Glossary of UCSC IT Policy-Related Terms


Acceptable Use: A term referring to usage of Institutional Information and IT Resources that complies with UC’s security, privacy and ethics policies.

Archive: Data that has been removed from the storage system to another (off-line) location for historical purposes and is available for reference or recovery on an as-needed basis. The archive medium may be different from that of the previously stored data, may be in a different physical location, and may, depending on the media and software used, be usable only after it has been run through a “restore” process.

Authentication: The process by which you prove your identity to another party. Authentication is the act of confirming the identity of an individual by verification of the digital credentials presented by the individual when accessing a resource. An authentication credential may be:

  • something the individual knows, such as a password, passphrase, or other secret information
  • something the individual has, such as a smart card with a public-key certificate
  • something that is biologically part of the individual, such as a fingerprint or a retina

Availability Level: The degree to which Institutional Information and IT Resources must be accessible and usable to meet business needs. See Availability Levels for UC Information for details.

Breach (Breach of Security): Any confirmed disclosure or unauthorized acquisition of Institutional Information that compromises the security, confidentiality or integrity of Institutional Information maintained by UC. Good faith acquisition of personal information by a University employee or agent for University purposes does not constitute a security breach, provided that the personal information is not used or subject to further unauthorized disclosure.

Backup: A copy of data as it existed at a specific point in time. The backup is held on physically different media (but may be of the same type) as the active data set. Backup data may, depending on the medium and backup software used, be usable only after it has been run through a “restore” process.

Business “need to know” or “need to access”: A method of isolating the information resources that a user requires to do their job, but no more. That is, access to electronic data elements or information that is relevant in the ordinary course of the performance of the employee’s or affiliate’s officially assigned duties.

Compensating Control: Compensating controls are alternative protections that sufficiently mitigate the risk associated with a requirement. Compensating controls can be implemented where allowed when an entity cannot meet a requirement explicitly as stated, due to legitimate technical or documented business constraints. Compensating controls must:

  • meet the intent and rigor of the original stated requirement; and
  • be commensurate with the additional risk imposed by not adhering to the requirement as stated.

Computer Security Incident: See "Security Incident"

Confidential Information: At UC, the data classifications Confidential and Restricted are no longer being used in policy. They have been replaced by the concepts of Protection Level and Availability Level ratings.

Cyber Incident Escalation Protocol: A required process used to ensure that appropriate incident communication occurs at the Location and from the Location to the UCOP cyber leadership team, UCOP supporting departments/functions and the Regents of the University of California.

De-identify: Anonymize or remove information or data elements that could be used to connect sensitive information to a specific individual.

Device: Any electronic component, such as a computer, printer, router, switch, modem, PDA, etc.

Disaster recovery: Restoring a system or operational function after a service-impacting event.

Electronic Communications: Any information that is transmitted electronically. This includes, but is not limited to, email and email attachments, Google Docs, web pages, phone calls, faxes, broadcasts, electronically transmitted files, information submitted online, etc. It also applies to details about an individual’s online activities, and information from transactional logs. 

Electronic Information Resource (EIR): A resource used in support of University activities that involves the electronic storage, processing or transmitting of data, as well as the data itself. Electronic Information Resources include application systems, operating systems, tools, communications systems, electronic services, including services offered through contracts with the university, data in raw, summary, and interpreted form; and associated computer servers, desktops (workstations), portable devices (laptops, PDAs) or media (CD ROM, memory sticks, flash drives), communications and other hardware used to conduct activities in support of the University’s mission. These resources are valued information assets of the University.

Electronic Personal Identity Information (PII): See Personal Identity Information (PII).

Electronic Protected Health Information (ePHI): Sometimes called "HIPAA data." Electronic Protected Health Information, or ePHI, is patient health information that is computer based, e.g., created, received, stored or maintained, processed and/or transmitted in electronic media, including computers, laptops, disks/CDs/DVDs, memory sticks, PDAs, servers, networks, dial-modems, email, web-sites, etc. ePHI is protected by Federal HIPAA legislation.

