Information Security Standards

DEFINITIONS

Access—The physical or logical capability to interact with, or otherwise make use of information resources.

Account information—Resource users are typically assigned logon credentials, which include, at the minimum, a unique user name and password.

Business Continuity Planning—The process of identifying mission critical data systems and business functions, analyzing the risks and probabilities of service disruptions and developing procedures to restore those systems and functions.

Change—(a) Any implementation of new functionality; (b) Any interruption of service; (c) Any repair of existing functionality; or, (d) Any removal of existing functionality.

Confidential Information—Information that must be protected from unauthorized disclosure or public release based on state or federal law (e.g. the Texas Public Information Act, and other constitutional, statutory, judicial, and legal agreement requirements). Examples of “Confidential” data may include but are not limited to the following:

• Personally Identifiable Information, such as: a name in combination with Social Security number (SSN) and/or financial account numbers

• Student Education Records

• Intellectual Property, such as: certain intellectual property as set forth in section 51.914 of the Texas Education Code

• Medical Records

Control—A safeguard or protective action, device, policy, procedure, technique, or other measure prescribed to meet security requirements (i.e., confidentiality, integrity, and availability) that may be specified for a set of information resources. Safeguards may include security features, management constraints, personnel security, and security of physical structures, areas, and devices.

Custodian of an Information Resource—A person responsible for implementing the information owner-defined controls and access to an information resource. Custodians may include state employees, vendors, and any third party acting as an agent of, or otherwise on behalf of the state entity.

DMZ—A network area created between the public Internet and internal private network(s). This neutral zone is usually delineated by some combination of routers, firewalls, and other hosts. A DMZ usually includes devices that are accessible to Internet traffic.

Electronic Communication—A process used to convey a message or exchange information via electronic media. It includes the use of electronic mail (email), Internet access, Instant Messaging (IM), Short Message Service (SMS), facsimile transmission, and other paperless means of communication.

EMR—Electronic Medical Records, or a system for storing and retrieving electronic Medical Records.

Encryption (encrypt, encipher, or encode)—The conversion of plaintext information into a code or cipher text using a variable, called a "key," and processing those items through a fixed algorithm to create the encrypted text that conceals the data's original meaning.

Firewall—A software or hardware device or system that filters communications between networks that have different security domains based on a defined set of rules. A firewall may be configured to deny, permit, encrypt, decrypt, or serve as an intermediary (proxy) for network traffic.

Host-based firewall—Software that functions on a single host (i.e., a single computer including laptop computers) that can permit or deny incoming or outgoing traffic to or from only that host (as opposed to a network-based firewall which protects one or more networks of hosts).

Information Owner—A person with statutory or operational authority for specified information (e.g., supporting a specific business function) and responsibility for establishing the controls for its generation, collection, processing, access, dissemination, and disposal. The Information Owner may also be responsible for other information resources including personnel, equipment, and information technology that support the Information Owner's business function.

Information Resources—The procedures, equipment, and software that are designed, employed, operated, and maintained to collect, record, process, store, retrieve, display, and transmit information or data.

Information Security Program—The elements, structure, objectives, and resources that establish an information resources security function within an institution of higher education, or state agency.

Intrusion Detection System (IDS)—Hardware or a software application that can be installed on network devices or host operating systems to monitor network traffic and host log entries for signs of known and likely methods of intruder activity and attacks. Suspicious activities trigger administrator alarms and other configurable responses.

Intrusion Prevention System (IPS)—Hardware or a software application that can be installed on a network or host operating system to monitor network and/or system activities for malicious or unwanted behavior and can automatically block or prevent those activities. (Firewalls, routers, IDS devices, and anti-virus gateways all may have IPS capabilities.) IPS can make access control decisions based on application content.

ISAAC—Information Security Awareness, Assessment, and Compliance system. ISAAC allows departments to register and perform a baseline security risk assessment of their information systems and perform the following functions:

• Help develop a Business Continuity/Disaster Recovery Plan for information systems that contain mission critical and/or confidential data;

• Perform an automated, web-based Risk Analysis;

• Perform a Physical Security check of your premises;

• Ensure compliance with state (Texas Administrative Code 202) and local information security standards.

Logon ID—A user name that is required as the first step to logging into a secure system. Generally, a logon ID must be associated with a password to be of any use.

Malicious code—Software that is designed to operate in a manner that is inconsistent with the intentions of the user and which typically results in annoyance or damage to the user's information systems. Examples of such software include:

• Viruses: Pieces of code that attach to host programs and propagate when an infected program is executed.

• Worms: Programs particular to networked computers that carry out preprogrammed attacks and jump across the network.

