Glossary of UC Santa Cruz IT Policy-Related Terms

| A | B | C | D | E | F | G | H | I | J | K | L | M | N | O | P | Q | R | S | T | U | V | W | X Y Z |

Glossary of Roles | Getting Help |


Acceptable Use: A term referring to usage of Institutional Information and IT Resources that complies with UC’s security, privacy and ethics policies.

Administrative Record: See Record

Archive: Data that has been removed from the storage system, to another (off-line) location for historical purposes, available for reference or recovery on an as-needed basis. The archive medium may be different from that of the previously stored data, may be in a different physical location, and may, depending on the media and software used, be usable only after it has been run through a “restore” process.

Asset: A term used to collectively refer to IT Resources and Institutional Information.

Attribute-Based Access Control (ABAC): A method of controlling access to digital resources and information based on the attributes (or characteristics), rather than roles, of users, resources, and environmental conditions. In the context of UC Santa Cruz, ABAC would involve considering various attributes such as user roles (e.g., student, faculty, staff, contractors), department affiliations, clearance levels, time of access, location, and other relevant factors when determining access permissions.

Authentication: The process by which you prove your identity to another party. “Authentication is the act of confirming the identity of an individual by verification of the digital credentials presented by the individual when accessing a resource. An authentication credential may be:

  • something the individual knows, such as a password, passphrase, or other secret information
  • something the individual has, such as a smart card with a public-key certificate
  • something that is biologically part of the individual, such as a fingerprint or a retina

Availability Level: The degree to which Institutional Information and IT Resources must be accessible and usable to meet business needs. See Availability Levels for UC Information for details.


Breach (Breach of Security): Any confirmed disclosure or unauthorized acquisition of Institutional Information that compromises the security, confidentiality or integrity of Institutional Information maintained by UC. Good faith acquisition of personal information by a University employee or agent for University purposes does not constitute a security breach, provided that the personal information is not used or subject to further unauthorized disclosure.

Backup: A copy of data as it existed at a specific point in time. The backup is held on physically different media (but may be of the same type) as the active data set. Backup data may, depending on the medium and backup software used, be usable only after it has been run through a “restore” process.

Business “need to know” or “need to access:” A method of isolating information resources that a user requires to do their job, but no more. access to electronic data elements or information is relevant in the ordinary course of the performance of the employee’s or affiliate’s officially assigned duties. 


Cloud Service: A cloud service is any service that is hosted remotely and provided over the Internet.

Compensating Control: Compensating controls are alternative protections that sufficiently mitigate the risk associated with a requirement. Compensating controls can be implemented where allowed when an entity cannot meet a requirement explicitly as stated, due to legitimate technical or documented business constraints. Compensating controls must

  • meet the intent and rigor of the original stated requirement; and 
  • be commensurate with the additional risk imposed by not adhering to the requirement as stated

Computer Security Incident: See "Security Incident"

Confidential Information: At UC, the data classifications Confidential and Restricted are no longer being used in policy. They have been replaced by the concepts of Protection Level and Availability Level ratings.

Critical IT Infrastructure: 

  1. IT Resources that manage unrelated sets of Institutional Information or sets of large or particularly sensitive Institutional Information.
  2. IT Resources that meet two conditions: a) Several information systems rely on the resource such that a security issue with the resource would affect multiple systems. b) The default or standard method for securing the system is inappropriate due to an elevated level of risk, complexity, or the specialized nature of the IT Resource

Cyber Incident Escalation Protocol: A required process used to ensure that appropriate incident communication occurs at the Location and from the Location to the UCOP cyber leadership team, UCOP supporting departments/functions and the Regents of the University of California.


De-identify: Anonymize or remove information or data elements that could be used to connect sensitive information to a specific individual.

Device: Any electronic component, such as a computer, printer, router, switch, modem, PDA, etc.

Disaster recovery: Restoring a system or operational function after a service-impacting event.

Disposition: The systematic treatment of records that are no longer active. Options for disposition are: 1. Transfer to an inactive records storage area or commercial records center, 2. Transfer to the University Archives, or 3. Records destruction.


Electronic Communications: Any information that is transmitted electronically. This includes, but is not limited to, email and email attachments, Google Docs, web pages, phone calls, faxes, broadcasts, electronically transmitted files, information submitted online, etc. It also applies to details about an individual’s online activities, and information from transactional logs. 

