The capacity for data users to enter, modify, delete, view, copy, or download data.
An administrative account is an account that is used interactively by administrators or other persons for service administration or management.
Antimalware is a type of software program designed to prevent, detect, and remove malicious software (malware) on an electronic device. Although it is similar to antivirus, it has important differences from antivirus. Antimalware has more advanced features such as behavior monitoring that scans for suspicious behavior or files on the device. It can prevent malware from installing. It addresses spyware, spam, and other threat issues that antivirus usually does not.
Authentication Certificate is a digital certificate which is used to gain access to a system for secure electronic dealings. It is an electronic document that contains information on (1) the entity it belongs to, (2) the entity it was issued by, (3) unique serial number or some other unique identification, (4) valid dates and, (5) a digital fingerprint.
An individual at the University who is authorized to grant a request to access Electronically Stored Information (ESI). This may include an individual who has been designated, either permanently or temporarily, by another individual to serve in the role of authorizing official on their behalf. The authorizing official (a.k.a approver) typically would be from within the same department, business unit, or reporting area, and must be at least two levels above the affected individual(s) on an organizational chart (except where the affected individual is the president or vice-president). The authorizing official is a person in a higher-level position of authority who is able to determine appropriateness and reasonableness after reviewing the applicable policies and standards related to the request. For most situations, the authorizing official will be either the department chairs or heads or their assigned designee, or the President or delegated representative, such as the Vice-Presidents and Deans or their assigned designee, depending on the affected user and requested access.
Standard security controls that must be in place on all University-owned computing devices to ensure they are in compliance with University Policies. These include, but are not limited to, anti-virus software, password protection, and regular software updates.
A bridge letter is a letter from a vendor that attests to the continued validity and accuracy of the provided external assessment (no significant changes in their environment or threat landscape) between the report end date and the current date. UVA requires that a bridge letter may span no more than six months from the report end data and the date of UVA's request for an external assessment report.
Character classes: For the purposes of authentication and password complexity, there are four possible character classes:
- Upper case alphabetic (e.g. A-Z)
- Lower case alphabetic (e.g. a-z)
- Numeric (e.g. 0-9)
- Special characters ([email protected]#$%~).
A password with all four character classes might be: "Always b3 Secure."
- it has upper case alphabetic: "A" and "S"
- it has lower case alphabetic: "always b ecure"
- it has a number: "3"
- it has a special character: "." (period)
Classified Data, as defined in UVA policy, IRM-003: Data Protection of University Information, are: Data whose sensitivity level falls within a hierarchical schema established by the federal government according to the degree to which unauthorized disclosure would damage national security. Access to classified data typically requires a formal security clearance level relative to the sensitivity of the classified data for which the access is requested. Ranging from most sensitive to least, those levels include Top Secret, Secret, Confidential, and Public Trust. The misuse of classified data may incur criminal penalties and significant reputational damage.
Additional protective controls, beyond baseline security measures, put in place on a workstation to offset a specific increase in data security risk.
An individual who is an employee of a firm that has a formal contractual relationship with the University and has been assigned to work at the University for the duration of the contract.
Data that is a public record available to anyone in accordance with the Virginia Freedom of Information Act but is also not intentionally made public (see the definition of public data). Examples include salary information, employee name and title, meeting minutes, specific e-mail messages (for a complete list, see Code of Virginia § 2.2-3700 Virginia Freedom of Information Act).
For purposes of this policy, this term includes any item, component, material, software, source code, object code, or other commodity specifically identified on the Commerce Control List [Part 774 of the Export Administration Regulations (EAR)] or U.S. Munitions List [Part 121 of the International Traffic in Arms Regulations (ITAR)]. This term also includes information to the extent required in the applicable regulation.
Text, numbers, graphics, images, sound, or video and in any format, electronic or paper. The University regards data maintained in support of a functional unit's operation as University data if they meet at least one of the following criteria: If
- at least two administrative operations of the University use the data and consider the data essential;
- integration of related information requires the data;
- the University needs to verify the quality of the data to comply with legal and administrative requirements for supporting statistical and historical information externally;
- a broad cross section of University employees refers to or maintains the data; or
- the University needs the data to plan.
