9-2 Information Technology Use and Security Policy Manual - Glossary
Return to IT Use and Security Policy Manual Table of Contents
Approved by: Board of Supervisors of the County of Sonoma (“County”), and the Boards of Directors of the Northern Sonoma County Air Pollution Control District, the Russian River County Sanitation District, Sonoma Valley County Sanitation District, Occidental County Sanitation District, South Park County Sanitation District, and the Board of Directors of the Sonoma County Agricultural Preservation and Open Space District (collectively referred to hereinafter as “Special Districts”), and the Sonoma County Water Agency (“Agency”), and the Board of Commissioners of the Sonoma County Community Development Commission (“Commission”). The County, Special Districts, Agency and Commission are collectively referred to herein as “Local Agencies” or singularly as “Local Agency.”
Read next: Development and Revision History
A | B | C | D | E | G | H | I | L | M | N | P | R | S | T | U | V | W
Accountability - The system’s ability to determine the actions and behavior of a single user within a system. Accountability shows that a particular user performed a particular action. Audit logs and monitoring are used to track a user’s activity.
Administrative Measures – Defines and guides an individual’s actions to preserve the security of IT resources and data; e.g., policies, procedures, security awareness training. Also referred to as administrative controls.
Administrator Accounts - Accounts that have elevated privilege to IT resources. Such accounts have the capability to circumvent security controls, configure systems, and may create other accounts as well as assign access rights to them. These accounts are limited to staff whose business function requires the use of such an account.
Availability - Ensures information is accessible to authorized users when required.
Authentication - A procedure to unambiguously establish the identity of a user, machine, device or application process before allowing access to an information resource. Authentication is typically with a password but other credentials such as digital certificates may be used
Authorization - Determines which IT resources, User, machine, device or application process is entitled to access.
Back-Up - The process of making copies of data to be used in the event of a data loss.
Breach Notification - Notification required to individuals or agencies in the event of a data breach.
Change – Any notable alteration to a system, data, and/or its configuration that could affect information security, compliance and reliable service delivery.
Compliance - Ensures compliance with laws and regulations and County policies, standards and procedures relevant to information security.
Confidential Data - Information protected from use and/or disclosure by law, regulation or standard, and for which the highest level of security measures are required.
Confidentiality - Ensures information is accessible to only those authorized to have access.
Controls – Administrative, technical, or physical measures and actions taken to try and protect systems, includes safeguards and countermeasures.
Countermeasures – Controls applied to mitigate risk; reactive in nature.
County – The County of Sonoma
Credit Card Information – Credit card number (primary account number or PAN) and one or more of the following: cardholder name, service code, expiration date.
Data – Local Agency information that is stored, processed or transmitted in electronic, optical or digital form.
Data Breach – An information security incident in which confidential data is copied, transmitted, viewed, stolen or used by an unauthorized individual.
Data Center - Centralized storage facility that houses computer, network and telecommunications equipment.
Data Classification – A method of assigning a level of sensitivity to data to determine the extent to which it needs to be controlled and secured.
Data Custodian – Individual responsible for maintaining the confidentiality, integrity and availability of data.
Data Owner – Local Agency Department Head/General Manager or other individual authorized by law, regulation or policy to collect and manage the data that supports their business operations.
Data Steward – Individual assigned by the Data Owner to protect the confidentiality, integrity, and availability of the data that supports their business operations.
Decryption – The process of converting encrypted data back into its original form, so it can be understood.
Designee – Individual designated by a Local Agency Department Head/General Manager to perform some duty or carry out a specific role.
E-Discovery:
- Discovery documents produced in electronic formats rather than hardcopy.
- A process that includes electronic documents and email into a collection of "discoverable" documents for litigation. This normally involves both software and a process that searches and indexes files on hard drives or other electronic media. Extracts metadata automatically for use as an index.
- The process of finding, identifying, locating, retrieving, and reviewing potentially relevant data in designated computer systems.
- The process of identifying, preserving, collecting, processing, searching, reviewing and producing Electronically Stored Information(ESI) that may be relevant to a civil, criminal, or regulatory matter.
