University Standard
Title
University of North Carolina at Chapel Hill Standard on Information Security Defined Terms
Introduction
Purpose
The University of North Carolina at Chapel Hill ("UNC-Chapel Hill" or "University") Information Security Office (ISO) sets policy that defines the University’s Information Security Program (Program). The Program and its processes require action by specific groups and individuals, and some requirements apply to every person at the University. The policies that create the Program are intended to be clear and consistent. To promote consistency, this Standard sets out certain key defined terms that support understanding of all Program policies and are to be used as defined in all Program activities.
Scope
The defined terms in this Standard apply to all University Information Security policy documents that reference it.
Use of the terms in the context of Program activities is required of all individuals, groups, roles, and University units.
Standard
The defined terms below are defined for the purposes of the Information Security Program and apply to each policy document that references this Standard in its “Definitions” section. Definitions in this Standard do not supersede any terms defined directly in any policy document.
Exceptions
This Standard is informational for all other University Information Security and Information Technology policies where the given term is not defined in that document.
Definitions
- Accountable Person: The head of each unit within the University is accountable for meeting the requirements in this Standard for all University IT systems used by the unit.
- Associated Entity (AE): An Associated Entity is a foundation, association, corporation, limited liability company, partnership, or other nonprofit entity formally recognized and approved in writing pursuant to the University of North Carolina System Regulation on Required Elements of University-Associated Entity Relationship (G.S. 116-30.20 and related policies). The regulation requires each Associated Entity to maintain a written agreement with the University obligating the Associated Entity to comply with applicable University and UNC System policies and regulations, including the University’s Information Security policies and related standards, unless specific exceptions are expressly stated in the agreement or written exceptions are provided as allowed under a specific policy or standard.
- Critical IT Infrastructure: Anything that serves as a “common control” (a security control that is inherited by one or more organizational information systems), such as a Single Sign-On portal, or infrastructure that is largely or massively shared between multiple high-protection-obligation systems (such as a central virtualized system environment). Technology may be designated as “Critical IT Infrastructure” if a security compromise of the technology also compromises multiple, unrelated IT systems with a high protection obligation.
- Delegated Security Authority (DSA): The DSA is the person or people formally designated by the unit head (Dean or Vice Chancellor) who implements the Key Controls within the unit. Implementing the Key Controls within the unit aligns the unit's operational practices with the University's security program. The designation of the DSA is re-confirmed annually in the Chancellor's joint cabinet meeting.
- Documented: In writing, stored along with comparable documentation in a way that is accessible to the people who need it and available in case of staff turnover.
- Endpoint: The device, like a laptop or mobile phone, used by a single person at a time to access other systems. Endpoints are typically used for web browsing and email.
- Incident Handler: An individual authorized by the Chief Information Security Officer (CISO) or acting under the direction of the University Information Security Office (ISO) to perform information security incident response on behalf of UNC-Chapel Hill. Incident Handlers are responsible for managing potential and confirmed Information Security Incidents in accordance with University standards and procedures.
- Individual Account: An arrangement by which a person is given personalized access to University IT. Examples include email, file storage, cloud, phone voicemail, and similar accounts assigned to a single individual person.
- Information Security Incident: A Suspected Information Security Incident that has been confirmed through investigation by the University Information Security Office, involving unauthorized access to or disruption of the availability, confidentiality, or integrity of University data, systems, networks, services, or credentials. An Information Security Incident may trigger internal response processes and reporting obligations under applicable laws, contracts, regulations, or University policies.
- Information Security Program: Under the authority of the Chief Information Security Officer, the Information Security Program is defined by the Information Security Policy, Standards, and Procedures, overseen by the Information Security Office, and undertaken by all units of the University.
- Internet Accessible: Systems that are not protected by border firewalls, or by Intrusion Prevention and Intrusion Detection Systems configured in a way that will prevent exploitation of a specific vulnerability, are generally considered “Internet Accessible.” If an uncredentialed person can reach the service from non-University address space in a way that could exploit a Vulnerability, it is “Internet Accessible.”
- Intrusion Detection System (IDS): A security service that monitors and analyzes network or system events for the purpose of finding, and providing real-time or near real-time warning of, attempts to access system resources in an unauthorized manner.
- Intrusion Prevention System (IPS): Software that has all the capabilities of an intrusion detection system and can also try to stop possible incidents. An IPS watches network or computer activity to spot malicious activity, logs information about it, tries to stop the activity, and reports what it has found. The University implements various IPSs, including web application firewalls. Please contact your local IT admin or ISL if you have questions.
- Key Controls: Key Controls are the set of security processes which must be implemented in every unit, overseen by the DSA. These processes address risk management, security approvals, program changes, and communication. The Key Controls are defined as part of the University's information security program, directed by the University Chief Information Security Officer.
