The following words and terms, when used in this chapter, shall have the following meanings, unless the context clearly indicates otherwise. (1) Access--To approach, interact with, or otherwise make use of information resources. (2) Business Continuity Planning--The process of identifying critical data systems and business functions, analyzing the risks and probabilities of service disruptions and developing procedures to restore those systems and functions. (3) Confidential Information--Information that is excepted from disclosure requirements under the provisions of applicable state or federal law, e.g. the Texas Public Information Act. (4) Control--Any action, device, policy, procedure, technique, or other measure that improves security. (5) Custodian of an Information Resource--A person responsible for implementing owner-defined controls and access to an information resource. (6) Department--The Department of Information Resources. (7) Information Resources--Is defined in §2054.003(7), Texas Government Code and/or other applicable state or federal legislation. (8) Information Security Program--The elements, structure, objectives, and resources that establish an information resources security function within an institution of higher education, or state agency. (9) Mission Critical Information--Information that is confidential or is defined by the institution of higher education, or state agency to be essential to the institution of higher education, or state agency function(s). (10) Owner of an Information Resource--A person responsible: (A) For a business function; and (B) For determining controls and access to information resources supporting that business function. (11) Platform--The foundation technology of a computer system. The hardware and systems software that together provide support for an application program. (Ref: Practices for Protecting Information Resources Assets.) (12) Restricted Personal Information--Includes an individual's social security number, or data protected under state or federal law (e.g., financial, medical or student data). (13) Sanitized--Overwriting data using software tools and procedures to comply with the U.S. Department of Defense 5220.22-M standard for disk-sanitization. For specific types storage media see Department of Defense 5220.22-M §8-500. Software and Data, Table 1 Clearing and Sanitization Data Storage. (14) Security Incident--An event which results in unauthorized access, loss, disclosure, modification, disruption, or destruction of information resources whether accidental or deliberate. (15) Security Risk Analysis--The process of identifying and documenting vulnerabilities and applicable threats to information resources. (16) Security Risk Assessment--The process of evaluating the results of the risk analysis by projecting losses, assigning levels of risk, and recommending appropriate measures to protect information resources. (17) Security Risk Management--Decisions to accept exposures or to reduce vulnerabilities. (18) Storage Device--Any fixed or removable device that contains data and maintains the data after power is removed from the device. (19) Test--A simulated or documented "real-live" incident for which records are kept of the incident. (20) User of an Information Resource--An individual or automated application authorized to access an information resource in accordance with the owner-defined controls and access rules. (21) Vulnerability Assessment--A measurement of vulnerability which includes the susceptibility of a particular system to a specific attack and the opportunities available to a threat agent to mount that attack. (22) Vulnerability Report--A computer related report containing information described in §2054.077(b), Government Code, as that section may be amended from time to time. (23) Wireless Access--Using one or more of the following technologies to access the information resources systems of a state agency or institution of higher education: (A) Wireless Local Area Networks--Based on the IEEE 802.11 family of standards. (B) Wireless Personal Area Networks--Based on the Bluetooth and/or InfraRed (IR) technologies. (C) Wireless Handheld Devices--Includes text-messaging devices, Personal Digital Assistant (PDAs), and smart phones. (24) Wireless Security Guidelines--The National Institute of Standards and Technology Special Publication 800-48, Wireless Network Security 802.11, Bluetooth and Handheld Devices. |