Efficiency - Ensures that implemented security safeguards do not unduly interfere with efficient and effective service delivery.
Electronic Protected Health Information (ePHI) – Individually identifiable health information that is transmitted by electronic media, or maintained in electronic media.
Electronically Stored Information(ESI) - Writings, drawings, graphs, charts, photographs, sound recordings, images, and other data or data compilations—stored in any medium from which information can be obtained either directly or, if necessary, after translation by the responding party into a reasonably usable form
Elevated Privilege – Administrative permission to IT resources. See also – Administrator Accounts.
Encryption - A process that transforms readable data into a form that appears random and unreadable to unauthorized users.
Exploit - A process or tool that will attack a vulnerability in an asset.
Guest Account – Also, known as a Guest User ID, used to access very limited network resources (i.e., the Internet
Guidelines – General recommendations or instructions that provide a framework for achieving compliance with information security policies.
High-Risk application – The loss of confidentiality, integrity, or availability of the data or system that could have a significant adverse impact on the county’s operations.
Identification - Means to distinguish individual users, machines, devices and application processes. Multiple identifiers can be associated with a given subject for different purposes. An individual user, for example, may be known by an account name in a Microsoft windows domain, by the distinguished name on a digital certificate or by a Microsoft windows issued security identifier.
Information Security Incident – An Information Security Incident is defined as any adverse event that compromises the security of Local Agency IT resources or data, or otherwise violates Local Agency or County Information Security Policy.
Information Security Incidents may involve:
- Attempts (either failed or successful) to gain unauthorized access to Local Agency IT resources
- Unwanted disruption or denial of service
- Unauthorized or inappropriate use of Local Agency IT resources
- Unauthorized change to a Local Agency IT resource’s hardware, firmware or software
- Virus, worm or other malicious code attacks
- Loss, or unauthorized disclosure, use or access of Confidential Data
- Compromised User account or password
- Loss or theft of any Local Agency IT resource
Information Security Representative – Individual designated by Local Agency Department Head/General manager who is responsible for coordinating information security within their Local Agency.
Information Security Steering Committee - Coordinating body for all County information security-related activities and is composed of the County Privacy Officer, Information Security Officer and individuals designated by the IT Governance Council.
Information Technology (IT) Resources - Information Technology (IT) resources include but are not limited to the following:
- Computers and any electronic device including personally owned devices, which, create, store or process Local Agency data:
- Servers, workstations, desktops, mainframes, copiers, faxes, related peripherals;
- Mobile Devices
- Portable computers such as laptops, notebooks, netbooks, and tablet computers
- Portable storage media such as tapes, compact disks (CDs), digital versatile disks (DVDs), flash drives, and universal serial bus (USB) drives
- Smart Phones, pagers, digital cameras, cell phones, digital voice recorders
- Electronic messaging systems e.g., electronic mail (e-mail), instant messaging;
- Network connections (wired and wireless) and IT infrastructure including, routers, switches, firewalls and;
- County licensed or developed software
Information Technology (IT) Resource Owner - . Individual assigned from within the Local Agency who is responsible for ensuring appropriate protection from unauthorized use, access, disclosure, modification, loss or deletion.
Integrity – Ensures information is complete, accurate and protected against unauthorized modification.
Litigation Hold - A written directive advising data custodians of certain documents to preserve all data including Electronically Stored Information(ESI) that may relate to a legal action.
Local Information Services Provider – Provider of network infrastructure, network access, data storage or e-mail services to Local Agencies. This refers to the County Information Systems Department, Human Services Department Information Integration Division, Sonoma County Sheriff's Office Technical Services Bureau, and County Water Agency Computer Application and Instrumentation Support Section.
Logical Measures– Please see technical measures.
Logon Banner - Notice presented to an individual prior to accessing Local Agency IT Resources, which prohibits unauthorized access, and includes notice of monitoring and recording an individual’s activities.
Malicious Software (Malware) – Programming or files developed for the purpose of doing harm. Malware includes, viruses, worms, Trojan horses, etc.
