SAM 5300 Definitions

0-9 | A | B | C | D | E | F | G | H | I | J | K | L | M | N | O | P | Q | R | S | T | U | V | W | X | Y | Z

A

Agency: When used lower case (agency), refers to any office, department, board, bureau, commission or other organizational entity within state government. When capitalized (Agency), the term refers to one of the state’s super agencies such as the State and Consumer Services Agency or the Health and Human Services Agency. Also see State Entity.
Accreditation: The approval by management or an independent accrediting organization of the security component or system.
Alert: Notification that a potential disaster situation is imminent, exists, or has occurred; usually includes a directive for personnel to stand by for possible activation.
Application Recovery: The component of Disaster Recovery that deals specifically with the restoration of business system software and data after the processing platform has been restored or replaced.
Application Systems: The applications that an agency purchases and/or develops to achieve personal productivity and program support benefits.
Architecture: The guidelines or blueprints that an agency follows in designing, acquiring, and implementing information technology solutions. Organizationally approved definitions, specifications, and standards are the primary components in an agency’s information technology architecture.
Audit Trail: A chronological set of logs and records used to provide evidence of a system’s performance or personnel activity that took place on the system, and used to detect and identify intruders.
Authentication: Verifying the identity of a user, process, or device, as a prerequisite to allowing access to resources in an information system.
Authorization: The act of granting a user, program, process or device access to information assets after proper identification and authentication are obtained.
Availability: The reliability and accessibility of information assets to authorized personnel in a timely manner.

B

Backup (Data): A process by which data is copied in some form so as to be available and used if the original data from which it originated is lost, destroyed or corrupted.
Baseline (Project): An approved time phased plan for project work against which project execution is compared to measure and manage cost and schedule performance.
Baseline Configuration: A set of specifications for a system, or Configuration Item (CI) within a system, that has been formally reviewed and agreed on at a given point in time, and which can be changed only through change control procedures. The baseline configuration is used as a basis for future builds, releases, and/or changes.
Baseline Security: The minimum security controls required for safeguarding an information asset based on its identified needs for confidentiality, integrity, and/or availability protection.
Baselining: Monitoring resources to determine typical utilization patterns so that significant deviations can be detected.
Boundary Protection: Monitoring and control of communications at the external boundary of an information system to prevent and detect malicious and other unauthorized communication, through the use of boundary protection devices (e.g., proxies, gateways, routers, firewalls, guards, encrypted tunnels).
Business Continuity Management Program: An ongoing governance process supported by senior management and resourced to ensure that the necessary steps are taken to identify the impact of potential losses, maintain viable recovery strategies and plans, and ensure continuity of products/services through exercising, rehearsal, testing, training, maintenance.
Business Continuity Plan (BCP): A plan that documents arrangements and procedures that enable an organization to respond to an event that lasts for an unacceptable period of time and return to performing its critical business functions after an interruption. Related Terms: Business resumption plan, continuity plan, contingency plan, disaster recovery plan, recovery plan
Business Impact Analysis (BIA): A process designed to prioritize business functions by assessing the potential quantitative (financial) and qualitative (non-financial) impact that might result if an organization was to experience a disruption.
Business Strategy: An agency’s business strategy is its overall plan for accomplishing its mission in a changing environment with the resources it can reasonably expect to be available. Such a strategy typically addresses the agency’s statutory mission and historical role, the expectations of its key stakeholders (individuals and organizations that affect the agency or that the agency affects), the factors that are critical to its success as an organization, the agency’s internal strengths and weaknesses, and the political, social, economic, and technological forces in its environment that support or constrain its programs. Business strategies articulate the key issues that must be successfully addressed by the agency and identify the priorities and required resources for proposed actions. A strategy may have a time frame that is as short as a few months, if there is a limited window of opportunity for significant change. However, most agency business strategies present a three- to five-year perspective, with some agencies finding it useful to extend their strategic vision as much as ten to twenty years into the future. Strategic planning is not a one-time effort; it is a fundamental, continuing management process that allows the agency to respond in an effective manner to a changing environment.

C

California Project Management Methodology (CA- PMM)

The California Project Management Methodology (CA-PMM) is a customized, orchestrated project management workflow derived from the Project Management Institute’s process groups. The CA-PMM identifies 500 hours of effort to be the threshold for requiring CA-PMM project management disciplines. While smaller endeavors are not subject to the CA-PMM, they should still be planned and managed effectively.

Categorization

The characterization of an information system based on an assessment of the potential impact that a loss of confidentiality, integrity, or availability of such information system would have on organizational operations, organizational assets, individuals, other organizations, and the Nation.

Certification

A comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.

Chain of Custody

A process that tracks the movement of evidence through its collection, safeguarding, and analysis lifecycle by documenting each person who handled the evidence, the date/time it was collected or transferred, and the purpose for the transfer.

Chain of Evidence

A process and record that shows who obtained the evidence; where and when the evidence was obtained; who secured the evidence; and who had control or possession of the evidence. The “sequencing” of the chain of evidence follows this order: collection and identification; analysis; storage; preservation; presentation in court; return to owner.

Classification

The characterization of information based on an assessment of legal and regulatory requirements, and the potential impact that a loss of confidentiality, integrity, or availability of such information would have on organizational operations, organizational assets, individuals, other organizations, and the Nation.

