A

AES
  • Advanced Encryption Standard.
AVST
  • Audio-visual surveillance technology.
Abuse
  • Excessive/improper use of a resource, or intentional destruction, diversion, manipulation, misapplication, or misuse of resources.

Accessibility (EIR)
  • Providing electronic information and services through multiple ways so that communication is not contingent on a single sense or ability.

Accessible (EIR)
  • Describes an electronic information resource that can be used in a variety of ways and does not depend on a single sense or ability.

Account
  • Information resource users are typically assigned log-on credentials which include, at a minimum, a unique username and password.
Active AVST Installation
  • Cameras or similar technology that are viewing/recording activities within the area of surveillance.
Administrator
  • Responsible for configuring, managing, overseeing and maintaining a computing environment or system. Responsibilities vary depending on an organization's requirements. This person should possess strong technical knowledge and skills.
Anonymous proxies
  • Tools that attempt to make activity on the internet untraceable.
Approved Wireless Clients
  • Any wireless device that properly supports Networking and Information Security (NIS) installed 802.11 enterprise authentication and encryption or NIS-provided, web-based authentication.
Attack Scripts
  • Malicious code often written in common languages such as Java or ActiveX to exploit weaknesses in programs. Usually intended to cross network platforms.
Audiovisual Surveillance
  • Cameras or similar technology used to enhance security, safety, and quality of life for the TAMU campus community.
Authentication
  • Verification of the identity of an account owner by validating the correctness of submitted credentials. This is the process of establishing confidence in the identity of users or information systems. There are many ways to authenticate a user, including password, smartcard, fingerprint, iris scan, or voice recognition.

B

Backhaul
  • Transmitting data beyond its normal destination point and back again to utilize network equipment not available at the destination location. Typically used to mask the location of the point of origin.
Breach of Security
  • Unauthorized access to information resources or information resources technologies and/or release of password or other confidential information related to computer security.
Business Function
  • Process or operation performed routinely to carry out a part of the mission of an organization.
Business Impact Analysis
  • Business impact analysis is the activity in business continuity management that identifies vital business functions and dependencies. These dependencies may include suppliers, people, other business processes, IT services, etc. Business impact analysis defines the recovery requirements for IT services. These requirements include recovery time objectives, recovery point objectives and minimum service level targets for each IT service. (ITIL Service Strategy)

C

CISO
  • Chief Information Security Officer.

Chain of Custody
  • A document or paper trail showing the seizure, custody, control, transfer, analysis and disposition of physical and electronic evidence.

Change
  • Any implementation of new functionality, interruption of service, repair of existing functionality, or removal of existing functionality.
Classified National Security Information
  • Records, files, reports and other data or material relating to contracts between the system (and by extension the university) and the U.S. Government which are required by the contract, pursuant to Executive Order 12356 April 2, 1982, updated by Executive Order 13526, to be protected against unauthorized disclosure in the interest of national security.

Cloud Computing
  • Cloud computing has the meaning assigned by Special Publication 800-145 issued by the United States Department of Commerce National Institute of Standards and Technology: a model for enabling access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort. Cloud computing service models include Infrastructure as a Service, Platform as a Service, and Software as a Service.

Collaborative Computing Device
  • Collaborative computing devices include, but are not limited to, networked white boards, cameras, and microphones. Collaborative computing devices often have the capability to transmit audio, video, or images from their installed location across a network.

Collection
  • Collection is the act of gathering ESI for further use in the E-Discovery process (processing, review, etc.).

Common Vulnerability Scoring System
  • The Common Vulnerability Scoring System (CVSS) is a standard metric to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity. The numerical score can then be translated into a qualitative representation (such as low, medium, high, and critical) to help organizations properly assess and prioritize their vulnerability management processes.

Compromised System
  • Any system where unauthorized access has been achieved.
Confidential Data
  • The third of four university data classification levels. Confidential Data is restricted because of legal, ethical, or contractual constraints, and should not be accessed without specific authorization. Improper release of data in this category would have a significant adverse impact to the university. Data in this category is often specifically protected by federal or state law, and may be subject to state or federal breach notification requirements. Data in this category is generally not subject to release under open records laws. See security control DC-5.

