IT Security Standards Definitions

The following definitions are used within the context of this Policy and all UNF Standards established by this Policy.

Authentication: A process used to verify one's identity.

Backup: Copy of files or applications made to avoid loss of data and facilitate recovery in the event of a system failure or other data loss event.

Centralized IT: Information Technology Services (ITS) and support organizations reporting to the Chief Information Officer (CIO).

Change: Any addition or removal of, and any modification or update to an Information Resource.

Change Management: The process of controlling the communication, approval, implementation, and documentation of modifications to hardware, software, and procedures to ensure that Information Resources are protected against improper modification before, during, and after system implementation.

Cloud Computing (Cloud Services): A service that provides network access to a shared pool of configurable computing resources on demand, including networks, servers, storage, applications, or related technology services.

Commodity Server: A system providing commodity services to University affiliates (e.g., web servers, e-mail servers, file servers, database servers, directory servers).

Computing Device: Any device capable of sending, receiving, or storing Digital Data, including but not limited to: computer servers, workstations, desktop computers, laptop computers, tablet computers, cellular/smart phones, personal digital assistants, USB drives, embedded devices, smart watches and other wearable electronic devices, etc.

Data: Elemental units, regardless of form or media, that are combined to create information used to support research, teaching, and other University business processes. Data may include but are not limited to: physical media, digital, video, audio records, photographs, negatives, etc.

Data Center: A secure and protected facility used to house computer systems and associated components, e.g. storage.

Data Classification: The process of sorting and categorizing data into various types according to risk and confidentiality.

Decentralized Systems: Information technology systems supported by units reporting to the heads of business units, departments, or programs other than ITS.

Digital Data: The subset of Data transmitted by, maintained in, or made available in electronic form.

Emergency Change: A change to an Information Resource made in response to unexpected events or circumstances that require urgent action and/or pose a threat to the environment or institution, and thereby justify use of expedited change procedures.

Encryption Standards: The following is a list of approved UNF encryption standards: Advanced Encryption Standard (AES), RSA, Open PGP. AES should use at least 128 bit keys and 256 bit is recommended. Web and web server encryption should use at least TLS 1.2 or above using only advanced ciphers recommended by OWASP.

Electronic Communication: Method used to convey a message or exchange information via Electronic Media instead of paper media. It includes the use of Electronic Mail, instant messaging, Short Message Service (SMS or texting), facsimile transmission, Social Media, and other paperless means of communication.

Electronic Mail (Email): Any message, image, form, attachment, data, or other communication sent, received, or stored within an electronic mail system.

Electronic Media: Any of the following:

• Electronic storage media including storage devices in computers (hard drives, memory) and any removable/transportable digital storage medium, such as an external hard drive, magnetic tape, CD/DVD, or digital memory card; or
• Transmission media used to exchange information already in electronic storage media. Transmission media include, for example, the Internet, leased lines, dial-up lines, private networks, intranet, and the physical movement of removable/transportable electronic storage media.

Guideline: Recommended, non-mandatory controls that help support Standards or serve as a reference when no applicable Standard is in place.

High Impact Information Resources: Information Resources whose loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. Such an event could:

• Cause a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions;
• Result in major damage to organizational assets;
• Result in major financial loss; or
• Result in severe or catastrophic harm to individuals involving loss of life or serious life-threatening injuries.

High Risk Computing Device: A computing device meeting any of the following criteria:

• Is used to create, store, or process Sensitive Data or is used within a functional area that handles such data;
• Is used by any executive officers or their support staff; or
• Contains data that if accessed, changed, or deleted by an unauthorized party could have a highly adverse impact on the University.

Based on these criteria, designation of a computing device as being "High Risk" is made by the Information Technology Security Office in consultation with the UNF Chief Information Security Officer.

Information: Data organized, formatted and presented in a way that facilitates meaning and decision making. All information is comprised of data.

Information Resources: Any and all computer printouts, online display devices, mass storage media, and all computer-related activities involving any device capable of receiving email, browsing Web sites, or otherwise capable of receiving, storing, managing, or transmitting data. This includes, but is not limited to, mainframes, servers, Network Infrastructure, personal computers, notebook computers, hand-held computers, pagers, distributed processing systems, network attached and computer controlled medical and laboratory equipment, telecommunication resources, network environments, telephones, fax machines, printers and service bureaus. Additionally, it is the procedures, equipment, facilities, software, and Data that are designed, built, operated, and maintained to create, collect, record, process, store, retrieve, display, and transmit information.

