The following terms are defined solely for the context of this Procedure.
- Analysis of Practices and Protections – a professionally and legally sound analysis of required, existing, and missing practices and protections (see definition) that mitigate or otherwise address the risks identified in the Risk Analysis. Also the Program Document that records this analysis.
- Asset Inventory – a set of records presenting to the Program the risk-oriented facts, such as location, owner, users, custodians, business value, sensitivity, and backup information, regarding the most critical forms of Sensitive Information and Sensitive Systems.
- Campus – a college, school, or university of the State University of New York.
- Catalog of Practices and Protections – a Program Document providing concise descriptions of identifiable practices and protections (see definition) with sufficient detail to enable managers, the general workforce, faculty, and students to identify and work effectively with the instances of each item in their domains.
- HIPAA-covered SUNY Campus – a Campus that the University has formally determined is covered under HIPAA. Such determination is based on the Campus's having identified at least one business function that meets the University's interpretation of HIPAA-covered, which in most cases is due to creating and/or having authorized access to protected health information (PHI) as defined by HIPAA. Most PHI is personal health records created or used in electronically billed health transactions conducted by Campus personnel.
- Information Security Incident Response Team – a formal group defined and maintained by the Program that readies the Campus to respond quickly and appropriately to security incidents, which are sudden, unplanned, adverse, locally impacting changes that threaten the security of Sensitive Information and Sensitive Systems and therefore require urgent and timely mitigating responses.
- Information Security Program – a formal management function, with written goals and charges, that seeks to address the full range of information security issues that affect the Campus and seeks to align its practices with applicable laws, regulations, policies, and standards of practice.
- ISO – Information Security Officer/Office/Oversight. An assigned person (Officer), group (Office), or coordinated function (Oversight) that understands the Campus's information security risk, the Program, and the meaning and intent of the University standards for information security; that presents professionally and legally sound and timely advice to executive management regarding appropriate action; and that ensures the Program is exposed to outside professional perspective, especially that of the University's central information security oversight function.
- Practices and Protections – individual and group behavioral patterns (practices), such as using hard-to-guess passwords, and system/infrastructure configuration and tools (protections), such as anti-virus software, maintained by the Campus to remove or reduce the impact of threats to the security of its Sensitive Information and Sensitive Systems.
- Program – the Campus's information security program.
- Program Document – one of several major documents or sets of documents generated or maintained by one part of the Program and needed by another part of the Program.
- Professionally and legally sound – the characteristic of a Program whereby professional and legal information security analysts would find its structure, analysis, decisions, and responses reasonable and appropriate.
- Risk Analysis – a formal process of the Program wherein the Campus considers and records foreseeable threats and hazards, especially those that are well known and have high likelihood and impact, that could result in substantial harm or inconvenience to the University or to persons who are the subject of the personal information in its Asset Inventory. Also the Program Document that records this analysis.
- Senior Executive – one or more Campus executives, having the power to commit Campus funds and personnel, who approve and oversee the Program.
- Sensitive Information – a policy-level security classification used by the University and Campuses to name, in aggregate, the formally declared set of standards-level categories of information (such as Social Security Number) that the Program addresses, i.e., protects.
- Sensitive System – a physical or digital container of Sensitive Information, such as a computer, network, database, application, building, room, cabinet, or other configurable component of the Campus infrastructure directly involved in the sheltering (i.e., housing and locking), storing, processing, or transmitting of Sensitive Information.
- University – the State University of New York.
- Workforce Inventory – a set of records regarding the workers having authorized access to the Sensitive Information and Sensitive Systems (i.e., the items presented in the Asset Inventory), presenting to the Program the risk-oriented facts, such as work location, work group and supervisor, security roles, and object authorizations.