Electronic Information Resource (EIR): A resource used in support of University activities that involves the electronic storage, processing or transmitting of data, as well as the data itself. Electronic Information Resources include application systems, operating systems, tools, communications systems, electronic services, including services offered through contracts with the university, data in raw, summary, and interpreted form; and associated computer servers, desktops (workstations), portable devices (laptops, PDAs) or media (CD ROM, memory sticks, flash drives), communications and other hardware used to conduct activities in support of the University’s mission. These resources are valued information assets of the University.

Electronic Personally Identifiable Information (PII): See Personally Identifiable Information (PII).

Electronic Protected Health Information (ePHI): Sometimes called "HIPAA data." Electronic protected Health Information, or ePHI, is patient health information which is computer based, e.g., created, received, stored or maintained, processed and/or transmitted in electronic media, including computers, laptops, disks/CDs/DVDs, memory sticks, PDAs, servers, networks, dial-modems, email, web-sites, etc. EPHI is protected by Federal HIPAA legislation.

Email Relay: A service that allows third parties to process an email message where neither the sender nor the recipient is a local user.

Email Spam Robot (spam bot): A malicious program designed to covertly send unsolicited email (spam) from computers that it infects. The spam bot is remotely controlled as part of a collection, or “army,” of spam engines.

Encryption: The process of converting data into a cipher or code in order to prevent unauthorized access.  The technique obfuscates data in such a manner that a specific algorithm and key are required to interpret the cipher.

Essential Resource: A resource is designated as Essential by the University of California if its failure to function correctly and on schedule could result in

  1. A major failure by a Campus to perform mission-critical functions
  2. A significant loss of funds or information
  3. A significant liability or other legal exposure to a Campus. 
A system required for the operation of a major function is an essential system.


FERPA: The Federal Family Educational Rights and Privacy Act of 1974. The disclosure of information from student records is governed by FERPA. Campuses can lose Federal educational funding for the improper management and disclosure of non-public student records. At UC Santa Cruz, information about FERPA and its application at UC Santa Cruz is maintained by the Office of the Registrar.

File recovery: Restoring individual files or records from original, archive or backup media.

FTP: “File Transfer Protocol.” A non-secure method of transferring files between computers on a network. The currently preferred alternative is SFTP.

Functional Account: (sometimes called a shared account) An account that can be accessed by multiple individuals to allow them to appear as a single business entity or accomplish a single shared function (e.g., “physics department” or “chancellor’s office"). Auto logon systems that automatically log users in (e.g., kiosk1, guest1, etc.) should also be treated as functional accounts.


HIPAA: Federal Health Insurance Portability and Accountability Act. HIPAA Privacy and Security Laws mandate protection and safeguards for access, use and disclosure of protected health information and/or ePHI with sanctions for violations. Information and links are available at

HIPAA Data: See Electronic Protected Health Information (ePHI)

High Risk Data: Information classified at UC Protection Level 4 (P4)

Host-Based Firewall: A host-based firewall is software that runs directly on a networked device and protects that device against attack from the network by controlling incoming and/or outgoing network traffic. Additional information:

HTTP: “Hypertext Transfer Protocol.” The communication protocol (language) that enables web browsing.

HTTPS: “Secure Hypertext Transfer Protocol.” Acronym used to indicate a secure, encrypted HTTP connection.


IMAP: “Internet Message Access Protocol.” A mail protocol that provides access to email and management of email messages on a remote server.

IMAPS: Secure, encrypted IMAP.

Inactive Records: Records that are no longer required for day-to-day business and may be obsolete. At the end of their active use, records should be systematically removed from active systems and from prime office spaces. If the retention period found in the UC Records Retention Schedule has lapsed, the inactive records may be eligible for destruction. If the retention periods have not lapsed or the inactive records are still required for a records hold or other legitimate business requirement, then they should be managed in secure environments for appropriate lengths of time based on the Schedule prior to their destruction. Should the inactive records have permanent retention periods, they may be eligible to be formally transferred to the University Archives.

Information Security Event: An identified occurrence in a system, service or network state indicating a possible breach of information security policy, a failure of controls or a previously unknown situation that may be relevant to security. 

Infected Computer: A computer containing any type of malicious software.