Some examples of such University-owned data include student course grades, patient records, employee salary information, research, vendor payments, and the University's annual Common Data Set.
University and Medical Center officials who have responsibility for confirming that requests for access correctly map to what the data users need in the way of access to the specific components of a given application required to perform job duties, and for which they have appropriate training. (The Data Access Approver will be either the Data Steward, the Deputy Data Steward, or the Executive Data Steward.)
Data loss prevention (DLP) is a set of tools and processes used to ensure that highly sensitive data (HSD) is not lost, misused, transmitted, or accessed by unauthorized users. It often refers to scanning to identify where highly sensitive data (e.g., social security numbers (SSNs) and credit card numbers) are stored or emailed.
The person designated by the VP or Dean to provide oversight of data security for the organization. If no individual is designated, the person responsible for providing oversight of IT for the organization will fulfill this role.
University and Medical Center officials who have responsibility for determining the purpose and function of data within their assigned data domains. They (1) work to protect the accuracy, integrity, and (as appropriate) confidentiality of data; (2) have final sign-off authority for users seeking to access, retrieve, manipulate, or view data for their respective data domains. May delegate final sign-off authority to Deputy Data Stewards they appoint, but retain accountability for decisions; and (3) work to make certain users have an understanding of the data to which they have access.
Individuals who acknowledge acceptance of their responsibilities, as described in this policy, and its associated standards and procedures, to protect and appropriately use data to which they are given access; and meet all prerequisite requirements, e.g., attend training before being granted access.
Individuals who authorize or reject access requests based upon approval criteria established by the Data Stewards who appoint them.
The entire collection of data for which a University employee assigned the role and responsibilities of an Executive Data Steward, Data Steward, or Deputy Data Steward is responsible. The data domain also includes rules and processes related to the data.
Includes telephone communications, so-called "phone mail," or voicemail, e-mail, computer files, text files, and any data traversing the University network or stored on University equipment.
Electronic equipment, whether owned by the University or an individual, that has a processor, storage device, or persistent memory, including, but not limited to: desktop computers, laptops, tablets, cameras, audio recorders, smart phones and other mobile devices, as well as servers (including shared drives), printers, copiers, routers, switches, firewall hardware, network-aware devices with embedded electronic systems (i.e. “Internet of Things”), supervisory control and data acquisition (SCADA) and industrial control systems, etc
All media, whether owned by the University or an individual, on which electronic data can be stored, including, but not limited to: external hard drives, magnetic tapes, diskettes, CDs, DVDs, and USB storage devices (e.g., thumb drives).
Electronically Stored Information (ESI) is information created, manipulated, stored, or accessed in digital or electronic form.
A level of permission that allows the user to install software and change configuration settings on a workstation (also known as administrator or admin privileges)
As used in this policy, includes all faculty (teaching, research, administrative and professional), professional research staff, university and classified staff employed by the University in any capacity, whether full-time or part-time, and all those employees in a wage or temporary status.
An individual who is an employee (2), contractor employee, medical center employee, and/or foundation employee, as well anyone else to whom University IT resources have been extended. These include, but are not limited to, recently terminated employees whose access to University IT resources have not yet been terminated, deleted, or transferred, and individuals whose University IT resources continue between periods of employment. This also includes student workers, volunteers, and other individuals who may be using state-owned or University IT resources and carrying out University work.
System settings or software installed on a workstation in addition to baseline security measures to provide compensating controls in one or more of the following three modes to offset the risk assumed by granting increased privileges:
- Monitoring Mode: Logs user activity such as installing software
- Practical Security Settings: Requires user to verify software installs before proceeding. This activity must be logged in a location the user would not be able to alter
- Highest Practical Security Settings: Requires that any installed software be added to an “allowlist” of permitted software by an Workstation Manager before allowing it to be installed
Senior University and Medical Center officials who have planning and policy-level responsibilities for a large subset of the institution’s data resources. They: (1) oversee the implementation of this policy for their data domains; (2) determine the appropriate classification of institutional data (highly sensitive, sensitive, controlled data, and not sensitive) in consultation with executive management and appropriate others; and (3) appoint Data Stewards for their data domains.
