IT Glossary of Terms Draft

Effective: to be determined
Updated/Revised: under review
Contact: Office of the CIO
Algorithm
A process that performs some sequence of operations; a specialized computer
coding sequence designed to limit or restrict the use or access of sensitive
information.
Assets
Items of ownership which have some intrinsic value; Ex: Data or information
stored on ISU's networks are considered assets, and their safekeeping is the
responsibility of the owner or steward.
Attack Vectors
A path or means by which someone with malicious intent can gain access to a
computer or network; common attack vectors include viruses, e-mail
attachments, Web pages, pop-up windows, instant messages, chat rooms, etc.
Authentication
The process of confirming a user's identity in order to allow access to secured
data. Authentication usually requires the user to sign in with a unique username
and password.
Authorization
The act of granting permission for a person or group of people to perform
specific acts. Even though identity and authentication have determined who
someone is, authorization is required to allow specific actions, such as access to
secured data.
Best Practices
Definition to be written
Cleartext
Data that is transmitted or stored unencrypted; plaintext.
Custodian
The person in charge of guarding, protecting and maintaining specific assets or
property. Ex: A Data Custodian is responsible for the safe-keeping, transport,
storage of the data.
Data
Information that has been converted into a form convenient for moving,
processing, analyzing, and storing.
Data Custodian
Individual or entity in possession or control of the data who is responsible for
the safe-keeping, transport, storage, and implementation of policies, procedure,
and guidelines applicable to the data. The custodians including entities
contracted for outsourced services to the university must:
implement controls specified by the data steward;

provide physical and procedural safeguards for the data and other IT
resources using the data;
implement monitoring techniques and procedures for detecting, reporting,
and investigating security incidents (through their own action or by
delegation) based on the Minimum Security Standards.
Definition to be written
Definition to be written
Data Steward
University office represented by an executive officer who has policy-level and
planning responsibilities for data owned by the university in their functional
areas. These data stewards, as a group, are responsible for recommending
policies, establishing procedures and guidelines for university-wide data
administration activities. Data stewards may delegate the implementation of
university policies, standards, and guidelines to data custodians.
Data User
Individual, automated application or process that is authorized by the data
steward to create, enter, edit, and access data, in accordance with the data
steward's procedures and rules. Users have the responsibility to
use the data only for the purpose specified by the data steward;
comply with controls established by the data steward and
prevent disclosure of confidential or sensitive data
report suspected security incidents that may have breached the
confidentiality of data.
Disclosure Request
A request for information not otherwise available to the requestor, often used to
gain information pertinent to a legal case.
Discovery in Litigation
Part of the pre-trial litigation process during which each party requests relevant
information and documents from the other side in an attempt to "discover"
pertinent facts.
Email Bomb
Sending huge volumes of e-mail to an address in an attempt to overflow the
mailbox or overwhelm the server where the email address is hosted in a denialof-service attack.
Encryption
The process of transforming information using an algorithm (specialized
computer code) to make it unreadable to anyone except those possessing
special knowledge, usually referred to as a key.
Impact
The degree to which a security failure has the potential to result in harm or loss.
The three levels of impact are:
Low

Incidents that cause limited damage to operations or assets and that do not
involve risk for individuals. These incidents require minor corrective actions
or repairs within the designated custodial structure and communication is
frequently required only within the affected unit.
Moderate
Incidents that cause short-term degradation or partial loss of the university's
mission capability; that affect or disadvantage only subsets of the university
community; or result in limited loss or damage to significant assets. These
incidents require corrective actions or repairs that can normally be handled
within the designated custodial structure, usually involves only internal
communications, and normally will not require the involvement of high-level
administration.
High
Incidents that cause an extensive loss of the university's mission capability;
result in a loss of major assets; pose a significant threat to the well-being of
large numbers of individuals or to human life; or damage the reputation of
the university. These incidents require substantial allocation of human
resources to correct; may require communication to external agencies or law
enforcement and the public; and often require the involvement of high-level
administration within the university.
InCommon Bronze
The InCommon Federation creates and supports a common framework for
trustworthy shared management of access to on-line resources in support of
education and research in the United States. InCommon Bronze is the lowest
level of trustworthiness assigned to any authorized user.
InCommon Silver
The InCommon Federation creates and supports a common framework for
trustworthy shared management of access to on-line resources in support of
education and research in the United States. InCommon Silver provides an
additional level of trust above the Bronze level for Identity Providers that
require this enhancement.
Information
Data that has gained meaning through processing. into a form more convenient
and understandable for viewing and analyzing.
Information Processing
The handling of information by computers in accordance with strictly defined
systems of procedure.
Information System
The hardware, software, and procedures used for information processing.
ISU High Password Strength
The PIN (numeric-only) or password, and the controls used to limit on-line
guessing attacks shall ensure that an attack targeted against a given identity

