This document is intended to define common definitions and terms used in IRT policies.
The use of computer-controlled entry and locking devices to limit and log access to areas of a physical facility, usually by means of a digitally-enclosed identification card or biometric device.
Administrative actions, and policies and procedures to manage the selection, development, implementation, and maintenance of security measures to protect the University’s information assets and to manage the conduct of the University community in relation to the protection of those information assets.
Individuals who are not current Rowan University faculty, staff, or students. Including, but are not limited to, non-employees of Rowan University School of Osteopathic Medicine (SOM), Cooper Medical School of Rowan University (CMSRU), visiting faculty – both long and short term, visiting scholars, researchers, contractors, subcontractors, vendors, external maintenance/contractors, volunteers, volunteer faculty who are not considered "faculty of record," temporary University employees, and summer program participants.
An individual who has received a degree from Rowan University. A student who attended classes but did not graduate from Rowan or receive a diploma is not considered an Alumnus/a of the university. An Alumnus/a will be classified into exactly one of the following subsets:
Software that runs on either a server or workstation and monitors network connections looking for malicious software. Antivirus software is generally reactive, meaning a signature file must be developed for each new virus discovered and these virus definition files must be sent to the software in order for the software to find the malicious code.
A computer program that processes, transmits, or stores University information and which supports decision-making and other organizational functions. It typically presents as a series of records or transactions. These records and transactions are generally accessible by more than one user.
Rowan staff member who is responsible for granting access and providing support on the application to the Rowan community.
The technology manager who is directly responsible for the development, maintenance, configuration, or functional specifications of the application. He or she is also required to implement, operate, and maintain security measures defined by the information owners.
Defined as (1) all categories of information and data, including (but not limited to) records, files, and databases, regardless of form and (2) information technology facilities, equipment and software owned, outsourced, or leased by the University. This includes all University IT systems and data, including university owned, leased or managed assets.
A person authorized to access information resources specific to their role and responsibilities, and who has conveyed upon them the expectation of “Least Privilege.”
Software that executes pre-scripted tests on software applications or hardware devices.
The expectation that information is accessible by Rowan University when needed.
Any incident that results in unauthorized access of data, applications, services, networks and/or devices by bypassing their underlying security mechanisms.
Business (Application) Owner
Business unit that purchased the application using University funds allocated to its budget or purchased using a grant. The business owner may be a technology organization for utility services-type applications, such as Banner and MS Exchange.
Business Impact Analysis (BIA)
A process managed by the Office of Emergency Management that determines the financial and operational impact of a disruption to a business, and the requirements for recovering from the disruption. A business unit uses the BIA to list their business-critical functions and processes and supporting applications.
An event, whether anticipated or unanticipated, which disrupts the normal course of business operations within the university.
Applies to multiple levels of the university, such as a revenue generating unit or a functional unit (e.g., Compliance, Human Resources, Information Resources and Technology (IR&T), Legal, and Finance). It may also be comprised of several departments.
A function or process which, if compromised, presents a severe financial, operational, or regulatory risk to the business unit and/or to the University as a whole. A business-critical function/process may be supported by an information system owned by the business unit or by an information system that is shared across multiple units.
Cable companies such as Comcast provide Internet access over Cable TV coaxial cable. A cable modem accepts this coaxial cable and can receive data from the Internet at over 1.5 Mbps.
Any device that is capable of out-of-the-box support for cellular voice and data services. This includes, but is not limited to, Apple smartphones and Android smartphones.
Any device that is capable of out-of-the-box support for data services. This includes, but is not limited to, Apple tablets and Android tablets.
Survey administered to an entire population.
The addition, modification or removal of approved, supported or base lined hardware, network, software, application, environment, system, desktop build or associated documentation of the production IT environment.
Consumer and business products, services and solutions delivered and consumed on-demand, using the cloud service providers' pooled resources, and delivered over a broad network, such as the Internet.
Any type of device connected to a network that could become infected with a computer virus. Examples of computer devices would be, but not limited to, workstations, servers, laptops, PDAs, etc.
Highly sensitive data intended for limited, specific use by a workgroup, department, or group of individuals with a legitimate need-to-know.
