Original Issuance Date: October 13, 2020

Last Revision Date: January 19, 2023

1. Policy Purpose

The purpose of this policy is to provide a list of general terms and definitions that are used in the 1000 series of the UW System Administrative policy set.

2. Responsible UW System Officer

Associate Vice President for Information Security

3. Scope

This policy is applicable to the 1000 series of UW System Administrative policies and procedures.

4. Background

The President of the University of Wisconsin System is empowered to establish information security policies under Regent Policy Document 25-5, Information Technology: Information Security. The UW System is committed to a secure information technology (IT) environment in support of its mission. This policy provides general definitions for all the Information Security policies promulgated by the University of Wisconsin System.

5. Definitions

Account Types: While each institution will have varying account types by title, all accounts fall into one or more of the 4 categories below. The type and usage of an account generally determine its authentication requirements. In order to distinguish between requirements based on account type, several different kinds of accounts are defined.

  • User Accounts: Accounts that are under the control of a specific individual and are not accessible to others. These are user-interactive accounts.
  • Shared Accounts: An account that can be accessed by multiple individuals to allow them to appear as a single business entity or accomplish a single shared function. These are user-interactive accounts.
  • Privileged Accounts: A qualifier used to describe User Accounts and Shared Accounts that have elevated access to configure or significantly change the behavior of a computing system, device, application or other aspect of systems. These accounts should be considered highly sensitive. These are user-interactive accounts.
  • Service Accounts: Accounts that are intended for automated processes such as running batch jobs or applications or establishing connections between web, application, and database servers, or external applications or services. To be considered a service account, the account must not be primarily used for general login to systems by users.

Advanced Threat Protection: A category of security solutions that defend against sophisticated malware or hacking-based attacks targeting sensitive data.

Authentication: The process of verifying that someone who holds an account on an IT system is who they purport to be.

Availability: Ensuring timely and reliable access to and use of information.

Compensating Control: A physical, technical or administrative control used by an organization instead of a recommended security control that provides equivalent or comparable protection for an information system.

Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.

Control: Any physical, administrative, management, technical, or legal method that is used to prevent, detect or correct risks. Controls are also known as safeguards or countermeasures. Examples include but are not limited to policies, procedures, programs, techniques, technologies, guidelines, and organizational structures.

Data: Information collected, stored, transferred or reported for any purpose, whether electronic or hard copy.

Data Backup: A copy of files and programs made to facilitate recovery of the data and service if necessary.

Data Breach: The intentional or unintentional release of secure or private/confidential information to an untrusted environment.

Data Classification:

UW System uses the following qualifiers to classify data:

  1. High Risk: The loss of confidentiality, integrity, or availability of data that could result in a significant or catastrophic impact to individuals, mission, assets, or operations of UW System.
  2. Moderate Risk: The loss of confidentiality, integrity or availability of data that could result in a serious impact to individuals, mission, assets or operations of the UW System.
  3. Low Risk: The loss of confidentiality, integrity, or availability of data that could result in a minimal impact to individuals, mission, assets or on the operations of the UW System.

Data Custodian: A term describing a UW System employee that has been given formal responsibility for the security of the asset or the data hosted on the asset. It does not mean that the asset belongs to the owner in a legal sense.

Data Privacy: Encompasses how and when information is collected, accessed, processed and disclosed, and whether the disclosure involves consent or notice.

Data Security: Encompasses the administrative, technical, and physical measures used to protect information. Data privacy cannot exist without data security.

Data Steward: An individual who has direct responsibility to ensure that a data domain is classified appropriately. The data steward collaborates with institutional Security, Privacy, Data Officers and Risk Executives, to ensure that appropriate controls are in place to protect data in a manner commensurate with its value to the university.

Data Subject: An identified or identifiable natural person to whom Personal Data applies.

Digital Credentials: A user’s identification and authentication information, typically a username and password.

Disaster Recovery (DR) Plan: A written plan with detailed procedures to restore IT systems after a significant disruption of services that will let the organization operate at an acceptable level.