Cloud Computing

A Model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

Cold Site

An alternate facility that already has in place the environmental infrastructure required to recover critical business functions or information systems, but does not have any pre-installed computer hardware, telecommunications equipment, communication lines, etc. These must be provisioned at time of disaster.

Communication

4989.1 For the purpose of interpreting this policy, communication is the requesting, sending, transmitting, or receiving of electronic data via cable, telephone wire, wireless, or other communication facility

Communications

Local area and wide area network components, including linkages with other organizations. See also Telecommunications

Communications Recovery

The component of Disaster Recovery which deals with the restoration or rerouting of an organization’s telecommunication network, or its components, in the event of loss.

Compensating Security Controls

The management, operational, and technical security controls employed in lieu of the controls prescribed in the National Institute of Standards and Technology (NIST) Special Publication 800-53 security control baselines that provide equivalent or comparable protection for an information asset or organization. [NIST SP 800-53, Adapted]

Confidential Information

Information maintained by state agencies that are exempt from disclosure under the provisions of the California Public Records Act (Government Code sections 7920.000-7931.000) or has restrictions on disclosure in accordance with other applicable state or federal laws. See SAM Section 5305.5.

Confidentiality

A security principle that works to ensure that information is not disclosed to unauthorized persons.

Contact List

A list of team members and/or key personnel, including their backups, to be contacted during an event. The list will include the necessary contact information (i.e. home phone, pager, cell, etc.) and in many cases it is considered confidential. Related Terms: Call Tree

Continuing Costs

Costs associated with the operation and maintenance of an information technology system or application after development and implementation of the system.

Continuous Monitoring

Maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions. The terms “continuous” and “ongoing” in this context mean that security controls and organizational risks are assessed and analyzed at a frequency sufficient to support risk-based security decisions to adequately protect organization information.

Cost/Benefit Analysis

An assessment that is performed to ensure the cost of a safeguard does not outweigh the benefit of the safeguard.

Countermeasures

Actions, devices, procedures, techniques, or other measures that reduce the vulnerability of an information system. Synonymous with security controls and safeguards.

Critical Application

An application that is so important to the agency that its loss or unavailability is unacceptable. With a critical application, even short-term unavailability of the information provided by the application would have a significant negative impact on the health and safety of the public or state workers; on the fiscal or legal integrity of state operations; or on the continuation of essential agency programs.

Critical Infrastructure

Critical infrastructure provides the essential services that underpin American society and serve as the backbone of our nation and state’s economy, security, and health.
Assets identified as essential to the state, U.S. society and the economy, public health, safety, economic security, or any combination thereof. These include, as examples, facilities, systems and services within the following sectors:

Chemical
Commercial Facilities
Communications (telecommunications)
Critical Manufacturing
Dams and their control systems
Defense Industrial Base (police, military)
Emergency Services (first responders, police, military)
Energy [electricity generation, transmission and distribution; gas production, transport and distribution; and oil and oil products production, transport and distribution; heating (e.g. natural gas, fuel oil, district heating)]
Financial Services (banking, clearing)
Food and Agriculture (agriculture, food production and distribution)
Government Facilities
Healthcare and Public Health (hospitals, ambulances)
Information Technology
Nuclear Reactors, Materials, and Waste
Transportation Systems (fuel supply, railway network, airports, ports, harbors, inland shipping)
Water and Wastewater Systems [water supply, drinking water, waste water/sewage, stemming of surface water (e.g. dikes and sluices)]

Sources: U.S. Department of Homeland Security and Critical Infrastructures Protection Act of 2001, 42 U.S.C. 5195c(e)
Note: See Critical Infrastructure FAQ for further assistance with the process of identifying critical infrastructure.

Critical Infrastructure Controls

Networks and systems controlling assets so vital to the state that the incapacity or destruction of those networks, systems, or assets would have a debilitating impact on public health, safety, economic security, or any combination thereof.

Source: Government Code Section 8592.30

Critical infrastructure information

Information not customarily in the public domain pertaining to any of the following:

Actual, potential, or threatened interference with, or an attack on, compromise of, or incapacitation of critical infrastructure controls by either physical or computer-based attack or other similar conduct, including, but not limited to, the misuse of, or unauthorized access to, all types of communications and data transmission systems, that violates federal, state, or local law or harms public health, safety, or economic security, or any combination thereof.
The ability of critical infrastructure controls to resist any interference, compromise, or incapacitation, including, but not limited to, any planned or past assessment or estimate of the vulnerability of critical infrastructure.
Any planned or past operational problem or solution regarding critical infrastructure controls, including, but not limited to, repair, recovery, reconstruction, insurance, or continuity, to the extent it is related to interference, compromise, or incapacitation of critical infrastructure controls.

Source: Government Code Section 8592.30

Criticality

A measure of the degree to which an organization depends on the information or information system for the success of a mission or of a business function.

Cross Site Scripting (XSS)

A vulnerability that allows attackers to inject malicious code into an otherwise benign website. These scripts acquire the permissions of scripts generated by the target website and can therefore compromise the confidentiality and integrity of data transfers between the website and client. Websites are vulnerable if they display user supplied data from requests or forms without sanitizing the data so that it is not executable.

Custodian of Information

Personnel or organizational unit (such as a data center or information processing facility) responsible as caretaker for the proper use and protection of information assets on behalf of the information asset owner.

