Information Security Terms and Concepts

This is a short list of information-security-related terms.

Asset: In the context of ISO 27001 and ISO 27002, an asset is any tangible or intangible thing that has value to an organization.

Authorized Person: An authorized person is one whose individual DCCCD account/password authorizes access based on a business need to know; when in doubt, check with your supervisor.

Availability: A characteristic that applies to assets. An asset is available if it is accessible and usable when needed by an authorized entity. In the context of this standard, assets include things like information, systems, facilities, networks, and computers. All of these assets must be available to authorized entities when they need to access or use them.

Confidential Information: This information is private and requires protection with the highest levels of security, as prescribed by applicable laws, regulations and standards including, but not limited to PCI Data Security Standard, GLB, FERPA, HIPAA, USA PATRIOT Act and Texas Administrative Code, Information Security Standards for Higher Education. This information is available to District school officials on a need-to-know basis (based on applicable laws, regulations and standards).

Confidentiality: A characteristic that applies to information. To protect and preserve the confidentiality of information means to ensure that it is not made available or disclosed to unauthorized entities. In this context, entities include both individuals and processes.

Control: A control is any administrative, management, technical, or legal method that is used to manage risk. Controls are safeguards or countermeasures. Controls include things like practices, policies, procedures, programs, techniques, technologies, guidelines, and organizational structures.

Corrective actions: Steps that are taken to address existing nonconformities and make improvements. Corrective actions deal with actual nonconformities (problems), ones that have already occurred. They solve existing problems by removing their causes. In general, the corrective action process can be thought of as a problem-solving process.

Dallas County Community College District: Dallas County Community College District (hereinafter referred to as “Dallas County Community College District” and/or “District”), located at 701 Elm Street, Dallas, TX 75202, is a community college district created pursuant to Chapter 130 of the Texas Education Code.

District IPS Incident Response Coordinator: The District-level employee responsible for administering the District’s IPS Incident Response Model and the IPS Response Team’s activation to a privacy/security event or incident. The District IPS Incident Response Coordinator will report to executive management.

Document: The term document refers to information and the medium that is used to bring it into existence. Documents can take any form or use any type of medium. The extent of your ISMS documentation will depend on the scope of your ISMS, the complexity of your security requirements, the size of your organization, and the type of activities it carries out.

Event: An observable occurrence; an aspect of an investigation that can be documented, verified, and analyzed.

FERPA: Family Educational Rights and Privacy Act

Firewalls: Security systems that control and restrict network connectivity and access to or from network services.

GLB: Gramm-Leach-Bliley

HIPAA: Health Insurance Portability and Accountability Act

Incident: An adverse event or series of events that impact the privacy/security of the District, its customers, its public image and/or the ability of the District to do business.

Information Classification Scheme: The classification level given to information — according to its use, sensitivity, and importance — that determines how information is to be handled and protected within DCCCD. The three Categories of information are as follows:

  • Category I – Public Information
  • Category II – Internal Information
  • Category III – Confidential Information

Internal Information: This information is generally considered only for internal use by District school officials as needed for their job functions and is not disclosable to the public unless required by law.

Information processing facility: An information processing facility is defined as any system, service, or infrastructure, or any physical location that houses these things. A facility can be either an activity or a place; it can be either tangible or intangible.

Information security event: An information security event indicates that the security of an information system, service, or network may have been breached or compromised. An information security event indicates that an information security policy may have been violated or a safeguard may have failed.

Information security incident: An information security incident is made up of one or more unwanted or unexpected information security events that could very likely compromise the security of your information and weaken or impair your business operations.

Information security management system (ISMS): An information security management system (ISMS) includes all of the policies, procedures, plans, processes, practices, roles, responsibilities, resources, and structures that are used to protect and preserve information. It includes all of the elements that organizations use to manage and control their information security risks. An ISMS is part of a larger management system.

Information security policy: An information security policy statement expresses management’s commitment to the implementation, maintenance, and improvement of its information security management system.

Integrity: To preserve the integrity of information means to protect the accuracy and completeness of information and the methods that are used to process and manage it.

IPS: (Information Privacy/Security) Protecting and preserving the confidentiality, integrity, authenticity, availability, and reliability of information.

IPS Response Team: A team of District employees formed to address a given information privacy/security incident.

IPSO: Information Privacy and Security Officer

IPSP: Information Privacy and Security Program

Location IPSP Incident Response Coordinator: The Vice President-level location employee and/or their designee responsible for coordinating the location’s response (in conjunction with the District IPS Incident Response Coordinator) to a privacy/security event or incident.

Location Law Enforcement: Any of the seven District police departments licensed by the Texas Commission on Law Enforcement Officer Standards and Education (TCLEOSE).

Management review: The purpose of a management review is to evaluate the overall performance of an organization's information security management system and to identify improvement opportunities.

Owner: In the context of ISO 27001 and ISO 27002, an owner is a person or entity that has been given formal responsibility for the security of an asset or asset category. It does not mean that the asset belongs to the owner in a legal sense. Asset owners are formally responsible for making sure that assets are secure while they are being developed, produced, maintained, and used.

PCI: Payment Card Industry

PCI DSS: Payment Card Industry Data Security Standard

PDCA model: PDCA stands for Plan-Do-Check-Act. ISO IEC 27001 says that every ISMS process should be structured using the PDCA model. This means that every process should be planned (Plan); implemented, operated, and maintained (Do); monitored, audited, and reviewed (Check); and improved (Act).

Personally Identifiable Information: Information that alone or in conjunction with other information identifies an individual.

Policy: A policy statement defines a general commitment, direction, or intention. An information security policy statement expresses management’s commitment to the implementation, maintenance, and improvement of its information security management system.

Preventive actions: Preventive actions are steps that are taken to avoid potential nonconformities and make improvements. Preventive actions address potential nonconformities (problems), ones that haven't yet occurred. Preventive actions prevent the occurrence of problems by removing their causes. In general, the preventive action process can be thought of as a risk management process.

Procedure: Procedures control processes or activities. A well-defined procedure controls a logically distinct process or activity, including the associated inputs and outputs. Procedures can be very general or very detailed, or anywhere in between. While a general procedure could take the form of a simple flow diagram, a detailed procedure could be a one-page form or several pages of text. A detailed procedure defines the work that should be done, and explains how it should be done, who should do it, and under what circumstances. In addition, it explains what authority and what responsibility have been allocated, which supplies and materials should be used, and which documents and records must be used to carry out the work. While quality procedures may be documented or undocumented, ISO usually expects them to be documented.

Process: In general, a process uses resources to transform inputs into outputs. In every case, inputs are turned into outputs because some kind of work or activity is carried out. ISO IEC 27001 recommends that you structure your ISMS processes using the Plan-Do-Check-Act (PDCA) model. This means that every process should be planned (Plan); implemented, operated, and maintained (Do); monitored, audited, and reviewed (Check); and improved (Act).

Process approach: The process approach is a management strategy. When managers use a process approach, it means that they control their processes, the interaction between these processes, and the inputs and outputs that “glue” these processes together. It means that they manage by focusing on processes and on inputs and outputs. ISO IEC 27001 suggests that you use a process approach to control your ISMS processes.

Record: A record is a document that contains objective evidence which shows how well activities are being performed or what kind of results are actually being achieved. It always documents what has happened in the past. Records can take any form or use any type of medium.

Requirement: A requirement is a need, expectation, or obligation. It can be stated or implied by an organization, its customers, or other interested parties. There are many types of requirements. Some of these include security requirements, contractual requirements, management requirements, regulatory requirements, and legal requirements.

Residual risk: Residual risk is the risk left over after you’ve implemented a risk treatment decision. It’s the risk remaining after you’ve done one of the following: accepted the risk, avoided the risk, transferred the risk, or reduced the risk.

Risk: The concept of risk combines three ideas: it selects an event, and then combines that event's probability with its potential impact. It asks two questions: what is the probability that a particular event will occur in the future? And what negative impact would this event have if it actually occurred?

So, a high-risk event would have both a high probability of occurring and a big negative impact if it occurred. The concept of risk is always future-oriented: it is concerned with the impact events could have in the future.

Risk acceptance: Risk acceptance is part of the risk treatment decision-making process. Risk acceptance means that you’ve decided that you can live with a particular risk.

Risk analysis: Risk analysis uses information to identify possible sources of risk. It uses information to identify threats or events that could have a harmful impact. It then estimates the risk by asking: what is the probability that this event will actually occur in the future? And what impact would it have if it actually occurred?

Risk assessment: A risk assessment combines two techniques: a risk analysis and a risk evaluation.

Risk evaluation: A risk evaluation compares the estimated risk with a set of risk criteria. This is done in order to determine how significant the risk really is. The estimated risk is established by means of a risk analysis.

Risk management: Risk management is a process that includes four activities: risk assessment, risk acceptance, risk treatment, and risk communication. Risk management includes all of the activities that an organization carries out in order to manage and control risk.

Risk treatment: Risk treatment is a decision-making process. For each risk, risk treatment involves choosing amongst at least four options: accept the risk, avoid the risk, transfer the risk, or reduce the risk. In general, risks are treated by selecting and implementing measures designed to modify risk. [Source: taken from the Praxiom list]
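The following Python script is an added illustration (not DCCCD's own tooling) of how the glossary's risk terms chain together: risk analysis estimates a score from probability and impact, risk evaluation compares it with risk criteria, risk treatment picks one of the four options, and what is left is the residual risk. The 1-to-5 rating scale, the acceptability threshold, the way each treatment option changes the score, and the sample event are all constructed assumptions.

```python
from dataclasses import dataclass

# Risk criteria (constructed assumption): score = probability x impact,
# each rated 1..5; a score above ACCEPTABLE needs treatment.
ACCEPTABLE = 6


@dataclass(frozen=True)
class Risk:
    event: str
    probability: int  # 1 = rare .. 5 = almost certain
    impact: int       # 1 = negligible .. 5 = severe


def analyze(risk: Risk) -> int:
    """Risk analysis: estimate the risk by combining probability and impact."""
    return risk.probability * risk.impact


def evaluate(risk: Risk) -> str:
    """Risk evaluation: compare the estimated risk with the risk criteria."""
    return "acceptable" if analyze(risk) <= ACCEPTABLE else "treatment required"


def treat(risk: Risk, option: str, *, probability_delta: int = 0,
          impact_delta: int = 0) -> Risk:
    """Risk treatment: accept, avoid, transfer or reduce; returns the treated risk.

    Assumed model: 'reduce' lowers probability and/or impact by the given deltas
    (a safeguard), 'transfer' lowers only impact (e.g. insurance or a contract),
    'avoid' makes the event impossible, and 'accept' leaves the risk unchanged.
    """
    if option == "accept":
        return risk
    if option == "avoid":
        return Risk(risk.event, 0, risk.impact)
    if option == "transfer":
        return Risk(risk.event, risk.probability, max(1, risk.impact - impact_delta))
    if option == "reduce":
        return Risk(risk.event, max(1, risk.probability - probability_delta),
                    max(1, risk.impact - impact_delta))
    raise ValueError(f"unknown risk treatment option: {option}")


def residual_risk(risk: Risk, option: str, **deltas: int) -> int:
    """Residual risk: the risk left over after the treatment decision."""
    return analyze(treat(risk, option, **deltas))


# Constructed sample event: a laptop holding Category III (confidential) data is lost.
LAPTOP = Risk("laptop with confidential student records lost", probability=4, impact=5)
```

Running `evaluate(LAPTOP)` shows the sample event needs treatment; a single control that only lowers impact still leaves the residual score above the threshold, so a second control on probability (or a different option) is needed before the residual risk can be accepted.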

School Officials: Any employees, Trustees, or agents of the District, as well as attorneys, consultants, and independent contractors who are retained by the District. School officials have a "legitimate educational interest" in a student's record when they are working with the student; considering disciplinary or academic actions or the student's case; compiling statistical data; or investigating or evaluating programs.

Sensitive Information: Includes but is not limited to social security numbers, bank account numbers, credit card account numbers, date and/or location of birth, account balances, payment histories, credit ratings, income histories, driver's license information, and documents and application information restricted by law (e.g. FERPA, GLBA, and HIPAA) of students and/or employees.

Standard: A standard is a document. It is a set of rules that control how people develop and manage materials, products, services, technologies, tasks, processes, and systems.

ISO IEC standards are agreements. ISO IEC refers to them as agreements because its members must agree on content and give formal approval before they are published.

ISO IEC standards are developed by technical committees. Members of these committees come from many different countries. Therefore, ISO standards tend to have very broad support.

Statement of applicability: A Statement of Applicability is a document that lists your organization’s information security control objectives and controls. In order to figure out what your organization’s unique information security controls and control objectives should be, you need to carry out a risk assessment, select risk treatments, identify all relevant legal and regulatory requirements, study your contractual obligations, and review your organization’s own business needs and requirements. Once you’ve done all of this, you should be ready to prepare your organization’s unique Statement of Applicability.

Third party: In the context of a specific issue, a third party is any person or body that is recognized as independent of the people directly involved with the issue in question.

Threat: A threat is a potential event. When a threat turns into an actual event, it may cause an unwanted incident. It is unwanted because the incident may harm an organization or system.

USA PATRIOT Act: Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism

Vulnerability: A vulnerability is a weakness in an asset or group of assets. An asset’s weakness could allow it to be exploited and harmed by one or more threats.