An export is any shipment or transmission of controlled technology out of the U.S. The term "deemed export" is commonly used to refer to the release of controlled information (as specified in the regulations) to a foreign national in the U.S. Under the regulations, such a transfer is deemed to be an export to the individual’s home country.
An individual who is an employee of one of the officially recognized University-related foundations.
Gift card scams are usually phishing emails that appear to come from someone you know, often somebody you think is important, such as supervisor or senior colleague or a family member with an emergency - asking if you can do them a favor or give "urgent help". It often starts with an email that says, "Available?". The email typically asks you to only use email to respond because the sender is occupied (in a meeting) and currently unable to take calls. The scammer replies to the your response, asking you to purchase gift cards, scratch off the back to reveal the gift card codes, and send pictures of the cards to them via reply email. The person promise to pay you back as soon as they are back in the office! Don't fall for it. Those numbers on the back of a gift card let the scammer immediately get the money you loaded onto the card by purchasing it. And once they’ve done that, the scammers and your money are gone, usually without a trace.
Hardware token (sometimes called an authentication or security token) is a physical object, usually a small hardware device, that the owner carries to authorize access to a restricted resource. The user's interaction with a login system proves that the user physically possesses a token specific and unique to that user. Examples include plugging a security token into the workstation or using a key fob or identity badge to swipe or hold up to an authentication device.
Highly sensitive data (HSD), as defined in the UVA Policy IRM-003: Data Protection of University Information, are: data that require restrictions on access under the law or that may be protected from release in accordance with applicable law or regulation, such as Virginia Code § 18.2-186.6. Breach of Personal Information Notification. Highly Sensitive data (HSD) currently include personal information that can lead to identity theft. HSD also includes health information that reveals an individual’s health condition and/or medical history.
Specific examples include, but are not limited to:
- Any store or file of passwords or user-ids and passwords on any multi-user system or computer.
- Personal information that, if exposed, can lead to identity theft. This may include a personal identifier (e.g., name, date of birth) as well as one of the following elements:
- Social security number;
- Driver’s license number or state identification card number issued in lieu of a driver’s license number;
- Passport number;
- Financial account number in combination with any required security code, access code, or password that would permit access to a financial account;
- Credit card or debit card number, including any cardholder data in any form on a payment card: or
- Military Identification Number.
Also considered HSD are any form of personally identifying information in combination with social security number (SSN), driver’s license number, passport number, financial account number and required security code, and/or military ID number. For example, computing ID and driver’s license number, or home address and SSN.
Note that credit card numbers can never be stored either alone or in combination with any other identifiers.
- Health information is any information that, if exposed, can reveal an individual’s health condition and/or history of health services use, including information defined by Health Insurance Portability and Accountability Act (HIPAA) as protected health information (PHI).
- Cardholder Data (CHD): Primary cardholder account number that identifies the issuer and a particular cardholder account, which can include cardholder name, expiration date and/or service code.
Individual-use electronic devices, as defined in the UVA Policy: IRM-003: Data Protection of University Information, are: electronic equipment, whether owned by the University or an individual, that has a storage device or persistent memory, including, but not limited to: desktop computers, laptops, tablets, smart phones, and other mobile devices. For purposes of this policy, the term does not include shared purpose devices, such as servers (including shared drives), printers, copiers, routers, switches, firewall hardware, clinical workstations, medical devices (e.g., EKG machines), etc.
Individual-use electronic media, as defined in the UVA Policy: IRM-003: Data Protection of University Information, are: all media, whether owned by the University or an individual, on which electronic data can be stored, including, but not limited to: external hard drives, magnetic tapes, diskettes, CDs, DVDs, and any externally attached storage devices (e.g., thumb drives).
Any event that, regardless of accidental or malicious cause, results in:
- disclosure of University data to someone unauthorized to access it,
- unauthorized alteration of University data,
- loss of data which the University is legally or contractually bound to protect or which support critical University functions,
- disrupted information technology service,
- a violation of the University’s information security policies.
Examples of such incidents include, but are not limited to:
- Malicious software installations on electronic devices that store University data not routinely made available to the general public, e.g., employee evaluations, or data the University is legally or contractually bound to protect, e.g., social security numbers, credit card numbers, Protected Health Information (PHI), research data, etc.