Employee: Faculty, staff, or students who are employed by an institution, whether compensated or voluntary.

Endpoint: Desktop computers, servers, laptops, or tablet computers with access to the internet.

Equivalent Control: See Compensating Control.

External Network: A network not controlled by the organization.

High Impact System: A system that is identified as instrumental to continued business operations, including administrative and academic missions. This includes systems that if made unavailable or compromised, would cause a major disruption to daily operations or would be significantly expensive to restore, as well as systems with data that if compromised, would cause significant financial or reputational harm.

High Risk: See Data Classification.

Indicators of Compromise (IOC): Artifacts observed on a system or network that, with high confidence, indicate potential malicious activity.

Information Security Incident Response Team (ISIRT): A team consisting of personnel with the technical, administrative, and communication skills required to facilitate a prompt and thorough response to security incidents.

Inherent Risk: Level of risk before risk treatment controls are applied.

Institution: All research and comprehensive UW System universities and associated branch campuses, UW Shared Services, and UW System Administration.

Integrity: Guarding against improper information modification or destruction and includes ensuring information non-repudiation and authenticity.

IT Asset: Physical hardware or software used to process, store, or transmit data, including virtual instances and in cloud environments.

IT Asset Management (ITAM): The set of business practices that join financial, contractual and inventory functions to support life cycle management and strategic decision making for the IT environment. See IT Asset for additional information.

IT Asset Owner: People or team responsible for making technical or operational decisions about the asset, which includes patching, testing patches, or evaluating the risk of not remediating vulnerabilities.

IT Inventory: One or more authoritative sources for IT Asset information.

Low Risk: See Data Classification.

Malware: Software or firmware intended to perform an unauthorized process that will have an adverse impact on the confidentiality, integrity, or availability of any information system.

Managed Interface: An interface that provides boundary protection capabilities using automated mechanisms or devices.

Moderate Risk: See Data Classification.

Multi-Factor Authentication (MFA): A security system that requires more than one method of authentication from independent categories of credentials to verify the user’s identity for a login or other transaction.

National Institute for Standards and Technology (NIST): A measurements standards laboratory and non-regulatory agency working under the U.S. Department of Commerce.

Network Backbone Connection: An interconnection between two managed network devices with no attached clients. Used for high-speed and high-volume data transmission and controlled by a single administrative entity.

Network Security Zone: A group of logical or physical network segments with a defined level of network security for the connected systems, users, and data within an overall network architecture.

Non-public Information Technology Resources: Any information technology resources that are not intended to be accessed by the general public and require authentication of the user using digital credentials.

Passphrase: A secret consisting of a sequence of words or other text that a claimant uses to authenticate their identity. A passphrase is similar to a password in usage but is generally longer for added security.

Password: A secret that a claimant uses to authenticate his or her identity. Passwords are typically character strings.

Patch Management: The process to identify, deploy, install and verify successful patching.

Penetration Testing: The mimicking of real-world attacks, in an attempt to verify the security features or identify methods to circumvent the security features of an application, system, or network, often involving execution of attacks on production systems and data, utilizing tools and techniques employed by malicious actors.

Personal Data: The collective definition of PII and PHI.

Personal Identifiable Information (PII): Information which can be used to distinguish or trace the identity of an individual alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual.

Protected Health Information (PHI): Any information about health status, provision of health care, or payment for health care that is created or collected by a Covered Entity (or a Business Associate of a Covered Entity) and can be linked to a specific individual. This includes any part of a patient’s medical record or payment history.

Recovery Point Objective (RPO): The point in time to which the UW institution’s data must be recovered after an outage.

Recovery Time Objective (RTO): The maximum length of time an information system’s components can be in the recovery phase before negatively impacting the UW institution’s mission or business processes.

Remote Access: User-initiated access through an External Network to a system on a secure network. Does not apply to systems designed for public access, e.g., public web servers, public directory servers, or domain name servers.

Research Network: Networks that support research and do not provide administrative services, may require transmitting large amounts of data, and may have unconventional configurations that evolve rapidly. Considered a type of Network Security Zone.

