Glossary of UCSC IT Policy-Related Terms
Archive: Data that has been removed from the storage system, to another (off-line) location for historical purposes, available for reference or recovery on an as-needed basis. The archive medium may be different from that of the previously stored data, may be in a different physical location, and may, depending on the media and software used, be usable only after it has been run through a “restore” process.
Authentication: The process by which you prove your identity to another party. “Authentication is the act of confirming the identity of an individual by verification of the digital credentials presented by the individual when accessing a resource. An authentication credential may be:
- something the individual knows, such as a password, passphrase, or other secret information
- something the individual has, such as a smart card with a public-key certificate
- something that is biologically part of the individual, such as a fingerprint or a retina
Backup: A copy of data as it existed at a specific point in time. The backup is held on physically different media (but may be of the same type) as the active data set. Backup data may, depending on the medium and backup software used, be usable only after it has been run through a “restore” process.
Breach of Security: A breach of security occurs when there is a reasonable belief that an unauthorized person has acquired unencrypted electronic personal identity information (as defined below) or other restricted data. Good faith acquisition of personal information by a University employee or agent for University purposes does not constitute a security breach, provided that the personal information is not used or subject to further unauthorized disclosure.
Business “need to know” or “need to access:” Access to non-public EIRs covered by this policy is provided to employees or campus affiliates on a “need to know” basis – i.e., access to the electronic data elements or information is relevant in the ordinary course of the performance of the employee’s or affiliate’s officially assigned duties.
Campus Information Privacy Official: The individual designated by the Chancellor to have responsibility for campus compliance with legislation, University policy and campus policy on information privacy. The Privacy and Information Practices Director is the Campus Information Privacy Official for the Santa Cruz campus.
Campus Information Security Officer: The individual designated by the Chancellor to have responsibility for campus compliance with IS-3, and all other University policies on electronic information security. The Chief Information Officer, VP IT, is the Campus Information Security Officer for the Santa Cruz campus.
Compensating Control: Compensating controls are alternative protections that sufficiently mitigate the risk associated with a requirement. Compensating controls can be implemented where allowed when an entity cannot meet a requirement explicitly as stated, due to legitimate technical or documented business constraints. Compensating controls must
- meet the intent and rigor of the original stated requirement; and
- be commensurate with the additional risk imposed by not adhering to the requirement as stated
Computer Security Incident: See "Security Incident"
Confidential Information: The term confidential information applies broadly to information for which access or disclosure may be assigned some degree of sensitivity, and therefore, for which some degree of protection or access restriction may be warranted. Unauthorized access to or disclosure of information in this category could result in a serious adverse effect, cause financial loss, cause damage to the University’s reputation and loss of confidence or public standing, constitute an unwarranted invasion of privacy, or adversely affect a partner, e.g., a business or agency working with the University.
Customer Support: Service Providers responsible for working directly with customers and clients.
Data Integrator: Manager(s) of an EIR that integrates the data of two or more source systems. One of these source systems may be the Data Integrator’s system, itself.
Data Expert: See Subject Matter Expert.
Data Owner / Data Steward: See System Steward.
De-identify: Anonymize or remove information or data elements that could be used to connect sensitive information to a specific individual.
Device: Any electronic component, such as a computer, printer, router, switch, modem, PDA, etc.
Disaster recovery: Restoring a system or operational function after a service-impacting event.
Electronic Communications: Electronic communications are any information that is transmitted electronically. This includes, but is not limited to, email and email attachments, web pages, phone calls, faxes, broadcasts, electronically transmitted files, information submitted online, etc. It also applies to details about an individual’s online activities, and information from transactional logs. Please see the University-wide definition for additional details.
Electronic Communications Service Provider: Any campus unit or individual who provides electronic communications services that involve the use of University equipment and facilities.
Electronic Information Resource (EIR): A resource used in support of University activities that involves the electronic storage, processing or transmitting of data, as well as the data itself. Electronic Information Resources include application systems, operating systems, tools, communications systems, electronic services, including services offered through contracts with the university, data in raw, summary, and interpreted form; and associated computer servers, desktops (workstations), portable devices (laptops, PDAs) or media (CD ROM, memory sticks, flash drives), communications and other hardware used to conduct activities in support of the University’s mission. These resources are valued information assets of the University.