Email Relay: A service that allows third parties to process an email message where neither the sender nor the recipient is a local user.

Email Spam Robot (spam bot): A malicious program designed to covertly send unsolicited email (spam) from computers that it infects. The spam bot is remotely controlled as part of a collection, or “army,” of spam engines.

Encryption: The process of converting data into a cipher or code in order to prevent unauthorized access.  The technique obfuscates data in such a manner that a specific algorithm and key are required to interpret the cipher.

Essential Resource: A resource is designated as Essential by the University of California if its failure to function correctly and on schedule could result in:

  1. A major failure by a Campus to perform mission-critical functions
  2. A significant loss of funds or information
  3. A significant liability or other legal exposure to a Campus.

A system required for the operation of a major function is an essential system.

FERPA: The Federal Family Educational Rights and Privacy Act of 1974. The disclosure of information from student records is governed by FERPA. Campuses can lose Federal educational funding for the improper management and disclosure of non-public student records. At UCSC, information about FERPA and its application at UCSC is maintained by the Office of the Registrar.

File recovery: Restoring individual files or records from original, archive or backup media.

FTP: “File Transfer Protocol.” A non-secure method of transferring files between computers on a network. The currently preferred alternative is SFTP.

HIPAA: Federal Health Insurance Portability and Accountability Act. HIPAA Privacy and Security Laws mandate protection and safeguards for access, use and disclosure of protected health information and/or ePHI with sanctions for violations. Information and links are available at http://its.ucsc.edu/policies/hipaa.html.

HIPAA Data: See Electronic Protected Health Information (ePHI)

Host-Based Firewall: A host-based firewall is software that runs directly on a networked device and protects that device against attack from the network by controlling incoming and/or outgoing network traffic. Additional information: http://its.ucsc.edu/security/stay-secure/minreq/firewall.html

HTTP: “Hypertext Transfer Protocol.” The communication protocol (language) that enables web browsing.

HTTPS: “Secure Hypertext Transfer Protocol.” Acronym used to indicate a secure, encrypted HTTP connection.

IMAP: “Internet Message Access Protocol.” A mail protocol that provides access to email and management of email messages on a remote server.

IMAPS: Secure, encrypted IMAP.

Information Security Event: An identified occurrence in a system, service or network state indicating a possible breach of information security policy, a failure of controls or a previously unknown situation that may be relevant to security. 

Infected Computer: A computer containing any type of malicious software.

Information Security Incident Response Plan: An Information Security Incident Response Plan is the written document detailing the steps required to address and manage an Incident or cyber attack. A response plan is one part of a Security Program.

Information Security Incident Response Program: The full, comprehensive effort to identify, prevent, prepare for, respond to and recover from Incidents or cyber attacks.

Institutional Information: A term that broadly describes all data and information created, received and/or collected by UC.

Integrity: The consistency, accuracy and trustworthiness of data over its entire lifecycle. Integrity is one of the 3 elements of the "CIA Triad" security model (Confidentiality, Integrity, and Availability).

ISMP: Information Security Management Program (ISMP) is an overall program of identifying and managing information security risk within established UC and Location tolerances. The ISMP identifies the requirements for a Location-wide information security program and describes the established or planned management controls and common controls for meeting those requirements. It combines elements related to cyber security to manage risk to acceptable levels. This includes management commitment, policies, standards, procedures, work instructions, tools, systems of record, guidelines and checklists.

IT Resource: A term that broadly describes IT infrastructure, software and/or hardware with computing and networking capability. These include, but are not limited to: personal and mobile computing systems and devices, mobile phones, printers, network devices, industrial control systems (SCADA, etc.), access control systems, digital video monitoring systems, data storage systems, data processing systems, backup systems, electronic and physical media, biometric and access tokens and other devices that connect to any UC network.

Least Perusal: Concept for granting access to systems. Activities shall be limited to the minimal access and retention required to ensure the reliability and security of systems. Also sometimes referred to as "Need to Know."

