Definitions

Networked-device vulnerability scans (e.g., Nessus) must be performed and remediated at least twice a year.

Must connect to UVA servers through approved secure on-Grounds networks (More Secure Network, Secure Clinical Subnet, eduroam wireless), or from home using one of the UVA supported VPNs
 

 An administrative account is an account that is used interactively by administrators or other persons for service administration or management.

Antimalware is a type of software program designed to prevent, detect, and remove malicious software (malware) on an electronic device.  Although it is similar to antivirus, it has important differences from antivirus. Antimalware has more advanced features such as behavior monitoring that scans for suspicious behavior or files on the device. It can prevent malware from installing.  It addresses spyware, spam, and other threat issues that antivirus usually does not.

Authentication Certificate is a digital certificate which is used to gain access to a system for secure electronic dealings. It is an electronic document that contains information on (1) the entity it belongs to, (2) the entity it was issued by, (3) unique serial number or some other unique identification, (4) valid dates and, (5) a digital fingerprint.

Standard security controls that must be in place on all University-owned computing devices to ensure they are in compliance with University Policies. These include, but are not limited to, anti-virus software, password protection, and regular software updates.

Character classes: For the purposes of authentication and password complexity, there are four possible character classes: 

• Upper case alphabetic (e.g. A-Z)
• Lower case alphabetic (e.g. a-z)
• Numeric (e.g. 0-9)
• Special characters (e.g.!@#$%~).

A password with all four character classes might be:  "Always b3 Secure." 

1. it has upper case alphabetic: "A" and "S"
2. it has lower case alphabetic: "always b ecure"
3. it has a number: "3"
4. it has a special character: "." (period)

Additional protective controls, beyond baseline security measures, put in place on a workstation to offset a specific increase in data security risk.

Data that is a public record available to anyone in accordance with the Virginia Freedom of Information Act but is also not intentionally made public (see the definition of public data).  Examples include salary information, employee name and title, meeting minutes, specific e-mail messages (for a complete list, see Code of Virginia § 2.2-3700 Virginia Freedom of Information Act).

Text, numbers, graphics, images, sound, or video and in any format, electronic or paper.  The University regards data maintained in support of a functional unit's operation as University data if they meet at least one of the following criteria: If

1. at least two administrative operations of the University use the data and consider the data essential;
2. integration of related information requires the data;
3. the University needs to verify the quality of the data to comply with legal and administrative requirements for supporting statistical and historical information externally;
4. a broad cross section of University employees refers to or maintains the data; or
5. the University needs the data to plan.

Some examples of such University-owned data include student course grades, patient records, employee salary information, research, vendor payments, and the University's annual Common Data Set.

Data loss prevention (DLP) is a set of tools and processes used to ensure that highly sensitive data (HSD) is not lost, misused, transmitted, or accessed by unauthorized users.  At UVA, it can refer to scanning to identify where highly sensitive data (e.g., social security numbers (SSNs) and credit card numbers) are stored or emailed and remove them.

Data Stewards are University (Academic Division, the Medical Center, and the College at Wise) have operational oversight for the life cycle of a specific data domain including the definition, intake, and usage of the data. Data Stewards will oversee the development, maintenance, and enforcement of appropriate policies, standards, and procedures for the use of data in their functional areas, including defining criteria for data access authorization and have final sign-off authority for users seeking to access, retrieve, manipulate, or view data for their respective data domains.  
Data Stewards are assigned by, and are accountable to, Data Trustees. Institutional data stewards help define, implement, and enforce data management policies and procedures within their specific data domain. Institutional data stewards have delegated responsibility for all aspects of how data is acquired, used, stored and protected throughout its entire lifecycle from acquisition through disposition. Each Data Domain (or subdomain) has a Data Trustee and a Data Steward. Deputy Data Stewards are appointed as needed by Data Stewards to complete data stewardship activities. 

