IT Glossary of Terms

Effective: to be determined
Updated/Revised: under review
Contact: Office of the CIO


A process that performs some sequence of operations; a specialized computer coding sequence designed to limit or restrict the use or access of sensitive information.

Items of ownership that have value (e.g., Data or information stored on ISU's networks are considered assets, and their safekeeping is the responsibility of the owner or steward.)

Attack Vectors
A path or means by which someone with malicious intent can gain access to a computer or network; common attack vectors include viruses, e-mail attachments, Web pages, pop-up windows, instant messages, chat rooms, etc.

The process of confirming a user's identity to grant (or deny) access to secured data. The most common types are usernames and passwords.

Granting permission for a person, or group, to perform specific acts or gain access to secured data.

Best Practices
Definition to be written.

Data that is transmitted or stored unencrypted; plaintext.

The individual(s) in charge of guarding, protecting and maintaining specific assets or property.

Information that has been converted into a form capable of being moved, processed, analyzed, and/or stored.

Data Custodian
Individual or entity in possession or control of data and is responsible for the safe-keeping, transport, storage, and implementation of policies, procedure, and guidelines applicable to the data. The custodians, including entities contracted for outsourced services to the university, must:

  • implement controls specified by the data steward;
  • provide physical and procedural safeguards for the data and other IT resources using the data;
  • implement monitoring techniques and procedures for detecting, reporting, and investigating security incidents (through their own action or by delegation) based on the Minimum Security Standards.

Data Steward
University office represented by an executive officer. The data steward has policy-level and planning responsibilities for data owned by the university in their functional areas. Data stewards, as a group, are responsible for recommending policies, establishing procedures and guidelines for university-wide data administration activities. Data stewards may delegate the implementation of university policies, standards, and guidelines to data custodians.

Data User
Individual, automated application, or process that is authorized by the data steward to create, enter, edit, and access data. Users have the responsibility to:

  • Use the data only for the purpose specified by the data steward;
  • Comply with controls established by the data steward
  • Prevent disclosure of confidential or sensitive data
  • Report suspected security incidents that may have breached the confidentiality of data.

Disclosure Request
A request for information not otherwise available to the requestor. A disclosure request is often used to gain information related to a legal case.

Discovery in Litigation
Part of the pre-trial litigation process. Each party requests relevant information and documents from the other side in an attempt to "discover" relevant facts.

E-mail Bomb
Sending huge volumes of e-mail to an address in an attempt to overflow the mailbox, or overwhelm the server where the e-mail address is hosted in a denial-of-service attack (DDoS).

The process of using an algorithm (specialized computer code) to make information unreadable to anyone, except those with the key.

The degree to which a security failure has the potential to result in harm or loss. There are three levels:

  • Low
    Limited damage to operations or assets, and that do not involve risk for individuals. These incidents require minor corrective actions or repairs within the designated custodial structure. Communication is usually required only within the affected unit.
  • Moderate
    Cause short-term degradation or partial loss of the university's mission capability; that affect or disadvantage only subsets of the university community; or result in limited loss or damage to significant assets. These incidents require corrective actions or repairs that can normally be handled within the designated custodial structure. They usually involve only internal communications, and normally will not require the involvement of high-level administration.
  • High
    Cause an extensive loss of the university's mission capability; result in a loss of major assets; pose a significant threat to the well-being or lives of large numbers of individuals; or damage the reputation of the university. These incidents require substantial allocation of human resources to correct; may require communication to external agencies or law enforcement and the public; and often require the involvement of high-level administration within the university.

InCommon Bronze
The InCommon Federation creates and supports a common framework for shared management of access to online resources in support of education and research in the United States. InCommon Bronze is the lowest level of trustworthiness assigned to any authorized user.

InCommon Silver
The InCommon Federation creates and supports a common framework for shared management of access to online resources in support of education and research in the United States. InCommon Silver provides an additional level of trust above the Bronze level for Identity Providers that require this enhancement.

Processed data that has gained meaning. Usually put in a form more understandable for viewing and analyzing.

Information Processing
The handling of information by computers in accordance with strictly defined systems of procedure.

Information System
The hardware, software, and procedures used for information processing.

ISU High Password Strength
The PIN (numeric-only) or password, and the controls used to limit online guessing attacks, shall ensure that an attack targeted against a given identity Subject's PIN or password shall have a probability of success of less than 2^16 (1 in 16,384) success over the life of the PIN or password.

ISU Moderate Password Strength
The PIN (numeric-only) or password, and the controls used to limit on-line guessing attacks shall ensure that an attack targeted against a given identity Subject's PIN or password shall have a probability of success of less than 2^10 (1 chance in 1,024) success over the life of the PIN or password.

Local Area Network; a system for linking a number of microcomputers, terminals, work stations, etc. with each other or with a mainframe computer,  to share data, printers, information, programs, disks, etc.