Mobile Devices - The following is a representative and non-inclusive list of mobile devices:
- Portable computers such as laptops, notebooks, netbooks, and tablet computers
- Pagers, digital cameras, cell phones, digital voice recorders
- Portable storage media such as tapes, CDs, DVDs, flash drives, and USB drives
- Smart Phones
Notice Triggering Data– Data if breached requires notification to individuals and/or agencies.
Patch - Software to repair a defect in an operating system, application or device.
Personal Information– Information containing any of the following in combination with a first initial or first name and a last name:
- Social Security number;
- driver's license number or California Identification Card number;
- an account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account;
- medical information, including any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional or;
- Health insurance information.
Personally owned Devices- The following is a representative and non-inclusive list of mobile devices wholly owned by a user to work on or access Local Agency data:
- Portable computers such as laptops, notebooks, netbooks, and tablet computers
- Pagers, digital cameras, cell phones, digital voice recorders
- Portable storage media such as tapes, CDs, DVDs, flash drives, and USB drives
- Smart Phones
Physical Measures– Controls the physical access to preserve the security of IT resources and data; e.g., locked doors, surveillance cameras, proximity identification cards. Also referred to as physical controls.
Piggybacking - The attempt to gain physical access that has not previously been authorized i.e.; one person following another without individually swiping his or her Proximity Identification Card.
Policy – High level statements providing information security directive and mandates for the County workforce.
Public Data - Information that is available for general access without review by the Data Owner and/or County Counsel.
Procedure – Step-by-step instructions for reinforcing information security policies.
Restricted Data - Information that requires special precautions to protect from unauthorized use, access, or disclosure.
Safeguards – Controls applied to mitigate potential risk; proactive in nature.
Security – Preservation of the confidentiality, integrity and availability of IT resources and data.
Security Measures – A combination of controls and safeguards to preserve the security of IT resources and data.
Secure Socket Layer(SSL)- Encryption technology that provides a secure connection between a web system and a user’s web browser.
Sensitive Information– Information classified as either Confidential - Information protected from use and/or disclosure by law, regulation or standard, and for which the highest level of security measures, or Restricted - Information that requires special precautions to protect from unauthorized use, access, or disclosure.
Shared Account (also known as a Shared User ID) – Account shared among more than one individual for a specific business purpose (i.e., an e-mail resource/calendar).
Standards –Defined minimum requirements to ensure compliance with an information security policy.
Store – The placement of data in either temporary or permanent memory (that is, in “storage”), such that the information can be accessed or retrieved.
Storage – See Store.
Strong passwords- Passwords provide the first line of defense against unauthorized access to your computer. The stronger your password, the more protected your computer will be from malicious individuals and malware. Passwords may not contain two consecutive characters of the user's full name or User ID (Account Name).
The strong password contains characters from three of the following categories:
- Password must be 8 characters in length.
- Passwords must combine three or more of:
- Uppercase letters of European languages (A through Z)
- Lowercase letters of European languages (A through Z)
- Base 10 digits (0 through 9).
- Non-alphanumeric characters (special characters) (for example, $, #, %)
Technical Measures–Utilizes technology to preserve the security of IT resources and data, e.g., anti-virus software, encryption, firewalls. Also referred to as logical controls.
Telework - A work flexibility arrangement under which an employee performs the duties and responsibilities of such employee’s positions, and other authorized activities, from an approved worksite other that the location from which the employee would otherwise work.
Third-Party – Any non-County individual or organization that develops, installs, delivers, manages, monitors, or supports any Local Agency IT Resource.
Threat - Any potential danger to an IT Resource.
Transport Layer Security (TLS) - secure protocol that provide communication security in the county work. TLS is the successor to SSL.
User – Workforce members authorized to access Local Agency IT Resources.
User Provisioning– Creation, maintenance, privilege assignment and deactivation of individual accounts.
User ID – Unique identifier assigned to an individual, for example, JSMITH.
Vulnerability - A flaw or weakness in system security procedures, design, implementation, or internal controls that might be exercised (whether accidentally or intentionally) and cause a security breach or a violation of the system’s security policy.
Workforce – Employees or any other individual performing work on behalf of or with approval of Local Agencies.