Individuals who acknowledge acceptance of their responsibilities, as described in this policy, and its associated standards and procedures, to protect and appropriately use data to which they are given access; and meet all prerequisite requirements, e.g., attend training before being granted access.

The entire collection of data for which a University employee assigned the role and responsibilities of a Data Trustee, Data Steward, or Deputy Data Steward is responsible. The data domain also includes rules and processes related to the data.

Electronic equipment, whether owned by the University or an individual, that has a processor, storage device, or persistent memory, including, but not limited to: desktop computers, laptops, tablets, cameras, audio recorders, smart phones and other mobile devices, as well as servers (including shared drives), printers, copiers, routers, switches, firewall hardware, network-aware devices with embedded electronic systems (i.e. “Internet of Things”), supervisory control and data acquisition (SCADA) and industrial control systems, etc

Electronically Stored Information (ESI) is information created, manipulated, stored, or accessed in digital or electronic form.

As used in this policy, includes all faculty (teaching, research, administrative and professional), professional research staff, university and classified staff employed by the University in any capacity, whether full-time or part-time, and all those employees in a wage or temporary status.

Endpoint is an individual-use device that is University-owned and serves a University business purpose.  Personal individual-use devices are excluded.

System settings or software installed on a workstation in addition to baseline security measures to provide compensating controls in one or more of the following three modes to offset the risk assumed by granting increased privileges:

• Monitoring Mode: Logs user activity such as installing software
• Practical Security Settings: Requires user to verify software installs before proceeding. This activity must be logged in a location the user would not be able to alter
• Highest Practical Security Settings: Requires that any installed software be added to an “allowlist” of permitted software by an Workstation Manager before allowing it to be installed

An export is any shipment or transmission of controlled technology out of the U.S. The term "deemed export" is commonly used to refer to the release of controlled information (as specified in the regulations) to a foreign national in the U.S. Under the regulations, such a transfer is deemed to be an export to the individual’s home country.

Gift card scams are usually phishing emails that appear to come from someone you know, often somebody you think is important, such as supervisor or senior colleague or a family member with an emergency - asking if you can do them a favor  or give "urgent help".  It often starts with an email that says, "Available?". The email typically asks you to only use email to respond because the sender is occupied (in a meeting) and currently unable to take calls.  The scammer replies to the your response, asking you to purchase gift cards, scratch off the back to reveal the gift card codes, and send pictures of the cards to them via reply email.  The person promise to pay you back as soon as they are back in the office!  Don't fall for it. Those numbers on the back of a gift card let the scammer immediately get the money you loaded onto the card by purchasing it. And once they’ve done that, the scammers and your money are gone, usually without a trace.

Highly sensitive data (HSD), as defined in the UVA Policy IRM-003: Data Protection of University Information, are: data that require restrictions on access under the law or that may be protected from release in accordance with applicable law or regulation, such as Virginia Code § 18.2-186.6. Breach of Personal Information Notification. Highly Sensitive data (HSD) currently include personal information that can lead to identity theft. HSD also includes health information that reveals an individual’s health condition and/or medical history.

Specific examples include, but are not limited to:

• Any store or file of passwords or user-ids and passwords on any multi-user system or computer.
• Personal information that, if exposed, can lead to identity theft. This may include a personal identifier (e.g., name, date of birth) as well as one of the following elements:
  • Social security number;
  • Driver’s license number or state identification card number issued in lieu of a driver’s license number;
  • Passport number;
  • Financial account number in combination with any required security code, access code, or password that would permit access to a financial account;
  • Credit card or debit card number, including any cardholder data in any form on a payment card: or
  • Military Identification Number.
• Health information is any information that, if exposed, can reveal an individual’s health condition and/or history of health services use, including information defined by Health Insurance Portability and Accountability Act (HIPAA) as protected health information (PHI).
• Cardholder Data (CHD):  Primary cardholder account number that identifies the issuer and a particular cardholder account, which can include cardholder name, expiration date and/or service code.

