ISO Glossary and Iconography
Glossary of Terms
A
Administrator Access is defined as a level of access above that of a standard end-user. This definition is intentionally vague to allow the flexibility to accommodate varying systems and authentication mechanisms. Under most circumstances this level of access is relegated to privileged accounts. The following are examples of administrator access:
- In a traditional Microsoft Windows environment, members of the Power Users, Local Administrators, Domain Administrators and Enterprise Administrators groups would all be considered to have Administrator Access.
- In a traditional UNIX or Linux environment, users with root level access or the ability to sudo would be considered to have Administrator Access.
- In an application environment, users with elevated privileges, ‘super-user’, system or database administrator roles and responsibilities would be considered to have Administrator Access.
- Network and other infrastructure systems administrators are also considered to have Administrator Access.
B
C
A cipher or “cypher” is a method or algorithm used to encrypt or encode information to maintain its confidentiality.
Controls are technical, administrative, or physical safeguards. Controls are the nexus used to manage risks by preventing, detecting, or lessening the ability of a particular threat to negatively impact business processes. Controls directly map to standards, since control testing is designed to measure specific aspects of how standards are implemented.
Control Objectives are targets or desired conditions to be met. These are statements describing what is to be achieved as a result of the organization implementing a control, which is what a Standard is intended to address. Where applicable, Control Objectives are directly linked to an industry-recognized secure practice to align cybersecurity and privacy with accepted practices. The intent is to establish sufficient evidence of due diligence and due care to withstand scrutiny.
D
The Dark Web is a hidden part of the Internet that is not accessible from traditional web browsers such as Google Chrome, Safari, Internet Explorer, Firefox, etc. The Dark Web is estimated to be close to 90% of the overall Internet. Many illicit activities are known to take place on this part of the Internet, including drug trafficking, illegal weapons trade, prostitution, terrorism, etc.
Data Custodian is university personnel or a designated third-party agent responsible for the operation and management of information systems which collect, manage, process, or provide access to University Data. See the University Information Asset Classification & Management Policy for the roles and responsibilities of Data Custodians.
Data Flow Diagram is a diagram that maps out the flow of information for any process or system. It uses defined symbols like rectangles, circles and arrows, plus short text labels, to show data inputs, outputs, storage points and the routes between each destination.
Digital Certificate ("certificate") is a file connected to a cryptographic key pair used to confirm identity, secure communications between parties, and ensure the integrity of transmissions. The use of certificates is one method of encrypting sensitive (Export Controlled, High risk [red], Moderate risk [amber], etc.) data while in transit or at rest.
Digital certificates can include, but are not limited to the following:
- SSL Certificates
- Single-Domain Certificate: An SSL Certificate is a single-domain webserver certificate needed to enable SSL operation on a server. These certificates will secure a single fully qualified domain name (FQDN). For example, “example.uoregon.edu” would be secured by a single-domain certificate. This certificate would not be valid for any FQDN other than example.uoregon.edu.
- Multi-Domain Certificates (SAN Certificate): A SAN (Subject Alternative Name) certificate has a field that specifies alternate FQDNs that can use the certificate. These certificates will secure up to 100 different FQDNs on a single certificate.
- Wildcard Certificates: A “wildcard” SSL certificate is a certificate that matches any FQDN within a sub-domain. For example, “example.uoregon.edu” is a sub-domain of “uoregon.edu.” A certificate that contains “*.example.uoregon.edu” is an example of a wildcard certificate. This certificate can be used on any server whose hostname is in the “example.uoregon.edu” domain, e.g., “www.example.uoregon.edu,” “mail.example.uoregon.edu,” or “ftp.example.uoregon.edu.” Note that only one level of sub-domain is matched, so “*.example.uoregon.edu” does not match “www.email.example.uoregon.edu.”
- Code Signing Certificates
- A code signing certificate is used by a developer to sign a program at the time it is compiled, so that the integrity of the signed program can later be verified. This is equivalent to shrink wrap, or a hologram seal used in the real world to assure that a product is genuine.
- Client Certificates
- Client Certificates or Digital IDs are used to identify one person to another, a person to a device or gateway or one device to another device. Typically, these are used for:
- Digital Signatures
- Email Encryption
- Self-Signed Certificates
- Self-signed certificates are public key certificates that their users issue on their own behalf, as opposed to a certificate authority (CA) issuing them.
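The single-domain, SAN and wildcard matching rules described above, as an added example that is not part of the glossary or of any UO ISO tool: a wildcard such as "*.example.uoregon.edu" stands in for exactly one label, so it matches "www.example.uoregon.edu" but neither "www.email.example.uoregon.edu" nor the bare "example.uoregon.edu". The extra guard against over-broad wildcards like "*.edu" is an assumption added here, not a rule the glossary states.

```python
"""Match a hostname against the DNS names on a certificate (CN and SANs).

Added example illustrating the glossary's certificate types; it is not code
from the glossary or from the University of Oregon ISO.
"""


def _name_matches(cert_name: str, hostname: str) -> bool:
    """Return True if one certificate DNS name covers hostname.

    Comparison is case-insensitive and a trailing dot (absolute FQDN) is ignored.
    """
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")

    if "*" not in cert_name:
        # Single-domain entry (or one SAN): only the exact FQDN is covered.
        return cert_name == hostname

    cert_labels = cert_name.split(".")
    host_labels = hostname.split(".")

    # Only a leftmost label consisting of exactly "*" is a valid wildcard.
    if cert_labels[0] != "*" or "*" in cert_name[1:]:
        return False
    # Assumed extra guard: reject over-broad wildcards such as "*.edu".
    if len(cert_labels) < 3:
        return False
    # The "*" stands in for exactly one label, so label counts must agree;
    # this is why "*.example.uoregon.edu" does not match
    # "www.email.example.uoregon.edu" or the bare "example.uoregon.edu".
    if len(cert_labels) != len(host_labels):
        return False
    # Every label to the right of the "*" must match exactly.
    return cert_labels[1:] == host_labels[1:]


def cert_matches_hostname(cert_names: list[str], hostname: str) -> bool:
    """Return True if any name on the certificate covers hostname.

    cert_names holds the Common Name plus all Subject Alternative Names, so a
    SAN certificate is checked one entry at a time.
    """
    return any(_name_matches(name, hostname) for name in cert_names)
```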
E
An encryption key is a parameter or piece of information used by a cipher to control the encryption and decryption processes. A key serves as the essential input to a cipher algorithm, determining the specific transformation applied to the plaintext during encryption and the reverse transformation during decryption.
End of life is a designation by the vendor that a product can no longer be supported and should be replaced. This generally occurs when the operating system is no longer supported and the hardware cannot support a new operating system.
Endpoint/Endpoint device is an electronic computing device that connects to a network and communicates back and forth with that network. Endpoints include desktop computers, laptop computers, tablets, mobile devices, or any similar network enabled device.
F
G
Guidelines are recommendations which can be customized and used in the creation of procedures or to help explain policies and standards.
H
I
Internet facing refers to systems, services, or devices that are directly accessible or exposed to the public Internet.
IP Address is an identifier, based on the Internet Protocol (IP) standard (RFC-791), for computer systems and devices connected to the campus network.
J
K
L
Local Access refers to all connections to a University resource performed directly through the system console or console serial connection.
M
MAC Address or Media Access Control address, sometimes referred to as a hardware or physical address, is a unique, 12-character alphanumeric attribute that is used to identify individual electronic devices on a network.
N
Network-based Access refers to all connections to a University resource performed via a network (e.g., University wired or wireless network, remote networks).
O
P
Personally Identifiable Information (PII) is defined as any data element or combination of data elements that would be sufficient to fraudulently assume the identity of an individual, consistent with the Oregon Consumer Identity Theft Protection Act (OCITPA). Examples of this type of data include a person’s name in combination with one or more of the following:
- Social Security number (SSN)
- Note: UOIDs or 95#s are treated as Moderate
- W2s, W4s, I9s
- Driver’s license number or state identification card number
- Identification number issued by a foreign nation
- Passport number
- Bank Account number, Credit or Debit Card number, in combination with any required security code, access code or password that would permit access to a consumer’s financial account
- Biometrics
- Date of Birth
- Personal Data of covered “data subjects” defined under the EU General Data Protection Regulation (GDPR) including:
- Name
- Government-issued IDs
- Photo
- IP address or web cookies
- Health information
- Genetics, race or ethnic origin
- Biometrics
- Sex life or sexual orientation
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Criminal convictions.
Principle of Least Privilege (POLA) is the principle that each subject in a system should be granted only the most restrictive set of privileges needed to perform its authorized tasks. Applying this principle limits the damage that can result from accident, error or unauthorized use.
The principle of separation of duties involves dividing roles and responsibilities among multiple individuals to ensure no single person has complete control over a process. For instance, someone responsible for creating accounts and assigning permissions should not have the ability to modify the logs that monitor these activities.
A Privileged Account is a user account that has more privileges than a standard end-user account. Privileged accounts might, for example, be able to install or remove software, upgrade the operating system, or modify network, system, application, or database configurations. They might also have access to files that are not normally accessible to a standard end-user account.
Policy defines the security objectives and the security framework of the UO.
Procedure is a detailed step-by-step how-to document that specifies the exact actions necessary to implement important security mechanisms.
Q
R
Registered device or system means that either a vulnerability scanning agent has been installed on the system or the system has been configured with appropriate credentials to facilitate authenticated vulnerability scanning.
Registered and configured for ISO ongoing vulnerability scans means that the ISO can conduct vulnerability scans against the device as is necessary for compliance, security, or policy reasons.
Resource Administrator – this may variously refer to a service administrator, system administrator, database administrator, network administrator, or device/endpoint administrator, depending on the resource in context. I.e., a resource administrator is the person who is responsible for, configures, or administers a system, device, application, or service.
S
A server is a specialized computer or software system designed to provide services, data, or resources to other computers over a network.
Service Account – a local or domain computer account not generally associated with human use that is used by an automated process, executable service or application to interact with the operating system or access databases, run batch jobs or scripts, or provide access to other applications, such as application programming interface (API) calls. A Service Account can also be a Privileged Account if it has higher privileges than a general user or has full access within an application.
Service Provider – a unit or person who provides Resource Administrator functions for a collection of information systems resources.
Standard is a mandatory action that gives formal policies support and direction.
Standard End-User Access is defined as access limited to the specific areas a user needs to perform their job duties. These users do not normally perform Administrator Access duties and are not labeled as privileged user accounts.
Supported system or application means that the entity providing the system or application, be it a vendor, open source, or an individual, is actively and routinely providing and deploying patches and security updates for the system or application.
System, Application, and Service can be loosely defined as any electronic environment that stores, processes or transmits information for the purpose of maintaining the operational functions of the University.
T
Top-level Administrator or their designee is the head of the college, department, or unit (e.g., Vice Provost/Vice President/Dean/Department Head).
TOR Network (https://www.torproject.org/about/overview.html.en) is the most common mechanism used to access "Dark Web" resources; it provides anonymity to users.
Two-factor Authentication (a.k.a., Two-Step Login, 2FA) is defined as a second layer of security to protect an account or system. Users must go through two layers of security before being granted access to an account or system. The University of Oregon provides a Two-Step Login service that uses DUO Security to manage second-factor authentication.
U
University computing and information resources are a collection of systems, applications and services that are in the custody of the University.
An unsupported system or application means the developer or vendor is no longer issuing timely software patches or security updates.
V
Vulnerability Scanning is an automated, high-level test that looks for and reports potential known vulnerabilities.