Active collection - For the purposes of the Web Site Privacy Notices (Policy ISPP-24), active collection refers to the gathering of information where a visitor voluntarily provides information such as through a form, or creating a profile, or choosing account settings.
Administrative controls - Methods of controlling employee exposure to hazards by means of operating procedures or work scheduling.
Advisory - A notification category that provides urgent information about an unusual occurrence or threat of an occurrence, but no action is ordered or expected of the notified entity at that time.
Alert - A notification category that provides urgent information and indicates that system action may be necessary.
Anti-virus software - According to Wikipedia, anti-virus software or anti-malware software is computer software used to prevent, detect and remove malicious software.
Authentication - The process of determining whether someone or something is who or what it is declared to be. To access most technology services of Indiana University, you must provide such proof of identity. In private and public computer networks (including the Internet), authentication is commonly done through the use of login passwords or passphrases; knowledge of such is assumed to guarantee that the user is authentic. Services such as the IU Login, Active Directory, and Duo provide this functionality for most major systems and applications at IU.
Authorization - The process of determining which permissions a person or system is supposed to have in computing systems. In multi-user computing systems, a system administrator defines which users are allowed access to the system, as well as the privileges of use for which they are eligible (e.g., access to file directories, hours of access, amount of allocated storage space). Authorization can be seen as both the preliminary setting of permissions by a system administrator, and the actual checking of the permission values when a user obtains access. Authorization is usually preceded by authentication.
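The two definitions above describe a sequence: authentication establishes who the caller is, and authorization then decides what that identity may do. The following is an added example written for this glossary, not code from Indiana University or any IU system. It assumes a hypothetical in-memory account directory with constructed usernames, passphrases and permissions; the password hashing (PBKDF2-HMAC-SHA256 with a per-account salt) and the constant-time comparison are the parts a practitioner should carry over to real code.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

# Iteration count kept modest so the demo runs quickly; raise it for production use.
PBKDF2_ITERATIONS = 200_000

# Salt used when the username is unknown, so an attacker cannot tell valid from
# invalid usernames by timing how long the login takes.
DUMMY_SALT = os.urandom(16)


@dataclass(frozen=True)
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    permissions: FrozenSet[str]


def hash_passphrase(passphrase: str, salt: bytes) -> bytes:
    """Derive a fixed-length hash from a passphrase; the salt makes identical
    passphrases hash differently for different accounts."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def create_account(username: str, passphrase: str, permissions) -> Account:
    salt = os.urandom(16)
    return Account(username, salt, hash_passphrase(passphrase, salt), frozenset(permissions))


# Constructed sample directory (hypothetical users and permissions, not real data).
ACCOUNTS: Dict[str, Account] = {
    a.username: a
    for a in (
        create_account("alice", "correct horse battery staple", {"grades:read", "grades:write"}),
        create_account("bob", "another long passphrase here", {"grades:read"}),
    )
}


def authenticate(username: str, passphrase: str) -> Optional[Account]:
    """Authentication: is the caller who they claim to be?
    Returns the Account on success, None on failure."""
    account = ACCOUNTS.get(username)
    # Always do the expensive hash, even for unknown users, to keep timing uniform.
    candidate = hash_passphrase(passphrase, account.salt if account else DUMMY_SALT)
    if account is None:
        return None
    # compare_digest avoids leaking how many leading bytes matched.
    if hmac.compare_digest(candidate, account.pw_hash):
        return account
    return None


def authorize(account: Account, permission: str) -> bool:
    """Authorization: does this already-authenticated identity hold the permission?"""
    return permission in account.permissions


def access(username: str, passphrase: str, permission: str) -> str:
    """Authentication first, then authorization, as the definitions above describe."""
    account = authenticate(username, passphrase)
    if account is None:
        return "denied: authentication failed"
    if not authorize(account, permission):
        return "denied: not authorized for " + permission
    return "granted: " + permission


if __name__ == "__main__":
    for args in (("alice", "correct horse battery staple", "grades:write"),
                 ("bob", "another long passphrase here", "grades:write"),
                 ("bob", "wrong passphrase", "grades:read"),
                 ("mallory", "anything", "grades:read")):
        print(args[0], args[2], "->", access(*args))
```

Note that the unauthenticated and unauthorized cases return distinct results to the caller here only for illustration; a user-facing login page should give the same generic message for an unknown username and a wrong passphrase.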
Authorized user - Authorized users are people acting within the scope of a legitimate affiliation with the university, using their assigned and approved credentials (e.g., network IDs, passwords, or other access codes) and privileges, to gain approved access to university information technology resources. A person acting outside of a legitimate affiliation with the university or outside the scope of their approved access to university information technology resources is considered an unauthorized user.
Autorun - According to PCMAG, autorun is a feature in personal computers that runs a program on a CD/DVD or USB drive. AutoRun is considered a security risk because a virus could be unleashed when the medium is inserted, which is why it is no longer the default in Windows. The Mac AutoStart equivalent was also dropped in Mac OS X.
Best practice - One or more general statements or recommendations detailing procedural or technology approaches to following or implementing policy. In contrast to procedures and standards, best practices are not requirements to be met, although they are strongly recommended. (See also Guideline)
Board of Trustees - Indiana University’s governing board, its legal owner, and its final authority. For the purposes of information security and privacy governance, the Board of Trustees is the owner of all information except information excluded from university ownership as set forth in the Indiana University Policy on Intellectual Property.
Breach - The acquisition, access, use, or disclosure of information in a manner not permitted under existing law which compromises the security or privacy of the information (i.e. poses a significant risk of financial, reputational, or other harm to the individual and/or university).
Business continuity plan - Business continuity planning (BCP) is the practice of planning how you will run your service or business unit processes when normal operating procedures are not possible.
Business function management - Those individuals assigned business management responsibilities for a unit or service.
Campus community - All of the people (e.g., students, faculty, staff) or organizations that have a connection to the university as it relates to academic, research, recreational, administrative, or other supportive functions.
Cloud computing - The delivery of shared, on-demand computing services over the internet ("the cloud") to offer faster innovation, flexible resources, and economies of scale.
Commercial activities - Economic activities geared toward a mass or specialized market and ordinarily intended to result in a profit, and that are not part of one's university responsibilities. This does not include the use of information technology resources for one-time, minimal transactions, such as students using their Indiana University email accounts to communicate with potential buyers for used textbooks or with potential sub-lessees. This type of transaction is considered incidental personal use.
Compliance officer - An individual who provides compliance oversight and/or coordination that includes information security and/or privacy, usually for a specific information type, business sector, or business function.
Computer virus - A hidden, self-replicating section of computer software, usually malicious logic, that propagates by infecting another program, i.e., inserting a copy of itself into that program and becoming part of it. It cannot run by itself; it requires that its host program be run to make the virus active.
Confidentiality - Considers the effects of the inappropriate disclosure of the information.
Content owner - For the purposes of the Web Site Privacy Notices (Policy ISPP-24), the content owner of a university web site is the functional person or group that owns and directs the content of a web site. Typically, the content owner directs the site manager in the implementation of a web site. The content owner and site manager share responsibility for a web site and for adherence to this policy.
Content-neutral information - Information relating to the operation of systems, including information relating to interactions between individuals and those systems. This includes but is not limited to operating system logs (i.e., record of actions or events related to the operation of a system or device), user login records (i.e., logs of usernames used to connect to university systems, noting source and date/time), dial-up logs (i.e., connections to university modems, noting source, date/time, and caller id), network activity logs (i.e., connections attempted or completed to university systems, with source and date/time), non-content network traffic (i.e., source/destination IP address, port, and protocol), email logs (i.e., logs indicating email sent or received by individuals using university email systems, noting sender, recipient, and date/time), account/system configuration information, and audit logs (i.e., records of actions taken on university systems, noting date/time).
Criticality - This considers the importance of maintaining integrity and availability for business operations.
Data - Data are symbols or characters that represent raw facts or figures and form the basis of information. Source: Glossary of Records and Information Management Terms, 3rd ed. ARMA International (2007) NOTE: For the purposes of the Indiana University Information Security and Privacy Program, the terms data and information are used interchangeably, with a preference for the use of the term information.
Data Access Manager - An individual who has been assigned to receive, evaluate, and authorize or deny requests for access to systems, applications, and/or databases containing information. These systems may be electronic or in paper form, for example, in paper-based filing systems.
Data Custodian - A manager of systems containing information. These systems may be in electronic or paper form, for example, in paper-based filing systems.
Data Steward - An individual who has been named to represent information, usually for a specific information type, business sector, or business function, for university-wide information governance purposes.
Department-Only Data - Any data that is not covered by the definition of Institutional Data. When a requested cloud solution does not include institutional data, the requester should follow normal procurement procedures. Depending upon the situation, these procedures may include involving IU Purchasing but will not involve a Third Party Security Assessment, review by the Data Steward, or a Privacy Notice review.
Domain - Common areas of information security and privacy activities are grouped into twelve specific domains. This domain grouping allows the use of common vocabulary and structure to identify and track projects, actions, policies, tools, and other safeguards. The Indiana University Security and Privacy Domains are adapted from the International Organization for Standardization and International Electrotechnical Commission (ISO/IEC) international standard ISO/IEC 27002:2005 on Information Security Management.
Employee - Any faculty member, staff member, or student who receives compensation from Indiana University for a job performance.
Encryption - Encryption is the process of transforming information (referred to as plaintext) using an algorithm (called a cipher) to conceal the data's original meaning and make it unreadable to anyone except those possessing special knowledge, usually referred to as a key. Data can be protected by encryption in two states: at rest (while stored on disk or other media) and in transit (while moving across a network).
Excessive use - When a user or process has exceeded established limits placed on the service, or is consuming a resource to a level such that service to other users is degraded, or where the actions of a user could cause degradation if the user is permitted to continue the practice or activity. Service managers, system administrators, and security and network engineers must use experience and knowledge of normal service usage patterns in consultation with the management of the unit owning the service or resource, and exercise judgment in making decisions about excessive use.
Executive Management - Individuals assigned executive management responsibilities, typically with the titles of President, Vice President, and Chancellor, and including Academic Deans.
Extending the network - For the purposes of the Extending the University Data Network (Policy IT-19), extending the network refers to connecting something other than a single end-system (i.e., a computer that had no other network connections) to a part of the university network (in most cases a data jack). Devices that extend the network include but are not limited to hubs, bridges, switches, routers, firewalls, WAPs, NATs, RAS, VPN servers, or workstations or servers or devices to provide any of this functionality.
Firewall - A system designed to prevent unauthorized access to or from a private network. You can implement a firewall in either hardware or software form, or a combination of both. All messages entering or leaving the intranet (i.e., the local network to which you are connected) must pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.
Guideline - Guidelines are comprised of one or more general statements or recommendations detailing procedural or technology approaches to following or implementing policy. In contrast to procedures and standards, guidelines are not requirements to be met, although they are strongly recommended. (See also Best Practice)
Protected Health Information - As defined by the HIPAA Privacy Rule, protected health information (PHI) is considered to be individually identifiable information relating to the past, present, or future health status of an individual that is created, collected, transmitted, or maintained by a HIPAA-covered entity or its business associate in relation to the provision of healthcare, payment for healthcare services, or use in healthcare operations.
Health Information - Individually identifiable information relating to healthcare services received, payment for healthcare services, and the past, present, or future health status of the individual that is created, collected, transmitted, or maintained in any communication or record retention format, by any entity.
Incidental personal use - The use of information technology resources by members of the Indiana University community in support of activities that do not relate to their university employment or studies or to other activities involving and approved by the university. Examples include use of email to send personal messages to friends, family, or colleagues, including messages relating to one-time minimal sales or purchase transactions, and use of the personal home page service to provide information about personal hobbies or interests. If personal use adversely affects or conflicts with university operations or activities, the user will be asked to cease those activities. All direct costs (for example, printer or copier paper and other supplies) attributed to personal incidental use must be assumed by the user.
Identity Theft - Identity theft is when someone uses personal information about you in an attempt to impersonate you. Identity thieves often do this to make purchases, establish accounts in your name, and sometimes commit more serious crimes.
Indiana University information - See also University information.
Information - Data that has been given value through analysis, interpretation, or compilation in a meaningful form. Source: Glossary of Records and Information Management Terms, 3rd ed. ARMA International (2007) (See also University information) NOTE: For the purposes of the Indiana University Information Security and Privacy Program, the terms data and information are used interchangeably, with a preference for the use of the term information.
Information asset - An item of value that contains information. Examples include documents, spreadsheets, databases, and files. For the purposes of information classification, Data Stewards typically classify information elements. Then, other individuals handling information determine the classification of an information asset based on what information elements are contained in the asset. (See also Information element)
Information element - A single or small piece of data or information. For the purposes of information classification, Data Stewards typically classify information elements. Then, other individuals handling information determine the classification of an information asset based on what information elements are contained in the asset. (See also Information asset)
Information Security and Privacy Program - Indiana University's Information Security and Privacy Program outlines a university-wide approach to implementing and managing information and information technology security and privacy. It describes the university's philosophies, values, and approach to safeguarding information and information technology.
Information security program - A "methodical, programmatic approach to implementing and managing security within an organization." Source: Robert B. Kvavik and John Voloudakis, Safeguarding the Tower: IT Security in Higher Education 2006 (Boulder, CO: EDUCAUSE Center for Applied Research, 2006).
Information system - A discrete set of information resources, procedures and/or techniques, organized or designed, for the classification, collection, accessing, use, processing, manipulation, maintenance, storage, retention, retrieval, display, sharing, disclosure, dissemination, transmission, or disposal of information. An information system can be as simple as a paper-based filing system or as complicated as a tiered electronic system.
Information technology governance - The set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise's resources are used responsibly. Source: Board Briefing on IT Governance, 2nd ed. (Rolling Meadows, IL: IT Governance Institute, 2003), http://www.coso.org/ic.htm
Information technology resources - Includes all university-owned computers, peripherals, and related equipment and software; voice communications infrastructure, peripherals, and related equipment and software; data communications infrastructure, peripherals, and related equipment and software; all other associated tools, instruments, and facilities; and the services that make use of any of these technology resources. The components may be individually controlled (i.e., assigned to an employee) or shared in a single-user or multi-user manner; they may be stand-alone or networked; and they may be stationary or mobile.
Institutional data (or information) - Data in any form, location, or unit that meets one or more of the following criteria:
- It is subject to a legal obligation requiring the University to responsibly manage the data;
- It is substantive and relevant to the planning, managing, operating, documenting, staffing or auditing of one or more major administrative functions or multiple organizational units of the university;
- It is included in an official university report;
- It is clinical data or research data that meets the definition of “University Work” under the Intellectual Property Policy UA-05; or
- It is used to derive any data element that meets the above criteria.
IU-Notify - Indiana University’s mass communication tool for alerting students and IU employees to immediate dangers, such as severe weather or hostile intruders, and ongoing threats that could cause harm, such as unsolved robberies and sexual assaults. IU-Notify's messages can be sent to cell phones (voice and text) and land-line phones, email, digital signs and some desktop computers.
Layer-2 device - Layer-2 devices function at the data link layer of the Open Systems Interconnection Basic Reference Model. Typically these are Ethernet devices such as hubs, switches, repeaters, and WAPs. These devices are often used to provide network connectivity to multiple machines in the same room using a single data jack.
Layer-3 device - Layer-3 devices function at the network layer of the Open Systems Interconnection Basic Reference Model. Typically these are IP devices such as firewalls, NATs, and packet-filtering routers that isolate or conceal other devices from the rest of the network.
Misuse or abuse - Uses of Indiana University information technology resources that violate existing laws or university policies and procedures (including but not limited to University Information Technology Policies; the Code of Student Rights, Responsibilities, and Conduct; the Academic Handbook; University Human Resources Policies; and University Financial Policies), or that otherwise violate generally accepted ethical norms and principles. Misuse or abuse also includes the sharing or transferring of an individual's university accounts, including network ID, password, or other access codes that allow them to gain access to university information technology resources, with one or more other persons.
Network Address Translation (NAT) device - NAT devices rewrite the IP header of a packet traversing the device, changing the IP source and/or destination addresses. Because the NAT device forwards at layer 3, frames leaving it also carry the NAT device's own layer-2 (MAC) address rather than that of the originating host. Often the result is to present multiple devices behind a NAT as if they were a single device.
OWASP (Open Web Application Security Project) - The Open Web Application Security Project® (OWASP) is a nonprofit foundation that works to improve the security of software. Through community-led open-source software projects, hundreds of local chapters worldwide, tens of thousands of members, and leading educational and training conferences, the OWASP Foundation is the source for developers and technologists to secure the web.
Owner - Identifies an individual or entity that has approved management responsibility for controlling the production, development, maintenance, use and security of the information or information technology assets. The term "owner" does not necessarily mean that the person or entity actually has any property rights to the asset.
Passphrase - A sequence of letters, numbers, and symbols that you enter to verify your identity to a system in order to access secure data or other resources. A passphrase is best thought of as a much longer password. Your passphrase must contain at least 15 characters (127 characters maximum).
Passive collection - For the purposes of the Web Site Privacy Notices (Policy ISPP-24), passive collection refers to the automatic gathering of information from visitors as they migrate or navigate from page to page on a web site or series of sites, such as via server logs or cookies.
Peer-to-peer (P2P) file-sharing - Peer-to-peer (P2P) file-sharing allows users to share files online through an informal network of computers running the same software. File-sharing can give you access to a wealth of information, but it also has a number of risks. You could download copyright-protected material, pornography, or viruses without meaning to. Or you could mistakenly allow other people to copy files you don't mean to share.
Personally Identifiable Information (PII) - Any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information. (As used in the NIST standards and according to the United States Government Accountability Office.)
Personal private gain - Personal private gain is defined as securing profit or reward for an individual in his or her personal capacity, that is not otherwise permitted by the Appropriate Use of Information Technology Resources (Policy IT-01).
Phishing - Phishing is a scam where Internet fraudsters send spam or pop-up messages to lure unsuspecting victims into providing passphrases, personal, and/or financial information.
Information Policy - An agreed upon, formal, high-level statement that describes the university's philosophy, values, and/or direction for a specified subject area. Policies tend to be fairly brief and focus on guiding principles (i.e., the "why") rather than on technical or process details (i.e., the "how"). The purpose of policies is to guide present and future decisions so that they are in agreement with university goals and objectives. University-level information and information technology policies are developed and approved using a formal process. Because policies are official institutional statements, compliance with policies is non-optional and failure to follow policies may result in sanctions imposed by the appropriate university office. Policies are not procedures (although many policy documents have a procedures section), standards, guidelines or best practices. These other, more detailed documents flow from and support policies.
Position paper - A concise, practical document that focuses on a specific technology or issue (often new or not yet widely used or encountered within the university) and expresses the professional opinion of the University Information Policy Office or University Information Security Office on its use within or effect on the university.
Practice - See also Best Practice.
Pre-existing Contracted Solutions - Enterprise-level contracts already in place with vendors, tracked by the IU Purchasing Department. Contact that office to see if an existing contract will meet your needs before starting a new procurement.
Principle of least privilege - The principle of least privilege (PoLP; also known as the principle of least authority) is an important concept in computer security, promoting minimal user profile privileges on computers, based on users' job necessities. It can also be applied to processes on the computer; each system component or process should have the least authority necessary to perform its duties. This helps reduce the "attack surface" of the computer by eliminating unnecessary privileges that can result in network exploits and computer compromises. You can apply this principle to the computers you work on by normally operating without administrative rights.
Privacy - The rights and obligations of individuals and organizations with respect to the collection, use, retention, and disclosure of personal information. Source: Generally Accepted Privacy Principles: A Global Privacy Framework ([Durham, NC?]: American Institute of Certified Public Accountants, Inc. and Canadian Institute of Chartered Accountants, 2006), http://infotech.aicpa.org/Resources/Privacy/Generally+Accepted+Privacy+Principles/, 4.
Private IP address - Local network addresses that are not routed on the public Internet, so that devices elsewhere on the Internet cannot initiate connections to them directly (reaching them requires a NAT or port-forwarding device). The private IP address blocks are 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16, as defined by RFC 1918.
Procedure - Support policy by further describing specific implementation details (i.e., the "how"). A procedure can be thought of as an extension of a policy that articulates the process to be used in carrying out/complying with the policy. A procedure may describe a series of steps, or how to use standards and guidelines to achieve the goals of a policy. Procedures, along with standards, promote a consistent approach to following policy. Procedures make policies more practically meaningful and effective. Procedures overlap with standards although procedures tend to be more process oriented while standards tend to be more focused on requirements or specifications. Because procedures directly support policies, compliance with procedures is non-optional and failure to follow procedures may result in sanctions imposed by the appropriate university office.
Public IP addresses - Globally routable addresses that are reachable from the Internet, so that devices elsewhere on the Internet can initiate connections to them.
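The "Content-neutral information" definition above lists network activity logs (source/destination IP, port, protocol, attempted or completed), and the two preceding definitions distinguish private from public addresses. A common triage step is to find which connections to a university system came from outside the RFC 1918 ranges. The following is an added example written for this glossary, not code from Indiana University or any IU logging system. The log format and every address in it are constructed for illustration. It deliberately lists the three RFC 1918 blocks itself rather than relying on Python's `ipaddress.is_private`, which also treats loopback, link-local and documentation ranges as private and would blur the distinction the definitions draw.

```python
import ipaddress
from collections import Counter
from typing import Dict, List

# The three RFC 1918 blocks exactly as given in the Private IP address definition.
RFC1918_NETWORKS = [
    ipaddress.ip_network(cidr) for cidr in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def is_rfc1918(addr: str) -> bool:
    """True only for IPv4 addresses inside 10/8, 172.16/12 or 192.168/16.
    Note 172.16/12 spans 172.16.0.0 to 172.31.255.255; 172.32.x.x is public."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in RFC1918_NETWORKS)


# Constructed sample network activity log (hypothetical format and addresses):
# <timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto> <attempted|completed>
SAMPLE_LOG = """\
2024-03-01T08:15:02Z 10.20.30.40:51234 -> 192.168.1.10:22 tcp completed
2024-03-01T08:15:09Z 203.0.113.77:40001 -> 192.168.1.10:22 tcp attempted
2024-03-01T08:15:10Z 203.0.113.77:40002 -> 192.168.1.10:3389 tcp attempted
2024-03-01T08:16:00Z 172.31.5.6:60000 -> 192.168.1.20:443 tcp completed
2024-03-01T08:16:30Z 100.64.7.8:12345 -> 192.168.1.10:22 tcp completed
2024-03-01T08:17:00Z 172.32.0.1:5555 -> 192.168.1.10:22 tcp attempted
"""


def parse_line(line: str) -> Dict[str, str]:
    """Split one log line into its fields; raises ValueError on a malformed line."""
    ts, src, arrow, dst, proto, outcome = line.split()
    if arrow != "->":
        raise ValueError("unexpected log line: " + line)
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {
        "ts": ts, "src_ip": src_ip, "src_port": src_port,
        "dst_ip": dst_ip, "dst_port": dst_port, "proto": proto, "outcome": outcome,
    }


def parse_log(text: str) -> List[Dict[str, str]]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def non_rfc1918_sources(text: str) -> Counter:
    """Count connections per source address that is NOT in an RFC 1918 block.
    100.64.0.0/10 (shared address space, RFC 6598) is not RFC 1918 and so is
    counted here too; decide separately whether your network treats it as internal."""
    counts: Counter = Counter()
    for rec in parse_log(text):
        if not is_rfc1918(rec["src_ip"]):
            counts[rec["src_ip"]] += 1
    return counts


def external_attempts_to_port(text: str, port: str) -> List[Dict[str, str]]:
    """Records from non-RFC 1918 sources aimed at one destination port, e.g. "22"."""
    return [
        rec for rec in parse_log(text)
        if rec["dst_port"] == port and not is_rfc1918(rec["src_ip"])
    ]


if __name__ == "__main__":
    for ip, n in non_rfc1918_sources(SAMPLE_LOG).most_common():
        print(f"{ip:16} {n} connection(s) from outside RFC 1918 space")
    for rec in external_attempts_to_port(SAMPLE_LOG, "22"):
        print("ssh from outside:", rec["ts"], rec["src_ip"], rec["outcome"])
```

The 172.31.5.6 and 172.32.0.1 lines are included on purpose: the first is private, the second is not, and scripts that test for a "172." prefix get both wrong.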
Ransomware - Ransomware is a type of malicious software which blocks access to a computer system or encrypts digital files so no one can access it/them without paying a fee. The malicious software displays a message about how the user can supposedly regain access to his/her system/files by paying a ransom. There is no guarantee paying the ransom will allow the user to regain access to those files.
Regional campus Chief Information Officer - The primary responsibility of a regional campus Chief Information Officer is the development and use of information technology in support of the campus' vision for excellence in research, teaching, outreach, and lifelong learning. They are also responsible for disseminating information to the campus, coordinating activities that involve more than one campus, fostering cooperation in areas such as sharing technical expertise and training, and problem coordination and resolution for their own campus information technology issues.
Related Third Party - An organization, contractor, vendor, or consultant with whom Indiana University establishes relationships or contracts to perform a service for or on behalf of the university.
Remote access service - Any mechanisms that allow a machine outside of the physical university data network to appear as though it is part of the Indiana University network. Typically this involves creating a link over either the data network or a phone line and assigning an Indiana University IP address to the remote machine.
Role title - A generic information security and privacy role title is given to a set of high-level, general responsibilities. An individual may then be assigned to a role title, so that he or she understands what functions to perform.
Response - Immediate actions to save and sustain lives, protect property and the environment, and meet basic human needs. Response also includes the execution of plans and actions to support short-term recovery.
Safeguards - Safeguards are the administration (e.g. policies, procedures), technical, and physical measures put in place to protect information.
Scareware - Deceptive software or pop-up alerts (for example, a fake virus warning) that frighten a computer user into downloading and installing software laced with malicious code, which, when activated, gives attackers "back door" access to the computer. Cyber criminals use increasingly sophisticated scareware tactics to trick unsuspecting users in this way.
Screen lock - Make a habit of locking your computer every time you leave it, so when you are ready to use it again it asks you for your password to log in. This will prevent someone from sneaking on to your computer and stealing files.
Security incident - A security incident is the attempted or successful unauthorized access, use, disclosure, modification or destruction of information or interference with system operations in an information system. Security incident also means the loss of data through theft or device misplacement, loss or misplacement of hardcopy documents, misrouting of mail, or compromise of physical security, all of which may have the potential to put the data at risk of unauthorized access, use, disclosure, modification or destruction.
Secure Shell (SSH) - Also historically invoked as slogin. SSH lets a user connect from one computer to another over a network and execute commands, transfer files, or get a command prompt. It uses strong cryptography to protect the data in transit and also to authenticate both the user and the server. SSH serves as a drop-in replacement for TELNET, FTP, rlogin, rsh, and rcp, none of which use strong cryptography by default. SSH consists of both a client program, ssh, which the user runs directly, and a server program, sshd, that handles incoming requests on the server.
Site manager - For the purposes of the Web Site Privacy Notices (Policy ISPP-24), the site manager of a university web site is the person or group that technically implements the wishes and publishes the content of the content owner. Typically, the site manager follows the direction of the content owner. The site manager and content owner share responsibility for a web site and for adherence to this policy.
Social engineering - In computer security, social engineering is a term that describes a non-technical kind of intrusion that relies heavily on human interaction and often involves tricking or manipulating other people to divulge confidential information or break normal security procedures.
Standard - Supports policy by further describing specific implementation details (i.e. the "how"). A standard can be thought of as an extension of policy that articulates the rules, mechanisms, technical or procedural requirements or specifications to be used in carrying out/complying with policy. Standards, along with procedures, promote a consistent approach to following policy. Standards make policies more practically meaningful and effective. Standards are definitional and clarifying in nature specifying the minimums necessary to meet policy objectives. Because standards directly support policies, compliance with standards is non-optional and failure to follow standards may result in sanctions imposed by the appropriate university office.
Standard Third Party Review and Approval Process - This process requires proper documentation be submitted along with the initial request (i.e., business case, identification of the executive sponsor, resource management plan identifying adequate functional and technical resources, etc.), the completion of a security assessment, a Privacy Notice review, final approval from the Data Stewards, purchasing contracts, and other appropriate reviews for web accessibility, programs involving children, etc. This process may take significant time and departments should plan accordingly. Any purchase of goods or services must comply with University Procurement Services policies and procedures.
Technician - An individual who applies security and privacy principles, policies, standards, guidelines, and procedures to technologies that contain, transport, or otherwise handle information.
Technology Management - Individuals assigned technology management/director responsibilities for a unit or service.
University Chief Information Officer - The primary responsibility of the University Chief Information Officer (CIO) is the development and use of information technology in support of the university's vision for excellence in research, teaching, outreach, and lifelong learning. The University Information Policy Office (UIPO) represents the CIO with respect to policy issues related to the IU Bloomington and IUPUI campuses.
University Information - For information security and privacy purposes, university information consists of data and information that are created, received, or maintained by the university in the course of carrying out its mission. NOTE: For the purposes of the Indiana University Information Security and Privacy Program, the terms data and information will be used interchangeably, with a preference for the use of the term information.
University Web Sites - These sites are created or maintained either by or for academic, administrative, or auxiliary units of Indiana University, regardless of whether or not the sites are hosted on university servers or external servers. This includes web sites of professional associations and publications that are formally hosted, maintained and operated by faculty or staff of the university.
User - Individuals who interact with information.
Visitor - For the purposes of the Web Site Privacy Notices (Policy ISPP-24), a visitor refers to anyone viewing or entering information to a web site, regardless of affiliation or origination of the connection.
Wireless network - A telecommunications network whose interconnections between nodes are achieved using electromagnetic waves such as radio waves instead of wire or fiber optic cable. Wireless networking equipment includes devices used to set up a wireless network such as wireless hubs, routers, and access points.