Information Resource Custodian (Custodian): An individual, department, Institution, or third-party service provider responsible for supporting and implementing Information Resources Owner defined controls to Information Resources. Custodians include Data Owners, University information technology units, faculty or staff, vendors, and any third-party acting as an agent of or otherwise on behalf of the University.

Information Resource Owner (Owner): The manager or agent responsible for the business function that is supported by the Information Resource or the individual upon whom responsibility rests for carrying out the program that uses the resources. The Owner is responsible for establishing the controls that provide the security, as well as authorizing access to the Information Resource. The Owner of a collection of information is the person responsible for the business results of that system or the business use of the information. Where appropriate, ownership may be shared. Note: In the context of this Policy and associated Standards, Owner is a role that has data and/or security responsibilities. It does not imply legal ownership of an Information Resource. All University Information Resources are legally owned by UNF.

Information Security Administrator: A departmental employee, designated by management, who assists with information security tasks as described in Standard 1 - Information Resources Security Responsibilities and Accountability.

Information Security Program: The Policies, Standards, Procedures, Guidelines, elements, structure, strategies, objectives, plans, metrics, reports, resources, and services adopted for the purpose of securing University Information Resources.

Information System: An interconnected set of Information Resources under the same direct management control that shares common functionality. An Information System normally includes hardware, software, Network Infrastructure, information, data, applications, communications, and people.

Information Technology (IT): The hardware, software, services, supplies, personnel, facilities, maintenance, and training used for the processing of Data and telecommunications.

Inherent Impact: The degree of Impact (High, Moderate, or Low) that could result if Information Resources were subjected to unauthorized access, use, disclosure, disruption, modification, or destruction.

Institution: Same as University.

Integrity: The accuracy and completeness of information and assets, and the authenticity of transactions.

Internal Use Data: One of three data classifications defined within the UNF Data Classification and Security Policy. Internal Use Data is information that is restricted to members of the University community who have a legitimate purpose for accessing such data.

Internet: A global system interconnecting computers and public computer networks. A host of organizations, government agencies, companies, and colleges own the computers and networks separately.

Lead Researcher: The person engaged in the conduct of Research with primary responsibility for stewardship of Research Data in a specific instance on behalf of the University. For the purpose of this Policy and associated Standards, the term is synonymous with Principal Investigator.

Local Area Network (LAN): A data communications network spanning a limited geographical area, a few miles at most. It provides communication between computers and peripherals.

Low Impact Information Resources: Information resources whose loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. Such an event could:

• Cause a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced;
• Result in minor damage to organizational assets;
• Result in minor financial loss; or
• Result in minor harm to individuals.

Malware: A computer program that is inserted into an Information System, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of data, applications, or operating system, or of otherwise annoying or disrupting the User or Information System. Malware (malicious software) may attach itself to a file or application; deliver a payload without the knowledge or permission of the User; insert itself as a service or process to intercept sensitive information and/or keystrokes and deliver it to a third-party; or compromise the User's computer and use it to launch compromises against other computers, among other capabilities. Viruses, worms, Trojan horses, spyware, adware, ransomware, and any code-based entity that infects a host are examples of malicious software.

Mission Critical Information Resources: Information Resources defined to be essential to UNF's ability to meet its instructional, research, or public service missions. The loss of these resources or inability to restore them in a timely fashion would result in the failure of UNF's operations, inability to comply with regulations or legal obligations, negative legal or financial impact, or endanger the health and safety of faculty, students or staff. Mission Critical Information Resources include but are not limited to:

• Information Systems managing Sensitive Data;
• Institutional Network and Data Center Infrastructure;
• Identity and Access Management Systems, such as single-sign-on or other applications required to enable access to other critical systems;
• Administrative systems (e.g., HR, Finance, Payroll, student enrollment and billing, etc.);
• Student information systems

Moderate Impact Information Resources: Information Resources whose loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. Such an event could:

• Cause a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced;
• Result in significant damage to organizational assets;
• Result in significant financial loss; or
• Result in significant harm to individuals that does not involve loss of life or serious life-threatening injuries.

Network Infrastructure: The distributed hardware and software (i.e., cabling, fiber, routers, switches, wireless access points, access methods, and protocols), information, and integrating components that allow institutional network hosts to communicate with one another and enable the administrative, learning, research, and public service missions of the Institution.