The most sensitive information, which requires the strongest safeguards to reduce the risk of unauthorized access or loss. Unauthorized disclosure or access may 1) subject Rowan to legal risk, 2) adversely affect its reputation, 3) jeopardize its mission, and 4) present liabilities to individuals (for example, HIPAA and HITECH penalties). See the Information Classification policy for additional information.
The expectation that only authorized individuals, processes, and systems will have access to Rowan's information.
A mathematical algorithm, used in conjunction with a secret key, that transforms original input into a form that is unintelligible without special knowledge of the secret information and the algorithm.
A string of bits used by a cryptographic algorithm to transform plain text into cipher text or vice versa.
|CVSS||The Common Vulnerability Scoring System (CVSS) provides an open framework for communicating the characteristics and impacts of IT vulnerabilities. Its quantitative model ensures repeatable accurate measurement while enabling users to see the underlying vulnerability characteristics that were used to generate the scores. In addition to a CVSS score, independent threat intelligence sources contribute toward the overall risk rating.|
Funds originate from the Departmental budget
A peripheral device that connects computers to each other for sending communications via the telephone lines.
Digital Subscriber Line (DSL)
A form of high-speed Internet access used over standard phone lines.
Information identified by Rowan that may be released without prior consent of the student. (See Family Educational Rights and Privacy Act policy (00-01-25-05 00) for a comprehensive list of information categorized as Directory Information.)
Steps that demonstrate the University has taken responsibility for the activities that take place within the institution, and has implemented the requisite measures to help protect its assets, including its students, faculty, staff, and the community which we serve.
A method of exchanging digital messages from an author to one or more recipients
Physical object on which data can be stored, such as hard drives, zip drives, floppy disks, compact discs, CD-ROMs, DVDs, USB drives, memory sticks, MP3 players (iPod), Personal Digital Assistants (PDA's), digital cameras, smart phones and tapes.
An Employee is considered any member in an active pay status according to Human Resources at Rowan University. This includes but is not limited to faculty, staff, affiliates, etc.
A process by which data is transformed into a format that renders it unreadable without access to the encryption key and knowledge of the process used. It is also defined as a method of converting information or data into a cipher or code to prevent unauthorized access and requires a passcode or other form of confirming identity to decrypt and access the information or data.
A password, file or piece of hardware that is required to encrypt or decrypt information, essentially locking and unlocking the data.
Enterprise Information System
An information system and/or server providing services commonly needed by the University community and typically provided by IRT units. Departmental information systems provide services specific to the mission and focus of individual departments, administrative units, or affiliated organizations.
Electronic Patient Health Information
Data for which the University is a custodian, such as video or media that are not directly licensed to Rowan University, but are being offered to the Rowan community via an external partnership.
Family Educational Rights and Privacy Act. FERPA is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. FERPA applies to the records of individuals from the point of first registration until death of the individual.
Fiber Optic Service (FiOS)
A data communications service provided by Verizon that uses fiber optic cables to transfer data.
A software or hardware-based network security system that controls the incoming and outgoing network traffic based on applied rule set.
An account that is shared among a group of individuals, and typically used for devices like kiosks and clinical workstations. There is no corresponding employee account (i.e., RUID).
Gramm-Leach-Bliley Act. Requires academic institutions to implement policies and controls for protecting financial information. An institution that is compliant with FERPA is considered compliant with GLBA.
Acounts provisioned to individuals not employed by ROWAN, but who have a justifiable business reason to access University resources.
High-Performance Computing Resources
All specialty computing systems, whether a single host or clustered hosts, that are used to address compute-bound, memory-bound, I/O-bound, or storage-bound applications or programs.
Health Insurance Portability and Accountability Act of 1996.
Health Information Technology for Economic and Clinical Health Act.
|Incident Board||The Incident Board comprises of the department heads of Information Resources & Technology (IRT), Office of Compliance and Corporate Integrity, Office of Risk Management, Information Security Office and General Counsel. The board is to be informed of suspected major incidents and to ensure the timely and appropriate engagement of the University's risk mitigation partners and service providers.|
Information owners are the business unit managers, senior management, or their designees who have planning and management or legal responsibility for the information generated within their functional areas. They must ensure that the level of protection assigned to their information is relative to its classification and sensitivity. For information regulated by HIPAA, FERPA, or GLBA, the information owner is expected to exercise due care when defining its level of protection.
Information Resources & Technology (IRT)
The Rowan University department responsible for the governance of all information and technology.