Least Privilege Access: The practice of limiting access to the minimum level that will allow normal functioning. Applied to Workforce Members, this principle translates to giving people the minimum level of access rights they require to do their jobs. Applied to security architecture, each entity is granted the minimum system resources and authorizations it needs to perform its function.

Location: A discrete organization or entity governed by the Regents of the University of California. Locations include, but are not limited to: campuses, laboratories, medical centers and health systems, as well.

Malicious Software, or "malware": A generic term for software that performs unauthorized activities on a computer, causes damage or allows unauthorized access to be gained. Examples of malicious software include viruses, spyware, and email spam robots. 

Multifactor Authentication (MFA): An authentication system that requires more than one distinct authentication factor for successful authentication. Multifactor authentication can be performed using a multifactor authenticator or by a combination of authenticators that provide different factors.

"Need to Know:" See Business “need to know” or “need to access”.

Network Service: A resource running on a device that can be shared by other computers. Examples include web servers, mail servers, file sharing, remote connectivity capability, DHCP servers.

Passphrase: A sequence of words or other text used as part of the authentication process. A passphrase is similar to a password in usage, but is generally longer for added security.

Password: A string of characters (letters, numbers and/or symbols) used to authenticate an identity, verify access authorization or derive cryptographic keys. Generally composed of not more than 8-16 characters.

Payment Card Industry: A credit card number in conjunction with a name is a form of personal identity information (PII). Credit card information is also regulated by the Payment Card Industry (PCI) Data Security Standard (DSS). This Standard is a set of data security requirements that apply to all employees, merchants, vendors, service providers, contractors and business partners who store, process or transmit credit cardholder data, as well as to all system components included in or connected to the cardholder data environment. The complete Standard is available online at https://www.pcisecuritystandards.org.

PCI DSS: Payment Card Industry Data Security Standard. See Payment Card Industry.

Personal Identification Number (PIN): A memorized secret typically consisting of numerical digits.

Personal Identity Information (PII): The electronic manifestation of an individual’s first name or first initial, and last name, in combination with one or more of the following:

  • Social Security number (SSN)
  • Driver's license number or State-issued Identification Card number
  • Account number*, credit or debit card number in combination with any required security code, access code, or password that could permit access to an individual’s financial account
  • Medical information, including any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional
  • Health insurance information, including an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals records

At UC, all PII is classified as Protection Level 4.

This definition of electronic PII is not dependent on where the personal identity information is stored. This includes, but is not limited to, formal database systems such as DB2, Sybase, or Oracle as well as simple text files, spreadsheets, etc.  Electronic personal identity information may exist on, but is not limited to, hard drives, magnetic tape, optical disks, diskettes, hand held computing devices, etc.

*Note: “Account number” is not defined in the legislation but can refer to any financial account such as a bank or brokerage account, etc.

Physical Media: The tangible, physical materials or devices that are used to store or transmit Institutional Information. They can be touched and felt, having physical properties such as weight and color.

POP: “Post Office Protocol.” A protocol used to retrieve email from a mail server.

POPS: Secure, encrypted POP.

Privileged Access: Privileged access is any access to systems, applications, databases, etc. that enables a user to carry out system administration functions, or that provides broad access to personal or institutional data (beyond just the user's own data).

Procedure: A collection of steps or processes that describe how the requirements of a specific job task, policy or standard are met.

Protection Level: An assigned number representing the level of protection needed for Institutional Information or an IT Resource. The scale goes from the minimum level of protection (Protection Level 1) to the highest level of protection (Protection Level 4) and is based on the potential harm resulting from unauthorized access, disclosure, loss of privacy, compromised integrity or violation of external obligations. See Protection Levels for UC Institutional Information for more details.

Proxy Server: A server interposed between a client application, such as a Web browser, and a source server.

Public Information: Public information is any information relating to the conduct of the public's business. In the case of personal information the term relates to information that has been determined not to constitute an unwarranted invasion of privacy if publicly disclosed.

Redact: To obscure or remove the sensitive portions of a data set or document, typically prior to publication or release. 