Contingency Plan
  • Management policy and procedures used to guide an enterprise response to a perceived loss of mission capability. The Contingency Plan is the first plan used by the enterprise risk managers to determine what happened, why, and what to do. It may point to the continuity of operations plan (COOP) or disaster recovery plan (DRP) for major disruptions.

Continuity of Operations
  • The ability of an organization to provide service and support for its customers and maintain its viability before, during, and after a business continuity event.

Cost Benefit Analysis
  • Cost benefit analysis (CBA), sometimes called benefit cost analysis (BCA), is a systematic approach to estimating the strengths and weaknesses of alternatives (for example in transactions, activities, or functional business requirements). It is used to determine the options that provide the best approach to achieving benefits while preserving savings. The CBA is also defined as a systematic process for calculating and comparing the benefits and costs of a decision, policy (with particular regard to government policy) or (in general) project. Broadly, CBA has two main purposes:

    1. to determine if an investment/decision is sound (justification/feasibility) by verifying whether its benefits outweigh the costs, and by how much;
    2. to provide a basis for comparing projects, which involves comparing the total expected cost of each option against its total expected benefits.
Critical Infrastructure Functions
  • University-wide functions that must continue uninterrupted or can be resumed within a few hours. Examples of critical infrastructure include:

    • Emergency response services;
    • Utilities, including electricity, water, and reasonable climate control;
    • Communications with internal and external audiences to include students, faculty, staff, and media;
    • Internet, authentication, and voice communications;
    • Hazardous materials spill response and control to include safe handling and proper disposal of toxic substances, biologically hazardous materials, and radioactive materials.

D

D-RAC
  • Division Risk Assessment Coordinator. A liaison between his/her college or division and Technology Services Risk Management and Policy (IT-RMP) concerning the annual IT risk assessment process. Responsible for coordinating/managing the IT risk assessment process (outlined in the Information Security Risk Assessment Procedures) for the college or division. This includes:

    • Ensuring there is an accurate inventory list of all information resources for the college or division
    • Coordinating with and assisting staff and faculty within the college or division to accurately perform an information security risk assessment for their information resources
    • Consulting with IT-RMP to add the information and complete the on-line assessment process using the provided IT risk assessment tool
    • Monitoring the progress of all assessments for the college or division from beginning to completion to ensure due dates are met

    The number of D-RACs per college or division is determined by IT-RMP, in consultation with the college or division, based on the IT environment.

Data Custodian
  • Typically information technology professionals who manage the information systems that store and process university data. Data Custodians develop and implement technology infrastructure to support the functional needs of a data domain, and implement technical security controls to ensure the confidentiality, integrity, and availability of their data under their care.

Data Manager
  • An individual responsible for the quality and integrity of a defined dataset on a day-to-day basis. Data Managers evaluate and authorize requests for access to the data, and are responsible to protect the data from misuse or mismanagement. Data Managers are assigned these responsibilities by a Data Steward over a particular data domain, and may act as a delegate of the Data Steward for routine purposes.

Data Steward
  • An individual with a role title related to representing information—usually for a specific information type, business sector, or business function—for university-wide information governance purposes. Data Stewards are institutional officers and have management and policy-making authority over their specific data subject areas, including the business definitions of data, and the access and use of that data across the university.

Data User
  • Any individual (student, employee, or affiliate of the university) who interacts with university data.

Data at Rest
  • Data recorded on storage media, such as hard drives, disks, desktop computers, laptop computers, USB flash drives, file servers, databases, etc.
Data in Transit
  • Data electronically transferred between two hosts, including data traversing the internet.
Department of Information Resources
  • State agency that develops information resource policies and rules for state agencies and institutions of higher education. Responsible for operating and maintaining SPECTRIM.

Descriptive Data
  • Information created by a computer system or other information resource that is electronically captured and relates to the operation of the system and/or movement of files, regardless of format, across or between a computer system or systems. Examples of captured information are dates, times, file size and locations sent to and from.

