7.1.0 Definitions of Terms Used in Information Resources
A. Purpose
The Chief Compliance Officer, in consultation with the Chief Information Security Officer and the Vice President of IT and Chief Information Officer, shall maintain current definitions that are used within Series 7: Information Resources.
B. Persons Affected
This Policy applies to all individuals associated with or on the premises of the University, including without limitation Employees, faculty, students, patients, visitors, volunteers, contractors, or vendors.
C. Definitions
- Authorized User: Users who have been granted administrative rights on University workstations.
- Chief Information Security Officer (CISO): Responsible to the executive management for administering the information security function within the University. The CISO is the University's internal and external point of contact for all information security matters.
- Confidential Information: Information that must be protected from unauthorized disclosure or public release based on state or federal law (e.g., the Texas Public Information Act and other constitutional, statutory, judicial, and legal agreements). The unauthorized destruction, disclosure or modification of Confidential Information would be expected to have a severe or catastrophic adverse effect on organization operations, organizational assets, or on individuals. Examples of Confidential Information may include but are not limited to:
  - Protected Health Information under HIPAA;
  - protected student information under FERPA; and
  - credit card numbers associated with an individual's name (see HOP 7.5.2: Confidential Information).
- Chief Information Officer (CIO): Responsible to executive management for administering Information Resources functions within the University. The CIO is the University's internal and external point of contact for all Information Resources matters.
- Custodian: An individual, department, institution, or third-party service provider responsible for supporting and implementing Owner-defined controls to IR. Custodians include Information Security Administrators, IT, vendors, and any third party acting as an agent of or otherwise on behalf of the University.
- Data Owner (Owner): The manager or agent responsible for the business function that is supported by Information Resources, or the individual upon whom responsibility rests for carrying out the program that uses IR (see HOP 7.5.8: Data Owner).
- Electronic media: Any device that is used to store or record electronic information including but not limited to hard drives, PCMCIA (compact flash memory) drives, USB drives, magnetic tapes, compact disks, DVDs, videotapes, audiotapes, and removable storage devices such as floppy disks and zip disks.
- Email: Abbreviation for electronic mail, which consists of messages sent over any electronic media by a communications application.
- Information Owner: The individual specified in the Business Continuity Plan as the owner of and responsible for specified information.
- Information Resources (IR): Any and all computer printouts, online display devices, magnetic storage media, and all computer-related activities involving any device capable of receiving email, browsing websites, or otherwise capable of receiving, storing, managing, or transmitting electronic data including but not limited to mainframes, servers, personal computers, notebook computers, hand-held computers, personal digital assistants (PDAs), pagers, distributed processing systems, network-attached and computer-controlled medical and laboratory equipment (i.e., embedded technology), telecommunication resources, network environments, telephones, fax machines, printers and service bureaus. Additionally, it is the procedures, equipment, facilities, software, and data that are designed, built, operated, and maintained to create, collect, record, process, store, retrieve, display, and transmit information.
- Information Resource Manager (IRM): Responsible to the state of Texas for management of the University's IR. The designation of an IRM is intended to establish clear accountability for setting policy for IR management activities, provide for greater coordination of the University's information activities, and ensure greater visibility of such activities within and between state agencies. The IRM has been given the authority and the accountability by the state of Texas to implement security policies, procedures, practice standards, and guidelines to protect IR. If an agency does not designate an IRM, the title defaults to the agency's Executive Director, and the Executive Director is responsible for adhering to the duties and requirements of an IRM.
- Information Security: The University department responsible for information security matters.
- Information Security Program (ISP): The policies, procedures, elements, structure, strategies, plans, metrics, reports and resources that establish an Information Resources security function within the University.
- Information System (System): A discrete set of Information Resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. (Defined in NIST SP 800-53, Recommended Security Controls for Federal Information Systems, Appendix B.)
- Information Technology: The University department responsible for computers, networking and data management.
- Network: Computers and associated devices connected to the University’s central communications line.
- Network Infrastructure: Consists of cabling and associated equipment such as routers and switches.
- Protected Health Information (PHI) (or individually identifiable health information under HIPAA): Information held or transmitted by a covered entity or its business associate in any form or media, whether electronic, paper, or oral, that relates to:
  - the individual's past, present or future physical or mental health or condition;
  - the provision of health care to the individual; or
  - the past, present, or future payment for the provision of healthcare to the individual that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.
  Examples: Includes many common identifiers such as demographic data, name, address, birth date, and social security number.
  Exclusions: The HIPAA Privacy Rule excludes from Protected Health Information employment records that a covered entity maintains in its capacity as an employer and education and certain other records subject to, or defined in, the Family Educational Rights and Privacy Act.
- Security Incident: In information operations, an assessed event of attempted entry, unauthorized entry, or an information attack on an automated information system, including the following:
  - unauthorized probing and browsing;
  - disruption or denial of service;
  - altered or destroyed input, processing, storage, or output of information; and
  - changes to information system hardware, firmware, or software characteristics with or without the Users' knowledge, instruction, or intent.
- Server: A computer program that provides services to other computer programs in the same, or another, computer. A computer running a server program is frequently referred to as a server, although it may also be running other client (and server) programs.
- University Data (Data): All data or information held on behalf of the University, created as a result of and/or in support of University business, or residing in Information Resources, including paper records.
- User: Any individual, automated application, or process that has been authorized by the Data Owner of the information to read, enter, or update that information.
- Virus: A program that attaches itself to an executable file or vulnerable application and delivers a payload that ranges from annoying to extremely destructive.
  - File virus: Executes when an infected file is accessed.
  - Macro virus: Infects the executable code embedded in Microsoft Office programs that allows Users to generate macros.
- Virtual Private Network (VPN): An encrypted, authenticated, trusted connection from an external site to the network.
D. Policy
The Chief Information Security Officer and/or the Vice President of IT and Chief Information Officer shall inform the HOP Coordinator of any changes or additions to the definitions used in Series 7: Information Resources.
E. Reference Sources and Authority
F. Review Responsibilities and Dates
The Division Head for this Policy is the Chief Compliance Officer, and this Policy shall be reviewed every two (3) years or sooner, if necessary, by the Division Head or their designee.
APPROVED: 02/08/2024