Original Issuance Date: October 13, 2020
Last Revision Date: October 13, 2020
1. Policy Purpose
The purpose of this policy is to provide a list of general terms and definitions that are used in the 1000 series of the UW System Administrative policy set.
2. Responsible UW System Officer
Associate Vice President (AVP) for Information Security
3. Scope
This policy is applicable to the 1000 series of UW System Administrative policies and procedures.
4. Background
The President of the University of Wisconsin System is empowered to establish information security policies under Regent Policy Document 25-5, Information Technology: Information Security. The UW System is committed to a secure information technology (IT) environment in support of its mission. This policy provides general definitions for all the Information Security policies promulgated by the University of Wisconsin System.
5. Definitions
Account Types: While account titles vary by institution, every account falls into one or more of the four categories below. The type and usage of an account generally determine its authentication requirements, so the categories are defined here to allow requirements to be set by account type.
- User Accounts: Accounts under the control of a specific individual and not accessible to others. These are user-interactive accounts.
- Shared Accounts: An account that can be accessed by multiple individuals to allow them to appear as a single business entity or accomplish a single shared function. These are user-interactive accounts.
- Privileged Accounts: A qualifier used to describe User Accounts and Shared Accounts that have elevated access to configure or significantly change the behavior of a computing system, device, application or other aspect of systems. These accounts should be considered highly sensitive. These are user-interactive accounts.
- Service Accounts: Accounts that are intended for automated processes such as running batch jobs or applications or establishing connections between web, application, and database servers, or external applications or services. To be considered a service account, the account must not be primarily used for general login to systems by users.
Advanced Threat Protection: A category of security solutions that defend against sophisticated malware- or hacking-based attacks targeting sensitive data.
Authentication: The process of verifying that someone who holds an account on an IT system is who they purport to be.
Availability: Ensuring timely and reliable access to and use of information.
Compensating Control: A physical, technical or administrative control used by an organization instead of a recommended security control, that provides equivalent or comparable protection for an information system.
Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
Control: Any physical, administrative, management, technical, or legal method that is used to prevent, detect or correct risks. Controls are also known as safeguards or countermeasures. Examples include but are not limited to policies, procedures, programs, techniques, technologies, guidelines, and organizational structures.
Data: Information collected, stored, transferred or reported for any purpose, whether electronic or hard copy.
Data Breach: The intentional or unintentional release of secure or private/confidential information to an untrusted environment.
Data Classification: UW System uses the following qualifiers to classify data:
- High Risk: Data for which a loss of confidentiality, integrity, or availability could result in a significant or catastrophic impact to individuals or to the mission, assets, or operations of the UW System.
- Moderate Risk: Data for which a loss of confidentiality, integrity, or availability could result in a serious impact to individuals or to the mission, assets, or operations of the UW System.
- Low Risk: Data for which a loss of confidentiality, integrity, or availability could result in a minimal impact to individuals or to the mission, assets, or operations of the UW System.
Data Custodian: A UW System employee who has been given formal responsibility for the security of an asset or of the data hosted on that asset. Custodianship does not mean that the asset belongs to the custodian in a legal sense.
Data Privacy: Encompasses how and when information is collected, accessed, processed and disclosed, and whether the disclosure involves consent or notice.
Data Security: Encompasses the administrative, technical, and physical measures used to protect information. Data privacy cannot exist without data security.
Data Steward: An individual who has direct responsibility to ensure that a data domain is classified appropriately. The data steward collaborates with institutional Security, Privacy, Data Officers and Risk Executives, to ensure that appropriate controls are in place to protect data in a manner commensurate with its value to the university.
Data Subject: An identified or identifiable natural person to whom Personal Data relates.
Digital Credentials: A user’s identification and authentication information, typically a username and password.
Employee: Faculty, staff, or students who are employed by an institution, whether compensated or voluntary.
Equivalent Control: See Compensating Control.
High Risk: See Data Classification.
Indicators of Compromise (IOC): Artifacts observed on a system or network that indicate, with high confidence, that malicious activity has occurred or is occurring.
Information Security Incident Response Team (ISIRT): A team consisting of personnel with the technical, administrative, and communication skills required to facilitate a prompt and thorough response to security incidents.
Inherent Risk: Level of risk before risk treatment controls are applied.
Institution: All research and comprehensive UW System universities and associated branch campuses, UW Shared Services, and UW System Administration.
Integrity: Guarding against improper information modification or destruction; includes ensuring information non-repudiation and authenticity.
IT Asset: Equipment or software that is used to manage, process, or store UW System data in the course of accomplishing the UW System mission. This includes but is not limited to all UW owned or leased:
- Desktop, laptop and server computers and associated IT infrastructure;
- Mobile devices and portable computing equipment;
- Network devices such as firewalls, routers, switches, and wireless access points;
- Software; and
- Multi-function devices, printers and scanners.