Developer
  • A developer is an individual who builds and creates software and applications. He or she writes, debugs and executes the source code of a software application. A developer is also known as a software developer, computer programmer, programmer, software coder or software engineer. There may be different types of developers, for example:

    • A software developer is someone who creates software programs.
    • A web developer is a person who builds and maintains websites.
    • A content developer, also called a content producer, is someone who creates publishable content.
Digital Certificate
  • A certificate, as defined in Texas Administrative Code, Chapter 203, Subchapter A, §203.1, issued by a business unit for purposes of electronic commerce.

Digital Signature
  • An electronic identifier intended to have the same force and effect as the use of a manual signature (Texas Government Code 2054.60). Digital signatures verify the trustworthiness of information (e.g. sender and content integrity).

E

E-Discovery Questionnaire/Hold questionnaire
  • A questionnaire to be filled out by the named person. The hold questionnaire will list examples of the common types of places where relevant ESI might be stored, and will ask the named person to identify where the named person has relevant ESI stored in those types of places.

ESI Preservation Coordinator
  • The individual responsible for facilitating university IT Preservation Hold activities and acts as a liaison to the Office of General Counsel on behalf of the Institution.

Electronic Signature
  • An electronic sound, symbol, or process attached to or logically associated with a record and executed or adopted by a person with the intent to sign the record (Texas Business and Commerce Code 322.002).

Electronically Stored Information
  • Electronically Stored Information, or ESI, is a broad term applicable to all information stored electronically; however, email communications and files are the most common types of ESI.

Encryption
  • The process by which plain text information is converted to a form not readable by humans (i.e., ciphertext) through the use of a mathematical process (encryption algorithm) and a parameter (encryption key).

End User Device
  • As defined by NIST Special Publication 800-111, an End User Device is a personal computer (desktop or laptop), consumer device (e.g., personal digital assistant, smart phone), or removable storage media (e.g., USB flash drive, memory card, external hard drive, writable CD or DVD) that can store information.

Essential Functions
  • Defined in the Institutional Continuity Plan (Annex J) as functions that must be either uninterrupted or resumed within a few hours of an incident.

    Essential Functions support:

    • Emergency Response Services,
    • Utilities to include electricity, water, and reasonable climate control,
    • Communications with internal and external audiences to include students, faculty, staff and the media,
    • Internet, authentication, and voice communications,
    • Hazardous materials spill response and control, to include safe handling and proper disposal of toxic substances, biologically hazardous materials, and radioactive materials.
Essential IT Service
  • An IT service with a Recovery Time Objective of less than 12 hours that is required to support the critical infrastructure functions of the university.

F

FIPS
  • Federal Information Processing Standards.

Family Educational Rights to Privacy Act of 1974
  • Refer to the University Catalog (http://catalog.tamu.edu//), pages 1039-1040 for definitions regarding FERPA.

File Owner
  • Holder (assignee) of the computer account that controls a file. Not necessarily the owner in the sense of property.
Firewall
  • A software or hardware device or system that filters communications between networks that have different security domains based on a defined set of rules. A firewall may be configured to deny, permit, encrypt, decrypt, or serve as an intermediary (proxy) for network traffic.
Fraud
  • Any intentional act or omission designed to deceive others and which results in the victim suffering a loss and/or the perpetrator achieving a gain (i.e., a willful or deliberate act or failure to act with the intention of obtaining an unauthorized benefit, such as money or property, by deception or other unethical means). For purposes of this rule, fraud and fraudulent activities include, but are not limited to, such things as theft of any system asset including money, tangible property, time, trade secrets and intellectual property; embezzlement; bribery/rebate/kickback; misappropriation, misapplication, destruction, removal or concealment of university property; forgery, alteration or falsification of documents; and/or conflicts of interest.

G

Google Vault
  • The section of Google Apps Suite where Gmail and Google Drive data can be placed on hold.

