Original Issuance Date: October 13, 2020

Last Revision Date: March 4, 2024

1.     Policy Purpose

The purpose of this policy is to provide a list of general terms and definitions that are used in the 1000 series of the UW System Administrative policy set.

2.     Responsible UW System Officer

Associate Vice President for Information Security

3.     Scope

This policy is applicable to the 1000 series of UW System Administrative policies and procedures.

4.     Background

The President of the University of Wisconsin System is empowered to establish information security policies under Regent Policy Document 25-5, Information Technology: Information Security. The UW System is committed to a secure information technology (IT) environment in support of its mission. This policy provides general definitions for all the Information Security policies promulgated by the University of Wisconsin System.

5.     Definitions

Account Types: Accounts fall into the 3 types below:

  • User Accounts: Accounts that are uniquely associated with a specific person.
  • Shared Accounts: Accounts that can be accessed by multiple Users to allow them to appear as a single business entity or accomplish a single shared function.
  • Service Accounts: Non-interactive accounts that are for systems, devices, or processes, including for Application Programming Interfaces (APIs) and OpenID Connect (OIDC).

Advanced Threat Protection: A category of security solutions that defend against sophisticated malware or hacking-based attacks targeting sensitive data.

Authentication: The process of verifying that someone who holds an account on an IT system is who they purport to be.

Authentication Assurance: The degree of confidence an IT resource uses to verify the claimed identity of an account requesting access. May be used in conjunction with Identity Assurance and referred to as Identity and Authentication (I&A) Assurance.

Authorizations: Access privileges granted to a User. UW System defines 3 levels of Authorizations to reflect a minimum of 3 tiers of user privilege and the associated required controls.

  • Standard Authorizations: Authorizations provided to Users for Non-public Information Technology Resources that do not require Privileged Authorizations.
  • Privileged Authorizations: Authorizations provided to Users trusted to access data or perform security-relevant functions that Users with Standard Authorizations are not authorized to perform.
  • Highly Privileged Authorizations: Authorizations provided to a small group of Users trusted to access highly restricted data or perform security-relevant functions that require higher Identity and Authentication Assurance than Privileged Authorizations to achieve acceptable risk.

Availability: Ensuring timely and reliable access to and use of information.

Compensating Control: A physical, technical, or administrative control, used by an organization instead of a recommended security control, that provides equivalent or comparable protection for an information system.

Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.

Control: Any physical, administrative, management, technical, or legal method that is used to prevent, detect or correct risks. Controls are also known as safeguards or countermeasures. Examples include but are not limited to policies, procedures, programs, techniques, technologies, guidelines, and organizational structures.

Data: Information collected, stored, transferred or reported for any purpose, whether electronic or hard copy.

Data Backup: A copy of files and programs made to facilitate recovery of the data and service if necessary.

Data Breach: The intentional or unintentional release of secure or private/confidential information to an untrusted environment.

Data Classification:

UW System uses the following qualifiers to classify data:

  1. High Risk: The loss of confidentiality, integrity, or availability of data could result in a significant operational, financial, legal, or reputational impact to the organization.
  2. Moderate Risk: The loss of confidentiality, integrity or availability of data could result in a moderate operational, financial, legal, or reputational impact to the organization.
  3. Low Risk: The loss of confidentiality, integrity, or availability of data could result in negligible operational, financial, legal, or reputational impact to the organization.

Data Custodian: A term describing a UW System employee who has been given formal responsibility for the security of the asset or the data hosted on the asset. It does not mean that the asset belongs to the owner in a legal sense.

Data Domain: High-level categories of Institutional Data. Data Domains are created for the purpose of assigning accountability and responsibility for the data.

Data Privacy: Encompasses how and when information is collected, accessed, processed and disclosed, and whether the disclosure involves consent or notice.

Data Security: Encompasses the administrative, technical, and physical measures used to protect information. Data privacy cannot exist without data security.

Data Steward: Data experts who are appointed by Data Trustees to perform data actions within their specific Data Domains and are responsible for overseeing the lifecycle of one or more sets of institutional data. Data Stewards collaborate with institutional Security, Privacy, Data Officers, and Risk Executives to ensure that appropriate controls are in place to protect individual privacy and the data in a manner commensurate with its value to the institution.

Data Subject: An identified or identifiable natural person to which Personal Data applies.

Data Trustee: Maintains primary responsibility for a specific Data Domain. As such, the trustee is the individual charged with executive control of their Data Domain. Trustees are charged with appointment of Data Stewards within their Data Domain.

Digital Credentials: A user’s identification and authentication information, typically a username and password.

Disaster Recovery (DR) Plan: A written plan with detailed procedures to restore IT systems after a significant disruption of services that will let the organization operate at an acceptable level.

Employee: Faculty, staff, or students who are employed by an institution, whether compensated or unpaid.