Residual Risk: The threat that remains after all efforts to identify and eliminate risk have been made.

Risk: A function of the likelihood of a given threat-source exercising a specific vulnerability, and the resulting impact of that adverse event on the organization.

Risk Acceptance: A response in which the organization decides to take no action to address the risk and continues to operate with the risk in place.

Risk Appetite: The amount and type of risk that an organization is willing to accept in order to meet its strategic objectives.

Risk Assessment: The process of taking identified risks and analyzing their potential severity of impact and likelihood of occurrence.

Risk Executive: The person who is ultimately responsible for the management, monitoring and control of all identified risks, including the approval of any mitigating controls and/or risk acceptance. The Risk Executive should be an executive or director (e.g., Dean or their appointee, department chair, director of a research lab, etc.) within the academic/functional unit, or in the line of authority above that unit. The Risk Executive must have the authority to accept the risk of operating the system on behalf of the institution and should be in the unit which is responsible for risk acceptance.

Risk Management: The ongoing process of assessing risks and implementing plans to address them.

Risk Mitigation: Prioritizing, evaluating, and implementing the appropriate risk-reducing controls and countermeasures recommended from the risk management process.

Risk Treatment: The process of managing assessed or identified risks. Risk treatment options are risk avoidance (withdraw from), sharing (transfer), modification (reduce or mitigate) and retention (acceptance).

Safeguard: Protective measures prescribed to meet the security requirements specified for an information system. Safeguards may include security features, processes, management constraints, personnel security, and security of physical structure, areas, and devices.

Secret: Commonly referred to as a passphrase, password, or if numeric, a PIN. A secret value of sufficient complexity and secrecy intended to be impractical for an attacker to guess or otherwise discover the correct secret value.

Security Controls: Safeguards or countermeasures to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets.

Security Incident: Any irregular, adverse, or uncontrolled event that threatens the confidentiality, integrity, or availability of any UW System information asset, system, network or storage media, or any violation or imminent threat of violation of any UW System information security policies, acceptable use policies, or standard security practices. See also Data Breach.

Split Tunneling: A method that routes organization-specific traffic through the virtual private network tunnel but routes other traffic through the remote user’s default gateway.

Standards: A specific set of minimum characteristics or requirements, usually measurable, that must be met in order to comply.

System Boundary: Defines the components of the information systems under the authority of the institution.

Threat: Any circumstance or event with the potential to adversely impact the organizational operations, organizational assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.

Threat Intelligence: Threat information that has been aggregated, transformed, analyzed, interpreted, or enriched to provide the necessary context for decision-making processes.

Transit Peer Link: A connection to an external backbone service that is similar to a Network Backbone Connection in that it has no attached clients and is used for high-speed and high-volume data transmission.

Trusted Network Security Zone: A Network Security Zone with an institution-defined trust level based on the security services and standards for control and management commensurate with the risk and classification of the connected systems and data transmitted. Example controls include firewalls, access control lists, virtual private networks, intrusion detection systems, and network access control policy enforcement.

Untrusted Network Security Zone: Network Zones that are public with no minimum standards for control or management, e.g., the Internet is an Untrusted Network Security Zone.

Vulnerability: Weakness in an information system, system security procedure, internal control, or implementation that could be exploited or triggered by a threat source.

Vulnerability Assessment: Systematic examination of an information system or product to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation.

Vulnerability Management: The process to identify, analyze, and manage vulnerabilities.

Vulnerability Scanning: The technique used to identify vulnerabilities of IT systems.

Zero Trust Architecture: A network architecture that replaces perimeter security with controls to secure applications and data based on user and device authentication, contextual data (e.g., user location, endpoint status, and service requested), and continuous monitoring.

6. Policy Statement

7. Related Documents

Regent Policy Document 25-5, Information Security

UW System Information Security Program

UW System Information Security Incident Response Plan

8. Policy History

Revision 2: January 19, 2023

Revision 1: March 8, 2022

First approved: October 13, 2020

9. Scheduled Review

December 2023