D

Data: A representation of facts, concepts, or instructions in a formalized manner suitable for communication, interpretation, or processing by humans or by automated means.
Data Custodian: See Custodian of Information
Data Processing: The systematic performance of operations upon data, e.g., handling, merging, sorting, computing. Synonymous with information processing.
Data Processing System: A system, including computer systems and associated personnel, that performs input, processing, storage, output, and control functions to accomplish a sequence of operations on data.
Data Storage: The retaining of data/information on any of a variety of mediums (i.e., magnetic disk, optical disk, or magnetic tape) from which the data can be retrieved.
Data Transmission: The conveying of data from one functional unit to one or more additional functional units through the transmission of signals by wire, radio, light beam, or any other electromagnetic means. (Voice or video transmissions are not considered data transmission for the purposes of state policy.)
Defense-in-Depth: Information security strategy integrating people, technology, and operations capabilities to establish variable barriers across multiple layers and dimensions of the organization.
Demilitarized Zone (DMZ): Perimeter network segment that is logically between internal and external networks. Its purpose is to enforce the internal network’s information security policies for external information exchange and to provide external, untrusted sources with restricted access to releasable information while shielding the internal networks from outside attacks.
Denial of Service (DoS): The prevention of authorized access to resources or the delaying of time-critical operations. (Time-critical may be milliseconds or it may be hours, depending upon the service provided.)
Desktop and Mobile Computer Software: Commercially licensed software necessary for the operation, use, and/or security of desktop and mobile computers.
Desktop and Mobile Computer Supplies: Consumable commodities used for data storage, printing, and/or other IT supplies as defined in SAM Section 4919.2.
Desktop and Mobile Computing: For the purposes of this policy, desktop and mobile computing is the use of desktop and mobile computing commodities in support of state agencies’ business operations.
Desktop and Mobile Computing Commodities: Hardware and software commonly required for most state employees to perform daily business transactions such as desktop computers, mobile computers, (e.g., personal digital assistants, laptop computers, smartphones), desktop and mobile computer software, servers, server software, peripheral devices (e.g., printers), supplies, and LAN infrastructure.
Desktop and Mobile Computing Servers: Computer servers necessary for the operation, use, and/or security of desktop and mobile computers.
Desktop and Mobile Server Software: Commercially licensed server software necessary for the operation, use, and/or security of desktop and mobile computers.
Desktop Computers: Computing devices, generally designed to remain in a fixed location, that can connect by cable, telephone wire, wireless transmission, or via any Internet connection to an agency’s IT infrastructure and/or data systems.
Development: Activities or costs associated with the analysis, design, programming, staff training, data conversion, acquisition, and implementation of new information technology applications.
Direct Application Access Architecture: A high-level remote access architecture that allows teleworkers to access an individual application directly, without using remote access software. (From SIMM 5360A)
Disaster: A condition in which an information asset is unavailable, as a result of a natural or man-made occurrence, that is of sufficient duration to cause significant disruption in the accomplishment of agency program objectives, as determined by agency management.
Disaster Recovery: See Technology Recovery
Disaster Recovery Plan (DRP): See Technology Recovery Plan
Disaster Recovery Planning: The technical component of business continuity planning.

E

Electronic and Information Technology (EIT or E&IT): Includes information technology and any equipment or interconnected system or subsystem of equipment that is used in the creation, conversion, or duplication of data or information. The term electronic and information technology includes, but is not limited to, telecommunications products (such as telephones), information Kiosks and transaction machines, World Wide Web sites, multimedia, and office equipment such as copiers and fax machines.
Emergency: A sudden, unexpected occurrence that poses a clear and imminent danger, requiring immediate action to prevent or mitigate the loss or impairment of life, health, property, or essential public services. SAM Section 6560, specifies that emergency expenditures cannot exceed $25,000, unless approved by the Department of Finance.
Encryption: Conversion of plaintext to ciphertext through the use of a FIPS validated cryptographic algorithm. [FIPS 140-2]
End-to-End Encryption: Encryption of information at its origin and decryption at its intended destination without intermediate decryption.
Equipment: An agency’s hardware platforms and components ranging from individual personal computers to mainframes and associated peripherals. See also IT Equipment

F

Facilities: The electrical, ventilation, fire suppression, physical security, wiring, and other components required to support an agency’s information technology capability, including the physical structure itself.
Federated Data Center: A centralized Tier III-equivalent data center providing participating state departments the ability to operate their own environment with a degree of independence in the overall management of their server infrastructure. Federated Data Center (FDC) services will evolve to provide, at a minimum, shared network, storage, and backup infrastructures. Additionally, agencies can plan utilization of the FDC as a disaster recovery site.
FIPS-Validated Cryptography: A cryptographic module validated by the Cryptographic Module Validation Program (CMVP) to meet requirements specified in FIPS 140-2 (as amended). As a prerequisite to CMVP validation, the cryptographic module is required to employ a cryptographic algorithm implementation that has successfully passed validation testing by the Cryptographic Algorithm Validation Program (CAVP).
Funding: Current and projected funding for information technology planning, acquisition, development, and operations activities.

G

Guideline: Recommended actions that describe leading practices which support policies, standards and procedures.