Guest Wireless Access Accounts
  • Access for individuals who do not have an affiliation with Texas A&M University or an eduroam federated institution.

H

Harmful Access
  • Creating a computer malfunction or interruption of operation; alteration, damage, or destruction of data; or injection of malicious software.
High Impact Information Resources
  • Information Resources whose loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. Such an event could:

        (A) cause a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions;

        (B) result in major damage to organizational assets;

        (C) result in major financial loss; or

        (D) result in severe or catastrophic harm to individuals involving loss of life or serious life threatening injuries.

Hold
  • A common term used by OGC and email platforms alike to refer to the act of preserving ESI.

Host-Based Firewall
  • Software that functions on a single host (i.e., a single computer, including laptop computers) that can permit or deny incoming or outgoing traffic to or from only that host (as opposed to a network-based firewall which protects one or more networks of hosts).
Hosted Service
  • Outsourced information technology (IT) systems and functions. A hosted service provider owns and oversees infrastructure, software and administrative tasks and makes the system available to clients. The three main elements of hosted services are software as a service (SaaS), platform as a service (PaaS) and infrastructure as a service (IaaS). In combination, the three elements encompass software and network capacity as well as the equipment used to support operations, including storage, hardware, servers and networking components.

I

IETF
  • Internet Engineering Task Force.
IT Disaster Recovery Plan
  • Department/unit-level plan that is focused on the overall recovery of Electronic Information Resources supported by the department/unit.

IT Professional
  • A staff or faculty member whose primary duties are to manage information systems or directly support, in the technical sense, personnel who manage information resources (e.g. Database Administrator, Systems Analyst, Web Developer, etc.).
IT Service
  • Made up of a combination of information technology, people, and processes. A customer-facing IT service directly supports the business processes of one or more customers. Other IT services, called supporting services, are not directly used by the business, but are required by the service provider to deliver customer-facing services.

IT-RMP
  • Office of Information Technology Risk Management of Networking and Information Services.
Identification
  • Identification is the act of locating potential sources of ESI and determining its scope, breadth and depth.

In-Place Hold
  • A feature of Microsoft Exchange, introduced in Microsoft Exchange 2013, that places mailboxes on hold within the platform. In-Place Holds are the preferred method of placing user mailboxes on hold.

Information Resource Custodian
  • A person responsible for implementing owner-defined controls and access to an information resource. Custodians may include university employees, vendors, and any third party acting as an agent of – or otherwise on behalf of – the university and/or the owner.

Information Resource Owner
  • A person responsible for a business function and for determining controls and access to information resources supporting that business function.
Information Resource User
  • An individual or automated service authorized to access an information resource in accordance with the owner-defined controls and access rules.

Information Resources
  • The procedures, computer equipment, computing facilities, software and data which are purchased, designed, built, operated and maintained to collect, record, process, store, retrieve, display, report and transmit information.

Information Resources Crisis (formerly incident)
  • A situation declared as a crisis by designated Technology Services personnel.

Information System
  • A discrete set of information resources organized for the management and processing of information supporting a defined business, academic, or research function.
Information System Contingency Plan
  • Establishes procedures to recover a Mission Critical Electronic Information Resource or Essential IT Service or a grouping of interdependent IT Services following a disruption.

Information Technology
  • Any equipment or interconnected system or subsystem of equipment used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information. The term includes computers (including desktop and laptop computers), ancillary equipment, desktop software, client-server software, mainframe software, web application software and other types of software, firmware and similar procedures, services (including support services), and related resources (TAC 213.1 (9)).

Infrastructure as a Service
  • A model of Cloud Computing that allows a consumer of the service to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components (e.g., host firewalls) (NIST 800-145 September 2011).

Inherent Risk
  • The risk that an activity/event would pose if no controls or other mitigating factors were in place (the gross risk or risk before implementation of controls).

Internet Service Provider
  • A company that provides access to the internet.

K

Key Public Entry Point (KPEP)
  • Web page that a state agency or institution of higher education has specifically designed for members of the general public to access official information (e.g., the governing or authoritative documents) from the agency or institution of higher education. A list of these pages can be found at http://itaccessibility.tamu.edu/requirements/kpep.php.