Information Security Incident Response Plan: An Information Security Incident Response Plan is the written document detailing the steps required to address and manage an Incident or cyber attack. A response plan is one part of a Security Program.

Information Security Incident Response Program: The full, comprehensive effort to identify, prevent, prepare for, respond and recover from Incidents or cyber attacks

Individual Account: An account that is under the control of a specific individual and is not accessible to others.

Individual Devices: End-user workstations that do not meet the definition of "Privileged Access Devices" or "Institutional Devices"

Individually-Owned Data: Data which is defined as an individual’s own personal information that is not considered "Institutional Information"

Institution: University of California

Institutional Devices: 

  • Devices that store 500 or more records of protected data -OR-
  • Servers that store, process or transmit protected data. This includes database servers, application servers, web front-end servers, back-up and storage systems and any systems that provide authentication, authorization or configuration management for those systems -OR-
  • Systems with stored credentials that access protected data in any of the above systems

Institutional Information: A term that broadly describes all data and information created, received and/or collected by UC.

Integrity: The consistency, accuracy and trustworthiness of data over its entire lifecycle. Integrity is one of the 3 elements of the "CIA Triad" security model (Confidentiality, Integrity, and Availability).

ISMP: Information Security Management Program (ISMP) is an overall program of identifying and managing information security risk within established UC and Location tolerances. The ISMP identifies the requirements for a Location-wide information security program and describes the established or planned management controls and common controls for meeting those requirements. It combines elements related to cyber security to manage risk to acceptable levels. This includes management commitment, policies, standards, procedures, work instructions, tools, systems of record, guidelines and checklists.

IT Resource: A term that broadly describes IT infrastructure, software and/or hardware with computing and networking capability. These include, but are not limited to: personal and mobile computing systems and devices, mobile phones, printers, network devices, industrial control systems (SCADA, etc.), access control systems, digital video monitoring systems, data storage systems, data processing systems, backup systems, electronic and physical media, biometric and access tokens and other devices that connect to any UC network.


Least Perusal: Concept for granting access to systems. Activities shall be limited to the minimal access and retention required to ensure the reliability and security of systems. Also sometimes referred to as "Need-to Know"

 Least Privilege Access: The practice of limiting access to the minimum level that will allow normal functioning. Applied to Workforce Members, this principle translates to giving people the minimum level of access rights they require to do their jobs. Applied to security architecture, each entity is granted the minimum system resources and authorizations it needs to perform its function.

Location: A discrete organization or entity governed by the Regents of the University of California. Locations include, but are not limited to: campuses, laboratories, medical centers and health systems, as well.

Long-term Retention: A retention period of more than five years (including permanent retention).

Low Risk Data: Information classified at UC Protection Level 2 (P2)


Malicious Software, or "malware": A generic term for software that performs unauthorized activities on a computer, causes damage or allows unauthorized access to be gained. Examples of malicious software include viruses, spyware, and email spam robots. 

Minimal Risk Data: Information classified at UC Protection Level 1 (P1)

Moderate Risk Data: Information classified at UC Protection Level 3 (P3)

Multifactor Authentication (MFA): An authentication system that requires more than one distinct authentication factor for successful authentication. Multifactor authentication can be performed using a multifactor authenticator or by a combination of authenticators that provide different factors.


"Need to Know:" See Business “need to know” or “need to access”.

Network Service: A resource running on a device that can be shared by other computers. Examples include web servers, mail servers, file sharing, remote connectivity capability, DHCP servers.

Non-record: Material that is of immediate value only. Non-records do not serve to document the organization, functions, policies, decisions, procedures, operations, or other activities of the university, and have little or no operational value.


Passphrase: A sequence of words or other text used as part of the authentication process. A passphrase is similar to a password in usage, but is generally longer for added security.

Password: A string of characters (letters, numbers and/or symbols) used to authenticate an identity, verify access authorization or derive cryptographic keys. Generally composed of not more than 8-16 characters.

Payment Card Industry: Credit card number in conjunction with name is a form of personally identifiable information (PII). Credit card information is also regulated by the Payment Card Industry (PCI) Data Security Standard (DSS). This Standard is set of data security requirements that apply to all employees, merchants, vendors, service providers, contractors and business partners who store, process or transmit credit cardholder data, as well as to all system components included in or connected to or the cardholder data environment. PCI Compliance at UC Santa Cruz:

PCI DSS: Payment Card Industry Data Security Standard. See Payment Card Industry.