Restricted data:  At UC, the data classifications Confidential and Restricted are no longer being used in policy. They have been replaced by the concepts of Protection Level and Availability Level ratings.

Risk Assessment: A process to identify, rate and prioritize risk, as well as to document risk tolerance.

Risk Treatment Plan: A pre-approved plan to provide a standard, scalable and repeatable response to address pre-identified risks in a specific situation.

Risk-Based Approach: A process for managing information security risk including:

  1. A general overview of the risk management process
  2. How organizations establish the context for risk-based decisions
  3. How organizations assess risk in considering threats, vulnerabilities, likelihood and consequences/impact
  4. How organizations respond to risk once determined
  5. How organizations monitor risk over time with changing mission/business needs, operating environments and supporting information systems.

SCP: “Secure Copy.” A utility that allows files to be copied between machines. SCP is an updated version of an older, insecure utility named RCP (Remote Copy). It works the same, except that information (including the password used to log in) is encrypted in transit.

Secure Deletion: Any disposal process that removes the ability to access the respective file, record or data in the operating system or application. ITS offers secure data disposal as a service.

Security Audit Agent: An application that checks for vulnerabilities on machines operating on the network. The Internet Engineering Task Force (IETF) name for this is “posture broker.”

Security Incident: A compromise of the confidentiality, integrity or availability of Institutional Information in a material or reportable way. A single event or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations or threatening information security.

Sensitive Data: Sensitive data is an informal term used to describe information with some level of sensitivity. At the University of California, "sensitive data" is categorized using the Protection Level and Availability Level scales.

Separation of Duties: A process that addresses the potential for abuse of authorized privileges and helps reduce the risk of malicious activity without collusion. Separation of duties includes:

  1. Dividing operational functions and information system support functions among different individuals and/or roles
  2. Dividing information system support functions between different individuals (e.g., system management, programming, configuration management, quality assurance and testing, network security)
  3. Ensuring that security personnel administering access control functions do not also administer audit functions.

Session Timeout: A process that automatically prevents user access to a system or application after a period of inactivity. The purpose of timeouts is to lock out unauthorized users when a system is unattended or when someone forgets to log out of an application.

SFTP: “Secure File Transfer Protocol.”

  • A program similar to FTP that uses SSH to transfer files. Unlike FTP, SFTP encrypts both the session and the password so nothing is sent in clear text form. This prevents an eavesdropper from capturing or stealing passwords or data as they travel over the network.
  • A secure, encrypted method of transferring files between computers on a network.

SMTP: “Simple Mail Transfer Protocol.” The de facto standard for email transmissions across the Internet. SMTP is a text-based protocol, where one or more recipients of a message are specified and then the message text is transferred.
http://en.wikipedia.org/wiki/SMTP

SNMP: “Simple Network Management Protocol.” A protocol used by network management systems to monitor network-attached devices for conditions that warrant administrative attention. It consists of a set of standards for network management, including an application layer protocol, a database schema, and a set of data objects.
http://en.wikipedia.org/wiki/Simple_Network_Management_Protocol

Spyware: Computer programs that typically track your use and report this information to a remote location. The more malicious spyware programs may capture and report keystrokes, revealing passwords and personal information. Users are often tricked into installing spyware programs without their knowledge. Spyware is sometimes referred to as adware.

SSH: “Secure Shell.” A program that provides secure, encrypted communications to log into another computer over a network, execute commands on a remote machine, or move files from one machine to another. SSH also provides strong encryption for authentication. SSH is the currently preferred alternative to Telnet.

SSL: “Secure Sockets Layer.” A cryptographic (encrypted) protocol that provides secure communications on the Internet for such things as web browsing, email, Internet faxing, instant messaging and other data transfers. SSL is the technology that SSH uses.

SSL Certificate: SSL certificates (certs) are used to confirm the identity of a website or server, encrypt data during transmission, and ensure the integrity of transmitted data.

Standard: Requirements that specify the set of administrative, technical or procedural controls necessary to meet the related policy. Standards differ from policy in that they can be more detailed and can change more rapidly in response to new technology or to new or evolving threats.