Non-University Owned Computing Device: Any device that is capable of receiving, transmitting, and/or storing electronic data, and that is not owned, leased, or under the management of the University. This includes personally owned devices.

Owner: See Information Resources Owner.

Password: A string of characters used to verify or "authenticate" a person's identity. Passphrases and personal identification numbers (PIN) serve the same purpose as a Password.

Personally Identifiable Information (PII): Information that alone or in conjunction with other information identifies an individual. PII includes, but is not limited to:

• An individual's name;
• Social Security number;
• Date of birth;
• Government-issued identification number;
• Mother's maiden name;
• Unique biometric data (e.g. an individual's fingerprint, voice print, and retina or iris image).

Policy: High level statements of intent relating to the protection of Information Resources across an organization (e.g., UNF). Compliance with a Policy is mandatory.

Portable Computing Device: Any easily movable device capable of receiving, transmitting, and/or storing data. These include, but are not limited to: notebook computers, handheld computers, tablets (e.g., iPads, etc.), PDAs (personal digital assistants), pagers, smartphones, Universal Serial Bus (USB) drives, memory cards, external hard drives, CDs, DVDs, and similar storage devices.

Practice: Customary actions, which may or may not be documented, taken to accomplish information security tasks.

Procedure: Step by step instructions to assist information security and technology staff, Custodians, and Users in implementing various policies, standards, and guidelines.

Public Data: One of three data classifications defined within the UNF Data Classification and Security Policy. This classification includes data/information made available to the public through posting to public websites or distribution through email, social media, print publications, or other media.

Remote Access: Access to University Information Resources that originates from a Remote Location.

Remote Location: A location outside the physical boundary of the University (inclusive of University leased/rented properties and locations within the University's compliance environment).

Residual Risk: The risk (Low, Moderate, or High) that remains after security controls are applied.

Research: Systematic investigation designed to develop and contribute to knowledge and may include all stages of development, testing, and evaluation.

Researcher: Anyone engaged in or responsible for Research activities (e.g. Lead Researchers, faculty, staff, graduate students, and visiting/affiliated scientists who are.

Risk: A function of the likelihood that a threat will exploit a vulnerability and the resulting impact to University missions, functions, image, reputation, assets, or constituencies if such an exploit were to occur.

Scheduled Change: A change to an Information Resource made under normal working conditions following formally defined change control processes as defined in Standard 7 - Change Management.

Security Incident: An event that results in unauthorized access, loss, disclosure, modification, disruption, or destruction of Information Resources whether accidental or deliberate.

Server: A program that provides services to (programs on) other devices. A computer running a server program is frequently referred to as a server, though it may also be running other client (and server) programs.

Social Media: A forum or media for social interaction, using highly accessible and scalable communication techniques. Examples include but are not limited to wikis (e.g., Wikia, Wikimedia); blogs and microblogs (e.g., Blogger, Twitter); content communities (e.g. Flickr, YouTube); social networking sites (e.g., Facebook, LinkedIn); virtual game worlds; and virtual communities (e.g., SecondLife)

Standards: Specific mandatory controls that are components of this Policy or the UNF Information Security Program.

State Record: A document, book, paper, photograph, sound recording, or other material, regardless of physical form or characteristic, made or received by a state department or institution according to law or in connection with the transaction of official state business.

Strong Password: A Password constructed so that another User cannot easily guess it and so that a "hacker" program cannot break it within a reasonable amount of time. It typically consists of a minimum number of positions in length and contains a combination of alphabetic, numeric, or special characters.

Two-factor Authentication: A process for verifying a person's identity that requires use of two of the following three elements:

• Something the person knows, such as a password;
• Something the person has, such as a token or smart card; or
• A unique characteristic of the person, such as a fingerprint.

University Data: All Data or Information held on behalf of UNF created as a result of and/or in support of University business, or residing on University Information Resources, including paper records.

UNF Information Security Program: The University policies, standards, procedures, elements, structure, strategies, objectives, plans, metrics, reports, resources, and services that establish requirements to provide for program oversight.

User: An individual, automated application, or process that is authorized by the Owner to access the resource, in accordance with Federal and State law, University policy, and the Owner's procedures and rules. The User has the responsibility to:

• Use the resource only for the purpose specified by the Owner
• Comply with controls established by the Owner
• Prevent the unauthorized disclosure of Confidential Data.

A user is any person who has been authorized by the Owner of the information to read, enter, or update that information.

Vendor: Any third-party that contracts with UNF to provide goods and/or services to the University.