Personal Identification Number (PIN): A memorized secret typically consisting of numerical digits.

Personnel Records:

Academic Personnel Records include, but are not limited to: confidential academic review records, non-confidential academic review records and "personal" information (as defined in Section 160 of the Academic Personnel Manual).

Staff Personnel Records (listed in Section 80 of the Personnel Policies for Staff Members) include, but are not limited to:
  • Home telephone number and home address
  • Spouse's or other relatives' names
  • Birth date
  • Citizenship
  • Income tax withholdings
  • Information relating to evaluation of performance
Academic and staff personnel records are generally classified as UC Protection Level 3 (P3).

Personally Identifiable Information (PII): A category of sensitive information that’s associated with an individual person and can be used to uniquely identify, contact or locate that person. PII should be accessed on a strict need-to-know basis and handled carefully. Examples include:

  • Social Security Number.
  • Driver’s license number.
  • Passport number.
  • National ID number.
  • Visa identification number.

California S.B. 1386 amended civil codes 1798.29, 1798.82 and 1798.84, the California law regulating
the privacy of personal information. Therefore, while Federal law and NIST uses PII, California law
uses PI. UC generally opted to follow California law.

This definition comes from the UC Protection Level Classification Guide. More information can also be found in University of California – Policy BFB-RMP-7.

Physical Media: The tangible, physical materials or devices that are used to store or transmit Institutional Information. They can be touched and felt, having physical properties such as weight and color.

Policy-Based Access Control (PBAC): A method of controlling access to digital resources and information based on predefined policies. These policies specify the conditions under which access to resources is allowed or denied, typically based on attributes such as user roles (e.g., student, faculty, staff, contractors), department affiliations, time of access, location, and other relevant factors.

POP: “Post Office Protocol.” A protocol used to retrieve email from a mail server.

POPS: Secure, encrypted POP.

Privileged Access: Privileged access is any access to systems, applications, databases, etc. that enables a user to carry out system administration functions, or that provides broad access to personal or institutional data (beyond just the user's own data).

Procedure: A collection of steps or processes that describe how the requirements of a specific job task, policy or standard are met.

Protected Data: A general term used to refer to information classified at UC Protection Level 2 (P2) or higher.

Protected Data Applications: Information systems that handle, store, or transmit institutional data restricted by laws and policies, or that handle institutional data classified as UC P2 or higher.

Protection Level: An assigned number representing the level of protection needed for Institutional Information or an IT Resource. The scale goes from the minimum level of protection (Protection Level 1) to the highest level of protection (Protection Level 4) and is based on the potential harm resulting from unauthorized access, disclosure, loss of privacy, compromised integrity or violation of external obligations. See Protection Levels for UC Institutional Information for more details.

P3-P4 Data: Definition of P3-P4 data. Protection of P3-P4 data.

Proxy Server: A server interposed between a client application, such as a Web browser, and a source server.

Public Information: Public information is any information relating to the conduct of the public's business. In the case of personal information the term relates to information that has been determined not to constitute an unwarranted invasion of privacy if publicly disclosed.


Record: Any writing, regardless of physical form or characteristics, containing information relating to the conduct of the public’s business prepared, owned, used, or maintained by an operating unit or employee of the university. “Writing” means handwriting, typewriting, printing, photostating, photographing, photocopying, transmitting by electronic mail or facsimile, and every other means of recording upon any tangible thing any form of communication or representation, including letters, words, pictures, sounds, or symbols, or combination thereof, and any record thereby created, regardless of the manner in which the record has been stored. The term “administrative record” is used to describe any record that documents or contains valuable information related to the organization, functions, policies, decisions, procedures, operations, or other business activities of the university.

Records Access Notice: A notice to separating and separated employees to provide the University with copies of, or access to, all records in their possession that pertain to the administrative business of the University.

Records Custodian: The individual with responsibility for maintenance of the records of a university department or unit.

Records Lifecycle: The three stages through which records are to be managed: (1) creation or receipt; (2) use; and (3) disposition.