System: In general, any interrelated group of electronic components, e.g. hardware and/or software, that work as a coherent entity. With respect to information security breaches, a system is any computer readable collection of information that contains electronic data in an organized form such that information about a particular subject can be distinguished from information about other subjects.

Telnet: A network protocol used for connecting to a remote host or server. Telnet is an insecure Internet protocol. The currently preferred alternative is SSH.

Transactional Information: Information, including electronically gathered information, needed either to complete or to identify an electronic communication. Examples include but are not limited to: electronic mail headers, summaries, addresses and addressees; records of telephone calls; and IP address logs. Transactional information does not include the actual contents of people's computers, files, emails, telephone conversations, etc.

Truncate: To make shorter. This can be for the purpose of reducing or eliminating the sensitivity of data, such as using the last four digits of a Social Security number instead of the entire number.

Unit: An IT, academic, research, administrative or other entity operating within UC. A Unit is typically a defined organization or set of departments.

Updates: Updates “fix” an inherent flaw or security risk in an operating system (the basic program that runs a computer) or in application software. Updates are released on an as-needed basis, typically from the operating system or software vendor (such as Microsoft, Apple, or Mozilla).

Virus: Computer viruses are small, self-replicating computer programs that interfere with computer operation. The effect of viruses can range from negligible to devastating, depending on what the virus program does when it runs. A virus might, for example, corrupt or delete data on a computer, spread itself to other computers, or even install a malicious program.

------------------------

Glossary of Roles

Campus Information Privacy Official: The individual designated by the Chancellor to have responsibility for campus compliance with legislation, University policy and campus policy on information privacy. The Privacy and Information Practices Director is the Campus Information Privacy Official for the Santa Cruz campus.

Campus Information Security Officer: The individual designated by the Chancellor to have responsibility for campus compliance with IS-3, and all other University policies on electronic information security. The Chief Information Officer, VP IT, is the Campus Information Security Officer for the Santa Cruz campus.

Customer Support: Service Providers responsible for working directly with customers and clients.

Data Integrator: Manager(s) of an EIR that integrates the data of two or more source systems. One of these source systems may be the Data Integrator’s system, itself.

Data Expert: See Subject Matter Expert.

Data Owner / Data Steward: See System Steward.

Electronic Communications Service Provider: Any campus unit or individual who provides electronic communications services that involve the use of University equipment and facilities.

Information Privacy Officer: See Campus Information Privacy Officer.

Information Security Officer: See Campus Information Security Officer.

IT Security Committee (ITSC): A cross-representational governance committee to the VP IT charged to coordinate and direct the development of appropriate campus policy to address the critical, ongoing need to provide a comprehensive oversight process for protecting campus information assets and electronic systems.

Institutional Information Proprietor: The individual or identified group responsible for the Institutional Information and processes supporting a University function. Proprietor responsibilities include, but are not limited to: ensuring compliance with University policy regarding the classification, protection, access to and release of information according to procedures established by UC, the Location or the department, as applicable to the situation.

Service Provider: UC groups or organizations providing specific IT services to a Unit.

Subject Matter Expert: Workforce Members who are responsible for their domain expertise.

Supplier: An external, third-party entity that provides goods or services to UC.

System Steward (also known as the Electronic Information Resource Proprietor; Data, Resource, or Record Proprietor; Data Steward; or Data Owner): At UC, the term System Steward, and its variations, are no longer being used in policy. This term has been replaced by Institutional Information Proprietor.

Unit Information Security Lead: The Workforce Member(s) assigned responsibility for tactical execution of information security activities including, but not limited to, implementing security controls; reviewing and updating Risk Assessment and Risk Treatment plans; devising procedures for the proper handling, storage and disposal of electronic media within the Unit; and reviewing access rights.


GETTING HELP:

Contact the ITS Support Center for questions or additional information about any of the above information: itrequest.ucsc.edu, help@ucsc.edu, 459-HELP (4357), or 54 Kerr Hall M-F 8 AM to 5 PM.


Rev. April 2019