Electronic Personal Identity Information (PII): See Personal Identity Information (PII).
Electronic Protected Health Information (ePHI): Electronic Protected Health Information, or ePHI, is patient health information which is computer based, e.g., created, received, stored or maintained, processed and/or transmitted in electronic media, including computers, laptops, disks/CDs/DVDs, memory sticks, PDAs, servers, networks, dial-modems, email, web-sites, etc. ePHI is protected by Federal HIPAA legislation. ePHI is sometimes called "HIPAA data."
Email Relay: A service that allows third parties to process an email message where neither the sender nor the recipient is a local user.
Email Spam Robot (spam bot): A malicious program designed to covertly send unsolicited email (spam) from computers that it infects. The spam bot is remotely controlled as part of a collection, or “army,” of spam engines.
Encryption: The process of converting data into a cipher or code in order to prevent unauthorized access. The technique obfuscates data in such a manner that a specific algorithm and key are required to interpret the cipher.
Essential Resource: A resource is designated as Essential by the University of California if its failure to function correctly and on schedule could result in (1) a major failure by a Campus to perform mission-critical functions, (2) a significant loss of funds or information, or (3) a significant liability or other legal exposure to a Campus.
FERPA: The Federal Family Educational Rights and Privacy Act of 1974. The disclosure of information from student records is governed by FERPA. Campuses can lose Federal educational funding for the improper management and disclosure of non-public student records. At UCSC, information about FERPA and its application at UCSC is maintained by the Office of the Registrar.
File recovery: Restoring individual files or records from original, archive or backup media.
FTP: “File Transfer Protocol.” A non-secure method of transferring files between computers on a network. The currently preferred alternative is SFTP.
HIPAA: Federal Health Insurance Portability and Accountability Act. HIPAA Privacy and Security Laws mandate protection and safeguards for access, use and disclosure of protected health information and/or ePHI with sanctions for violations. Information and links are available at http://its.ucsc.edu/policies/hipaa.html.
HIPAA Data: See Electronic Protected Health Information (ePHI)
Host-Based Firewall: A host-based firewall is software that runs directly on a networked device and protects that device against attack from the network by controlling incoming and/or outgoing network traffic. Additional information: http://its.ucsc.edu/security/stay-secure/minreq/firewall.html
Hostile Software: See Malicious Software.
HTTP: “Hypertext Transfer Protocol.” The communication protocol (language) that enables web browsing.
HTTPS: “Secure Hypertext Transfer Protocol.” Acronym used to indicate a secure, encrypted HTTP connection.
IMAPS: Secure, encrypted IMAP.
Incident: See "Security Incident"
Infected Computer: A computer containing any type of malicious software.
Information Privacy Officer: See Campus Information Privacy Officer.
Information Security Officer: See Campus Information Security Officer.
IT Security Committee (ITSC): A cross-representational governance committee to the VP IT charged to coordinate and direct the development of appropriate campus policy to address the critical, ongoing need to provide a comprehensive oversight process for protecting campus information assets and electronic systems.
Malicious Software, or "malware": A generic term for software that performs unauthorized activities on a computer, causes damage or allows unauthorized access to be gained. Examples of malicious software include viruses, spyware, and email spam robots. Additional information: http://www.comptechdoc.org/independent/security/recommendations/sechostilesoftware.html
"Need to Know:" See Business “need to know” or “need to access”.
Network Service: A resource running on a device that can be shared by other computers. Examples include web servers, mail servers, file sharing, remote connectivity capability, DHCP servers.
Payment Card Industry: Credit card number in conjunction with name is a form of personal identity information (PII). Credit card information is also regulated by the Payment Card Industry (PCI) Data Security Standard (DSS). This Standard is a set of data security requirements that apply to all employees, merchants, vendors, service providers, contractors and business partners who store, process or transmit credit cardholder data, as well as to all system components included in or connected to the cardholder data environment. The complete Standard is available online at https://www.pcisecuritystandards.org
PCI DSS: Payment Card Industry Data Security Standard. See Payment Card Industry.