Records Management Program: In accordance with RMP-1, the Program that promotes sound, efficient, and economical records management in the following areas: (1) creation, organization of, and access to records; (2) maintenance and retention of Administrative Records; (3) security and privacy of records; (4) protection of records vital to the University; (5) preservation of records of historical importance; (6) disposition of Administrative Records when they no longer serve their purpose; and (7) other functions the University may deem necessary for good records management.

Records Proprietor: The individual with management responsibility for the records associated with a university administrative function.

Records Retention: The maintenance of records for prescribed time periods. See also: Long-term Retention and Short-term Retention.

Redact: To obscure or remove the sensitive portions of a data set or document, typically prior to publication or release. 

Restricted data:  At UC, the data classifications Confidential and Restricted are no longer being used in policy. They have been replaced by the concepts of Protection Level and Availability Level ratings.

Risk Acceptance: Risk acceptance is the process of deciding whether a risk is within the tolerances acceptable to an organization. This determination must take into consideration both the likelihood and impact of a negative event, the combination of which represents the “risk". In the context of information security, impacts may include:

  • Loss of critical Campus operations
  • Negative financial impact (breach response costs, money lost, lost opportunities, value of the data)
  • Damage to the reputation of the Institution
  • Risk of harm to individuals (such as in the case of a breach of personal information)
  • Potential for regulatory or legal action
  • Requirement for corrective actions or repairs
  • Violation of University of California or UC Berkeley mission, policy, or principles
Risk acceptance is one component of risk management, along with risk avoidance, risk mitigation, risk sharing, and risk transfer[1], and must occur at the level of campus authority that matches the potential risks. [1] NIST SP 800-39, Sec 3.3 (Activities, Task 3-)

Risk Assessment: A process to identify, rate and prioritize risk, as well as to document risk tolerance.

Risk Treatment Plan: A pre-approved plan to provide a standard, scalable and repeatable response to address pre-identified risks in a specific situation.

Risk-Based Approach: A process for managing information security risk including:

  1. A general overview of the risk management process
  2. How organizations establish the context for risk-based decision
  3. How organizations assess risk in considering threats, vulnerabilities, likelihood and consequences/impact
  4. How organizations respond to risk once determined
  5. How organizations monitor risk over time with changing mission/business needs, operating environments and supporting information systems.

Role-Based Access Control (RBAC): A method of managing access to digital resources and information based on the roles and responsibilities of individuals within the organization. Individuals are only allowed to access the information necessary to effectively perform their job duties. This approach entails defining roles within UC Santa Cruz, such as student, faculty, staff, contrcactor, administrator, etc., and assigning permissions and privileges to these roles accordingly.


SCP: “Secure Copy.” A utility that allows files to be copied between machines. SCP is an updated version of an older, insecure utility named RCP (Remote Copy). It works the same, except that information (including the password used to log in) is encrypted in transit.

Secure Deletion: Any disposal process that removes the ability to access the respective file, record or data in the operating system or application. ITS offers secure data disposal as a service.

Security Audit Agent: An application that checks for vulnerabilities on machines operating on the network. The Internet Engineering Task Force (IETF) name for this is “posture broker.”

Security Incident: A compromise of the confidentiality, integrity or availability of Institutional Information in a material or reportable way. A single event or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations or threatening information security.

Sensitive Data: Sensitive data is an informal term used to describe information with some level of sensitivity. At the University of California, "sensitive data" is categorized using the Protection Level and Availability Level scales.

Separation of Duties: A process that addresses the potential for abuse of authorized privileges and helps reduce the risk of malicious activity without collusion. Separation of duties includes:

  1. Dividing operational functions and information system support functions among different individuals and/or roles
  2. Dividing information system support functions between different individuals (e.g., system management, programming, configuration management, quality assurance and testing, network security)
  3. Ensuring that security personnel administering access control functions do not also administer audit functions.

Service Account: Accounts intended for automated processes such as running batch jobs or applications.

Session Timeout: A process that automatically prevents user access to a system or application after a period of inactivity. The purpose of timeouts is to lock out unauthorized users when a system is unattended or when someone forgets to log out of an application.

SFTP: “Secure File Transfer Protocol.”

  • A program similar to FTP that uses SSH to transfer files. Unlike FTP, SFTP encrypts both the session and the password so nothing is sent in clear text form. This prevents an eavesdropper from capturing or stealing passwords or data as they travel over the network.
  • A secure, encrypted method of transferring files between computers on a network.