A computer program designed to damage, disrupt, or otherwise compromise a system, such as a Trojan or worm.

Multifactor Authentication (MFA)
A security system in which more than one form of authentication is required to verify access privileges. e.g., A single factor authentication only requires a user name and password (1 factor), while a multifactor authentication requires three or more methods of verification, such as a smart card, retinal scan, fingerprint or voice ID.

A unique identifier for each member of the Iowa State community; the Net-ID is the prefix to your Iowa State e-mail address, which appears before the e.g., the Net-ID for is "student."

A system containing any combination of computers, computer terminals, printers, audio or visual display devices, or telephones interconnected by telecommunication equipment or cables: used to transmit or receive information.

Definition to be written.

Belonging or controlled as property; e.g., Proprietary enrollment data are owned by the University registrar's office.

Proxy Access
A means by which authorized users can view specific confidential information stored on a computer network; a security barrier between ISU's internal network and the Internet, keeping others on the Internet from being able to obtain access to information that is located on ISU's internal network.

Qualified Controlled Device
A device, normally acting as a server, that stores data or executes an application. It has controls that match the minimum security standards for data classified as high. It includes attributes such as restricted physical access, sits behind a firewall, and is administrated by an IT professional to provide regular software updates and backups.

A source of danger; a possibility of incurring loss or damage. In general, risk is a composite of three factors: threats, vulnerabilities, and impact.

Risk Assessment
In information technology security, a systematic process used to determine the potential for any given information system to be subject to loss and to assess the impact of that loss. Risk assessment involves determining potential for and impact of a negative event by evaluating the nature of the information and information systems.

Risk Factors
Factors used to determine the level of risk include: the effect of the loss on the university's strategic missions; the extent of loss to major information systems; the potential for injury or damage to individual(s); the inconvenience or loss of productivity for subsets of the university community; the potential for damage to the university's reputation; the level of administrative involvement required; and the level at which the security problem can be resolved.

Risk Mitigation
Action taken to reduce risk to an acceptable level. An analysis evaluating costs, benefits, and impacts to the university will be critical in determining what, if any, action should be taken. Some options to reduce risk include:

  • Risk assumption - Accepting the potential risk and continuing operations of the IT system.
  • Risk avoidance - Risk mitigation by eliminating a risk cause and/or consequence.
  • Risk limitation - Risk mitigation by implementing controls reducing the negative impact of a threat exercising a vulnerability.
  • Risk transfer - Risk mitigation by using other options to compensate for a loss due to a security incident.

The state of being free from unacceptable risk. IT security focuses on reducing the risk of computing systems, communications systems, and information being misused, destroyed, or modified, or for information to be disclosed inappropriately either by intent or accident.

Security incident
An accidental or malicious act that uses a vulnerability, resulting in the potential negative impact.

Definition to be written.

Storage Media
A device for storing, recording and transporting data; e.g., USB Flash drive, data CD, external hard drive, remote server.

Subpoena duces tecum
A legal written request to summon a witness or the submit evidence, as records or documents, before a court or other deliberative body.

System Administrator
A person in charge of managing and maintaining a computer system or telecommunication system.

Actions or events that may compromise the confidentiality, integrity, availability, or authorized use. These threats may be human or non-human, natural, accidental, or deliberate. Examples:

  • Acts of malice by individuals or groups
  • Purposeful or malicious use of information or information systems
  • Natural or physical disasters such as fire, flood, hardware failures
  • Unintentional oversight, action, or inaction; data left open to unauthorized access; accidental deletion of data files; inadequate data backup procedures.

Trojan Horse
A Trojan horse is a method of secretly introducing a virus or malware program to a computer or computer network. At first, it appears to work as the user wants, but actually allowed unauthorized of access to a system. 

Synonymous with data user.

A malicious computer program that can copy itself and infect a computer. A virus can spread from one computer to another when transfered to the target computer through an e-mail attachment, file transfer over a network or the Internet, or with a portable storage medium such as a USB drive or floppy disk.

Security exposures that increase the potential for a failure of security. A narrow technical definition includes only those exposures created by software or hardware design. However, a broader definition includes exposure that can be inherent to an activity or practice. Examples:

  • Software or hardware that allows unauthorized access to information or information systems.
  • Business practices such as collecting and storing personal information that could, if revealed, be damaging to individuals.
  • Personal practices or procedures, such as improperly protecting one's password or providing inadequate physical environments for IT systems.

A virtual LAN; a group of hosts with a common set of requirements. They communicate as if they were attached to the same broadcast domain, regardless of their physical location. A VLAN has the same attributes as a physical LAN, but allows for end stations to be grouped together, even if they are not located on the same network switch.

A self-replicating malware program that uses a computer network to send copies of itself to other computers on the network without any user intervention.