IT Asset Management (ITAM): The set of business practices that join financial, contractual and inventory functions to support life cycle management and strategic decision making for the IT environment. See IT Asset for additional information.
Low Risk: See Data Classification.
Moderate Risk: See Data Classification.
Multi-Factor Authentication (MFA): An authentication approach that requires more than one method of authentication, drawn from independent categories of credentials (something the user knows, something the user has, or something the user is), to verify the user's identity for a login or other transaction.
National Institute of Standards and Technology (NIST): A measurement standards laboratory and non-regulatory agency of the U.S. Department of Commerce.
Non-public Information Technology Resources: Any information technology resource that is not intended to be accessed by the general public and that requires authentication of the user with digital credentials.
Passphrase: A secret consisting of a sequence of words or other text that a claimant uses to authenticate their identity. A passphrase is similar to a password in usage but is generally longer for added security.
Password: A secret that a claimant uses to authenticate his or her identity. Passwords are typically character strings.
Personal Data: The collective definition of PII and PHI.
Personally Identifiable Information (PII): Information that can be used to distinguish or trace the identity of an individual, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual.
Protected Health Information (PHI): Any information about health status, provision of health care, or payment for health care that is created or collected by a Covered Entity (or a Business Associate of a Covered Entity) and can be linked to a specific individual. This includes any part of a patient's medical record or payment history.
Residual Risk: The risk that remains after risk treatment controls have been applied. Compare Inherent Risk.
Risk: A function of the likelihood of a given threat-source exercising a specific vulnerability, and the resulting impact of that adverse event on the organization.
Risk Acceptance: A response in which the organization decides to take no action to address the risk and continues to operate with the risk in place.
Risk Appetite: The amount and type of risk that an organization is willing to accept in order to meet its strategic objectives.
Risk Assessment: The process of taking identified risks and analyzing their potential severity of impact and likelihood of occurrence.
Risk Executive: The person who is ultimately responsible for the management, monitoring, and control of all identified risks, including the approval of any mitigating controls and/or risk acceptance. The Risk Executive should be an executive or director (e.g., a Dean or their appointee, a department chair, or the director of a research lab) within the academic or functional unit, or in the line of authority above that unit. The Risk Executive must have the authority to accept the risk of operating the system on behalf of the institution and should be in the unit that is responsible for risk acceptance.
Risk Management: The ongoing process of assessing risks and implementing plans to address them.
Risk Mitigation: Prioritizing, evaluating, and implementing the appropriate risk-reducing controls and countermeasures recommended from the risk management process.
Risk Treatment: The process of managing assessed or identified risks. Risk treatment options are risk avoidance (withdraw from), sharing (transfer), modification (reduce or mitigate) and retention (acceptance).
Safeguard: Protective measures prescribed to meet the security requirements specified for an information system. Safeguards may include security features, processes, management constraints, personnel security, and security of physical structure, areas, and devices.
Secret: A value of sufficient complexity and secrecy that it is impractical for an attacker to guess or otherwise discover it. Commonly referred to as a passphrase, a password, or, if numeric, a PIN.
Security Controls: Safeguards or countermeasures to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets.
Security Incident: Any irregular, adverse, or uncontrolled event that threatens the confidentiality, integrity, or availability of any UW System information asset, system, network or storage media, or any violation or imminent threat of violation of any UW System information security policies, acceptable use policies, or standard security practices. See also Data Breach.
Standards: A specific set of minimum characteristics or requirements, usually measurable, that must be met in order to comply with a policy.
Threat: Any circumstance or event with the potential to adversely impact the organizational operations, organizational assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.
Threat Intelligence: Threat information that has been aggregated, transformed, analyzed, interpreted, or enriched to provide the necessary context for decision-making processes.
Vulnerability: Weakness in an information system, system security procedure, internal control, or implementation that could be exploited or triggered by a threat source.
Vulnerability Assessment: Systematic examination of an information system or product to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation.
6. Policy Statement
7. Related Documents
Regent Policy Document 25-5, Information Technology: Information Security
UW System Information Security Program
UW System Information Security Incident Response Plan
UW System Administrative Policy 1030, Information Security: Authentication
UW System Administrative Procedure 1030.A, Information Security: Authentication
UW System Administrative Policy 1031, Information Security: Data Classification and Protection
UW System Administrative Procedure 1031.A, Information Security: Data Classification
UW System Administrative Procedure 1031.B, Information Security: Data Protection
UW System Administrative Policy 1032, Information Security: Security Awareness
UW System Administrative Policy 1033, Information Security: Incident Response
UW System Administrative Policy 1035, Information Security: IT Asset Management
UW System Administrative Procedure 1035.A, Information Security: IT Asset Management Standard
UW System Administrative Policy 1039, Information Security: Risk Management
UW System Administrative Procedure 1039.A, Information Security: Risk Management Procedure
UW System Administrative Procedure 1039.B, Information Security: Notification of Risk Acceptance Standard
8. Policy History
First approved: October 13, 2020
9. Scheduled Review