Shared-Fate: If a data or system compromise would cause further and extensive compromise from multiple (even unrelated) sensitive systems, the data or system creating this "shared-fate" warrants an elevated UC P4. 

Short-term Retention: A retention period of five years or less.

SMTP: “Simple Mail Transfer Protocol.” The de facto standard for email transmissions across the Internet. SMTP is a text-based protocol, where one or more recipients of a message are specified and then the message text is transferred.

SNMP: “Simple Network Management Protocol.” A protocol used by network management systems to monitor network-attached devices for conditions that warrant administrative attention. It consists of a set of standards for network management, including an application layer protocol, a database schema, and a set of data objects.

Spyware: Computer programs that typically track your use and report this information to a remote location. The more malicious spyware programs may capture and report keystrokes, revealing passwords and personal information. Users are often tricked into installing spyware programs without their knowledge. Spyware is sometimes referred to as adware.

SSH: “Secure Shell.” A program that provides secure, encrypted communications to log into another computer over a network, execute commands on a remote machine, or move files from one machine to another. SSH also provides strong encryption for authentication. SSH is the currently preferred alternative to Telnet.

SSL: “Secure Sockets Layer.” A cryptographic (encrypted) protocol that provides secure communications on the Internet for such things as web browsing, email, Internet faxing, instant messaging and other data transfers. SSL is the technology that SSH uses.

SSL Certificate: SSL certificates (certs) are used to confirm the identity of a website or server, encrypt data during transmission, and ensure the integrity of transmitted data.

Standard: Requirements that specify the set of administrative, technical or procedural controls necessary to meet the related policy. Standards differ from policy in that they can be more detailed and can change more rapidly in response to new technology or to new or evolving threats.

Statutory Requirement for Notification: California State Civil Code 1798.29 and other legal statues, such as the Health Insurance Portability and Accountability Act (HIPAA), require notification to individuals in the event of a security breach of certain personal information. The Berkeley campus also refers to this data as "notice-triggering" information:

  • Social security number
  • Government issued identification numbers
  • Driver's license number. California identification card number, tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used for identity verification
  • Financial account numbers, credit or debit card numbers, and financial account security codes, access codes, or passwords
  • Personal medical information*
  • Personal health insurance information*
  • Biometric data used for authentication purposes, including photographs used or stored for facial recognition purposes
  • A username or email address, in combination with a password or security question and answer that would permit access to an online account
  • Information or data collected through the use or operation of an automated license plate recognition system
  • Separate but related is personal information under the General Data Protection Regulation (GDPR)
  • Genetic data as defined by California AB-825 (effective 1/1/2022)

* California State Civil Code 1798.29 applies to personal medical information and personal health insurance information even under circumstances not covered by HIPAA. See section (h) for definitions under this law.

System: In general, any interrelated group of electronic components, e.g. hardware and/or software, that work as a coherent entity. With respect to information security breaches, a system is any computer readable collection of information that contains electronic data in an organized form such that information about a particular subject can be distinguished from information about other subjects.


Telnet: A network protocol used for connecting to a remote host or server. Telnet is an insecure Internet protocol. The currently preferred alternative is SSH.

Transactional Information: Information, including electronically gathered information, needed either to complete or to identify an electronic communication. Examples include but are not limited to: electronic mail headers, summaries, addresses and addressees; records of telephone calls; and IP address logs. Transactional information does not include the actual contents of people's computers, files, emails, telephone conversations, etc.

Truncate: To make shorter. This can be for the purpose of reducing or eliminating the sensitivity of data, such using the last four digits of a Social Security number instead of the entire number.


UC Records Retention Schedule: A universitywide document that lists and governs the retention period and the disposition of identified records that are common across the University of California (UC) system.

Unit: An IT, academic, research, administrative or other entity operating within UC. A Unit is typically a defined organization or set of departments.

University Archivist: The individual at each campus, appointed by the University Librarian, who is responsible for the preservation of campus administrative records that deal with the history of the university.

Updates: Updates “fix" an inherent flaw or security risk in an operating system (the basic program that runs a computer) or in application software. Updates are released on an as-needed basis – typically from the operating system or software vendor (such as Microsoft, Apple, or Mozilla).


Virus: Computer viruses are small, self-replicating computer programs that interfere with computer operation. The effect of viruses can range from negligible to devastating, depending on what the virus program does when it runs. A virus might, for example, corrupt or delete data on a computer, spread itself to other computers, or even install a malicious program.

