Information Security Glossary
Administrators
Individuals with administrative responsibility University-wide or for University organizational units. See the University Redbook (http://louisville.edu/provost/redbook/chap2.html#SEC2.3.1) for more information.
Business Continuity Plan (BCP)
- Perform Gap Analysis
- Conduct Risk Assessment
- Perform Business Impact Analysis
- Determine Continuity/Recovery Strategy
- Implement Continuity/Recovery Strategy
- Establish BCP and Disaster Recovery Maintenance and Awareness Program
BCP and Disaster Recovery Maintenance and Awareness Program
- Conduct education and awareness training with personnel.
- Perform periodic BCP plan walkthrough and testing.
- Review and update plans and documentation annually or per testing deficiencies.
Business Impact Analysis
In business continuity planning, a business impact analysis includes:
- Identification of critical business processes at departmental/unit level.
- Risk Assessment including quantification of impact of an event.
- Identification of points of failure and process interdependencies.
- Development of recovery time objective (RTO) and recovery point objective (RPO). See definitions of these terms in this document.
- Degree of criticality and supporting prioritization of processes for recovery.
- Review and update annually.
Computing Devices
Includes but is not limited to workstations, desktop computers, notebook computers, tablet computers, network-enabled printers, scanners and multi-function devices, email/messaging mobile devices and cell phones, all hereafter referred to as "computing devices".
Continuity/Recovery Strategy
In disaster recovery or business continuity planning, a continuity and recovery strategy includes these steps:
- Assess alternate continuity/recovery strategies.
- Select a continuity/recovery strategy.
- Develop and document continuity/recovery strategy plans.
- Disaster Recovery Plans, as part of a broader Business Continuity Plan, should include:
  - Classification of critical systems and records to ensure priority of recovery.
  - Mitigation strategies and safeguards to avoid disasters.
  - Support of RPO and RTO objectives.
  - Backup of necessary electronic files and an off-site storage strategy (see IS PS015 Backup of Data).
  - Security controls equal to those of day-to-day operations.
  - Definition of organizational responsibilities and critical functions for implementing the plans; these are documented, communicated to all involved parties and implemented.
  - Off-site storage, meeting University security requirements, for at least one copy of the planning documents.
  - Sufficient and secure off-site facilities for continuation of business, if necessary (see IS PS009 Data Facilities).
  - Annual training and testing of the plans, including documented procedures, results and correction of noted deficiencies.
  - Annual review and revision of the plans.
  - Coordination with the central IT disaster recovery strategy, if applicable.
Includes all electronic data storage devices funded as described under Computing Devices above, and any other electronic data storage devices used to store UofL-related data. Media includes but is not limited to removable and non-removable storage such as hard drives, CDs, DVDs, magnetic tape, removable disks (floppy, zip, cartridge systems, etc.) and flash memory devices.
Enterprise Systems
Server-class computing systems physically maintained in the University's computing center by the Information Technology Division, which features multiple layers of physical security and access control, back-up power, climate control, fire suppression, data back-up and disaster recovery plans, etc. Only a few computing centers elsewhere fit the enterprise systems category; they include the Speed School data center and the Dental School data center. Servers and computers located in offices, data closets and other areas that do not have the features and dedicated staffing of one of these data centers do not meet the enterprise systems criteria.
Electronic Protected Health Information (ePHI)
Health information maintained or transmitted in an electronic format that:
- identifies or could be used to identify an individual;
- is created or received by a healthcare provider, health plan, employer or healthcare clearinghouse; and
- relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of healthcare to an individual.
Faculty
- Individuals employed by the University as faculty or other employees who teach courses or are engaged in academic research activities for the University
- Visiting faculty who are conducting academic research or teaching courses on a time-limited basis from another institution for the University
- An individual who is teaching courses or conducting academic research activities for the University without salary and is under the control/supervision of the University
- See also the University Redbook at http://louisville.edu/provost/redbook/contents.html/chap3.html
Gap Analysis
A process in which the current state of a process, system or organization is compared with its desired state. The differences between the current state and the desired state are called gaps. These gaps then become the basis for prioritization, planning and action to move to the desired state.
Information Security Incident
Any accidental or malicious act with the potential to result in the misappropriation or inappropriate modification or disclosure of sensitive information, affect the functionality of the information technology infrastructure, provide unauthorized access to sensitive information, or allow University resources to be used in an inappropriate manner, thereby impacting the confidentiality, integrity or availability of University information.
ISIRT (Information Security Incident Response Team)
Individuals who receive, triage, resolve, classify and track Information Security Incidents for the University. The ISIRT assists in the coordination of efforts of external resources such as law enforcement agencies and other institutions.
Least Required Access
Only the access needed to perform required functions is assigned to an account. For example, an Oracle database administrator's (DBA) operating system account on the Oracle host system would not allow the DBA to configure or affect underlying operating system functions except as required within the DBA role.
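As an added illustration of the definition above (not part of the original glossary), the following sudoers fragment shows an over-broad grant for a DBA's operating-system account beside a least-required-access version. The account name `oracle`, the systemd unit `oracle-db.service` and the command set are assumptions for the example; the real command set must be derived from the tasks the DBA role actually performs.

```sudoers
# Assumed example: the Oracle DBA's OS account is "oracle" and the
# database runs as the systemd unit "oracle-db.service".

# Over-broad (remove this line): the DBA account can run any command as
# any user, so it can reconfigure the whole host, not just the database.
oracle  ALL=(ALL:ALL) ALL

# Least required access: only the commands the DBA role needs, with full
# paths and fixed arguments. No shells, editors, package managers or
# wildcard arguments, since any of those would let the account escalate
# back to full root.
Cmnd_Alias ORACLE_SVC  = /usr/bin/systemctl start oracle-db.service, \
                         /usr/bin/systemctl stop oracle-db.service, \
                         /usr/bin/systemctl restart oracle-db.service, \
                         /usr/bin/systemctl status oracle-db.service
Cmnd_Alias ORACLE_LOGS = /usr/bin/journalctl -u oracle-db.service
oracle  ALL=(root) ORACLE_SVC, ORACLE_LOGS
```

The two grants are shown together only for contrast; if the `ALL` line stays in the file it wins, because sudo grants the union of all matching rules. Edit the file only through `visudo`, which refuses to save a syntactically invalid file, and verify the effective grant afterwards with `sudo -l -U oracle`.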
Individuals who design, manage, and operate campus electronic information resources, e.g. project managers, system designers, application programmers, or system administrators.
Recovery Point Objective (RPO)
Describes the point in time to which data must be restored in order to successfully resume processing. This is often thought of as the time between the last backup and the moment the outage occurred, and indicates the amount of data lost.
Note: The Recovery Point Objective definition is copied from the definition on "The Free Dictionary by Farlex" (http://encyclopedia.thefreedictionary.com/). This definition is distributed under the terms of the "GNU Free Documentation License" (http://www.gnu.org/copyleft/fdl.html).
Recovery Time Objective (RTO)
Determined by the acceptable downtime in case of a disruption of operations. It indicates the latest point in time at which business operations must resume after a disaster.
- RTO must be considered together with the Recovery Point Objective (RPO) to get a picture of the total time a business may lose due to a disaster. Together they are the key requirements when designing a disaster recovery solution.
- RTO = time from the crash until the system is operational again (Tup - Tcrash)
- RPO = time since the last backup of complete transactions; it represents the data that must be re-acquired or re-entered (Tcrash - Tbackup)
- Lost business time = RTO + RPO = (Tup - Tcrash) + (Tcrash - Tbackup) = Tup - Tbackup
Note: The Recovery Time Objective definition is copied from the definition on "The Free Dictionary by Farlex" (http://encyclopedia.thefreedictionary.com/). This definition is distributed under the terms of the "GNU Free Documentation License" (http://www.gnu.org/copyleft/fdl.html).
Risk Assessment
The risk assessment process will typically include:
- Identification and classification of primary risks and exposures, including external and environmental risks as well as inherent business risks;
- Probability (likelihood) of occurrence;
- Impact of occurrence, including cost and reputation;
- Strength of existing controls;
- Prioritization of identified risks;
- Recommendation of actions/controls that could reduce the identified risk;
- Senior management risk tolerance and level of acceptance of identified risks vs. the cost of various mitigation plans.
Sensitive Information
Information of a confidential or proprietary nature and other information that (1) would not be routinely published for unrestricted public access, (2) was provided to the University by a third party under a confidentiality obligation, or (3) whose disclosure is prohibited by laws, regulations, contractual agreements or University policy. This includes (but is not limited to) full name or first initial and last name in combination with employee ID, identifiable medical and health records, grades and other enrollment information, credit card, bank account and other personal financial information, social security numbers, grant reviews, dates of birth (when combined with name, address and/or phone numbers), user IDs when combined with a password, etc. (see Information Management and Classification Standard).
Server Computing Devices
For the purposes of this policy, server computing devices are those whose primary purpose is to store, contain or transmit information from within the University network (or hosted outside the University network if used to host University related information and funded by University related entities) to users within or outside of the University network. Computing devices that are not servers, for the purposes of this policy, are covered under the IS PS011 Workstation and Computing Devices policy.
Spoofing
The use of software or other techniques to appear on the network as something other than what one really is (masquerading as something you are not). Example: the attacker tricked the system into allowing him onto the trusted network by spoofing the identity of a trusted server.
Staff
The staff of the University of Louisville shall consist of all employees of the University who do not hold faculty appointments, are not full-time students enrolled in the University, are not graduate assistants at the University, or are not administrators as defined in Section 2.3.1 of the University Redbook (see http://louisville.edu/provost/redbook/chap5.html#ART5.1).
Student
- An individual taking a course at the University, whether for credit or non-credit, who is enrolled for the course
- An individual who was enrolled at the University for a specific term (e.g., fall, spring, summer semester), who has not graduated, and who is not yet enrolled for the immediately subsequent term, provided such enrollment is still permitted, and provided further that where the individual was enrolled at the University for the spring term, the immediately subsequent term shall be the succeeding fall term. (e.g., (1) a student enrolled in the spring term who does not graduate at the end of the spring term may not enroll for the summer term, but will still be a student unless the individual fails to enroll for the succeeding fall semester, and (2) a student who has completed all other degree requirements but is completing a dissertation/thesis.)
- An individual who is admitted to the University or an academic program of the University but has not yet commenced the program of study. An admitted student will be included in the definition of student for a period of one year following the date of admission to the University or an academic program of the University.
See the University Redbook at http://louisville.edu/provost/redbook/contents.html/chap6.html for more information.
ULCirt (University of Louisville Computer Incident Response Team)
Members of Enterprise Information Technology responsible for managing and resolving technology incidents such as viruses, malicious software or unauthorized system intrusions. Members may assist the ISIRT in identifying and managing the technology aspects of an Information Security Incident.
Includes students, faculty, staff, administrators and other employees of the University of Louisville and its affiliated entities and any other individual having a computer account, email address or utilizing the computer, network or other information technology services of the University of Louisville.
Information that has significant value to the University's mission and/or whose loss could result in harm to the University, its staff, clients or students. This information may or may not be sensitive information (see definition above).