L

Litigation Hold
  • A feature introduced in Microsoft Exchange 2010 that places mailboxes on hold within the platform. This type of hold is gradually being phased out on TAMU Exchange.

Logon ID
  • A user name that is required as the first step for logging in to a secure system. Generally, a logon ID must be associated with a password to be of any use.
Low Impact Information Resources
  • Information Resources whose loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. Such an event could:

        (A) cause a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced; 

        (B) result in minor damage to organizational assets; 

        (C) result in minor financial loss; or 

        (D) result in minor harm to individuals.

M

Malicious code
  • Software designed to operate in a manner inconsistent with intentions of the user and which typically results in annoyance or damage to the user's information systems. Examples include attack scripts, rootkits, spyware, trojan horses, viruses and worms.
Managed Device
  • An end user device that is configured to allow Texas A&M Technology Services to discover, maintain, and control the device.

Matter
  • Refers to any issue handled by OGC that requires the preservation and potential production of ESI. A matter might be a lawsuit that has been filed, or the reasonable anticipation of litigation.

Media
  • Materials that hold data in any form or allow data to pass through, including paper, transparencies, multipart forms, hard/floppy/optical disks, magnetic tape, wire, cable and fiber.

Metadata
  • Data about data. Index-type data used to identify, describe, locate, or preserve (other) data over time.
Mission Critical Information Resource
  • Information resources defined by the owner (or by the university in the case of Essential IT Services) to be crucial to the continued performance of the mission of the department/unit. Unavailability of such information resources would result in more than an inconvenience. An event causing the unavailability of mission-critical information resources would result in consequences such as: significant financial loss, institutional embarrassment, failure to comply with regulations or legal obligations, or closure of the department/unit.

Mobile Device
  • As defined by NIST Special Publication 800-124, a mobile device is a portable computing device that: (i) has a small form factor such that it can easily be carried by a single individual; (ii) is designed to operate without a physical connection (e.g., wirelessly transmit or receive information); (iii) possesses local, non-removable or removable data storage; and (iv) includes a self-contained power source. Mobile devices may also include voice communication capabilities, on-board sensors that allow the devices to capture information, and/or built-in features for synchronizing local data with remote locations.

Moderate Impact Information Resources
  • Information Resources whose loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. Such an event could:

        (A) cause a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced;

        (B) result in significant damage to organizational assets;

        (C) result in significant financial loss; or

        (D) result in significant harm to individuals that does not involve loss of life or serious life threatening injuries.

N

NIST
  • National Institute of Standards and Technology (NIST). The Texas A&M Information Security Controls, adopted from state requirements, align with NIST Special Publication 800-53 Revision 4 (NIST SP 800-53 Rev. 4).

Named Person/Custodian
  • Refers to any person who has been asked to preserve ESI as part of a preservation hold.

Network Attached Wireless Device
  • Any device connecting to a Texas A&M Ethernet port with wireless capabilities that extend across the Texas A&M network.
Network Perimeter
  • The border between one network and another. Typically a boundary (interface) between the private and locally-managed-and-owned side of a network and the public side of a network.
Network Scanning
  • Probing a network to identify active hosts, open ports, and running services. The resulting data is used as input to network vulnerability assessments.
Network Vulnerability Assessments
  • Assessing network scanning data to determine the presence of security vulnerabilities in the information system.
Non-IT Professional
  • A staff or faculty member whose primary duties do not include directly supporting an information resource (e.g. research scientist, lecturer, professor, etc.).

O

OGC
  • OGC refers to The Texas A&M University System Office of General Counsel.

Off-site storage
  • Storage in a separate facility that is not co-located with the operational system.

P

Peer-to-Peer File Sharing Software
  • Computer software, other than computer and network operating systems, with a primary function of allowing the computer on which the software is used to designate files available for transmission to another computer using the software, to transmit files directly to another computer using the software, and to request transmission of files from another computer using the software.