Vital Record: Records that are essential to the protection of the rights of individuals, and records that are essential that are essential to the protection of the university's rights, assets, and/or the execution of its public (contractual) obligations.


Workforce Manager: A person who supervises/manages other personnel or approves work or research on behalf of the University.

Workforce Member: An employee, faculty, staff, volunteer, contractor, researcher, student worker, student supporting/performing research, medical center staff/personnel, clinician, student intern, student volunteer, or person working for UC in any capacity or other augmentation to UC staffing levels.


Glossary of Roles

Administrative Official: See Unit Head

Application Coordinator: See Service Manager

Campus Information Privacy Official: The individual designated by the Chancellor to have responsibility for campus compliance with legislation, University policy and campus policy on information privacy. The Privacy and Information Practices Director is the Campus Information Privacy Official for the Santa Cruz campus.

Campus Information Security Officer (CISO): The individual designated by the Chancellor to have responsibility for campus compliance with IS-3, and all other University policies on electronic information security. The Chief Information Officer, VP IT, is the Campus Information Security Officer for the Santa Cruz campus.

Customer Support: Service Providers responsible for working directly with customers and clients.

CRE: The Cyber-risk Responsible Executive (CRE) is an individual in a senior management or academic position who reports to the chancellor or top Campus executive. The CRE is accountable for all information risk assessments, security strategies, planning and budgeting, incident management, and information security implementation.

Data Integrator: Manager(s) of an EIR that integrates the data of two or more source systems. One of these source systems may be the Data Integrator’s system, itself.

Data Expert: See Subject Matter Expert.

Data Owner / Data Steward: See System Steward.

Electronic Communications Service Provider: Any campus unit or individual who provides electronic communications services that involve the use of University equipment and facilities.

Information Privacy Officer: See Campus Information Privacy Officer.

Information Security Officer: See Campus Information Security Officer.

IT Security Committee (ITSC): A cross-representational governance committee to the VP IT charged to coordinate and direct the development of appropriate campus policy to address the critical, ongoing need to provide a comprehensive oversight process for protecting campus information assets and electronic systems.

Institutional Information Proprietor: The individual or identified group responsible for the Institutional Information and processes supporting a University function. Proprietor responsibilities include, but are not limited to: ensuring compliance with University policy regarding the classification, protection, access to and release of information according to procedures established by UC, the Location or the department, as applicable to the situation.

IT Resource Proprietor: The individual responsible for the IT Resources and processes supporting a University function. Proprietor responsibilities include, but are not limited to: ensuring compliance with University policy regarding the classification, protection, access to, location, and disposition of IT Resources. Proprietors are also responsible for ensuring compliance with federal or state law or regulation. 

Records Management Coordinator: The individual at each campus, the Office of the President, the Division of Agriculture and Natural Resources, and the Lawrence Berkeley National Laboratory responsible for the development, coordination, implementation, and management of the Records Management Program at that location.

Researcher: UC faculty members, students or affiliates, including Principal Investigators, conducting research on behalf of UC. A Researcher is also a Workforce Member.

Service Manager: A Service Manager has overall accountability for defining a service, application, or system, ensuring services are delivered in accordance with agreed business requirements, and managing the service lifecycle. 

Service ProviderUC groups or organizations providing specific IT services to a Unit.

Subject Matter ExpertWorkforce Members who are responsible for their domain expertise.

Supplier: An external, third-party entity that provides goods or services to UC.

System Steward (also known as the Electronic Information Resource Proprietor; Data, Resource, or Record Proprietor; Data Steward; or Data Owner):  At UC, the term System Steward, or its variations, are no longer being used in policy. This term has been replaced by Institutional Information Proprietor.

Unit Information Security Lead: The Workforce Member(s) assigned responsibility for tactical execution of information security activities including, but not limited to, implementing security controls; reviewing and updating Risk Assessment and Risk Treatment plans; devising procedures for the proper handling, storage and disposal of electronic media within the Unit; and reviewing access rights.

Unit Head: Unit Heads are the executives accountable and responsible for overseeing the execution of UC and Campus information security policies within the Unit


Contact the ITS Support Center for questions or additional information about any of the above information:, or 459-HELP (4357).