- Loss or theft of electronic devices, electronic media, or paper records that contain University data not routinely made available to the general public or data the University is legally or contractually bound to protect.
- Defacement of a University website.
- Unauthorized use of a computing account.
- Use of information technology resources for unethical or unlawful purposes (incidents involving employees and pornography should be reported directly to University Human Resources).
- Contact from the FBI, Secret Service, Department of Homeland Security or other law enforcement organizations regarding a University electronic device that may have been used to commit a crime.
Information Technology (IT) resources, as defined in UVA policy, IRM-002: Acceptable Use of the University’s Information Technology Resources, are: All resources owned, leased, managed, controlled, or contracted by the University involving networking, computing, electronic communication, and the management and storage of electronic data including, but not limited to:
- Networks (virtual and physical), networking equipment, and associated wiring including, but not limited to: gateways, routers, switches, wireless access points, concentrators, firewalls, and Internet-protocol telephony devices;
- Electronic devices containing computer processors including, but not limited to: computers, laptops, desktops, servers (virtual or physical), smart phones, tablets, digital assistants, printers, copiers, network-aware devices with embedded electronic systems (i.e., “Internet of things”), and supervisory control and data acquisition (SCADA) and industrial control systems;
- Electronic data storage devices including, but not limited to: hard drives, solid state drives, optical disks (e.g., CDs, DVDs), thumb drives, and magnetic tape;
- Software including, but not limited to: applications, databases, content management systems, web services, and print services;
- Electronic data in transmission and at rest;
- Network and communications access and associated privileges; and
- Account access and associated privileges to any other IT resource.
Gathering information and initial fact-finding to determine whether an allegation or apparent instance of research misconduct warrants an investigation.
Internal Use Data, as defined in the UVA Policy IRM-003: Data Protection of University Information, are: data that is a public record available to anyone in accordance with the Virginia Freedom of Information Act (FOIA) but is also not intentionally made public (see the definition of public data). Examples may include salary information, contracts, and specific email correspondence not otherwise protected by a FOIA exemption. For a complete list, see Code of Virginia § 2.2-3700 Virginia Freedom of Information Act.
The formal examination and evaluation of all relevant facts to determine if misconduct has occurred, and, if so, to determine the responsible person and the seriousness of the misconduct.
Legitimate educational interest, as referenced in UVA policy: STU-002: Rights of Students at the University of Virginia Pursuant to the Family Educational Rights and Privacy Act (FERPA), refers to the need of school officials, including those performing the functions described below, to access specific Education Records in the course of performing their duties for UVA.School officials are those individuals who engage in the instructional, supervisory, advisory, administrative, governance, public safety, research, and support functions of UVA. They need not necessarily be paid employees of UVA. School officials include but are not limited to:
- Those UVA students who, pursuant to their duties as officers in officially recognized honor societies, periodicals, and other activities that recognize or encourage superior academic achievement, require personally identifiable information (e.g., grades) from students' education records to determine the satisfaction of specified eligibility requirements;
- Those UVA students who, pursuant to their duties as members of official UVA committees (e.g., scholarship committees), require personally identifiable information from Education Records;
- Those UVA students who, pursuant to the authority granted by the Board of Visitors under the terms of the Honor System and the University Judiciary System, require personally identifiable information from Education Records to investigate, adjudicate, or advise students involved in an alleged violation of the Honor Code or the Standards of Conduct;
- Those persons, companies, or agencies under UVA’s direct control, with whom UVA has contracted to provide services that UVA itself would provide otherwise.
Logging requirement: All access to Highly Sensitive Data (HSD) must be logged. Logging of access to other UVA data types is recommended.
Managed devices include all network connected devices that are managed or administered by someone other than the end-user. Formerly known as centrally or departmentally managed devices.
Medical Center employees, as defined in multiple UVA policies, are: Individuals employed by the University of Virginia Medical Center in any capacity.
A University mission critical system is any factor (e.g., component, equipment, personnel, process, procedure, software, server) that is essential to a business operation or a unit. When a mission critical system fails or is interrupted, business operations are significantly impacted. It is indispensable to continuing operations.