Personally Identifiable Information
  • Information that alone — or in conjunction with other information — identifies an individual, including an individual's name, social security number, date of birth, or government-issued identification number; mother's maiden name; unique biometric data, including the individual's fingerprint, voice print, and retina or iris image; unique electronic identification number, address, or routing code; and telecommunication access device as defined by Section 32.51, Texas Penal Code.

Platform
  • Collective term for the computer hardware and software components of a particular system. A platform includes a hardware architecture and a software framework (including application frameworks), where the combination allows software, particularly application software, to run. Typical platforms include a computer architecture, operating system, programming languages and related user interface (run-time system libraries or graphical user interface). Examples of common platforms include servers, desktops/workstations, laptops, tablets, and smartphones. Special-purpose platforms include routers, remote access servers and database servers.
Platform as a Service
  • A model of Cloud Computing that allows a consumer of the service to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider. The consumer does not manage or control underlying cloud infrastructure, including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment (NIST 800-145, September 2011).

Portable Computing Device
  • An easily portable device capable of capturing, processing, storing, and transmitting data to and from Texas A&M University information resources. This includes, but is not limited to: laptops, Personal Digital Assistants (PDAs), and smartphones.
Portable Storage Device
  • An easily portable device that stores electronic data. This includes, but is not limited to: flash/thumb drives, iPods, tablets, CD-Rs/CD-RWs, DVDs, and removable disk drives.
Preservation
  • Preservation is the act of ensuring ESI is protected against inappropriate alteration or destruction.

Preservation Hold
  • A notice from OGC to one or more persons (the “named persons”) and the institution for which they work to preserve documents and ESI pursuant to a matter. The shorter term “hold” may be used in this context; however, that term is not specific enough on its own.

Preservation Letter
  • The document OGC sends to a person placing that person under a preservation hold. The preservation letter describes the documents and ESI to be preserved.

Preservation Personnel
  • Employees of an Institution with roles and duties important to the preservation effort. Preservation personnel typically include employees involved with employee hiring/transfer/termination, such as the Human Resources Director and the Provost. It also typically includes IT people responsible for the automatic purging of accounts and deletion of data, such as email administrators, account administrators, desktop technicians, and the help desk.

Privileged Account
  • Account assigned to a user that by virtue of function, and/or seniority, has been allocated powers within the computer system, which are significantly greater than those available to the majority of users (e.g., system administrators).
Protected Health Information
  • Any patient information, including very basic information such as name or address, that (1) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and (2) either identifies the individual or could reasonably be used to identify the individual.

Public Data
  • The lowest university data classification level. Public Data is openly available to the public. This may include low-sensitivity data which is openly distributed and presents no risk to the university, such as official university communications and public announcements. Most data hosted on publicly-accessible websites falls into this classification level. Few restrictions are placed on this type of data. See security control DC-3.

Public Location or Public Network
  • Electronic location (such as a network) wherein anyone, namely the general public, has access and through it can connect, without specific credentials, to other networks or the internet or gain access to electronic information.

R

Recovery Point Objective
  • Acceptable amount of data loss measured in time. Unless otherwise requested by the information resource owner, daily incremental and weekly full backups are only taken off site once a week. (ITIL Service Design) (ITIL Service Operation)
Recovery Time Objective
  • The maximum time allowed for the recovery of an IT service following an interruption. The service level to be provided may be less than normal service level targets. Recovery time objectives for each IT service should be negotiated, agreed and documented. See also business impact analysis. (ITIL Service Design) (ITIL Service Operation)
Remote Access
  • The act of using a computing device to access another computer/network from outside of its established security realm (e.g., authentication mechanism, firewall, or encryption).
Removable Computer Media
  • Removable computer media includes digital media such as, but not limited to, diskettes, magnetic tapes, external/removable hard drives, flash/thumb drives, and optical disks. This also applies to portable and mobile computing and communications devices with information storage capability (e.g., notebook computers, tablets, smartphones).