Subject's PIN or password shall have a probability of success of less than 2^16
(1 chance in 16,384) success over the life of the PIN or password.
ISU Moderate Password Strength
The PIN (numeric-only) or password, and the controls used to limit on-line
guessing attacks shall ensure that an attack targeted against a given identity
Subject's PIN or password shall have a probability of success of less than 2^10
(1 chance in 1,024) success over the life of the PIN or password.
LAN
Local Area Network; a system for linking a number of microcomputers,
terminals, work stations, etc. with each other or with a mainframe computer in
order to share data, printers, information, programs, disks, etc.
Malware
A computer program designed specifically to damage, disrupt, or otherwise
compromise a system, such as a Trojan or worm.
Multifactor authentication (MFA)
A security system in which more than one form of authentication is required to
verify access privileges. Ex. A single factor authentication only requires a user
name and password (1 factor), while a multifactor authentication requires three
or more methods of verification, such as a smart card, retinal scan, fingerprint
or voice ID.
Net-ID
A unique identifier for each member of the ISU community; the Net-ID is the
prefix to your ISU email address, which appears before the @iastate.edu. Ex:
Net-ID for student@iastate.edu is "student."
Network
A system containing any combination of computers, computer terminals,
printers, audio or visual display devices, or telephones interconnected by
telecommunication equipment or cables: used to transmit or receive
information.
Policy
Definition to be written
Proprietary
Belonging or controlled as property; Ex: Proprietary enrollment data is owned by
the University registrar's office.
Proxy Access
A means by which only authorized users can view specific confidential
information stored on a computer network; a security barrier between ISU's
internal network and the Internet, keeping others on the Internet from being
able to obtain access to information that is located on ISU's internal network.
Qualified Controlled Devise
A device normally acting as a server that stores data or executes an application.
It has controls that match the minimum security standards for data classified as
high. It includes attributes such as restricted physical access, sits behind a

firewall, and administrated by an IT professional to provide regular software

updates and backups.
Risk
A source of danger; a possibility of incurring loss or damage. In general, risk is a
composite of three factors: threats, vulnerabilities, and impact.
Risk Assessment
In information technology security, a systematic process used to determine the
potential for any given information system to be subject to loss and to assess
the impact of that loss. Risk assessment involves determining potential for and
impact of a negative event by evaluating the nature of the information and
information systems.
Risk Factors
Factors used to determine the level of risk include the effect of the loss on the
university's strategic missions; the extent of loss to major information systems;
the potential for injury or damage to individual(s); the inconvenience or loss of
productivity for subsets of the university community; the potential for damage
to the university's reputation; the level of administrative involvement required;
and the level at which the security problem can be resolved.
Risk Mitigation
Action taken to reduce risk to an acceptable level. An analysis evaluating costs,
benefits, and impacts to the university will be critical in determining what, if
any, action should be taken. Some options to reduce risk include:
Risk assumption - Accepting the potential risk and continuing operations
of the IT system.
Risk avoidance - Risk mitigation by eliminating a risk cause and/or
consequence.
Risk limitation - Risk mitigation by implementing controls reducing the
negative impact of a threat exercising a vulnerability.
Risk transfer - Risk mitigation by using other options to compensate for a
loss due to a security incident.
Security
The state of being free from unacceptable risk. IT security focuses on reducing
the risk of computing systems, communications systems, and information being
misused, destroyed, or modified, or for information to be disclosed
inappropriately either by intent or accident.
Security incident
An accidental or malicious act that exercises a vulnerability resulting in the
potential of a negative impact.
Standards
Definition to be written
Storage Media
A device for storing, recording and transporting data; Ex: USB Flash drive, data
CD, external hard drive, remote server.

Subpoena duces tecum

A legal written request for the summoning of witnesses or the submission of
evidence, as records or documents, before a court or other deliberative body.
System Administrator
A person in charge of managing and maintaining a computer system or
telecommunication system.
Threats
Actions or events that potentially compromise the confidentiality, integrity,
availability, or authorized use. These threats may be human or non-human,
natural, accidental, or deliberate. Examples:
Acts of malice by individuals or groups; purposeful or malicious use of
information or information systems.
Natural or physical disasters such as fire, flood, hardware failures.
Unintentional oversight, action, or inaction; data left open to unauthorized
access; accidental deletion of data files; inadequate data backup
procedures.
Trojan Horse
A computer program that appears to perform a desirable function for the user
prior to run or install, but instead facilitates unauthorized access of the user's
computer system. A Trojan horse is a method of secretly introducing a virus or
malware program to a computer or computer network.
User
Synonymous with data user.
Virus
A computer program that can copy itself and infect a computer. A true virus can
spread from one computer to another when its host is taken to the target
computer through an email attachment, file transfer over a network or the
Internet, or delivered on a portable storage medium such as a USB drive or
floppy disk.
Vulnerabilities
Security exposures that increase the potential for a failure of security. A narrow
technical definition includes only those exposures created by software or
hardware design. However, a broader definition includes exposure that can be
inherent to an activity or practice. Examples:
Software or hardware that allows unauthorized access to information or
information systems.
Business practices such as collecting and storing personal information that
could, if revealed, be damaging to individuals.
Personal practices or procedures such as improperly protecting one's
password or providing inadequate physical environments for IT systems.
VLAN
A virtual LAN; a group of hosts with a common set of requirements that
communicate as if they were attached to the same broadcast domain,

regardless of their physical location. A VLAN has the same attributes as a

physical LAN, but it allows for end stations to be grouped together even if they
are not located on the same network switch
Worm
A self-replicating malware computer program that uses a computer network to
send copies of itself to other computers on the network without any user
intervention.