Personal Identity Information (PII): Personal identity information (PII) is the electronic manifestation of an individual’s first name or first initial, and last name, in combination with one or more of the following:
- Social Security number (SSN)
- Driver's license number or State-issued Identification Card number
- Account number*, credit or debit card number in combination with any required security code, access code, or password that could permit access to an individual’s financial account
- Medical information, including any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional
- Health insurance information, including an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals records
This definition of electronic PII is not dependent on where the personal identity information is stored. This includes, but is not limited to, formal database systems such as DB2, Sybase, or Oracle as well as simple text files, spreadsheets, etc. Electronic personal identity information may exist on, but is not limited to, hard drives, magnetic tape, optical disks, diskettes, hand held computing devices, etc.
*Note: “Account number” is not defined in the legislation but can refer to any financial account such as a bank or brokerage account, etc.
POP: “Post Office Protocol.” A protocol used to retrieve email from a mail server.
POPS: Secure, encrypted POP.
Primary Service Provider (also known as the Responsible Service Provider): The Service Provider with primary responsibility or oversight for a given system. See Service Provider for additional information.
Privileged Access: Privileged access is any access to systems, applications, databases, etc. that enables a user to carry out system administration functions, or that provides broad access to personal or institutional data (beyond just the user's own data).
Proxy Server: A server interposed between a client application, such as a Web browser, and a source server.
Public Information: Public information is any information relating to the conduct of the public's business. In the case of personal information the term relates to information that has been determined not to constitute an unwarranted invasion of privacy if publicly disclosed.
Record Proprietor: The individual with management responsibility for the records associated with a university administrative function. See UC Business and Finance Bulletin RMP-2, Section VI.C.3 for a more complete definition and responsibilities. Also see System Steward, below.
Redact: To obscure or remove the sensitive portions of a data set or document, typically prior to publication or release.
Resource Proprietor: See System Steward.
Responsible Service Provider: See Primary Service Provider.
Restricted data or information: Any confidential or personal information that is protected by law or policy and that requires the highest level of access control and security protection, whether in storage or in transit. The term should not be confused with that used by the UC-managed national laboratories where federal programs may employ a different classification scheme.
At UCSC, restricted data includes, but is not necessarily limited to
- Personal Identity Information (PII) (see definition above),
- Electronic protected health information (ePHI) protected by Federal HIPAA legislation (see definition above),
- Credit card data regulated by the Payment Card Industry (PCI) (see definition above),
- Information relating to an ongoing criminal investigation,
- Court-ordered settlement agreements requiring non-disclosure,
- Information specifically identified by contract as restricted,
- Other information for which the degree of adverse effect that may result from unauthorized access or disclosure is high.
SCP: “Secure Copy.” A utility that allows files to be copied between machines. SCP is an updated version of an older, insecure utility named RCP (Remote Copy). It works the same, except that information (including the password used to log in) is encrypted in transit.
Security Audit Agent: An application that checks for vulnerabilities on machines operating on the network. The Internet Engineering Task Force (IETF) name for this is “posture broker.”
Security Incident: In the context of information security, a security incident is any attempted or successful unauthorized access, disclosure, or misuse of computing systems, data or networks, including hacking and theft.
Sensitive Data: "Sensitive data" is an informal term used to describe information with some level of sensitivity. At the University of California, sensitive data is typically called "Confidential Data". Highly sensitive confidential data is called "Restricted Data".
Service Provider (also known as the Resource Custodian): The department or individual that is responsible for regular operational support, backup, and system maintenance of an Electronic Information Resource (EIR), as well as for ensuring appropriate technical measures and checks are in place for protection of electronic restricted data under their control, including any downloading of such information, in partnership with a System Steward/Data Integrator, as appropriate. Often one Service Provider has primary responsibility or oversight for a given system and may be designated the Primary or Responsible Service Provider.
Session Timeout: A process that automatically prevents user access to a system or application after a period of inactivity. The purpose of timeouts is to lock out unauthorized users when a system is unattended or when someone forgets to log out of an application.
SFTP: “Secure File Transfer Protocol.”