Note that credit card numbers can never be stored either alone or in combination with any other identifiers.

Also considered HSD are any form of personally identifying information in combination with social security number (SSN), driver’s license number, passport number, financial account number and required security code, and/or military ID number. For example, computing ID and driver’s license number, or home address and SSN.

Incidental discovery is happening upon a vulnerability in an unplanned or circumstantial manner, not as part of a plan or intention to uncover or explore a vulnerability.

Individual-use electronic media, as defined in the UVA Policy: IRM-003: Data Protection of University Information, are: all media, whether owned by the University or an individual, on which electronic data can be stored, including, but not limited to: external hard drives, magnetic tapes, diskettes, CDs, DVDs, and any externally attached storage devices (e.g., thumb drives).

Information Technology (IT) resources, as defined in UVA policy, IRM-002: Acceptable Use of the University’s Information Technology Resources, are: All resources owned, leased, managed, controlled, or contracted by the University involving networking, computing, electronic communication, and the management and storage of electronic data including, but not limited to:

• Networks (virtual and physical), networking equipment, and associated wiring including, but not limited to: gateways, routers, switches, wireless access points, concentrators, firewalls, and Internet-protocol telephony devices;
• Electronic devices containing computer processors including, but not limited to: computers, laptops, desktops, servers (virtual or physical), smart phones, tablets, digital assistants, printers, copiers, network-aware devices with embedded electronic systems (i.e., “Internet of things”), and supervisory control and data acquisition (SCADA) and industrial control systems;
• Electronic data storage devices including, but not limited to: internal and external storage devices (e.g., solid state and hard drives, USB thumb drives, Bluetooth connected storage devices), magnetic tapes, diskettes, CDs, DVDs;
• Software including, but not limited to: applications, databases, content management systems, web services, and print services;
• Electronic data in transmission and at rest;
• Network and communications access and associated privileges; and
• Account access and associated privileges to any other IT resource.

Intentional testing is purposeful actions undertaken to discover or reveal a vulnerability.  It does not include exploiting or exploring a vulnerability.

The formal examination and evaluation of all relevant facts to determine if misconduct has occurred, and, if so, to determine the responsible person and the seriousness of the misconduct.

Logging requirement: All access to Highly Sensitive Data (HSD) must be logged.  Logging of access to other UVA data types is recommended.

Medical Center employees, as defined in multiple UVA policies, are: Individuals employed by the University of Virginia Medical Center in any capacity.

The term moderately sensitive data has been changed to sensitive data. The definition remains the same.
See the definition for Sensitive Data

Network connected devices include all systems, whether personally or University-owned or managed, connecting to the University’s network. This includes, but is not limited to, computers, laptops, desktops, servers (virtual or physical and including shared drives), smart phones, tablets, digital assistants, printers, copiers, routers, switches, firewall hardware, network-aware devices with embedded electronic systems (i.e., “Internet of Things”; IoT), and supervisory control and data acquisition (SCADA) and industrial control systems.

Password history determines the number of unique new passwords that have to be associated with and used by a user before an old password can be reused again. This ensures that old passwords are not reused often or continually.

phishing is the sending of emails claiming to be from a reputable source (e.g., a company or friend) in order to get you to reveal personal information, such as personally identifiable information, banking and/or credit card details, or passwords. A phishing email may try to get you to download malware onto your computer or phone by opening or saving the email's attachment.  

Public data, as defined in the UVA Policy IRM-003: Data Protection of University Information, are: data intentionally made public and are therefore classified as not sensitive. Any data that are published and broadly available are, of course, included in this classification. University policy holds that the volume of data classified as not sensitive should be as large as possible because widespread availability of such information will enable others to make creative contributions in pursuit of the University's mission.