Must expire every sets the maximum number of days before a password must expire and require changing.
Network connected devices include all systems, whether personally or University-owned or managed, connecting to the University’s network. This includes, but is not limited to, computers, laptops, desktops, servers (virtual or physical and including shared drives), smart phones, tablets, digital assistants, printers, copiers, routers, switches, firewall hardware, network-aware devices with embedded electronic systems (i.e., “Internet of Things”; IoT), and supervisory control and data acquisition (SCADA) and industrial control systems.
All users except for those whose sole affiliation with the University is student or applicant.
Password history determines the number of unique new passwords that have to be associated with and used by a user before an old password can be reused again. This ensures that old passwords are not reused often or continually.
phishing is the sending of emails claiming to be from a reputable source (e.g., a company or friend) in order to get you to reveal personal information, such as personally identifiable information, banking and/or credit card details, or passwords. A phishing email may try to get you to download malware onto your computer or phone by opening or saving the email's attachment.
Refers to information that is linked to a person’s identity, such as Social Security Number (SSN), driver’s license number, military ID, protected health information (PHI), etc.
Consult the defintion of highly senstive data in the UVA Policy: IRM-003: Data Protection of University Information for additional information about protected information.
Public data, as defined in the UVA Policy IRM-003: Data Protection of University Information, are: data intentionally made public and are therefore classified as not sensitive. Any data that are published and broadly available are, of course, included in this classification. University policy holds that the volume of data classified as not sensitive should be as large as possible because widespread availability of such information will enable others to make creative contributions in pursuit of the University's mission.
IT resources that are available to broad groups of users within the University community. They include, but are not limited to: public-access computer facilities, shared multi-user computing systems, and the network services that Information Technology Services (ITS) and all other University schools and departments manage. The word “public,” in this context, describes a resource that is available broadly to members of the University community. It does not imply that these resources are available to persons from outside the University community.
Public Record, as defined in two UVA policies, is: Any writing or recording — regardless of whether it is a paper record, an electronic file, an audio or video recording or any other format — that is prepared or owned by, or in the possession of a public body or its officers, employees, or agents in the transaction of public business. Commonwealth of Virginia Code § 2.2-3701. All public records are presumed to be open and may be withheld only if a statutory exemption applies.
Ransomware is a form of malware in which rogue software code effectively holds a user's computer hostage until a "ransom" fee is paid. Access to the user's computers files are blocked, often by encrypting them. Most ransomware attacks are the result of clicking on an infected email attachment or visiting hacked or malicious websites.
Any document, file, computer program, database, image, recording, or other means of expressing information in either electronic or non-electronic form.
Any data, document, computer file, computer diskette, or any other written or non-written account or object that reasonably may be expected to provide evidence or information regarding the proposed, conducted, or reported research that constitutes the subject of an allegation of research misconduct. A research record includes, but is not limited to, grant or contract applications, whether funded or unfunded; grant or contract progress and other reports; laboratory notebooks; notes; correspondence; videos; photographs; X-ray film; slides; biological materials; computer files and printouts; manuscripts and publications; equipment use logs; laboratory procurement records; animal facility records; human and animal subject protocols; consent forms; medical charts; and patient research files. A research record is one type of University record.
Risk Management, as defined in the UVA Policy IRM-004: Information Security of University Technology Resources, is: the process to identify, control and manage the impact of potential harmful events, commensurate with the value of the protected assets. Risk management includes impact analysis, risk assessment, and continuity planning.
Sensitive data, as defined in the UVA Policy IRM-003: Data Protection of University Information, are: data, records, and files that:
- may be withheld from release under the Virginia Freedom of Information Act (FOIA),
- are not public records,
- do not enable identity theft,
- are not protected health information (PHI).
Examples include information concerning the prevention of or response to cyber-attacks, or information that describes a security system used to control access to or use of an automated data processing or telecommunications system, or research records that do not contain Highly Sensitive Data, University ID numbers, i.e., those printed on University ID cards, and/or Family Educational Rights and Privacy Act-protected data not covered under the definition of “Highly Sensitive” data. This category of data also includes any data or record covered by the exemptions listed in the Commonwealth of Virginia Freedom of Information Act).