The potential that a given threat will exploit vulnerabilities of an information asset, thereby causing loss or harm to the information asset. It is measured in terms of a combination of the probability of an event and its impact to the University if the confidentiality, integrity, or availability of an asset is compromised. A risk can be financial, operational, regulatory, and/or reputational in nature.
Information Security Office (ISO)
Department responsible to the executive management for administering the information security functions within the University. The ISO is the Rowan University internal and external point of contact for all information security matters.
Consists of one or more components (e.g., application, database, network, or web) that is hosted in a University campus facility, and which may provide network services, storage services, decision support services, or transaction services to one or more business units.
Information Technology Infrastructure Library (ITIL)
Provides a cohesive set of best practice to Information Technology Service Management.
Information Technology Security Board (ITSB)
A unified effort jointly managed by the Chief Information Officer and the Director of Information Security, working closely with the department heads of Human Resources, General Counsel, Public Safety, Facilities Services, Faculty Senate, Research and the Department Chair/Administrative Head of other university units, as warranted. The ITSB governs technical and operational security solutions specific to the University's needs. The ITSB will recommend security measures compliant with this policy, and security best practices.
The hardware and software resources of an entire network that enable network connectivity, communication, operations and management of an enterprise network.
The expectation that Rowan's information will be protected from improper, unauthorized, destructive, or accidental changes.
Data that is owned by the University, is not classified Confidential or Private, and is not readily available to the public. For example, this includes employee and student identification numbers and licensed software.
A Lab is considered any room that has two or more computers that will be shared or utilized by two or more individuals.
Giving every user, task, and process the minimal set of privileges and access required to fulfill their role or function. This includes access to information systems and facilities. Principles of least privilege limit access to the minimal level required for someone to perform their job responsibilities.
A licensed premise is the space that Rowan University leases to a licensee.
A licensee or lessee is the renter of the leased space. Typically, this is a person or organization that makes installment payments to use or rent the real estate space.
A licensor or lessor is the landlord of the leased space. Rowan University is the organization that owns the leased space.
Data accessible to users through systems that are in production environment (i.e., live)
Computer code that infects a machine and performs a malicious action. This is sometimes perpetrated by computer viruses, worms, trojans, etc.
Mission-Critical Resource includes any resource that is critical to the mission of the University and any device that is running a mission-critical service for the University or a device that is considered mission critical based on the dependency of users or other processes. Mission-critical services must be available. Typical mission-critical services have a maximum downtime of three consecutive hours or less. Mission-critical resources for Information Security purposes include information assets, software, hardware, and facilities. The payroll system, for example, is a Mission-Critical Resource.
Including, but not limited to, laptops, tablets (iPad, Android, Windows, etc.) smartphones (Android, iPhone, etc.), and mobile broadband cards (also known as MiFi Hotspots and connect cards).
National Institute of Standard Technology (NIST)
NIST is the federal technology agency that works with industry to develop and apply technology, measurements, and standards.
National Institutes of Health
Credit Card Primary Account Number.
An attempt to bypass the basic password requirement that prohibits reusing the same password within a specified period of time by changing the password repeatedly within a brief period of time in order to be able to reuse the password earlier than intended by the policy.
Payment Card Industry.
Personal Identifying Information (PII)
Personal Identifying Information includes employer tax ID numbers, drivers' license numbers, passport numbers, SSNs, state identification card numbers, credit/debit card numbers, banking account numbers, PIN codes, digital signatures, biometric data, fingerprints, passwords, and any other numbers or info that can be used to uniquely identify an individual
Phishing, also known as spoofing, is the term used for deceitful or fraudulent emails designed to trick people into providing personal information that leaves them vulnerable to identity theft, computer viruses and compromised email accounts. The number and sophistication of phishing scams continue to increase. Other types of phishing can include phony websites or phone calls that ask potential victims to supply or verify their personal information.
Physical measures, policies, and procedures to protect the University’s information assets from natural and environmental hazards, and unauthorized intrusion.
Sensitive information that is restricted to authorized personnel and requires safeguards, but which does not require the same level of safeguards as confidential information. Unauthorized disclosure or access may present legal and reputational risks to the University.
An account which, by virtue of function, and /or security access, has been granted special privileges within the computer system, which are significantly greater than those available to the majority of users, including but limited to, local administrative accounts, privileged user accounts, domain administrative accounts, emergency accounts, service accounts, and application accounts.