Endpoint: Desktop computers, servers, laptops, or tablet computers with access to the internet.

Equivalent Control: See Compensating Control.

External Network: A network not controlled by the organization.

Federated Identity Provider: An external Identity Provider with a trust agreement and processes that allows for the sharing of Identity and Authentication information for access control decisions across a set of networked systems.

Federation: A process that allows the conveyance of Identity and Authentication information across a set of networked systems.

High Impact System: A system that is identified as instrumental to continued business operations, including administrative and academic missions. This includes systems that, if made unavailable or compromised, would cause a major disruption to daily operations or would be significantly expensive to restore, as well as systems with data that, if compromised, would cause significant financial or reputational harm.

High Risk: See Data Classification.

Identity: An attribute or set of attributes that uniquely describes a user of an information technology environment. Examples of Identity include accounts and Users in an Identity Provider.

Identity Assurance: The process of providing sufficient information to establish an Identity (identity proofing) and the degree of confidence that a person’s claimed Identity is their real Identity. This includes attributes bound to that Identity. May be used in conjunction with Authentication Assurance and referred to as Identity and Authentication (I&A) Assurance.

Identity Provider: An information system that provides Identity and Authentication information for IT resources.

Indicators of Compromise (IOC): Artifacts observed on a system or network that, with high confidence, indicate potential malicious activity.

Information Security Incident Response Team (ISIRT): A team consisting of personnel with the technical, administrative, and communication skills required to facilitate a prompt and thorough response to security incidents.

Inherent Risk: Level of risk before risk treatment controls are applied.

Institution: All research and comprehensive UW System universities and associated branch campuses, UW Shared Services, and UW System Administration.

Integrity: Guarding against improper information modification or destruction; includes ensuring information non-repudiation and authenticity.

IT Asset: Physical hardware or software used to process, store, or transmit data, including virtual instances and assets in cloud environments.

IT Asset Management (ITAM): The set of business practices that join financial, contractual and inventory functions to support life cycle management and strategic decision making for the IT environment. See IT Asset for additional information.

IT Asset Owner: UW employee or team responsible for making technical or operational decisions about the asset, which includes patching, testing patches, or evaluating the risk of not remediating vulnerabilities.

IT Inventory: One or more authoritative sources for IT Asset information.

Low Risk: See Data Classification.

Malware: Software or firmware intended to perform an unauthorized process that will have an adverse impact on the confidentiality, integrity, or availability of any information system.

Managed Interface: An interface that provides boundary protection capabilities using automated mechanisms or devices.

Moderate Risk: See Data Classification.

Multi-Factor Authentication (MFA): A security system that requires more than one method of authentication from independent categories of credentials to verify the user’s identity for a login or other transaction.

National Institute for Standards and Technology (NIST): A measurement standards laboratory and non-regulatory agency working under the U.S. Department of Commerce.

Network Backbone Connection: An interconnection between two managed network devices with no attached clients. Used for high-speed and high-volume data transmission and controlled by a single administrative entity.

Network Security Zone: A group of logical or physical network segments with a defined level of network security for the connected systems, users, and data within an overall network architecture.

Non-public Information Technology Resources: Any information technology resource that is not intended to be accessed by the general public and that requires authentication of the user using digital credentials.

Passphrase: A secret consisting of a sequence of words or other text that a claimant uses to authenticate their identity. A passphrase is similar to a password in usage but is generally longer for added security.

Password: A secret that a claimant uses to authenticate his or her identity. Passwords are typically character strings.

Passwordless Authentication: An authentication process that does not use a memorized secret. Common authenticators include certificates, security tokens, one-time Passwords, or biometrics.

Patch Management: The process to identify, deploy, install and verify successful patching.

Penetration Testing: The mimicking of real-world attacks in an attempt to verify the security features, or identify methods to circumvent the security features, of an application, system, or network. Often involves execution of attacks on production systems and data, utilizing tools and techniques employed by malicious actors.

Personal Data: The collective definition of PII and PHI.

Personally Identifiable Information (PII): Information which can be used to distinguish or trace the identity of an individual, alone or when combined with other personal or identifying information which is linked or linkable to a specific individual.

Privileged Access Management (PAM): Tools and technologies that manage and protect accounts, credentials, and commands that offer an elevated level of technical access. These tools may include privileged account and session management functions including Password vaulting, privilege elevation and delegation management, enhanced monitoring and logging, command proxying, and emergency access workflows.

Protected Health Information (PHI): Any information about health status, provision of health care, or payment for health care that is created or collected by a Covered Entity (or a Business Associate of a Covered Entity) and can be linked to a specific individual. This includes any part of a patient’s medical record or payment history.

Recovery Point Objective (RPO): The point in time to which the UW institution’s data must be recovered after an outage.