H

Hardening: A defense strategy to protect against attacks by removing vulnerable and unnecessary services, patching security holes, and securing access controls.
Hardware: See IT equipment.
Hot Site: An alternate facility that already has in place the computer, telecommunications, and environmental infrastructure required to recover critical business functions or information systems. Related Terms: Alternate Site, Cold Site, Warm Site

I

Implementation Control

The referenced standard or procedure that must be used to comply with minimum security controls.

Incident

An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.

Incident Response Plan

The documentation of a predetermined set of instructions or procedures to detect, respond to, and limit consequences of a malicious cyber attacks against an organization’s information assets.

Individual

A person who is the subject of the state entity’s personal information collection.

Information Asset

(1) All categories of paper and automated information, including (but not limited to) records, files, and data bases; and (2) information technology facilities, equipment (including personal computer systems), and software owned or leased by state agencies

Information Asset Custodian

Information Integrity

The condition in which information or programs are preserved for their intended purpose; including the accuracy and completeness of information systems and the data maintained within those systems.

Information Management Strategy

An agency’s information management strategy is the agency’s comprehensive plan for using information technology to address its business needs, i.e., to successfully carry out its programmatic mission. Ideally, the agency’s information management strategy represents one aspect of a well-defined overall agency business strategy and is therefore closely aligned to its business strategy. If the agency has not established a business strategy, agency staff who are responsible for the agency information management strategy must make assumptions based on their knowledge of the agency’s overall mission, its program resources and priorities, and the changing nature of its environment.

Information Processing

The systematic performance of operations upon data, e.g., handling, merging, sorting, computing. Synonymous with data processing.

Information Security

The protection of information assets from a wide range of threats in order to provide for their confidentiality, integrity, and availability. Information security supports business continuity, minimizes business risk, and maximizes return on investments and business opportunities.

Information Security Architecture

An embedded, integral part of the enterprise architecture that describes the structure and behavior for an enterprise’s security processes, information security systems, personnel and organizational sub-units, showing their alignment with the enterprise’s mission and strategic plans.

Information Security Program Plan

Formal document that provides an overview of the security requirements for an organization-wide information security program and describes the program management controls and common controls in place or planned for meeting those requirements.

Information System Authorization

The official management decision given by a senior organizational official to authorize operation of an information system and to explicitly accept the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security controls.

Information System Security Lifecycle

The phases through which an information system passes, typically characterized as initiation, development, operation, and termination (i.e., sanitization, disposal and/or destruction).

Information Technology

Information technology means all computerized and auxiliary automated information handling, including systems design and analysis, conversion of data, computer programming, information storage and retrieval, voice, video, data communications, requisite systems controls, and simulation. The term “information technology” is commonly abbreviated as “IT”.

Information Technology Administrators

The agency’s IT staff such as those individuals responsible for support and security of the IT infrastructure. (SIMM 5360A)

Information Technology Asset Management

The effective tracking and managing of IT assets for an agency’s program and enterprise IT infrastructure and production systems, including the ability to identify and classify agency-owned hardware and software, telecommunications, maintenance costs and expenditures, support requirements (e.g., state staff, vendor support), and the ongoing refresh activities necessary to maintain the agency’s IT assets.

Information Technology Equipment

Information Technology devices used in the processing of data electronically. The following are examples of IT equipment: 1. Mainframes and all related features and peripheral units, including processor storage, console devices, channel devices, etc.; 2. Minicomputers, midrange computers, personal computers, laptops, tablets, smart phones and all peripheral units associated with such computers; 3. Special purpose systems including word processing, Optical Character Recognition (OCR), bar code readers/scanners, and photo composition; 4. Communication devices used for transmission of data such as: modems, data sets, mutiplexors, concentrators, routers, switches, local area networks, private branch exchanges, network control equipment, or microwave or satellite communications systems; and 5. Input-output (peripheral) units (off-line or on-line) including: display screens, optical character readers, magnetic tape units, mass storage devices, printers, video display units, data entry devices, plotters, scanners, or any device used as a terminal to a computer and control units for these devices. See also Equipment

Information Technology Infrastructure

An agency’s information technology platform for the support of agency programs and management. Included in the infrastructure are equipment, software, communication networks.

Source: SAM Section 4989.1

Information Technology Personnel

All state personnel employed in IT or telecommunications classifications as defined by the Department of Personnel Administration or by the Trustees of the California State University and Colleges, and all personnel of other classifications in state agencies who perform information technology activities for at least 50 percent of their time. Users of personal computers and office automation are not included in this category unless they are in information technology classifications or spend at least 50 percent of their time performing information technology activities.

Information Technology Procurement

Any contract, interagency agreement or purchase estimate to conduct any activity listed below, or any combination of these activities is to be considered an “information technology procurement.” 1. IT facility preparation, operation and maintenance. 2 Development and implementation of application systems or programs, or changes to application systems or programs to meet new or modified needs, or maintenance, including: feasibility study preparation, systems analysis, systems design, purchase and installation of software, programming, conversion of data or programs, documentation of systems and procedures, and project appraisal or assessment. 3. Operation of application systems or programs including handling, assembling, or editing of input-output data or media where information technology equipment or information technology personnel are used. 4. Services or equipment received through an EDP Master Agreement. SAM Section 5207. 5. Acquisition, installation, operation, and maintenance of data processing equipment. 6. Other installation management activities including performance measurement, system tuning, and capacity management. 7. Employment of personnel in support of, or directly related to, any of the above activities, including: administration, technical services, clerical services, travel, training, and preparation of periodic and special reports. 8. Control functions directly related to any of the above activities.

