Purpose:

This standard provides common definitions for terms used in the information security policies, standards, procedures and guidelines at the University of Florida.

Standard:

Computer Security Incident Response Team (CSIRT): A function of the Information Security Office responsible for receiving, reviewing and coordinating the response to computer security incident reports and activity involving University of Florida Data and/or Information Systems.

Data Breach: Unauthorized access, acquisition, use or disclosure of Restricted Data. Data breach notifications are subject to regulatory requirements following a privacy investigation and risk assessment.

Data Center: A dedicated facility in which multiple computer servers, network or telecommunications equipment are placed and operated. Data Centers have special purpose environmental, electrical, network and physical designs optimized for computing equipment.

High Severity Incidents: IT security incidents which involve a confirmed or suspected restricted data breach or have more than a minor impact on operations. High severity incidents require the activation of UFIT ISO-CSIRT’s Incident Response procedures. Metrics collected and reported by UFIT ISO-CSIRT.

Incident: An event, whether electronic, physical or social that adversely impacts the confidentiality, integrity or availability of University of Florida data or information systems; or a real or suspected action, inconsistent with University of Florida Privacy or Acceptable Use policies.

Information System: An individual or collection of computing and networking equipment and software used to perform a discrete business function. Examples include the eLearning System, ISIS, the EPIC electronic medical records system, a lab system and associated PC or the set of desktop computers used to perform general duties in a department.

Low Severity Incidents: IT security incidents which do not involve a suspected breach of restricted data and have a minor impact on operations. Low severity incidents do not involve the activation of UFIT ISO-CSIRT’s Incident Response procedures. Metrics collected and reported by UFIT ISO-Monitoring.

Mobile Computing Devices: Small devices intended primarily for the access to or processing of data, which can be easily carried by a single person and provide persistent storage. New products with these characteristics appear frequently. Current examples include, but are not limited to, the following types of products:

  • Laptop, notebook, netbook and similar portable personal computers
  • Smartphones and PDAs (Android, Blackberry, iPhone, and others)

Mobile Storage Devices: Media that can be easily carried by a single person and provide persistent storage.  New products with these characteristics appear frequently.  Current examples include, but are not limited to, the following types of products:

  • Magnetic storage devices (diskettes, tapes, USB hard drives).
  • Optical storage devices (CDs, DVDs, magneto-optical disks).
  • Memory storage devices (SD cards, thumb drives, etc).
  • Portable devices that make nonvolatile storage available for user files (cameras, MP3 and other music players, audio recorders, smart watches, cell phones).

Remote Access: Methods allowing authorized users to interact with university information systems and networks via methods or networks not controlled by the university (e.g. The Internet). Examples of remote access include Virtual Private Networks (VPN), remote desktop and terminal sessions.

Restricted Data: Data in any format collected, developed, maintained or managed by or on behalf of the University, or within the scope of University activities, that are subject to specific protections under federal or state law or regulations or under applicable contracts. Examples include, but are not limited to medical records, social security numbers, credit card numbers, Florida driver licenses, non-directory student records, research protocols and export controlled technical data.

Recovery Point Objective: the point in time to which systems and data must be recovered after a disaster has occurred.  Can also be referred to as ‘maximum data loss’.

Recovery Time Objective: the maximum acceptable length of time that can elapse before the lack of a business function severely impacts the organization. This is the maximum agreed time for the resumption of the critical business functions.

Server Room: A facility in which computer servers, network or telecommunications equipment are placed and operated. Server Rooms typically rely upon general purpose environmental, electrical, and physical controls; server rooms may not be dedicated solely to computing equipment.

Telecommunication Facilities: Smaller facilities in which network or other communications cabling is run, organized and/or terminated. Telecommunications facilities may also house electronic equipment that interfaces with network or communications cabling. Telecommunications facilities include ‘network closets’, ‘telecommunications rooms’,  and ‘fiber huts’.

Unit: A part of the University of Florida that has administrative and financial duties to comply with the university’s information security policies.

University of Florida: The University of Florida, its component units, direct support organizations, and any of its affiliated entities as listed in the University’s annual financial statement.

University of Florida IT Constituency: Any person or entity using, maintaining, storing or processing University of Florida Data on behalf of the University of Florida.

University of Florida Data: Data in any format collected, developed, maintained or managed by or on behalf of the University, or within the scope of University activities. The terms ‘data’ and ‘information’ are used interchangeably in the context of the information security program.

University of Florida Information: see University of Florida Data.

University of Florida IT Support Team: Any member of the University of Florida Constituency that provides information technology support activities for a sub-set of University of Florida users.