ITS Security Policy 000 - Security Policy Definitions

  • Acceptable Use Policy (AUP)
    A collection of user-facing policies for using Technological Resources in a manner compliant with law, regulation, and CCC governance.
  • Access Control
    The selective restriction of access to a place or computing resource for security purposes.
    • The act of accessing may mean consuming, entering, or using. For example, the lock on your front door is an access control mechanism to limit who can enter your house. Similarly, entering a user ID and password restricts access to your computer account.
  • Access Control List (ACL)
    A technical form of access control.
    • An ACL is an ordered set of rules, held in a network device such as a router or in a file system, that specifies which traffic or which users may reach which resources. A router with ACLs can filter inbound and/or outbound network traffic similar to a firewall, but with less functionality (typically matching only on addresses, protocol, and ports, with no tracking of connection state). Rules are evaluated in order and the first match wins, so a misplaced rule can silently permit or block traffic.
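    An added example, not part of this policy or any CCC device configuration: a small first-match ACL evaluator in Python that shows how rule order and the implicit deny at the end of an ACL decide what passes. The subnets, ports, and rules are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    action: str           # "permit" or "deny"
    proto: str            # "tcp", "udp", or "any"
    src: str              # CIDR block, or "any"
    dst: str              # CIDR block, or "any"
    dport: Optional[int]  # destination port; None matches any port


def _match_net(cidr: str, addr: str) -> bool:
    """True if addr falls inside cidr (or the rule says 'any')."""
    return cidr == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


def rule_matches(rule: Rule, proto: str, src: str, dst: str, dport: int) -> bool:
    return (rule.proto in ("any", proto)
            and _match_net(rule.src, src)
            and _match_net(rule.dst, dst)
            and (rule.dport is None or rule.dport == dport))


def evaluate(acl: List[Rule], proto: str, src: str, dst: str, dport: int) -> str:
    """First matching rule wins. If nothing matches, the implicit deny applies."""
    for rule in acl:
        if rule_matches(rule, proto, src, dst, dport):
            return rule.action
    return "deny"


# Constructed ACL protecting a hypothetical database subnet 10.20.0.0/24.
DB_ACL = [
    Rule("permit", "tcp", "10.10.5.0/24", "10.20.0.0/24", 5432),  # app servers to the DB port
    Rule("permit", "udp", "any", "10.20.0.0/24", 123),            # time sync
    Rule("deny", "any", "any", "10.20.0.0/24", None),             # explicit deny (usually logged)
]

# The same three rules with the deny moved to the top: the permits can never match.
MISORDERED_ACL = [DB_ACL[2], DB_ACL[0], DB_ACL[1]]
```

    Real devices add a logging option to the final deny; an ACL with no final explicit deny still denies, but you lose the log of what was dropped.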
  • Affiliate
    Any person or entity that has been sponsored by a CCC manager to receive controlled temporary access to CCC services.
    • This is generally a result of a contractual relationship with CCC. For example, an air conditioning vendor may require affiliate access to test the HVAC system. A consultant project manager may require affiliate access to access project plans on a CCC system.
  • Anti-Malware Software
    In this use, applies to all software designed to detect and destroy computer viruses, malware, adware, or other malicious software.
  • Application
    (aka Application Software) A computer program that is designed to perform a specific set of functions.
    • D2L is an application designed to support online learning. Microsoft Word is an application designed for word processing.
  • ARP Cache Flood
    A network attack in which an attacker floods a local network segment with forged Address Resolution Protocol (ARP) messages. The flood can overflow the address tables of switches and hosts or poison their ARP caches, so that traffic is dropped or delivered to the wrong machine and the network “gridlocks”.
  • Asset Form
    A document containing the description of a physical asset and a unique asset identification number that assigns responsibility for the physical possession and care of that asset to an individual. Asset Forms are generally maintained by CCC’s Business Office.
  • Authentication
    Any process by which a system verifies the identity of a user who wishes to access it.
    • Since access control is normally based on the identity of the user who requests access to a resource, authentication is essential to effective security. For example, when someone logs into MyClackamas Portal, the user ID and password entered authenticates that the person logging in is the owner of the account.
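    An added example, not code from any CCC system: how a system should store and check the password half of that login in Python. Only a salted, slow hash of the password is kept, and the comparison runs in constant time. The account store and the iteration count are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

ITERATIONS = 100_000  # assumption: raise as hardware allows; slower for attackers too


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256. A fresh random salt per account means two
    users with the same password still get different stored values."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, key


# Constructed account store: username -> (salt, derived key). No plaintext is kept.
ACCOUNTS: Dict[str, Tuple[bytes, bytes]] = {}


def register(username: str, password: str) -> None:
    ACCOUNTS[username] = hash_password(password)


def authenticate(username: str, password: str) -> bool:
    """True only if the account exists and the password reproduces the stored key."""
    record = ACCOUNTS.get(username)
    if record is None:
        # Do the same amount of work for unknown users so that response time
        # does not reveal which usernames exist.
        hash_password(password, b"\x00" * 16)
        return False
    salt, expected = record
    _, actual = hash_password(password, salt)
    # compare_digest runs in constant time; a plain == stops at the first
    # differing byte and leaks how much of the value matched.
    return hmac.compare_digest(actual, expected)
```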
  • Authenticators
    An attribute used singly or in combination with other attributes to prove a claimed identity. Attributes may be something you know (a password or PIN), something you are (a fingerprint or other biometric), or something you have (an ID card or hardware token).
    • Examples of authenticators include passwords, PINs, fingerprints, digital certificates, and identification cards/badges. A username on its own is an identifier (it states who is claiming access), not an authenticator (it does not prove the claim).
  • Authorization
    Permission to access a specific piece of data or system function is called authorization.
    • A common form of authorization is “role-based” – a system may look up the role assigned to a particular user and only grant that user access to the functions of a computer program that are authorized for that role. For example, users associated with the “Payroll Administrator” role in Banner can access the payroll functions that they need to perform their job, but other Banner users cannot.
  • Automated Clearing House (ACH)
    An electronic network for financial transactions in the United States.
    • ACH allows CCC to execute electronic financial transactions with other financial institutions. ACH credit transfers include direct deposit, payroll, and vendor payments.
  • Availability
    Being accessible and usable upon demand by an authorized entity.
  • Back-out
    (aka “roll back”) The procedure for undoing a production change in the event of failure or unanticipated issues. The back-out will restore the system to its original state.
  • Backup
    The copying and archiving of computer data so it may be used to restore the original after a data loss event.
    • Backups are copies of data taken periodically (usually nightly) and stored offsite for archiving, regulatory compliance, and data-loss recovery. A backup that has never been test-restored should not be assumed to be recoverable.
  • Bandwidth
    The amount of traffic that a computer network can support.
    • Technically, the bit rate of available or consumed information capacity expressed typically in metric multiples of bits per second.
    • Variously, bandwidth may be characterized as network bandwidth, data bandwidth, or digital bandwidth. Bandwidth determines the performance of the network. Just as a highway can become gridlocked with too many cars, insufficient bandwidth to support data (especially during peak times like Fall Enrollment) can gridlock the network.
  • Biometric
    In the context of information technology, biometric refers to an attribute of an individual that is intrinsic to the individual themselves (i.e. something they are). Biometrics that are unique to an individual, such as fingerprints or facial recognition, are sometimes used for authentication purposes.
  • Binary Wipe
    A process that permanently deletes all data from an electronic storage medium, such that it cannot be recovered.
  • Blogging
    A means of expressing personal opinions on the Internet.
    • Blogging is performed by Bloggers, who use a discussion or informational website published on the World Wide Web to publish informal, diary-style text entries (“posts”).
  • Buffer
    A region of memory set aside to hold data temporarily so that it can be processed more efficiently.
    • A data buffer (or just buffer) is a region of a physical memory storage used to temporarily store data while it is being moved from one place to another. Typically, the data is stored in a buffer as it is retrieved from an input device (such as a microphone) or just before it is sent to an output device (such as speakers).
    • Buffers are typically used when there is a difference between the rate at which data is received and the rate at which it can be processed, or in the case that these rates are variable. For example, in a printer spooler or in online video streaming.
  • Bring Your Own Device (BYOD)
    An information technology strategy that permits users to use personally owned (private) devices for work related purposes. BYOD generally trades security for cost savings, convenience, and user acceptance.
  • Business Email Compromise
    A situation in which a trusted email account (typically that of an employee) is accessed by a malicious actor allowing the malicious actor to circumvent security controls and increasing the likelihood of successful phishing attempts and breach of Controlled Sensitive Data.
  • CCC Executive Team
    The Executive Team consists of College President, Vice President of College Services, Provost/Vice President, Instruction & Student Services  and …
  • Central Processing Unit (CPU)
    The “brains” of a computer.
    • CPU is the electronic circuitry within a computer that carries out the instructions of a computer program by performing the basic arithmetic, logical, control, and input/output (I/O) operations specified by the instructions.
  • Certificate
    see Digital Certificate
  • Change Control Board (CCB)
    A committee within the Information Technology Services (ITS) Department designed to minimize risk to the normal operations of the college’s technology.
    • The CCB makes decisions regarding whether proposed changes to the production operating environment should be implemented. This could include new program code, network or firewall configurations, new project “go live”, etc.
  • Chief Information Officer (CIO)
    Senior manager of the Information Technology Services (ITS) Department.
    • At CCC, the CIO is responsible for all technology, with the exception of:
      • Online Learning (Academic Affairs)
      • Some specialized technology that supports CTE or other engineering programs (e.g. software that supports machine labs, specialized dental technology, etc.)
      • Some technology that supports auxiliary services (e.g. Point of Sale systems in the cafeterias and bookstores)
  • Chief Information Security Officer (CISO)
    Senior manager responsible for overseeing information technology and data security within the organization. A CISO may have responsibilities that extend beyond the scope of the IT department.
  • Client
    In a network – A desktop computer or workstation that is capable of obtaining information and applications from a server. For example, all classroom computers are clients of the servers that apply security patches to them.
  • Cloud Computing
    A general term for the delivery of hosted computing services over the internet.
    • Cloud computing enables companies to consume a compute resource, such as a virtual machine (VM), storage, or an application, as a utility service.
    • CCC’s Google “G-Suite” environment (that supports Gmail, Google Drive, etc.) is a Cloud service.
    • IaaS – Infrastructure as a Service.
    • iPaaS – Integration platform as a Service.
    • PaaS – Platform as a Service.
    • SaaS – Software as a Service.
  • Code
    Source Code (aka program code) is the set of instructions forming a computer program, so that the functions described can be executed by a computer. Source Code is written in a specific computer language – for example, C++, Java, Python, etc.
    • Machine Code is the actual code that is executed by the computer.
    • Source Code is translated into Machine Code by a compiler before it runs, or is executed step by step at run time by an interpreter, so that the computer can perform the tasks it describes.
  • Common Gateway Interface (CGI)
    A standard protocol for web servers to interface with executable programs running on a server that generate web pages dynamically.
  • Compact Disk (CD)
    A small plastic disc on which music or other digital information is stored, and from which the information can be read using reflected laser light. Because of the use of light, CDs are a type of data storage media referred to as Optical Storage.
  • Confidentiality
    Information is not made available or disclosed to unauthorized individuals, entities or processes.
  • Controlled Sensitive Data (CSD)
    A general categorization that is used in CCC’s Information Technology (IT) policies (primarily the Information Security Policy and the Acceptable Use Policy) to represent all confidential and private information governed by those policies.
    • CSD includes PII, PHI, data regulated under HIPAA or FERPA, and any other regulated, private, personal, or sensitive information for which CCC is liable if it is publicly disclosed.
  • Copyright
    A legal right created by the law of a country that grants the creator of an original work exclusive rights for its use and distribution.
  • Credentials
    In the context of authentication, the term “credential” refers to a key that uniquely identifies a user to a system. A credential is most commonly in the form of a “user name and password” authentication token that is bound to a particular user. Other examples of credentials are biometric identifiers (e.g. a thumbprint scan) and digital mechanisms such as smartcards, digital certificates, and the hardware or software tokens used for multi-factor authentication.
  • Cross-site Scripting (XSS)
    A vulnerability in dynamically generated Web pages in which input supplied by an attacker is written into a page without proper escaping, so that the attacker’s script runs in other users’ browsers with their session (for example stealing cookies or performing actions as that user).
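    An added example, not code from any CCC application: the vulnerable pattern beside the fixed one, in Python. Text placed inside HTML must be escaped, and a value placed in a link needs a scheme check as well, because escaping alone does not stop a “javascript:” URL. The page fragments and the inputs are constructed for illustration.

```python
import html
from urllib.parse import urlsplit

SAFE_SCHEMES = {"http", "https", "mailto"}


def render_vulnerable(display_name: str) -> str:
    # Raw concatenation: any markup in the name becomes markup in the page.
    return "<p>Welcome, " + display_name + "!</p>"


def render_safe(display_name: str) -> str:
    # Text context: turn < > & " ' into entities before the value enters HTML.
    return "<p>Welcome, " + html.escape(display_name, quote=True) + "!</p>"


def safe_href(url: str) -> str:
    """URL/attribute context: reject script-bearing schemes, then escape."""
    url = url.strip()
    scheme = urlsplit(url).scheme.lower()
    if scheme and scheme not in SAFE_SCHEMES:
        return "#"  # neutralise javascript:, data:, vbscript:, ...
    return html.escape(url, quote=True)


def render_profile_link(url: str, label: str) -> str:
    return '<a href="' + safe_href(url) + '">' + html.escape(label, quote=True) + "</a>"
```

    Web frameworks and template engines do this escaping automatically in most contexts; the bug usually appears where a developer turned that off, or built HTML by string concatenation as above.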
  • Cryptographic Key
    A secret piece of data that a cryptographic algorithm combines with its input; the correct key is required to decrypt what was encrypted, or to create or verify a digital signature.
    • A cryptographic key determines the output of a cryptographic algorithm. Symmetric systems (e.g. AES) use one shared secret key for both encryption and decryption. Public-key (asymmetric) systems use a pair of keys:
      • Public key, which may be disseminated widely. Anyone can use it to encrypt a message to the owner, or to verify a signature the owner made with the paired private key (authentication).
      • Private key, which is known only to the owner. Only its holder can decrypt messages encrypted with the paired public key, or produce signatures that verify under it.
  • Cybercrime
    Criminal activity or a crime that involves the Internet, a computer system, or computer technology.
  • Data Breach
    Generally, an incident in which sensitive, protected, or confidential data has potentially been viewed, stolen, or used by an individual unauthorized to do so.
    • Note: Although “breach” is a commonly used term in the information security community, legally, the term “breach” tends to only be used when a security event reaches the threshold of regulatory reporting. Legal counsel recommends using the terms “incident” or “compromise” until it can be determined whether an event satisfies the legal definition of a breach.
  • Data Custodian
    The individual or group responsible for the implementation of the controls used to share, store, and protect data. The Data Custodian’s role is frequently allocated to an IT department, as data storage solutions, access controls, backups, access logging, etc., require specialized training and expertise.
  • Data Owner
    The individual or group responsible for making decisions about the data, such as who can access the data, who can share the data, who can change the data, and how the data should be classified. The Data Owner is not necessarily the data creator.
  • Data Reconstruction
    Forensic methods that allow data to be recovered after being deleted or corrupted.
  • Decryption
    The process of converting data back to readable form (“plaintext”) from encrypted form, so it is usable.
  • Degauss
    A way of wiping electronic data storage media so that it is no longer usable and data cannot be accessed.
    • Degaussing works by eliminating the remanent magnetic field on magnetic media (hard disks, tape). It has no effect on flash-based media such as SSDs and USB drives, which require overwriting, the device’s built-in secure-erase function, or physical destruction.
  • Demilitarized Zone (DMZ)
    A way of configuring a network that separates Internet-facing systems from internal systems for security purposes.
    • Sometimes referred to as a perimeter network, the DMZ is a physical or logical sub-network that contains and exposes an organization’s external-facing services to a usually larger and untrusted network, usually the Internet. The purpose of a DMZ is to add an additional layer of security to an organization’s local area network (LAN).
  • Denial of Service
    A method of computer hacking that floods the Internet entry point(s) to an organization with fake messages, preventing valid messages from getting through.
    • An attempt to make a machine or network resource unavailable to its intended users, such as to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet. A Distributed Denial of Service (DDoS) attack is a type of DoS attack where multiple compromised systems, which are often infected with a Trojan horse, are used to target a single system.
  • Digital Certificate
    see Security Certificate
  • Domain Name System (DNS)
    The Internet’s equivalent of a phone book.
    • DNS is a distributed directory that translates domain names to Internet Protocol (IP) addresses so that specific computers can be identified and have messages delivered to them (think of a postman knowing how to deliver a letter to the correct house). A DNS server is a computer that answers these lookups.
  • DVD
    A type of optical disc, with larger capacity than a CD, able to store large amounts of data, especially high-resolution audiovisual material.
  • Electronic Communication Services (ECS)
    Technology that allows one person to communicate directly with another (or a group) using computers.
    • Most commonly refers to email, but also includes instant messaging, texting, collaboration platforms (Google Groups, Spaces, etc.), video streaming, video and web conferencing, etc.
  • Electronic Discovery (eDiscovery or e-Discovery)
    The discovery of records, documents, or other content (such as email) that are kept in an electronic form
  • Electronic Media
    Technology that stores and accesses data in electronic form.
    • In contrast to static media (e.g. print media). Digital Content is stored on Electronic Media.
  • Encryption
    The process of converting data to an unrecognizable or “encrypted” form.
    • Encryption is commonly used to protect sensitive information so that only authorized parties can view it.
  • Enterprise Computing
    The sum of computer systems, applications, and infrastructure designed to support large, complex organizations or business functions.
    • Usually seen as a collection of big business software solutions to common problems, such as resource management and streamlining processes, running on an enterprise network, and using specialized technologies like high-performance servers.
    • Today, enterprise computing can be supported using Cloud services such as Software as a Service (SaaS), Infrastructure as a Service (IaaS), etc.
  • Email Header
    In an email, the body (content text) is always preceded by a header section (not normally visible to the user) that identifies particular routing information of the message (including the sender, recipient, date, and subject).
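    An added example, not code from any CCC system: reading those headers with Python’s standard email parser, as one would when investigating a suspected business email compromise. The message, addresses, and IP addresses are constructed (documentation domains and address ranges), not a real capture; the “red flags” are leads for an investigator, not proof of fraud, since legitimate mailing services also set Return-Path and Reply-To to other domains.

```python
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from typing import List

# Constructed message: the President's name on a mail that was actually
# injected at a foreign server, with replies steered to another domain.
RAW_MESSAGE = (
    b"Return-Path: <billing@example.net>\r\n"
    b"Received: from mail.example.net (mail.example.net [192.0.2.10])\r\n"
    b"\tby mx.example.edu with ESMTPS; Mon, 4 Mar 2024 09:12:31 -0800\r\n"
    b"Received: from [198.51.100.7] (unknown [198.51.100.7])\r\n"
    b"\tby mail.example.net with ESMTPA; Mon, 4 Mar 2024 09:12:29 -0800\r\n"
    b"From: \"College President\" <president@example.edu>\r\n"
    b"Reply-To: president.office@example.net\r\n"
    b"To: payroll@example.edu\r\n"
    b"Subject: Urgent: update my direct deposit\r\n"
    b"Date: Mon, 4 Mar 2024 09:12:28 -0800\r\n"
    b"Message-ID: <20240304171228.1@mail.example.net>\r\n"
    b"\r\n"
    b"Please change my direct deposit to the new account today.\r\n"
)


def parse_message(raw: bytes):
    return BytesParser(policy=policy.default).parsebytes(raw)


def received_chain(msg) -> List[str]:
    """Received headers in the order the mail travelled (oldest hop first).
    Each server prepends its own line, so the file order is newest first."""
    return [str(h) for h in reversed(msg.get_all("Received", []))]


def domain_of(header_value: str) -> str:
    addr = parseaddr(header_value)[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def header_red_flags(msg) -> List[str]:
    """Domains that disagree with the visible From address."""
    flags = []
    from_dom = domain_of(str(msg.get("From", "")))
    for name in ("Return-Path", "Reply-To"):
        other = domain_of(str(msg.get(name, "")))
        if other and other != from_dom:
            flags.append(f"{name} domain {other} differs from From domain {from_dom}")
    return flags
```

    The first hop in the chain is where the message entered the mail system; everything the sender wrote above it (From, Date, Subject) is under the sender’s control and proves nothing by itself.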
  • Family Educational Rights and Privacy Act (FERPA)
    A Federal law that protects the privacy of student education records.
    • FERPA applies to all schools that receive funds under an applicable program of the U.S. Department of Education.
  • Federal Information Processing Standard (FIPS)
    U.S. government standard for information technology and computer security.
    • The FIPS program is run by the National Institute of Standards and Technology (NIST). FIPS 140 is the standard for cryptographic modules that the U.S. federal government requires for the protection of sensitive data.
  • File Integrity Monitoring (FIM)
    A way of checking that a file has not been interfered with or corrupted.
    • An internal control or process that validates the integrity of operating system and application software files by comparing the current state of each file with a known good baseline. The comparison usually works by computing a cryptographic hash (checksum) of each file when the baseline is taken and comparing it with the hash of the file’s current state. The baseline itself must be protected (stored read-only or off the monitored host), or an attacker who changes a file can simply update the baseline to match.
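    An added example, not code from any CCC tool: a minimal file integrity monitor in Python. It hashes every file under a directory, stores the result as a baseline, reports files that were added, removed, or modified, and seals the baseline with an HMAC so that a baseline edited by an attacker is detected. The files, the directory, and the HMAC key are constructed for the demonstration.

```python
import hashlib
import hmac
import json
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path, chunk: int = 65536) -> str:
    """Hash in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: Path) -> Dict[str, str]:
    """Relative path -> SHA-256 for every regular file under root."""
    return {str(p.relative_to(root)).replace("\\", "/"): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def seal_baseline(baseline: Dict[str, str], key: bytes) -> str:
    """HMAC over the canonical JSON of the baseline. Without the key an
    attacker cannot produce a valid seal for an edited baseline."""
    canonical = json.dumps(baseline, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def baseline_is_authentic(baseline: Dict[str, str], key: bytes, seal: str) -> bool:
    return hmac.compare_digest(seal_baseline(baseline, key), seal)


def compare_to_baseline(root: Path, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(current) & set(baseline) if current[p] != baseline[p]),
    }


def demo() -> dict:
    """Whole cycle on a throwaway directory with constructed files."""
    root = Path(tempfile.mkdtemp())
    key = b"demo-key"  # assumption: a real key lives off the monitored host
    try:
        (root / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "app.py").write_text("print('hello')\n")
        baseline = build_baseline(root)
        seal = seal_baseline(baseline, key)
        clean = compare_to_baseline(root, baseline)
        (root / "sshd_config").write_text("PermitRootLogin yes\n")  # tampered
        (root / "backdoor.sh").write_text("#!/bin/sh\n")           # dropped in
        (root / "app.py").unlink()                                 # removed
        changed = compare_to_baseline(root, baseline)
        # An attacker who can write the baseline adds the new file to it...
        tampered_baseline = dict(baseline, **{"backdoor.sh": sha256_file(root / "backdoor.sh")})
        return {
            "clean": clean,
            "changed": changed,
            "baseline_authentic": baseline_is_authentic(baseline, key, seal),
            # ...but cannot reproduce the seal without the key.
            "tampered_baseline_authentic": baseline_is_authentic(tampered_baseline, key, seal),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)
```

    Production FIM tools add scheduling, exclusions for files that legitimately change (logs, caches), and alerting; the comparison at the core is the one shown here.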
  • Firewall
    Technology that acts as a gatekeeper to prevent malicious traffic from entering a network. The moat around a castle that only allowed entry via a drawbridge acted as an early physical version of a firewall.
    • A network security system that monitors and controls the incoming and outgoing network traffic, usually based on predetermined security rules.
  • Floppy Disk
    (aka floppy, diskette, or just disk). An older type of disk storage (not used today).
    • Composed of a disk of thin and flexible magnetic storage medium, sealed in a rectangular plastic enclosure lined with fabric that removes dust particles.
  • Gramm Leach Bliley Act (GLBA)
    A federal government regulation to which CCC is required to adhere and that imposes strict requirements regarding information security.
    • Also known as the Financial Services Modernization Act of 1999 (Pub.L. 106–102, 113 Stat. 1338, enacted November 12, 1999), it is an act of the 106th United States Congress (1999–2001). It repealed part of the Glass–Steagall Act of 1933, removing barriers in the market among banking companies, securities companies, and insurance companies that prohibited any one institution from acting as any combination of an investment bank, a commercial bank, and an insurance company. Its Safeguards Rule, enforced by the Federal Trade Commission, applies to CCC because institutions that participate in federal student financial aid programs are treated as financial institutions.
  • Hard Disk (HDD)
    A data storage device that uses magnetic storage to store and retrieve digital information using one or more rigid, rapidly rotating disks (platters) coated with magnetic material.
  • Hardcopy
    A printed version on paper of data held in a computer.
  • Hardware
    The collection of physical components that constitute a computer system (a desktop computer, a server in a data center, a network switch, a printer, etc.)
  • Health Insurance Portability and Accountability Act (HIPAA)
    A federal government regulation to which CCC is required to adhere and that imposes strict information security requirements regarding the protection of medical records.
    • Enacted by the United States Congress and signed by President Bill Clinton in 1996. Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs. Title II of HIPAA, known as the Administrative Simplification (AS) provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers.
  • Hot Fix
    A hotfix or quick-fix engineering update (QFE update) is a targeted emergency software deployment.
    • Hot Fixes are applied to quickly solve a problem (e.g. a software bug) that is seriously impacting normal operations. Typically, they are replaced by better-engineered and fully tested patches or new version releases.
  • IaaS (See Cloud Computing)
  • Information Asset
    Any form of electronic technology that can be used to view, access, store, transport, or process data. Examples include personal computers, mobile devices, servers, USB drives, IoT devices, printers, physical and wireless network devices (routers, switches, access points, etc.), cloud services, 3rd party software and applications, code libraries, and internally developed programs and scripts. Paper documents are not an information asset as defined by this policy as paper is not electronic in nature.
  • Injection Flaw
    A software vulnerability that can be exploited by hackers.
    • A class of security vulnerability that allows a user to “break out” of the web application context. If your web application takes user input and inserts that user input into a back-end database, shell command, or operating system call, your application may be susceptible to an injection flaw.
  • Integrity
    Safeguarding the accuracy and completeness of information assets.
  • Internet
    A global network that facilitates electronic communication of data between any participating parties.
    • A network of networks that consists of private, public, academic, business, and government networks of local to global scope linked by a broad array of electronic, wireless, and optical networking technologies.
  • Internet Protocol Address (IP Address)
    Uniquely identifies a computing device within a network so that it can send and receive messages with other devices on that network.
    • A numerical label assigned to each device (e.g., computer, printer) participating in a computer network that uses the Internet Protocol for communication.
  • iPaaS (See Cloud Computing)
  • IT Resource
    (At CCC) All Information Technology (IT) resources that are the property of CCC and include, but are not limited to, all network-related systems; business applications; network and application accounts; administrative, academic, and library computing facilities; college-wide data, video, and voice networks; electronic mail; video and web conferencing systems; access to the Internet; voicemail, fax machines, and photocopiers; classroom audio/video; computer equipment; software and operating systems; storage media; Intranet, VPN, and FTP.
    • IT Resources include resources administered by IT, as well as those administered by individual departments, college laboratories, and other college-based entities.
  • Information Security Manager (ISM)
    Manager of the CCC Information Security team, reporting to the CIO.
  • Jailbreak
    In the context of information technology this refers to an Apple iOS device that has been modified to remove the operating system’s restrictions, allowing the user to install applications outside of the Apple App Store. Jailbroken devices are less secure than their non-jailbroken counterparts, both because the protections that were removed no longer apply and because applications obtained outside of the Apple App Store are more frequently bundled with malware.
  • Lightweight Directory Access Protocol (LDAP)
    A standard protocol for querying and updating a directory of users, groups, computers, and other resources; directory services such as Microsoft Active Directory implement it.
    • Applications commonly use LDAP to look up accounts and group memberships for authentication and authorization. Because plain LDAP sends credentials unencrypted, connections should use LDAPS or StartTLS.
  • Malware
    Short for “malicious software,” malware refers to software programs designed to damage or do other unwanted actions on a computer system. Common examples of malware include viruses, worms, Trojan horses, and spyware.
  • Mass Mailing
    A form of communication in which the same message is broadcast to multiple recipients. Can be achieved by physical or digital methods.
  • Memory
    The computer hardware component used to store data for immediate use by the CPU (as opposed to data that is persistently stored on the computer’s hard disk).
  • Multi-Factor Authentication (MFA)
    A method of authentication that requires authenticators from two or more different categories to establish a user’s identity. This is a commonly used approach to prevent an attacker from gaining access to an account despite having obtained the user’s password. MFA requires an authenticator from at least 2 of the following categories (two authenticators from the same category, such as a password and a PIN, are not MFA):
    • Something you know, such as a password or a PIN
    • Something you have, such as a cell phone running an authenticator app, a hardware token, a badge, or an ID card
    • Something you are, such as a fingerprint or facial recognition
  • National Institute of Standards and Technology (NIST)
    A measurement standards laboratory and a non-regulatory agency of the United States Department of Commerce. Its mission is to promote innovation and industrial competitiveness.
  • Network
    (In IT) The technology that carries messages between one computer and another.
    • A network is a primary component of technology infrastructure and consists of hardware (e.g. routers, switches) that control and direct traffic; transport technologies (e.g. cables, fiber, wireless radio waves) that transport messages from Point A to Point B; and standards (e.g. Internet Protocol, Ethernet) that facilitate a common understanding of the messages being sent and how they are to be processed.
    • End points (or nodes) on a network are the senders and receivers of the messages and are usually computers (e.g. servers, desktops, laptops) – but can also be technology such as machine controllers, audio/visual devices, etc.
    • The Internet of Things (IoT) largely replaces people interacting across a network with machines and other technology devices (sensors, building controls, cameras) interacting across a network with little or no human involvement, sometimes driven by artificial intelligence (AI). Such devices often have limited security features and should be inventoried and kept on their own network segment.
  • Network Address Translation (NAT)
    A technique that lets many devices on a private network share one or a few public IP addresses.
    • A method of remapping one IP address space into another by modifying network address information in Internet Protocol (IP) datagram packet headers while they are in transit across a traffic routing device.
  • Network Layer
    A technical definition for the part of a network that is involved in data transmission.
    • The third level of the Open Systems Interconnection Model (OSI Model) and the layer that provides data routing paths for network communication. Data is transferred in the form of packets via logical network paths in an ordered format controlled by the network layer.
  • Network Time Protocol (NTP)
    Maintains consistent timekeeping in a network to synchronize all the network components
    • A networking protocol for clock synchronization between computer systems over packet-switched, variable-latency data networks. In operation since before 1985, NTP is one of the oldest Internet protocols in current use.
  • Network Topology
    The arrangement of the various elements (links, nodes, etc.) of a communication network.
    • Essentially, it is the structure of a network and may be depicted logically or physically – much like a house can be described in architectural blueprints or by physically inspecting the building.
  • Open Network
    A Wi-Fi network that is accessible to any device within range and does not require user authentication to join the network. Traffic traversing open networks is not encrypted by the Wi-Fi network, so anyone within radio range can capture it; privacy and security of data rely on user-side encryption such as a VPN or HTTPS.
  • Open Web Application Security Project (OWASP)
    A nonprofit foundation that publishes free, vendor-neutral guidance on application security, best known for the OWASP Top 10 list of the most common web application risks.
  • Operating System
    A software component that provides the means for a user to interact with hardware and launch applications. Examples include Microsoft Windows, macOS, iOS, Android, and Linux.
  • Operational Maintenance
    Activities undertaken to update/maintain technological resources that are repetitive/recurring and where the risk(s) of conducting activities are well established. Examples of operational maintenance include:
    • installation of Operating System updates
    • installation of commonly used application (e.g. web browser) updates
  • Optical Disk
    A common form of electronic media technology (e.g. CD, DVD).
    • A flat, usually circular disc that encodes binary data (bits) as pits and lands on a reflective layer (often aluminum) on one of its flat surfaces; the drive reads the change in reflected laser light where a pit begins or ends.
  • PaaS (See Cloud Computing)
  • Packet
    A unit of data sent over a network. Most data networks break messages into packets that are reassembled by the receiving computer.
    • A formatted unit of data carried by a packet-switched network. Computer communications links that do not support packets, such as traditional point-to-point telecommunications links, simply transmit data as a bit stream.
  • Payment Card Industry Data Security Standard (PCI DSS)
    (Commonly just PCI) A data security standard that promotes the safety of credit card holder data across the globe.
  • Penetration (Pen) Test
    Testing a computer system, network, or Web application to find vulnerabilities that an attacker could exploit. A pen test is performed only with written authorization that defines its scope and rules of engagement; the same activity without authorization is an attack.
  • Personally Identifiable Information (PII)
    Any data or combination of data that could potentially identify a specific individual.
    • Any information that can be used to distinguish one person from another and can be used for de-anonymizing anonymous data can be considered PII.
  • Physical Security Steward
    An individual assigned the responsibility of overseeing the physical security of technological resources. Individuals selected for this role are not required to be trained technologists. Physical Security Stewards will routinely interact (directly or indirectly) with technology resource(s), shall be capable of detecting deviations from normal and expected operations, and shall report all security incidents to the ITS Security Team
  • Pirated
    Use or reproduction of another’s work without permission, usually in contravention of copyright or patent. Common forms of pirated digital information are music, movies, and software.
  • Platter
    Also known as hard disk, the circular disk on which magnetic data is stored in a hard disk drive.
  • Platform
    The collection of hardware and software technologies used to host an application or service
  • Privacy
    Generally speaking, privacy applies to individuals and confidentiality applies to their information. For any given data set or system, the specific protections needed will depend on the nature of the data and the risks involved.
  • Proprietary
    Owned and/or produced by a specific entity; relating to, or characteristic of, an owner or title holder (proprietary rights).
  • Port
    (In ITS) The endpoint of a network message. If network addresses are like a street address, port numbers are like suite or room numbers. Access to a network or computing resource can be controlled by identifying what messages are permitted to pass through a specific port.
    • A network port is a process-specific or application-specific software construct serving as a communication endpoint, which is used by the Transport Layer protocols of the Internet Protocol Suite, such as User Datagram Protocol (UDP) and Transmission Control Protocol (TCP).
  • Port Address Translation (PAT)
    A technical mechanism for limiting the number of public IP addresses needed.
    • An extension to network address translation (NAT) that permits multiple devices on a local area network (LAN) to be mapped to a single public IP address.
  • Port Scanner
    An application designed to probe a server or host for open ports.
    • This is often used by administrators to verify the security policies of their networks and by attackers to identify services running on a host and exploit vulnerabilities.
  • Production Environment (PROD)
    The technology environment where software and other products are actually put into operation for their intended uses by end users.
    • This is a highly controlled and monitored environment and separate from the development, test, or other environments where software is not intended for production use.
  • Red Flag Team
    A CCC committee focused on the prevention of Identity Theft in accordance with the GLBA Red Flags Rule.
    • GLBA requires many businesses and organizations to implement a written Identity Theft Prevention Program designed to detect the warning signs – or “red flags” – of identity theft in their day-to-day operations. By identifying red flags in advance, businesses will be better equipped to spot suspicious patterns that may arise – and take steps to prevent a red flag from escalating into a costly episode of identity theft. The Program must be documented and updated periodically. Updates must reflect changes in risks to customers or to the safety and soundness of the financial institution or creditor from identity theft. The Program must also have the approval of the Board of Directors or a designated Senior Management employee. The Board of Directors shall also have supervision of the implementation of the Program as well as training of the staff and oversight of service providers.
  • Risk
    An uncertain event that may or may not occur; risks can have a positive outcome (opportunity) or a negative outcome (threat).
  • Risk Profile
    An evaluation of an individual or organization’s willingness to take risks, as well as the threats to which an organization is exposed.
  • Rooting
    In the context of information technology this refers to an Android device that has been modified to allow the user to have privileged access to the device. Rooted devices are less secure than their non-rooted counterparts, as applications and processes may be able to access data and hardware resources that should be unavailable.
  • Router
    A networking device that forwards data packets between computer networks.
  • SaaS (See Cloud Computing)
  • Sandbox Environment
    Isolation of a computer system or network so that it can access only certain resources, programs, and files within that computer system or network.
  • Security Certificate (Cert)
    An encrypted code, provided by a trusted authority, that validates to another party that you are who you say you are.
    • Used to confirm identity, secure communications between parties and ensure the integrity of transmissions. For example, if a website has a valid certificate it means that a certificate authority has taken steps to verify that the web address actually belongs to that organization and that communication with that website is encrypted.
  • Security Patch
    A fix for a known security threat.
    • The application of software or operating-system code that is intended to correct a vulnerability to hacking or viral infection.
  • Secure Wipe
    Processes used for the removal of all data on storage media that renders previously stored data irretrievable.
  • Server
    Hardware: a powerful computer designed for running enterprise applications, usually located in a datacenter.
    • Software: a computer program that accepts and responds to requests made by another program (known as a Client).
  • Service Pack
    A software update from a manufacturer, consisting of requested enhancements and fixes for known bugs.
  • Service Provider
    (In ITS) A company that provides its subscribers access to the Internet.
  • Shoulder Surfing
    A technique used to observe keystrokes or data entry into a computer system. Shoulder surfing may or may not be done covertly and can be accomplished with or without the aid of technology.
  • Signature
    (In ITS) Digital signatures are proxies for human signatures on electronic documents; malware/virus signatures are unique values that indicate the presence of malicious code used by antivirus software to detect infections.
  • Social Media
    A form of digital communication that forms social networks between users, facilitated by centralized software platforms (Facebook, Instagram, etc.)
    • Computer-mediated technologies that allow the creation and sharing of information, ideas, career profiles, and other forms of expression via virtual communities and networks.
  • Solid State Drive (SSD)
  • Software
    A set of instructions that tells a computer what to do.
    • Computer software is generally constructed as programs (applications) written in a specific language designed to run on computer hardware. The most common software consists of applications for business and personal use. More specialized computer software runs the operating systems of computers, operates machinery, creates artificial intelligence in robots, controls scientific instruments, etc.
  • Software Development Lifecycle (SDLC)
    A process used by the software industry to design, develop, test, and deploy high-quality software.
  • Spoofing
    A form of computer hacking in which one person or program successfully masquerades as another.
  • SQL Injection
  • Stateful
    (In IT) A form of communication between computers in which information is commonly maintained for the duration of the transaction or session.
    • A stateful protocol requires keeping the internal state of the session on the server. A TCP connection-oriented session is a ‘stateful’ connection because both systems maintain information about the session itself during its life.
  • Steward
    See Physical Security Steward
  • Switch
    (In IT) A computer networking device.
    • A network switch (also called switching hub, bridging hub, officially MAC bridge) connects devices together on a computer network, by using packet switching to receive, process, and forward data to the destination device. Unlike less advanced network hubs, a network switch forwards data only to one or multiple devices that need to receive it, rather than broadcasting the same data out of each of its ports.
  • System
    (In Information Technology [IT]) A computer system consists of hardware components that work with software components to achieve a defined outcome.
    • The main software component that runs on a system is an operating system that manages and provides services to other programs that can be run in the computer. Computer systems may also include peripheral devices such as printers, A/V equipment, operating machinery, etc.
  • System Binary
    A package of program code that can be understood and executed by a computer’s operating system.
  • TCP
    A transport protocol that is connection-oriented and enables two-way communication between two endpoints after the three-way handshake. TCP is reliable because the protocol ensures that all data is fully transmitted and can be assembled by the receiver in the correct order.
  • Technological Resources
    Any form of electronic technology that can be used to view, access, store, transport, share, or process data. Examples include personal computers, mobile devices, servers, USB drives, IoT devices, printers, wired and wireless networks, network devices (routers, switches, access points, etc.), cloud services, software (operating systems, applications, programs, scripts, virtual devices), teleconference systems, telephones, and email.
  • Third Party (3rd Party)
    (In Information Technology [IT]) A vendor. Can be applied to any vendor (“third party provider”), but mostly used regarding “vendor software” to distinguish it from software developed “in house.”
  • TPM
  • USB “Thumb” Drive
    A portable data storage device that includes flash memory. It has a USB connector that plugs into the USB socket on a computer.
  • User
    Any person who makes any use of any CCC IT resources from any location (whether authorized or not).
  • Virtual Local Area Network (VLAN)
    A technical method of separating different areas of a network, usually for security reasons.
    • Any broadcast domain that is partitioned and isolated in a computer network at the data link layer (OSI layer 2). LAN is an abbreviation for local area network. To subdivide a network into virtual LANs, one configures network equipment.
  • Virtual Private Network (VPN)
    A dedicated, secure connection between a client computer and a computer network. Usually used to support secure “remote access” to a network (e.g. working from home).
    • A VPN provides a secure communication channel over the Internet between a remote device (e.g. home computer) and CCC’s internal network. The VPN requires authentication to set up the channel and encrypts all traffic flowing through the channel.
  • Virus
    (In ITS) A type of malicious software program (“malware”).
    • When executed, a virus replicates itself by modifying other computer programs and inserting its own code. Infected computer programs can include data files, memory resident code, or the “boot” sector of the hard drive.
  • WEP
  • WPA
  • WPA2
  • WPA3
  • XPath
    Part of the XML coding language.
    • A syntax for defining parts of an XML document. XPath uses path expressions to navigate in XML documents. XPath contains a library of standard functions.

Responsible executive

Chief Information Officer

Last revision date

07-26-2023 srw