Research Collaborators
  • A grouping of researchers for the purpose of achieving a common goal.
Research Partner
  • Individuals, commercial enterprises, or other entities that are not recognized as university departments and who have agreements with the university Vice-President for Research.
Residual Risk
  • The risk that remains after implemented controls are taken into account (the net risk, or risk after controls have been implemented). Residual risk is the threat that remains after all efforts to identify and eliminate risk (e.g., implementing controls) have been made.
Risk Appetite
  • The level of tolerance an organization has for risk. Aspects include how much risk an organization is willing to tolerate, and how much an organization is willing to invest or spend to manage/mitigate the risk.
Risk Management Decision
  • Coordinated activities to direct and control an organization with regard to risk. NOTE: Risk management typically includes risk assessment, risk treatment, risk acceptance, and risk communication.
Risk Tolerance
  • The level of risk, types of risk, and degree of risk uncertainty that are acceptable to the organization.
  • Pieces of malicious code that install themselves in the core operating system of a computer and are very hard to detect since they appear to be normal system files.

S

SPECTRIM
  • SPECTRIM (Statewide Portal for Enterprise Cybersecurity Threat, Risk and Incident Management) is the statewide portal for enterprise cybersecurity threat, risk, and incident management. It is provided by the Texas Department of Information Resources (DIR).

Salt
  • A salt is a random value of a fixed length that is concatenated (i.e., appended) to the password before the digest (hash) operation. The salt must be different for each stored entry, and it must be stored as clear text next to the hashed password.

Security Incident Reporting
  • Electronic system for reporting (after-the-fact, after-action) incidents in compliance with Texas Department of Information Resources (DIR) regulations.

Security Operations Team
  • Security Operations (SecOps) is a team of experienced security professionals and technicians with the authority and expertise to resolve a system incident. Security Operations reports into the Office of the CISO as part of Texas A&M Technology Services, and has the responsibility to investigate, analyze available data, and resolve security incidents.

Security Patch
  • A change to a program that eliminates a vulnerability exploited by malicious hackers.
Self-Contained, Closed Products
  • Products that generally have embedded software and are commonly designed in such a fashion that a user cannot easily attach or install assistive technology. These products include, but are not limited to, information kiosks and information transaction machines, copiers, printers, calculators, fax machines, and other similar products.
  • Computer or program that supplies data or resources to other machines on a network.
Significant Information Security Incident
  • An information security incident is considered significant if it meets one or more of the following criteria: involves actual or suspected unauthorized disclosure of confidential information; involves consequential legal issues; may cause severe disruption to unit mission-critical services or university wide Essential IT services; involves active threats; is widespread; is likely to raise public interest.

  • A computer program that provides the instructions enabling the computer hardware to work. System software, such as Windows or macOS, operates the machine itself, and application software, such as spreadsheet or word processing programs, provides specific functionality.

Software as a Service
  • A model of cloud computing that allows a consumer of the service to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web-based email), or a program interface. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings (NIST 800-145, September 2011).

  • Security incident that results in the transfer of data onto an information resource with a lower level of data classification (see DC-1), or onto an information resource that is not authorized to store or process that information.

  • Software installed without the user's knowledge or permission to capture and reveal information to someone outside the computer system. It can do such things as capture keystrokes while typing passwords, read and track email, record sites visited, and pass along credit card numbers. It can be installed by Trojan horses or viruses, installed as part of freeware or shareware programs that are downloaded and executed, or installed by advertising agencies to assist in sending targeted advertising to a computing device.

T

TRAIL/EDP
  • The Texas Records and Information Locator and Electronic Depository Program (TRAIL/EDP) is an automated system used to collect, index, and preserve electronic state publications. To ensure that publications are appropriately harvested and indexed, a publishing entity must include metadata in its online publications.
Technology Services Project Management Office
  • Established to manage and mitigate risk through development and support of project management knowledge, processes and tools for the university. The Technology Services Project Management Office (PMO) has been assigned by the Vice President for Information Technology and Chief Information Officer to be responsible for publishing guidelines on and assisting with monitoring the effectiveness of information resource project and portfolio management practices at the university.

