The following words and terms, when used in this chapter, shall have the following meanings, unless the context clearly indicates otherwise. (1) Access--The physical or logical capability to interact with, or otherwise make use of information resources. (2) Business Continuity Planning--The process of identifying mission critical data systems and business functions, analyzing the risks and probabilities of service disruptions and developing procedures to restore those systems and functions. (3) Confidential Information--Information that must be protected from unauthorized disclosure or public release based on state or federal law (e.g. the Texas Public Information Act, and other constitutional, statutory, judicial, and legal agreement requirements). (4) Control--A safeguard or protective action, device, policy, procedure, technique, or other measure prescribed to meet security requirements (i.e., confidentiality, integrity, and availability) that may be specified for a set of information resources. Safeguards may include security features, management constraints, personnel security, and security of physical structures, areas, and devices. (5) Custodian of an Information Resource--A person responsible for implementing the information owner-defined controls and access to an information resource. Custodians may include state employees, vendors, and any third party acting as an agent of, or otherwise on behalf of the state entity. (6) Department--The Department of Information Resources. (7) DMZ--A network area created between the public Internet and internal private network(s). This neutral zone is usually delineated by some combination of routers, firewalls, and other hosts. A DMZ usually includes devices that are accessible to Internet traffic. (8) Electronic Communication--A process used to convey a message or exchange information via electronic media. It includes the use of electronic mail (email), Internet access, Instant Messaging (IM), Short Message Service (SMS), facsimile transmission, and other paperless means of communication. (9) Encryption (encrypt, encipher, or encode)--The conversion of plaintext information into a code or cipher text using a variable, called a "key" and processing those items through a fixed algorithm to create the encrypted text that conceals the data's original meaning. (10) Firewall--A software or hardware device or system that filters communications between networks that have different security domains based on a defined set of rules. A firewall may be configured to deny, permit, encrypt, decrypt, or serve as an intermediary (proxy) for network traffic. (11) Information Owner--A person with statutory or operational authority for specified information (e.g., supporting a specific business function) and responsibility for establishing the controls for its generation, collection, processing, access, dissemination, and disposal. The Information Owner may also be responsible for other information resources including personnel, equipment, and information technology that support the Information Owner's business function. (12) Information Resources--Is defined in §2054.003(7), Government Code and/or other applicable state or federal legislation. (13) Information Security Program--The elements, structure, objectives, and resources that establish an information resources security function within an institution of higher education, or state agency. (14) Intrusion Detection System (IDS)--Hardware or a software application that can be installed on network devices or host operating systems to monitor network traffic and host log entries for signs of known and likely methods of intruder activity and attacks. Suspicious activities trigger administrator alarms and other configurable responses. (15) Intrusion Prevention System (IPS)--Hardware or a software application that can be installed on a network or host operating system to monitor network and/or system activities for malicious or unwanted behavior and can automatically block or prevent those activities. (Firewalls, routers, IDS devices, and anti-virus gateways all may have IPS capabilities). IPS can make access control decisions based on application content. (16) Mission Critical Information--Information that is defined by the institution of higher education, or state agency to be essential to the institution of higher education, or state agency function(s). (17) Platform--The foundation technology of a computer system. The hardware and systems software that together provide support for an application program. (Ref: Practices for Protecting Information Resources Assets.) (18) Risk Assessment--The process of identifying, evaluating, and documenting the level of impact that may result from the operation of an information system on an organization's mission, functions, image, reputation, assets, or individuals. Risk assessment incorporates threat and vulnerability analyses and considers mitigations provided by planned or in-place security controls. (19) Risk Management--Decisions to accept risk exposures or to reduce vulnerabilities and to align information resources risk exposure with the organization's risk tolerance. (20) Router--A device or, in some cases, software in a computer, that determines the next network point to which a packet should be forwarded toward its destination. The router is connected to at least two networks and decides which way to send each information packet based on its current understanding of the state of the networks to which it is connected. A router is located at any intersection where one network meets another. (21) Sanitize--A Process to remove information from media such that data recovery is not possible. It includes removing all confidential labels, markings, and activity logs as specified in applicable National Institute of Standards and Technology Special Publication (NIST SP) 800-88 or U.S. Department of Defense 5220.22-M guidelines and standards for media sanitization. (22) Security Incident--An event which results in accidental or deliberate unauthorized access, loss, disclosure, modification, disruption, or destruction of information resources. (23) Sensitive Personal Information--A category of personal identity information as defined by §521.002(a)(2), Business and Commerce Code. (24) Storage Device--Any fixed or removable device, that contains data and maintains the data after power is removed from the device such as a DVD/CD-ROM, external or internal hard drive, Universal Serial Bus (USB) flash drive, memory card, or media player. (25) Test--A simulated or, otherwise documented event for which results and records are kept. (26) Threat--Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service. (27) User of an Information Resource--An individual or automated application authorized to access an information resource in accordance with the information owner-defined controls and access rules. (28) Vulnerability Assessment--A documented evaluation containing information described in §2054.077(b), Government Code which includes the susceptibility of a particular system to a specific attack. (29) Wireless Access--Using one or more of the following technologies to access the information resources systems of a state agency or institution of higher education: (A) Wireless Local Area Networks--Based on the IEEE 802.11 family of standards. (B) Wireless Personal Area Networks--Based on the Bluetooth and/or InfraRed (IR) technologies. (C) Wireless Handheld Devices--Includes text-messaging devices, Personal Digital Assistant (PDAs), and smart phones. NIST SP 800-48 provides an overview of Wireless Network Security 802.11 technologies and provides guidelines to reduce the risks associated Bluetooth and Handheld Devices. |