- A program similar to FTP that uses SSH to transfer files. Unlike FTP, SFTP encrypts both the session and the password so nothing is sent in clear text form. This prevents an eavesdropper from capturing or stealing passwords or data as they travel over the network.
- A secure, encrypted method of transferring files between computers on a network.
SMTP: “Simple Mail Transfer Protocol.” The de facto standard for email transmissions across the Internet. SMTP is a text-based protocol, where one or more recipients of a message are specified and then the message text is transferred.
SNMP: “Simple Network Management Protocol.” A protocol used by network management systems to monitor network-attached devices for conditions that warrant administrative attention. It consists of a set of standards for network management, including an application layer protocol, a database schema, and a set of data objects.
Spam Bot: See Email Spam Robot
Spyware: Computer programs that typically track your use and report this information to a remote location. The more malicious spyware programs may capture and report keystrokes, revealing passwords and personal information. Users are often tricked into installing spyware programs without their knowledge. Spyware is sometimes referred to as adware.
SSH: “Secure Shell.” A program that provides secure, encrypted communications to log into another computer over a network, execute commands on a remote machine, or move files from one machine to another. SSH also provides strong encryption for authentication. SSH is the currently preferred alternative to Telnet.
SSL: “Secure Sockets Layer.” A cryptographic (encrypted) protocol that provides secure communications on the Internet for such things as web browsing, email, Internet faxing, instant messaging and other data transfers. SSL is the technology that SSH uses.
SSL Certificate: SSL certificates (certs) are used to confirm the identity of a website or server, encrypt data during transmission, and ensure the integrity of transmitted data.
Student Records Protected by FERPA: See FERPA.
Subject Matter Expert (or Data Expert): A Subject Matter Expert (SME) is the individual or unit responsible for advising on the appropriate use, protection, access, degree of sensitivity, criticality, and risk tolerance of a specific data set. A SME can be, but is not necessarily, the System Steward for that data set. Integrated data typically has multiple SMEs.
System: In general, any interrelated group of electronic components, e.g. hardware and/or software, that work as a coherent entity. With respect to information security breaches, a system is any computer readable collection of information that contains electronic data in an organized form such that information about a particular subject can be distinguished from information about other subjects.
System Steward (also known as the Electronic Information Resource Proprietor; Data, Resource, or Record Proprietor (see definition above); Data Steward; or Data Owner): The individual with ultimate responsibility for a defined set of University electronic information, including determining who should have access to it, and ensuring that the information is protected adequately and is used in ways consistent with the mission of the University as a whole. This can be, but is not limited to, the operating head of a unit or a designee.
System Steward Representative: The individual to whom the System Steward has delegated authority for carrying out specific activities for which the System Steward is ultimately responsible. This can be, but is not necessarily, a Service Provider (see definition above).
Transactional Information: Information, including electronically gathered information, needed either to complete or to identify an electronic communication. Examples include but are not limited to: electronic mail headers, summaries, addresses and addressees; records of telephone calls; and IP address logs. Transactional information does not include the actual contents of people's computers, files, emails, telephone conversations, etc.
Truncate: To make shorter. This can be for the purpose of reducing or eliminating the sensitivity of data, such as using the last four digits of a Social Security number instead of the entire number.
Updates: Updates “fix” an inherent flaw or security risk in an operating system (the basic program that runs a computer) or in application software. Updates are released on an as-needed basis – typically from the operating system or software vendor (such as Microsoft, Apple, or Mozilla).
Virus: Computer viruses are small, self-replicating computer programs that interfere with computer operation. The effect of viruses can range from negligible to devastating, depending on what the virus program does when it runs. A virus might, for example, corrupt or delete data on a computer, spread itself to other computers, or even install a malicious program.
Please see Roles and Responsibilities for UCSC Electronic Information Resources (PDF) [draft] for additional information about this role and associated responsibilities.
See UC Business and Finance Bulletin, IS-2, Inventory, Classification, and Release of University Electronic Information, Section III.A.1, Confidentiality, and Appendix A, Definitions, for additional details.
Based on the definition from the UC Electronic Communications Policy, Appendix A: Definitions
Rev. Sept 2014