorized to execute on a system, or Uniform Resource Locators (URLs)/websites that are authorized to be accessed.