Access
The ability to view information and, when applicable, change, delete, duplicate, or transfer it.
Administrative Data
Data that the University generates or collects for operational purposes. It does not include data collected during faculty research.
Application Custodian
The University-designated individual responsible for serving as a steward of the application or system, or for provisioning access.
Authorized Individual
An employee, consultant, volunteer or other individual who needs access to University information to perform an activity on behalf of the University.
Authentication
A verification that substantiates a person's identity.
Compensating Control
An alternate but effective means of meeting a security requirement.
Compliance Officer
The University-designated individual responsible for a broad type of data (e.g., HIPAA, PCI DSS, FERPA), or data set (e.g., research data) across the University, consistent with University policy and all applicable state and federal laws, and contractual agreements.
Control
A control is any administrative, management, technical, or legal method that is used to prevent, detect or correct risks. Controls are also known as safeguards or countermeasures. Controls include practices, policies, procedures, programs, and technologies.
Control Level
A level assigned to a control at each security level.
- Required: Must apply the control.
- Recommended: Should apply the control. It is not required due to limitations in available technology or because the control could potentially place an undue burden on a unit to implement. Units should evaluate the implications of not implementing the control and determine whether or not a compensating control has or can be implemented.
- Optional: Evaluate and apply the control as appropriate.
Data
Information collected, stored, transferred, or reported for any purpose, whether electronically or on hard copy.
Data Custodian
The University-designated individual responsible for serving as a steward of University data in a particular area (e.g., principal investigator (PI)).
Data Owner
The individual with primary authority and accountability for specified information (e.g., a specific business function) or type of data (e.g., research). Where there is a designated University compliance officer, the compliance officer is the data owner.
Enterprise System or Application
System or application that is designated by the Vice President for Information Technology or designee as Enterprise. Enterprise Systems or Applications are typically used across one or more campuses.
Health Care Component
Unit(s) of the University that provide health care or are part of the health plan or are designated by the University as health care components covered under HIPAA. These covered health care components include units that provide health care ("Provider Components") and the Health Plan of the University.
Information Technology Resource (IT resource)
Facilities, technologies, and information resources used for University information processing, transfer, storage, and communications. Included in this definition are computer labs, classroom technologies, computing and electronic communications devices and services, e-mail, networks, telephones (including cellular), voice mail, fax transmissions, video, multimedia, and instructional materials. This definition is not all inclusive but rather reflects examples of equipment, supplies and services. This also includes services that are University owned, leased, operated or provided by the University or otherwise connected to University resources, such as cloud and Software-as-a-Service (SaaS) or Infrastructure-as-a-Service (IaaS), or any other connected/hosted service.
Internal Audiences
For the purpose of sharing administrative data, internal audiences are current employees with a business need to know, requiring access to the data to perform their job duties.
Multi-user System
Any system used by multiple people. Examples include: workstation (e.g., Windows, Mac computer) used by multiple individuals, server (e.g., application, database, web, print, authentication, virtual), medical device, storage area network (SAN), network attached storage (NAS), software application, database. When appropriate, a system used by multiple individuals sequentially may use the single-user designation.
Private Data
For the purposes of this policy, private-highly restricted and private-restricted are defined in Administrative Policy: Data Security Classification.
Providers
Individuals or units who provide data in any form to those audiences requesting either aggregated data or detail unit record data.
Public Data
Public data is defined by Minnesota Statutes as “data collected, created, received, maintained or disseminated by a government entity” unless classified as private by statute or federal law. For purposes of the Sharing Data with University Educational and Administrative Audiences procedure and the Sharing Data with University Faculty and Researchers procedure, public data are those administrative data elements that are non-FERPA suppressed. All other data are considered private. For a list of public and private data elements see the list of examples provided through Administrative Policy Public Access to University Information.
Security Level
A level (high, medium, or low) assigned to data or an IT resource following the process in Administrative Policy: Data Security Classification.
Security Violation
Any action that does not comply with system security concepts, policies, processes, or procedures.
Server
A computer which provides services for other computers connected to it via a network. Common examples are file servers, web servers, mail servers, and database servers.
Single-user System
Any system primarily used by a single person at a time. Examples include: workstation (e.g., Windows, Mac computer), laptop, tablet/pad, mobile device (e.g., smart phone), software application, and database. When appropriate, a system used by multiple individuals sequentially may use the multi-user designation.
Standard
Defines the information security controls to which an individual or IT resource within the scope must adhere.
Supervisor
The person to whom an individual directly reports. For those seeking access to information not published publicly, or access to centrally supported systems, it is the person designated by the Dean, Director or Department Head to function in that role for information/data access purposes.
Unauthorized Disclosure
The act of providing information to any person or entity not specifically authorized to receive such information, whether inside or outside of the University community.
Unit
Any organizational entity within the University. Includes, but is not limited to, colleges, departments, centers, institutes, offices and programs.
Unit Record Data
Data that is considered non-aggregated data at the lowest level of detail (e.g., individual student or employee level data).
University Community Member
A University community member is a student, faculty or staff member, University guest, volunteer, contractor, or employee of an affiliated entity.
University Data Custodian
The University-designated individual responsible for serving as steward of University data when data crosses organizational and system boundaries.
University Data Network
The University data network includes University telecommunications facilities such as the UM data network with all wired or wireless links including departmental networks, ResNet, UM Wireless, academic and administrative network facilities, network facilities serving affiliates or tenants, and system campus networks.
University Data
Information collected, manipulated, stored, reported or presented in any format, on any medium, by any unit of the University, unless contractually identified as owned by another entity.
University-Owned Computers
All computers purchased using University-related funds, irrespective of whether the source of those funds is the legislature, research grants, sponsored, foundation or departmental budgets.
User Level Account
An account on a system that is authorized to run programs and applications, and use the system, but does not have the ability to directly install programs and applications, or change the system configuration. Examples of accounts that are not user level accounts include the root account on Unix-like systems, and a user level account with administrative privileges or the Administrator account on Windows systems.