Refers to attorney-client communication.
Production IT Environment
System components used to provide information technology (IT) service to employees, faculty, patients, students, including but not limited to server hardware and associated operating systems, virtual servers, software applications, virtual applications, networks, data storage, air-conditioning, power supply, server rooms, datacenters, networks, and workstations that are part of the University Environment. This includes IT environments managed by IRT, departments, colleges, and vendors.
Protected Health Information (PHI)
Information covered by the Health Insurance Portability and Accountability Act (HIPAA).
information that is readily available to the public, such as the information published on web sites.
Any network outside the Rowan University network.
Qualtrics Survey Software
Self-service electronic survey tool.
Connection to a data-processing system from a remote location, for example through a virtual private network.
Including, but not limited to CDs, DVDs, storage tapes, flash devices (e.g., CompactFlash and SD cards, USB flash drives), and portable hard drives.
Funds originate from a Research grant
A process used to identify and evaluate risks and their potential impact on the University.
Includes employees (e.g. faculty, staff, administration, physicians, researchers), students, former students, alumni, non-employees (e.g. contractors, vendors, guest affiliates), covered entities, agents and any other third parties of Rowan University.
Reserved User ID.
To expunge data from storage media so that data recovery is impossible. The most common types of sanitization are destruction, degaussing, and overwriting.
The process of removing sensitive information from a document or other medium, so that it may be distributed to a broader audience.
Secure Backup (Encryption Recommended)
The process of making a backup copy of information for the purpose of data recovery with security safeguards present to ensure the backup copy of the data remains protected from unauthorized access at all times. This may include physical protections as well as encryption to safeguard the backup information.
Areas within a building that house critical information technology services shall be designated as secure areas.
Secure Shell (SSH)
A secure network protocol for secure network communication services between two networked computers.
Security Awareness Training (SAT)
A method to inform users about the importance of protecting information technology systems and assets. SAT teaches security key concepts and best practices, such as creating a strong password, protecting mobile data, following IT Security policy, and reporting security incidents.
Security Awareness Training Program
The vehicle for disseminating security information for the ROWAN Community. Establishing and maintaining an information security awareness and training program will help to protect ROWAN's vital information resources.
Security Control Owner
The Department, Dean, or VP who is responsible for the area that is being secured by a camera and/or control access system.
Any observable occurrence that is relevant to information security. This can include attempted attacks or lapses that expose security vulnerabilities.
A security event that results in damage or risk to the confidentiality, integrity, and/or availability in a way that impacts Rowan University. Examples of incidents include violations or imminent threats of violation of computer security policies, acceptable use policies, or standard security practices, and attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations.
Sensitive Information includes all data, in its original and duplicate form, which contains Protected Health Information as defined by HIPAA Student education records, as defined by the Family Educational Rights and Privacy Act (FERPA) Customer record information, as defined by the Gramm Leach Bliley Act (GLBA) Card holder data, as defined by the Payment Card Industry (PCI) Data Security Standard. Sensitive data also includes any other information that is protected by University policy or federal or state law from unauthorized access. This information must be restricted to those with a legitimate business need for access. Examples of sensitive information may include, but are not limited to, social security numbers, system access passwords, some types of research data (such as research data that is personally identifiable or proprietary), public safety information, information concerning select agents, information security records, and information file encryption keys.
Sensitive Information includes all data, in its original and duplicate form, which contains:
Sensitive Information must be restricted to those with a legitimate business need for access. Examples of Sensitive Information may include, but are not limited to, Social Security numbers, system access passwords, some types of research data (such as research data that is personally identifiable or proprietary), public safety information, information concerning select agents, information security records, and information file encryption keys.
Accounts created by to satisfy specific functions, such as communications between systems or to facilitate other operational requirements.
The University technology service team that receives and handles requests for technical support and requests for new or changes to technology and voice services
Security Incident Response Team.
Refers to tools that allow the sharing of information and creation of communities through online networks of people.
Unsolicited usually commercial messages (such as Email, text messages, or Internet postings) sent to a large number of recipients or posted in a large number of places. Some spam is merely annoying, while other spam can cause damage to your computer or the entire campus network.
An email targeted at a specific individual or department within an organization that appears to be from a trusted source. For example, a spear phishing email could appear to come from someone at Rowan University and target Rowan University students and employees.