Recovery Time Objective (RTO): The maximum length of time an information system’s components can be in the recovery phase before negatively impacting the UW institution’s mission or business processes.

Remote Access: User-initiated access through an External Network to a system on a secure network. Does not apply to systems designed for public access, e.g., public web servers, public directory servers, or domain name servers.

Research Network: Networks that support research and do not provide administrative services, may require transmitting large amounts of data, and may have unconventional configurations that evolve rapidly. Considered a type of Network Security Zone.

Residual Risk: The threat that remains after all efforts to identify and eliminate risk have been made.

Risk: A function of the likelihood of a given threat-source exercising a specific vulnerability, and the resulting impact of that adverse event on the organization.

Risk Acceptance: A response in which the organization decides to take no action to address the risk and continues to operate with the risk in place.

Risk Appetite: The amount and type of risk that an organization is willing to accept in order to meet their strategic objectives.

Risk Assessment: The process of taking identified risks and analyzing their potential severity of impact and likelihood of occurrence.

Risk Executive: The person who is ultimately responsible for the management, monitoring, and control of all identified risks, including the approval of any mitigating controls and/or risk acceptance. The Risk Executive should be an executive or director (e.g., Dean or their appointee, department chair, director of a research lab, etc.) within the academic/functional unit, or in the line of authority above that unit. The Risk Executive must have the authority to accept the risk of operating the system on behalf of the institution and should be in the unit which is responsible for risk acceptance.

Risk Management: The ongoing process of assessing risks and implementing plans to address them.

Risk Mitigation: Prioritizing, evaluating, and implementing the appropriate risk-reducing controls and countermeasures recommended from the risk management process.

Risk Treatment: The process of managing assessed or identified risks. Risk treatment options are risk avoidance (withdraw from), sharing (transfer), modification (reduce or mitigate) and retention (acceptance).

Safeguard: Protective measures prescribed to meet the security requirements specified for an information system. Safeguards may include security features, processes, management constraints, personnel security, and security of physical structures, areas, and devices.

Secret: A value of sufficient complexity and secrecy that it is impractical for an attacker to guess or otherwise discover the correct value. Commonly referred to as a passphrase, a password, or, if numeric, a PIN.

Security Controls: Safeguards or countermeasures to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets.

Security Incident: Any irregular, adverse, or uncontrolled event that threatens the confidentiality, integrity, or availability of any UW System information asset, system, network or storage media, or any violation or imminent threat of violation of any UW System information security policies, acceptable use policies, or standard security practices. See also Data Breach.

Split Tunneling: A method that routes organization-specific traffic through the virtual private network tunnel but routes other traffic through the remote user’s default gateway.

Standards: A specific set of minimum characteristics or requirements, usually measurable, that must be met in order to comply.

System Boundary: Defines the components of the information systems under the authority of the institution.

Threat: Any circumstance or event with the potential to adversely impact the organizational operations, organizational assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.

Threat Intelligence: Threat information that has been aggregated, transformed, analyzed, interpreted, or enriched to provide the necessary context for decision-making processes.

Transit Peer Link: A connection to an external backbone service that is similar to a Network Backbone Connection in that it has no attached clients and is used for high-speed and high-volume data transmission.

Trusted Network Security Zone: A Network Security Zone with an institution-defined trust level based on the security services and standards for control and management commensurate with the risk and classification of the connected systems and data transmitted. Example controls include firewalls, access control lists, virtual private networks, intrusion detection systems, and network access control policy enforcement.

Untrusted Network Security Zone: Network Security Zones that are public, with no minimum standards for control or management; e.g., the Internet is an Untrusted Network Security Zone.

User: A person, organization, system, or process authorized to access an IT resource.

User Affiliation: The relationship(s) a person has with the institution that may be used to define requirements for their associated Identities and accounts including Authorizations and lifecycle management. Affiliations typically include students, faculty, staff, researchers, alumni, emeritus, retirees, guests, prospective students, special students, partners, consultants, contractors, volunteers, and vendors.

Vulnerability: Weakness in an information system, system security procedure, internal control, or implementation that could be exploited or triggered by a threat source.

Vulnerability Assessment: Systematic examination of an information system or product to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation.

Vulnerability Management: The process to identify, analyze, and manage vulnerabilities.

Vulnerability Scanning: The technique used to identify vulnerabilities of IT systems.

Zero Trust Architecture: A network architecture that replaces perimeter security with controls to secure applications and data based on user and device authentication, contextual data (e.g., user location, endpoint status, and service requested), and continuous monitoring.

6.     Policy Statement

7.     Related Documents

Regent Policy Document 25-5, Information Technology: Information Security
UW System Information Security Program
UW System Information Security Incident Response Plan

8.     Policy History

Revision 2: March 4, 2024

Revision 1: March 8, 2022

First approved: October 13, 2020

9.     Scheduled Review

December 2024