Information Technology Supplies

All consumable items and necessities (excluding equipment defined as IT equipment) to support information technology activities and IT personnel, including: 1. Documents (such as standards and procedures manuals, vendor-supplied systems documentation, and educational or training manuals); 2. Equipment supplies (such as printer forms, punch card stock, disk packs, “floppy” disks, magnetic tape, and printer ribbons or cartridges); and 3. Furniture (such as terminal tables and printer stands).

Input-Output Unit/Device

A unit or device in an IT system by which data may be entered into the system, received from the system, or both.

L

Least Privilege: The principle that a security architecture is designed so that each entity is granted the minimum system resources and authorizations that the entity needs to perform its function, and users are granted access to only those information assets they need to perform their official duties.
Lifecycle: The anticipated length of time that the information technology system or application can be expected to be efficient, cost- effective and continue to meet the agency’s programmatic requirements. Synonymous with operational life system.
Local Area Network (LAN): Two or more desktop or mobile computers at the same site connected by cable, telephone wire, wireless or other communication facility providing the ability to communicate or to access shared data storage, printers, or other desktop and mobile computing commodities.

M

Maintenance: Activities or costs associated with the ONGOING UPKEEP of operational applications of information technology. Maintenance includes correcting flaws, optimizing existing systems or applications, responding to minor changes in specified user requirements, renewal of equipment maintenance agreements, and meeting normal workload increases using substantially the same equipment, facilities, personnel, supplies and software.
Metrics: Tools designed to facilitate decision-making and improve performance and accountability through collection, analysis, and reporting of relevant performance-related data.
Mission Critical Activities: The critical operational and/or business support activities (either provided internally or outsourced) required by the organization to achieve its objective(s) i.e. services and/or products.
Mission Critical Business Functions: The critical operational and/or business support functions that could not be interrupted or unavailable for more than a mandated or predetermined timeframe without significantly jeopardizing the organization. An example of a business function is a logical grouping of processes/activities that produce a product and/or service such as Accounting, Staffing, Customer Service, etc. Related Terms: Critical Business Function, Essential Functions, Critical Resources
Mission-Critical Applications: Applications that support business activities or processes that could not be interrupted or unavailable for the Recovery Time Objective (RTO) defined by the agency without significantly jeopardizing the organization.
Mobile Computers: Portable-computing devices that can connect by cable, telephone wire, wireless transmission, or via any Internet connection to an agency’s IT infrastructure and/or data systems.
Mobile Computing Device: Portable-computing devices that can connect by cable, telephone wire, wireless transmission, or via any Internet connection to an agency’s IT infrastructure and/or data systems. (See SAM Section 4989.1).
Mobile Web: Mobile Web refers to browser-based access to the Internet or Web applications using a mobile device, such as a smart phone, connected to a wireless network.
Mobilization of Personnel: To organize (people, resources, etc.) for active service or use in any emergency, drive, etc.
Multi-factor authentication: Authentication based on two or more of the following: something you know (i.e., password), something you have (i.e., token or smartcard), or something you are (i.e., a biometric). (SIMM 5360A) Also see: Two-factor Authentication
Multi-homed Connection: A host connected to two or more networks or having two or more network addresses. For example, a computer may be connected to a serial line and a LAN or to multiple LANs. (SIMM 5360A)

N

Need-To-Know: A method of isolating information resources based on a user’s need to have access to that resource in order to perform their job but no more. The terms ‘need-to know” and “least privilege” express the same idea. Need-to-know is generally applied to people, while least privilege is generally applied to processes.
Network Equipment: Equipment facilitating the use of a computer network. This includes routers, switches, hubs, gateways, access points, network bridges, modems, firewalls, and other related hardware and software.
Network-level Connection: The connection provides access to a state private network through a tunneling or a remote desktop access architecture and the software and data that reside on the internal information assets. (SIMM 5360A)
Non-State Entity: A business, organization, or individual that is not a State entity, but requires access to State information assets in conducting business with the State. (This definition includes, but is not limited to, researchers, vendors, consultants, and their employees, and entities associated with federal and local government and other states.)

O

Open Source Software: Software that includes distribution terms that comply with the following criteria provided by the Open Source Initiative: (The open source definition used here is from the Open Source Initiative and is licensed under a Creative Commons Attribution 2.5 License (http://creativecommons.org/licenses/by/2.5/) 1. Free Redistribution: The software can be given as part of a package with other applications; 2. Source Code: The code must either be distributed with the software or easily accessible; 3. Derived Works: The code can be altered and distributed by the new author under the same license conditions as the product on which it is based; 4. Integrity of the author’s source code: Derived works must not interfere with the original author’s intent or work; 5. No discrimination against persons or groups; 6. No discrimination against fields of endeavor: Distributed software cannot be restricted in who can use it based on their intent; 7. Distribution of license: The rights of the program must apply to all to whom the program is re-distributed without need for an additional license; 8. License must not be specific to a product; Meaning that an operating system product cannot be restricted to be free only if used with another specific product; 9. License must not contaminate other software; and 10. License must be technology-neutral.
Operations: Activities or costs associated with the CONTINUED USE of applications of information technology. Operations includes personnel associated with computer operations, including network operations, job control, scheduling, key entry, and the costs of computer time or other resources for processing.
Operations Life: See Life Cycle
Outsource: The procuring of services or products from an outside supplier or manufacturer due to lack of resources, knowledge, or timeliness, or to cut costs. Related Terms: Outside Source
Owner of Information Assets: An organizational unit having responsibility for making classification, categorization and control decisions regarding information assets.