A Service account is a “non-human” account that is used to run services or applications. Service accounts are not administrative accounts or other accounts used interactively by administrators or other persons.
smishing: is the sending of a text messages claiming to be from a reputable source to get you to reveal personal information, such as passwords or credit card numbers, or to download malware onto your computer or phone. It is short for "SMS phishing."
The Service Organization Control 2 (SOC 2) was developed by the American Institute of Certified Public Accountants (AICPA) to report on controls at a service organization relevant to security, availability, processing Integrity, and confidentiality or privacy. The SOC 2 report provides detailed information and assurance about the controls at a service organization (e.g., cloud vendor) relevant to the security, availability, processing, integrity, and confidentiality (privacy) of customer data.
The Service Organization Control 2 (SOC 2) Type II report is an attestation of controls at a service organization over a minimum six-month period, where as a SOC 2 Type I report is an attestation of the operating effectiveness of controls at a service organization at a specific point in time. The SOC 2 Type II reports on the description of controls relevant to security, availability, processing integrity, and confidentiality or privacy provided by the service organization and attests that the controls are suitably designed, implemented, and effective.
Software token (sometimes called an authentication or security token) is a piece of two-factor authentication security. The token is sent or stored on a device (e.g., smart phone or telephone) that the owner must have to authorize access to a restricted resource. The user's interaction with a login system proves that the user physically possesses a token specific and unique to that user. Examples include using Duo-Authentication or Google Authenticator.
Supported operating systems and firmware are operating systems or firmware that are either supported by the vendor with continued patching or an open source that is supported with updates and/or patches by an active user community.
A control that limits an individual from having full elevated privileges during normal, day-to-day use.
Two-step or multi-factor authentication is an authentication method in which a person is granted access only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism:
- knowledge (something the user and only the user knows),
- possession (something the user and only the user has), and/or
- inherence (something the user and only the user is).
Any two-step or multi-factor authentication process at the University of Virginia must be:
a. a University-approved two factor authentication (e.g., Duo-based High Security VPN) or
b. a method that has been reviewed and approved by the University Information Security Office before use.
A good example of two-factor authentication is the withdrawing of money from an ATM. Only the correct combination of a bank card (something the user possesses) and a PIN (something the user knows) allows the transaction to be carried out.
Two-step login process must be either a UVA-approved two-step authentication (e.g., Duo-based High Security VPN) or another method that have been reviewed and approved by the University Information Security Office before use.
Unauthorized disclosure is the exposure, communication, and/or physical transfer of information to someone not authorized to view and/or receive it.
Recorded information that documents a transaction or activity by or with any appointed board member, officer, or employee of the University. Regardless of physical form or characteristic, the recorded information is a University record if it is produced, collected, received or retained in pursuance of law or in connection with the transaction of university business. The medium upon which such information is recorded has no bearing on the determination of whether the recording is a University record. University records include but are not limited to: personnel records, student records, research records, financial records, patient records and administrative records. Record formats/media include but are not limited to: email, electronic databases, electronic files, paper, audio, video and images (photographs).
User(s), as defined by the University's IRM-003: Data Protection of University Information, is anyone who uses University information technology (IT) resources. This includes all account holders and users of University IT resources including, but not limited to: students, applicants, faculty, staff, medical center employees, contractors, University-Associated Organization employees, guests, and affiliates of any kind.
A level of permission that allows users to access specific resources on the workstation and network, such as data files, applications, printers, and scanners.
vishing: is making phone calls or leaving voice messages claiming to be from a reputable company or colleague in order to get you to reveal personal information, such as bank details and credit card numbers or passwords. It's a combination of ‘voice’ and ‘phishing,’
Vulnerability detection software is a service that scans an endpoint for current patch levels against a centralized database for known operating system and application vulnerabilities.
A desktop computer, terminal, tablet, or laptop computer, intended for business or professional use
A highly-skilled IT professional responsible for the upkeep, configuration, and reliable operation of a workstation such as a Local Support Partner (LSP) or Desktop Support Technician.
Report an Information
Please report any level of incident, no matter how small. The Information
Security office will evaluate the report and provide a full investigation if appropriate.