• Trojan Horses: Hide malicious code inside a host program that appears to do something useful.

• Attack scripts: These may be written in common languages such as Java or ActiveX to exploit weaknesses in programs; usually intended to cross network platforms.

• Spyware: Software planted on your system to capture and reveal information to someone outside your system. It can do such things as capture keystrokes while typing passwords, read and track email, record the sites visited, pass along credit card numbers, and so on. It can be planted by Trojan horses or viruses, installed as part of freeware or shareware programs that are downloaded and executed, installed by an employer to track computer usage, or even planted by advertising agencies to assist in feeding you targeted ads.

Mission Critical Information—Information that is defined by the University or information resource owner to be essential to the continued performance of the mission of the University or department. Unavailability of such information would result in more than an inconvenience. An event causing the unavailability of mission critical information would result in consequences such as significant financial loss, institutional embarrassment, failure to comply with regulations or legal obligations, or closure of the University or department.

Network Scanning—The process of transmitting data through a network to elicit responses in order to determine the configuration state of an information system.

Owner of an Information Resource—An entity responsible for (a) a business function (Department Head); and, (b) determining controls and access to information resources.

Platform—The foundation technology of a computer system. The hardware and systems software that together provide support for an application program. (Ref: Practices for Protecting Information Resources Assets.)

Risk Assessment—The process of identifying, evaluating, and documenting the level of impact that may result from the operation of an information system on an organization's mission, functions, image, reputation, assets, or individuals. Risk assessment incorporates threat and vulnerability analyses and considers mitigations provided by planned or in-place security controls.

Risk Management—Decisions to accept risk exposures or to reduce vulnerabilities and to align information resources risk exposure with the organization's risk tolerance.

Router—A device or, in some cases, software in a computer, that determines the next network point to which a packet should be forwarded toward its destination. The router is connected to at least two networks and decides which way to send each information packet based on its current understanding of the state of the networks to which it is connected. A router is located at any intersection where one network meets another.

Sanitize—A process to remove information from media such that data recovery is not possible. It includes removing all confidential labels, markings, and activity logs as specified in applicable National Institute of Standards and Technology Special Publication (NIST SP) 800-88 or U.S. Department of Defense 5220.22-M guidelines and standards for media sanitization.

Security Incident—An event which results in accidental or deliberate unauthorized access, loss, disclosure, modification, disruption, or destruction of information resources.

Sensitive data–An optional owner-defined category. Sensitive data may be subject to disclosure or release under the Texas Public Information Act; however, the University or owner has decided that the data should have the same or equivalent level of protection as Confidential data. Examples of Sensitive data may include but are not limited to:

• operational information

• personnel records

• information security procedures (other than standard administrative procedures)

• research

• internal communications

Sensitive Personal Information—A category of personal identity information as defined by §521.002(a)(2), Business and Commerce Code.

Security Incident Reporting System (SIRS)—An electronic system for reporting (after the fact, after-action) incidents in compliance with Texas Department of Information Resources (DIR) regulations.

Storage Device—Any fixed or removable device that contains data and maintains the data after power is removed from the device, such as a DVD/CD-ROM, external or internal hard drive, Universal Serial Bus (USB) flash drive, memory card, or media player.

Test—A simulated or otherwise documented event for which results and records are kept.

Threat—Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.

User of an Information Resource—An individual or automated application authorized to access an information resource in accordance with the information owner-defined controls and access rules.

Virtual LAN (VLAN)—A subdivision of a Local Area Network (LAN) that is logically grouped, but may not be physically located in the same area.

Vulnerability Assessment—A documented evaluation containing information described in §2054.077(b), Government Code, which includes the susceptibility of a particular system to a specific attack.

Wireless Access—Using one or more of the following technologies to access the information resources systems:

• Wireless Local Area Networks—Based on the IEEE 802.11 family of standards.

• Wireless Personal Area Networks—Based on the Bluetooth and/or InfraRed (IR) technologies.

• Wireless Handheld Devices—Includes text-messaging devices, Personal Digital Assistants (PDAs), and smart phones. NIST SP 800-48 provides an overview of Wireless Network Security 802.11 technologies and provides guidelines to reduce the risks associated with Bluetooth and Handheld Devices.

Wireless Access Point—A device that connects to the wired network infrastructure and provides wireless access to the network through an antenna. Wireless access points include wireless bridges and wireless routers.

Wireless Bridge—A device that connects to the wired network and provides a wireless connection allowing the wired and wireless networks to appear to clients as a single network.

Wireless Router—A device that connects to the wired network and provides a wireless connection, but presents the wired and wireless networks as separate networks.