Public Record, as defined in two UVA policies, is:  Any writing or recording — regardless of whether it is a paper record, an electronic file, an audio or video recording or any other format — that is prepared or owned by, or in the possession of a public body or its officers, employees, or agents in the transaction of public business. Commonwealth of Virginia Code § 2.2-3701. All public records are presumed to be open and may be withheld only if a statutory exemption applies.

Ransomware is a form of malware in which rogue software code effectively holds a user's computer hostage until a "ransom" fee is paid.  Access to the user's computers files are blocked, often by encrypting them.  Most ransomware attacks are the result of clicking on an infected email attachment or visiting hacked or malicious websites.

Regulated data is defined as data that requires the university to implement specific privacy and security safeguards as mandated by federal, state, and/or local law, or university policy or agreement. Regulations or categories of data most applicable to UVA include, but is not limited to:
Family Educational Rights and Privacy Act (FERPA)
Controlled Data
Health Insurance Portability and Accountability Act (HIPAA)
Health Information Technology for Economic and Clinical Health Act (HITECH)
Social Security Numbers (SSNs)
Gramm Leach Bliley Act (GLBA)
Payment Card Industry Data Security Standards (PCI-DSS)
Export Controlled Research - International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR)
Controlled Unclassified Information (CUI)
Covered Defense Information (CDI) and Controlled Technical Information (CTI)
Classified Data 
Restricted Research Data, such as census data.

The Office of the Vice-President for Research provides guidance and assistance for some of these kinds of data.

Risk Management, as defined in the UVA Policy IRM-004: Information Security of University Technology Resources, is: the process to identify, control and manage the impact of potential harmful events, commensurate with the value of the protected assets. Risk management includes impact analysis, risk assessment, and continuity planning.

A Service account is a “non-human” account that is used to run services or applications.  Service accounts are not administrative accounts or other accounts used interactively by administrators or other persons.

The Service Organization Control 2 (SOC 2) was developed by the  American Institute of Certified Public Accountants (AICPA) to report on controls at a service organization relevant to security, availability, processing Integrity, and confidentiality or privacy.  The SOC 2 report provides detailed information and assurance about the controls at a service organization (e.g., cloud vendor) relevant to the security, availability, processing, integrity, and confidentiality (privacy) of customer data. 

Software token (sometimes called an authentication or security token) is a piece of two-factor authentication security.  The token is sent or stored on a device (e.g., smart phone or telephone) that the owner must have to authorize access to a restricted resource. The user's interaction with a login system proves that the user physically possesses a token specific and unique to that user.  Examples include using Duo-Authentication or Google Authenticator.

Temporary Elevated Privileges are any case where administrative access of an endpoint is explicitly granted by an endpoint manager for five (5) calendar days or fewer at a time

Two-step login process must be either a UVA-approved two-step authentication  (e.g., Duo-based) or another method that has been reviewed and approved by the University Information Security Office before use.

Recorded information that documents a transaction or activity by or with any appointed board member, officer, or employee of the University. Regardless of physical form or characteristic, the recorded information is a University record if it is produced, collected, received or retained in pursuance of law or in connection with the transaction of university business. The medium upon which such information is recorded has no bearing on the determination of whether the recording is a University record. University records include but are not limited to: personnel records, student records, research records, financial records, patient records and administrative records. Record formats/media include but are not limited to: email, electronic databases, electronic files, paper, audio, video and images (photographs).

User(s), as defined by the University's IRM-003: Data Protection of University Information, is anyone who uses University information technology (IT) resources. This includes all account holders and users of University IT resources including, but not limited to: students, applicants, faculty, staff, medical center employees, contractors, University-Associated Organization employees, guests, and affiliates of any kind.

vishing: is making phone calls or leaving voice messages claiming to be from a reputable company or colleague in order to get you to reveal personal information, such as bank details and credit card numbers or passwords.  It's a combination of ‘voice’ and ‘phishing,’

Vulnerability detection software is a service that scans an endpoint for current patch levels against a centralized database for known operating system and application vulnerabilities.