P

Partnerships: Relationships with other public and private sector organizations that support and enable the agency’s pursuit and use of information technology.
Peer-to-Peer Technology: Computer software, file sharing program, or protocol, other than computer and network operating system, that has as its primary function the capability to allow the computer on which the technology is used to designate files available for transmission to another computer using the technology, to transmit files directly to another computer using the technology, and to request the transmission of files from another computer using the technology.
People: An agency’s technical staff, user community groups, and executive steering and oversight committees that are charged with information technology planning, approval, development, management, operations, and security responsibilities.
Peripheral Unit/Device: With respect to a particular processing unit or device, any equipment that can communicate directly with that unit or device.
Personnel: Employees, volunteers, contractors, sub-contractors commissioned , employed by or otherwise engaged in the performance of work associated with administration of a state entity program.
Phishing: A digital form of social engineering that uses authentic- looking—but bogus—emails to request information from users or direct them to a fake Web site that requests information.
Physical Security: The measures designed to safeguard personnel; to prevent unauthorized access to equipment, installations, material, and documents; and to safeguard them against unauthorized access, damage, and theft.
Plan of Action and Milestones – (POA&M): A document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for the milestones.
Plans: Detailed designs or methods for aligning information technology activities with agency business strategies and accomplishing business objectives. Typical agency information technology plans include strategic, risk management, and operational recovery.
Policy: A high-level directive that describes mandatory or prohibited actions, applicable to individuals who fall within the scope of the policy, which aim to protect State information assets.
Portal Architecture: A high-level remote access architecture that is based on a server that offers teleworkers access to one or more applications through a single, centralized interface. (SIMM 5360A)
Privacy: The right of individuals and organizations to control the collection, storage, and dissemination of information about themselves.
Privacy Impact Assessment (PIA): An analysis of how information is handled: 1) to ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy; 2) to determine the risks and effects of collecting, maintaining, and disseminating information in identifiable form in an electronic information system; and 3) to examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks.
Procedure: A specific series of actions an individual must take in order to comply with policies and standards.
Professional Development: Use of recognized industry organizations and certifications. Implies a guarantee of meeting a standard through application of evaluation or measurement criteria.
Program: A sequence of instructions suitable for processing. See information processing or data processing.
Programming: The designing, writing, testing, debugging, and documentation of programs.
Project: An endeavor with a defined beginning and end (usually time- constrained, and often constrained by funding or deliverables), undertaken to meet unique goals and objectives, typically to bring about beneficial change or added value. (See information technology project.)
Project Oversight: An independent review and analysis to determine if the project is on track to be completed within the estimated schedule and cost, and will provide the functionality required by the sponsoring business entity. Project oversight identifies and quantifies any issues and risks affecting these project components.
Proprietary Software: Computer programs which are the legal property of one party, the use of which is made available to a second or more parties, usually under contract or licensing agreement.
Public Facing Application: Any web-facing application designed and delivered with the intent of access by individuals or organizations over the public internet. Public facing applications are exposed to the broadest base of potential users (e.g. citizens), and are accessed via a web-browser.
Public Information: Any information prepared, owned, used, or retained by a state agency and not specifically exempt from the disclosure requirements of the California Public Records Act (Government Code sections 7920.000-7931.000) or other applicable state or federal laws.

R

Recovery Point Objective (RPO)

The maximum amount of data loss an organization can sustain during an event.

Recovery Prioritization

The ordering of critical activities and their dependencies are established during the Business Impact Analysis (BIA) and Strategic-planning phase. The continuity plans will be implemented in the order necessary at the time of the event. Related Terms: Priority Classification, Prioritization

Recovery Strategy

An approach by an organization that will ensure its recovery and continuity in the face of a disaster or other major outage. Plans and methodologies are determined by the organizations strategy. There may be more than one solution to fulfill an organization’s strategy. Examples: Internal or external hot-site, or cold-site, Alternate Work Area reciprocal agreement, Mobile Recovery, Quick Ship / Drop Ship, Consortium-based solutions, etc. Related Terms: Business Continuity Strategy, Recovery Strategy, Continuity Strategy, Resumption Strategy

Recovery Team

A team responsible for developing, maintaining, and activating the business recovery procedures and complying with the organization’s BCM program. Related Terms: Disaster Recovery Team, Key Personnel, IT Personnel, Business Recovery Teams

Recovery Time Objective (RTO)

The period of time within which systems, applications, or functions must be recovered after an outage (e.g. one business day). RTO’s are used as the basis for the development of recovery strategies, and as a determinant as to whether or not to implement the recovery strategies during a disaster situation. Related Terms: Maximum Allowable Downtime/Outage.

Reengineering of the Business Process

The search for, and implementation of, radical changes in business processes that result in dramatic efficiencies, reductions in turnaround time, improvements in quality, or improvements in customer service.

Remediation

The act of correcting a vulnerability or eliminating a threat.

Remediation Plan

A plan to perform the remediation of one or more threats or vulnerabilities facing an organization’s systems. The plan typically includes options to remove threats and vulnerabilities and priorities for performing the remediation.

