Definitions

A | B | C | D | E | F | G | H | I | J | K | L | M | N | O | P | Q | R | S | T | U | V | W | X | Y | Z

View All

Authentication Certificate

Authentication Certificate is a digital certificate which is used to gain access to a system for secure electronic dealings. It is an electronic document that contains information on (1) the entity it belongs to, (2) the entity it was issued by, (3) unique serial number or some other unique identification, (4) valid dates and, (5) a digital fingerprint.

Authorizing Official

An individual at the University who is authorized to grant a request to access Electronically Stored Information (ESI).  This may include an individual who has been designated, either permanently or temporarily, by another individual to serve in the role of authorizing official on their behalf. The authorizing official (a.k.a approver) typically would be from within the same department, business unit, or reporting area, and must be at least two levels above the affected individual(s) on an organizational chart (except where the affected individual is the president or vice-president). The authorizing official is a person in a higher-level position of authority who is able to determine appropriateness and reasonableness after reviewing the applicable policies and standards related to the request. For most situations, the authorizing official will be either the department chairs or heads or their assigned designee, or the President or delegated representative, such as the Vice-Presidents and Deans or their assigned designee, depending on the affected user and requested access.

Baseline Security Measures

Standard security controls that must be in place on all University-owned computing devices to ensure they are in compliance with University Policies. These include, but are not limited to, anti-virus software, password protection, and regular software updates.

bridge letter

A bridge letter is a letter from a vendor that attests to the continued validity and accuracy of the provided external assessment (no significant changes in their environment or threat landscape) between the report end date and the current date.  UVA requires that a bridge letter may span no more than six months from the report end data and the date of UVA's request for an external assessment report.

Character classes

Character classes: For the purposes of authentication and password complexity, there are four possible character classes: 

  • Upper case alphabetic (e.g. A-Z)
  • Lower case alphabetic (e.g. a-z)
  • Numeric (e.g. 0-9)
  • Special characters (e.g.!@#$%~).

A password with all four character classes might be:  "Always b3 Secure.

  1. it has upper case alphabetic: "A" and "S"
  2. it has lower case alphabetic: "always b ecure"
  3. it has a number: "3"
  4. it has a special character: "." (period)

Classified Data

Classified Data, as defined in UVA policy, IRM-003: Data Protection of University Information, are: Data whose sensitivity level falls within a hierarchical schema established by the federal government according to the degree to which unauthorized disclosure would damage national security.  Access to classified data typically requires a formal security clearance level relative to the sensitivity of the classified data for which the access is requested.  Ranging from most sensitive to least, those levels include Top Secret, Secret, Confidential, and Public Trust. The misuse of classified data may incur criminal penalties and significant reputational damage.

Compensating Controls

Additional protective controls, beyond baseline security measures, put in place on a workstation to offset a specific increase in data security risk.

Contractor Employee

An individual who is an employee of a firm that has a formal contractual relationship with the University and has been assigned to work at the University for the duration of the contract.

Controlled Data

Data that is a public record available to anyone in accordance with the Virginia Freedom of Information Act but is also not intentionally made public (see the definition of public data).  Examples include salary information, employee name and title, meeting minutes, specific e-mail messages (for a complete list, see Code of Virginia § 2.2-3700 Virginia Freedom of Information Act).

Controlled Technology

For purposes of this policy, this term includes any item, component, material, software, source code, object code, or other commodity specifically identified on the Commerce Control List [Part 774 of the Export Administration Regulations (EAR)] or U.S. Munitions List [Part 121 of the International Traffic in Arms Regulations (ITAR)]. This term also includes information to the extent required in the applicable regulation.