Rowan University full-time faculty or staff, who are eligible to initiate the request for affiliate access to Systems or an Affiliate Access Card.
Standard Access describes access to Secure Areas that contain protected IT Resources and is restricted to a defined set of individuals who are responsible for the operation of computing and network resources and have a business need for regular access to the facility. Standard Access includes the following user groups: Public Safety/EMT/Life Safety Services, Facilities personnel to maintain environmental services, IRT/Infrastructure Services designated personnel and approved Rowan third-party vendors.
A supported computer configuration as designated by Information Resources and Technology.
A method of gathering information from a sample of people. Modes of administration include electronic surveys, paper surveys and telephone surveys.
Individual responsible for final decisions on all aspects of survey methodology and analysis. This is the person who creates or owns the survey.
Group of individuals from a population who will be surveyed.
|System Administrator/Data Custodian|
A System Administrator or Data Custodian is a person who has technical control over an information asset dataset. Usually, this person has the administrator/admin, sysadmin/sysadm, sa, or root account or equivalent level of access. This is a critical role and it must be executed in accordance with the access guidelines developed by the Data Owner.
System Owner/Information Owner/Data Owner
A System Owner, Information Owner or Data Owner has administrative control and has been officially designated as accountable for a specific information asset dataset. This is usually the senior most officer or business unit manager in a division who have planning and management or legal responsibility for the information generated within their functional areas. Some examples include the Registrar and student data; the Chief Financial Officer and financial data; the VP of Human Resources and employee data. In most cases, the Data Owner is not the Data Custodian.
They must ensure that the level of protection assigned to their information is relative to its classification and sensitivity. For information regulated by HIPAA, FERPA, or GLBA, the information owner is expected to exercise due care when defining its level of protection.
System Default Service Accounts
Accounts created by a software vendor to facilitate installation or provide out-of-the-box functionality.
The technology, policies, and procedures used to control access to and protect the University’s electronic information and information systems.
Electronic or digital products and systems that are capable of being used to render information, consume information or manipulate information
The frequency with which Rowan-owned and supported computers will be replaced. Constitutes a complete lifecycle for a Rowan-owned and supported device from acquisition to disposal.
Any data related to Rowan University functions that are a) stored on University information technology systems, b) maintained by Rowan faculty, staff, or students, or c) related to institutional processes on or off campus. This applies to any format or media (in other words, it is not limited to electronic data).
All University funding sources, including, but not limited to, operational budgets, capital budgets, and grants. These funding sources do not include the use of the Student Technology Fee.
Refers to any member of the Rowan University community, as well as to visitors and temporary affiliates, who have been explicitly and specifically authorized to access and use the University’s data or information systems.
The use of image capture, processing, transmission and storage equipment for authorized monitoring of public areas. This includes full-motion and still images, use of network transmission capacity, and digital storage and retrieval software. Audio recording is specifically excluded from this definition.
Virtual Private Network (VPN)
Extends a private network across a public network, such as the Internet using secure communication.
Periodic files provided by vendors to update the anti-virus software to recognize and deal with newly discovered malicious software. Virus definition files are periodic files provided by vendors to update the anti-virus software to recognize and deal with newly discovered malicious software.
A vulnerability is a weakness in a system that can be exploited by an attacker to gain unauthorized access to Rowan University data, networks or systems. A vulnerability can be remediated or mitigate. Remediation occurs when the threat can be eradicated whereas mitigation involves minimizing the damage as the vulnerability cannot be fully eliminated.
|Vulnerability Management Program|
An effective vulnerability management program must be able to prevent the exploitation of vulnerabilities by detecting and remediating vulnerabilities in systems in a timely fashion. Proactively managing vulnerabilities on systems will reduce or eliminate the potential for exploitation and save on the resources otherwise needed to respond to incidents after exploitation has occurred.
|Vulnerability Management Team|
The Vulnerability Management Team reviews any concerns raised through the implementation of the Vulnerability Management Program at Rowan University.
Wireless networking technology that uses radio waves to provide wireless high-speed Internet and network connections. A WiFi enabled device such as a PC, mobile phone, or PDA can connect to the Internet when within range of a wireless network.
Desktop computers and laptops
By Direction of the CIO:
SVP and Chief Information Officer