Remote Access

The connection of an information asset from an off-site location to an information asset on state IT infrastructure. (SIMM 5360A)

Remote Desktop Access Architecture

A high-level remote access architecture that gives a teleworker the ability to remotely control a particular desktop computer at the organization, most often the computer assigned to the user that resides at the organization’s office from a telework device. (SIMM 5360A)

Residual Risk

The remaining potential risk after all information security measures are applied.

Risk

The likelihood or probability that a loss of information assets or breach of security will occur.

Risk Analysis

The process of identifying the risks to system security and determining the likelihood of occurrence, the resulting impact, and the additional safeguards that mitigate this impact. Part of risk management and synonymous with risk assessment.

Source: SAM 5300.4, Definitions based on NIST Glossary of Key Information Security Terms

Risk Assessment

The process of identifying risks to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation, arising through the operation of an asset. Part of risk management, incorporates threat and vulnerability analyses and considers mitigations provided by security controls planned or in place. Synonymous with risk analysis.

Source: SAM 5300.4, Definitions based on NIST Glossary of Key Information Security Terms

Risk Assessment (Tier 1 – Organization/Enterprise Level)

Risks are addressed at the organization level. Decisions at this level affect the entire organization and are aimed at managing risk from a global perspective, including setting risk tolerance levels, prioritizing risk response actions, and ensuring that risk management processes are integrated with strategic objectives and operational activities. Tier 1 risk assessments can affect, for example: organization-wide information security and privacy programs, policies, procedures, and guidance; the types of appropriate risk responses (i.e., risk acceptance, avoidance, mitigation, sharing, or transfer); investment decisions for information technologies/systems; procurements; minimum organization-wide security controls; conformance to enterprise/security architectures; and monitoring strategies and ongoing authorizations of information systems and common controls. [NIST 800-30r1]

Risk Assessment (Tier 2 – Mission/Business Level)

Risks are considered at the mission/business process level. At this level, risk assessments are tailored to specific business processes, procedures, and the information flows, considering the importance of those processes, procedures, and flows to the organization’s overall objectives. Tier 2 risk assessments can affect, for example: enterprise architecture/security architecture design decisions; the selection of common controls; the selection of suppliers, services, and contractors to support organizational missions/business functions; the development of risk-aware mission/business processes; and the interpretation of information security policies with respect to organizational information systems and environments in which those systems operate. [NIST 800-30r1]

Risk Assessment (Tier 3 – Information Asset Level)

Risks are addressed at the information Asset level. This level is most closely associated with the day-to-day management of information assets and includes identifying, assessing, and responding to risks that impact IT systems and data. The focus is on implementing appropriate security controls to mitigate identified risks to an acceptable level, based on the organization’s risk tolerance. Tier 3 risk assessments can affect, for example: design decisions (including the selection, tailoring, and supplementation of security and privacy controls and the selection of information technology products for organizational information systems); implementation decisions (including whether specific information technology products or product configurations meet security control and privacy preserving requirements); and operational decisions (including the requisite level of monitoring activity, the frequency of ongoing information system authorizations, and system maintenance decisions). [NIST 800-30r1]

Risk Management

The process of managing risks to operations (including mission, functions, image, or reputation), assets, or individuals resulting from the operation of an information asset. It includes risk assessment; cost-benefit analysis; the selection, implementation, and assessment of security controls; and the formal authorization to operate the asset. The process considers effectiveness, efficiency, and constraints due to laws, directives, policies, or regulations.

Risk Mitigation

Prioritizing, evaluating, and implementing the appropriate risk-reducing controls/countermeasures recommended from the risk management process.

Risk Response

Accepting, avoiding, mitigating, sharing, or transferring risk to organizational operations (i.e., mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation.

Risk Tolerance

The level of risk an entity is willing to assume in order to achieve a potential desired result.

Root Cause Analysis

A principle-based, systems approach for the identification of underlying causes associated with a particular set of risks.