- Least Functionality: Setting up systems to do only what they need to do, by preventing the use of unnecessary or insecure functions, ports, protocols, and services. Turning off Trivial File Transfer Protocol (TFTP) or peer-to-peer file sharing protocols are examples of least functionality.
- Mission Critical: A system so critical to the mission of the UNC-Chapel Hill business unit that any incident requires immediate response. The department decides whether a system is Mission Critical; if it is, the department will have supplied contact and escalation information in advance of any incident or outage. Heightened information security requirements apply to a mission critical system. The goal is to keep the resource available for use. If a unit does not designate a resource as mission critical, restoring that resource is a lower priority during an incident or outage.
- Obligation to Protect: The University has an obligation to implement reasonable and appropriate administrative, technical, and physical safeguards to protect University networks and systems under its operational control, digital credentials issued by the University, and electronic data within its custody or control. Where third parties receive University data or operate IT systems on the University’s behalf, the University must ensure, through contracts or other legally enforceable mechanisms, that such third parties maintain safeguards consistent with applicable law, regulation, and University policy, and provide timely notification of any security incident involving University Data. The Information Security Program's scope is determined by this Obligation to Protect.
- Overlays: See the Minimum Security Standard "Overlays" section.
- Privileged Account: System or Application Administrator accounts. An account is “privileged” if its privileges allow any of the following: changes to the security configuration of the system or application; changes to the authentication or authorization methods used by the system or application; or access to “bulk” Tier 2 or Tier 3 data.
- Responsible Person: Also known as a “service owner,” the person responsible for the overall service throughout its lifecycle. The service owner handles the service within the University regardless of where the technology components or professional capabilities live. Service owners ensure that their application/system/service is available for use meeting documented service levels (service level agreements or SLAs). Service Owners are accountable to the University and to the people using the service.
- Security-relevant patches: Patches addressing identified security vulnerabilities (rather than functional issues).
- Self-service: Some systems with moderate or high protection obligations have roles in which people can access only their own information (like ConnectCarolina “Self-Service”). Some controls do not apply in the same way to people/devices/connections that are limited to self-service access only.
- Sensitive Information: Information classified as Tier 2 or Tier 3 in the UNC-Chapel Hill Information Classification Standard.
- Service Account: Also known as System or Device accounts, Service Accounts are often used by a group of administrators rather than one person. These accounts are used to run IT services for applications (like web services, database services, or an application account created to run a specific application) or as built-in accounts in an operating system or application (like “root,” “system,” or “admin”).
- Service Owner or Service Provider: A Service Owner is the University employee who is the Responsible Person for an overall service throughout its lifecycle. The service owner is responsible for the service at the University regardless of where the technology components or professional resources exist. Service owners ensure that their application/system/service is available for use meeting documented service levels (service level agreements or SLAs). Service Owners are accountable to the University and to the people using the service.
- Suspected Information Security Incident: The belief that unauthorized access may have occurred or may be imminent, or that an unauthorized attempt has been made to disrupt the availability of University data, systems, networks, services, or credentials. Only an Incident Handler authorized by the University Information Security Office may determine that an event is a Suspected Information Security Incident for purposes of this Standard and for the purposes of meeting all external contractual, legal, regulatory, or other compliance obligations. No internal classification or process will delay compliance with legally mandated breach notification requirements.
- University Data: Any data the University has responsibility to protect: any data or records created or received in the performance or transaction of University business, except where excluded under the Policy or Standard on University Data Governance. University Data includes, but is not limited to, machine-readable data, data in electronic communication systems, data in print, and backup and archived data on all media.
- University IT: Any device, application, or system that:
  - Connects to a University network, or
  - Is hosted on an Internet domain registered on behalf of the University, or
  - Is used for University purposes, or that
  - Stores, processes, or transmits data for which the University is responsible (“University Data”).
- University Network: Any wired or wireless network provided by or contracted for the University.
- University Unit: Sometimes called a “Major Operating Unit.” In this Standard, a University Unit is a division or school headed by a Vice Chancellor, Vice Provost, or Dean who reports directly to the Provost or Chancellor. (Every part of the University is part of a “University Unit” as defined here.)
- Web Application Firewall (WAF): An application firewall for HTTP applications. A WAF applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as Cross-site Scripting (XSS) and SQL Injection. To be effective, a WAF must be customized to protect its specific application.
Related Requirements
University Policies, Standards, and Procedures
Contact Information
Primary Contacts
ITS Policy Office
Email: its_policy@unc.edu
University Information Security Office
Phone: 919-962-HELP
Web: help.unc.edu
Publication Details
- Issuing Officer: Paul Rivers, CISO.
- Effective Date: When notified following September PRC.
- Next Review Date: 3 years following publication date.