Texas A&M University IT Disaster Recovery Plan
  • Limited to Essential IT Services supporting essential functions as defined by the Institutional Continuity Plan (Annex J) of the Texas A&M University Emergency Operation Plan. Organizations that support Essential IT Services shall maintain their own procedures and actively participate in the training, exercise, and maintenance needed to support this plan.

Texas A&M University IT Disaster Recovery Program
  • Builds on Institutional Continuity Plan (Annex J) of the Texas A&M University Emergency Operation Plan by providing guidance and templates to relate a business function's Recovery Time Objective (RTO) and Recovery Point Objective (RPO) to the IT services that support department/unit business functions.

Texas A&M University Website
  • A website connected to the internet that is owned, operated (by or for), or funded by Texas A&M University (TAMU), including the home page and any key public entry points.

Third Party
  • Individual or entity who is not a university employee, i.e., a vendor or other individual acting in a capacity other than that of a university employee.
Third-Party Vendor
  • An individual or organization separate from the two principals involved. A third party is typically a company that provides an auxiliary product or service not provided by the primary supplier to the end user (the two principals).

Trojan Horses
  • These hide malicious code inside a host program that appears to do something useful.

U

Unauthorized Access
  • Access into any computer, network, storage medium, system, program, file, user area, or other private repository, without the express permission of the owner.
Unauthorized Access Point
  • Any wireless bridge, switch or router connected to the Texas A&M network that is not installed, supported or approved by NIS.
  • A Texas A&M University (Texas A&M) organization, or affiliate, that is managed by an employee with hiring and firing authority. Examples are a division, a department, a research center, and others.
University Campus Homepage
  • The main page for Texas A&M University, College Station; Texas A&M University, Galveston; or Texas A&M University at Qatar.
University Data
  • Data or information that is stored, processed, or transmitted on any information resource where university business occurs, including data in the possession or under the control of an individual by virtue of that person’s employment or affiliation with the university. This includes, but is not limited to, all university information resources, resources owned or managed by state agencies, or resources owned or managed by third parties (e.g., business associates, cloud service providers, vendors, or contractors).

University Electronic Directory
  • Also known as Enterprise Directory, this is used to manage NetID accounts and email account aliases for personnel with an active, close affiliation to the university; former students; guests and parents; and organizations and roles.
University Network User
  • Anyone owning and/or responsible for the operation of a computer attached to the Texas A&M University network.
University-Internal Data
  • The second of four university data classification levels (formerly Controlled). University-Internal Data may be accessed by eligible employees in the course of university business. This information is not generally created for or made available for public consumption, but it may be subject to public disclosure through the Texas Public Information Act or similar laws. Such data must be appropriately protected to ensure lawful release. See security control DC-4.

  • Web design criteria which support user performance, ease of navigation and understandability.

User Data
  • User-generated electronic forms of information that may be found in the content of a message, document, file, or other form of electronically-stored or transmitted information.

V

  • Individual or entity who has a contract with the university to provide goods or services for compensation. This term excludes contract employees.

  • Code that attaches to host programs and propagates when an infected program is executed.

W

W3C
  • World Wide Web Consortium; an international community that develops open standards to ensure the long-term growth of the Web.

  • Intentional or unintentional, thoughtless or careless expenditure, consumption, mismanagement, use or squandering of resources to the detriment of the organization. Waste also includes incurring unnecessary costs as a result of inefficient or ineffective practices, systems or controls.
Wireless Access
  • Type of wireless computer network that uses high-frequency radio waves rather than wires to communicate between nodes. A wireless computer network spans a relatively small area using one or more of the following technologies to access the information resources systems: Wireless Local Area Networks (based on the IEEE 802.11 family of standards); Wireless Personal Area Networks (based on the Bluetooth and/or Infrared (IR) technologies); and/or Wireless Handheld Devices which include text-messaging devices, personal digital assistants (PDAs) and smartphones.
  • Malicious code particular to networked computers, written to carry out pre-programmed attacks that migrate across the network.