S

Safeguards: Protective measures prescribed to meet the security requirements (i.e., confidentiality, integrity, and availability) specified for an information system. Safeguards may include security features, management constraints, personnel security, and security of physical structures, areas, and devices. Synonymous with security controls and countermeasures.
Sanitization: Process to remove information from media such that information recovery is not possible. It includes removing all labels, markings, and activity logs.
Security and Privacy Awareness: Designed to focus attention on information security and privacy
Security and Privacy Education: Designed to integrate all security skills and competencies into a common body of knowledge, adding a multidisciplinary study of concepts, issues, and principles.
Security and Privacy Training: Designed to produce relevant and needed skills and competency
Security Banner: A banner presented on the opening screen that informs users of the security implications of accessing a computer resource.
Security Event: An observable occurrence in a network or system, such as a detected vulnerability, or observed signs of attack, anomalies, and suspicious or inappropriate activities.
Security Incident: An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.
Sensitive Information: Information maintained by state agencies that requires special precautions to protect it from unauthorized modification, or deletion. See SAM Section 5305.5. Sensitive information may be either public or confidential (as defined above).
Server Room: Any space that houses computer operations. Such computer operations could utilize mainframes, servers, or any computer resource functioning as a server.
Service Definitions: The types of services provided, accepted service levels, and service delivery time frames established for an agency’s information technology support organization.
Shut Down: Turning the power off in a controlled manner.
Smart Phone: A mobile computing device that provides advanced computing capability and connectivity, and runs a complete operating system and platform for application developers and users to install and run more advanced applications. (SIMM 5360A)
Software: 4819.2 Programs, procedures, rules, and any associated documentation pertaining to the operation of a system. (Contrast with hardware.) 4900.1 The set of operating system, utility, communications, user interface, and management programs that enable users to operate and control computers and develop application systems. The infrastructure includes elements owned by the agency and available under contract or through interagency agreement. For agencies that employ the services of a consolidated data center, for example, the required data center resources are considered part of the agency’s infrastructure.
Split Tunneling: The process of allowing a remote VPN user to access a public network, most commonly the Internet, at the same time that the user is allowed to access resources on the VPN. A disadvantage of this method is that it essentially renders the VPN vulnerable to attack as it is accessible through the public, non-secure network. (SIMM 5360A)
Standard: A detailed published specification that contains measurable, mandatory rules to be applied to a process, technology, and/or action in support of a policy.
State Entity: Any entity within the executive branch that is under the direct authority of the Governor, including, but not limited to, all agencies, departments, boards, bureaus, commissions, councils, institutions, offices, or other distinct governmental organization not specifically exempted from adherence to the legal and regulatory requirements related to information security and privacy set forth herein.
Statewide Information Management Manual: The Statewide Information Management Manual (SIMM) as structured by the Technology Agency contains instructions and guidelines as well as samples, models, forms and communication documents that state agencies either must use, or will find helpful to use, in complying with established state policy relating to IT. For clarity, references in SIMM to “Department of Finance” that are not related to budget documents such as Budget Change Proposals or Finance Letters, should be read as references to the “California Technology Agency”.
Strategic Planning Process for Information Technology: The process of aligning agency plans for, and uses of, information technology with the agency’s business strategies.
Strong Password: A minimum of eight characters using a combination of upper and lowercase letters, numbers and special characters. (SIMM 5360A)
System Standby: A low power mode for electronic devices such as computers, televisions, and remote controlled devices (aka “sleep mode”). These modes save significant electrical consumption compared to leaving a device fully on and idle but allow the user to avoid having to reset programming codes or wait for a machine to reboot.

T

Technology Letters: Letters issued by the Technology Agency conveying official communications regarding state information technology (IT), announcing new (or changes to existing) IT policies and procedures, or announcing new (or changes to existing) state IT services or standards.
Technology Recovery: The ability of an organization to respond to a disaster or an interruption in services by implementing a disaster recovery plan to stabilize and restore the organization’s critical functions. Formerly referred to as Disaster Recovery
Technology Recovery Plan: The management approved document that defines the resources, actions, tasks and data required to manage the technology recovery effort. Usually refers to the technology recovery effort. This is a component of the Business Continuity Management Program. Related Terms: Operational Recovery Plan (ORP), Business Continuity Management Plan, Recovery Plan, Business Resumption Plan. Formerly referred to as Disaster Recovery Plan.
Technology Recovery Planning: The technical component of business continuity planning. Formerly referred to as Disaster Recovery Planning.
Telecommunications: Includes voice and data communications, the transmission or reception of signals, writing, sounds, or intelligence of any nature by wire, radio, light beam, or any other electromagnetic means. See also Communications.
Telework: An arrangement in which an employee regularly performs officially assigned duties at home or an alternate work site. (SIMM 5360A)
Third-party: An individual or entity not identified or involved in the interaction or relationship between an individual data subject and the state entity.
Threat: A circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation.
Tier III-Equivalent Data Center: Data Center facility consisting of multiple active power and cooling distribution paths; however, only one path is active. The facility has redundant components and is concurrently maintainable providing 99.982% availability.
Tunneling Architecture: A high-level remote access architecture that provides a secure tunnel between a telework device and a tunneling server through which application traffic may pass. Tunnels use cryptography to protect the confidentiality and integrity of the transmitted information between client device and the VPN gateway. (SIMM 5360A)
Two-factor Authentication: Authentication based on two of the following: something you know (i.e., password), something you have (i.e., token or smartcard), or something you are (i.e., a biometric). (SIMM 5360A) Also see: Multi-factor Authentication

U

User: A person who is specifically authorized to access and use information or another information asset, such operating a computer.

V

Validation: The process of evaluating software during or at the end of the development process to determine whether it satisfies specified requirements. [IEEE-STD-610]
Verification: The process of evaluating software to determine whether the products of a given development phase satisfy the conditions imposed at the start of that phase. [IEEE-STD-610]
Virtual Private Network (VPN): A virtual network, built on top of existing physical networks, that provides a secure communications tunnel for data and other information transmitted between networks. (SIMM 5360A)
Virtualization: A framework or methodology of dividing the resources of a computer into multiple execution environments, by applying one or more concepts or technologies such as hardware and software partitioning, time-sharing, partial or complete machine simulation, emulation, quality of service, and many others.
Vulnerability: A weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.

W

Web-based Connection: The connection provides access to one or more applications through a single centralized interface through a direct application access or portal architecture (typically a web- browser to a portal server located within the demilitarized zone [DMZ]). This type of connection creates an area that serves as a boundary between two or more networks and isolates the information asset from the internal private network. (SIMM 5360A)
Wide Area Network (WAN): Two or more physical locations connected by cable, wire, or other wireless transmission, providing the ability to communicate between locations and/or Internet connectivity.