Terms & Definitions
Administrator Accounts
Dedicated accounts with elevated privileges used for managing aspects of computer systems, domains, or entire enterprise IT infrastructure. Common subtypes include root accounts, local administrator accounts, domain administrator accounts, and network or security appliance administrator accounts.
Air Gap
An interface between two systems that are not physically connected and have no automated logical connection. Data transfer through the interface is performed manually and under human control.
Application
A program or group of programs hosted on enterprise assets and designed for end-users. Applications are considered software assets and can include web, database, cloud-based, and mobile applications. They consist of multiple components, including services and libraries.
Asset
Anything of value to an organization, including computing devices, IT systems, networks, circuits, software, virtual computing platforms, and related hardware such as locks and keyboards.
Asset Inventory
A register or comprehensive list of an enterprise’s assets, including specific information about these assets.
Asset Owner
The department, business unit, or individual responsible for an enterprise asset.
Authentication Systems
Mechanisms used to identify users by associating requests with a set of identifying credentials. Examples include Active Directory, Multi-Factor Authentication (MFA), biometrics, and tokens.
Authorization Systems
Systems determining access levels or privileges related to system resources. Examples include Active Directory, access control lists, and role-based access control lists.
Cloud Environment
A virtualized environment providing on-demand network access to configurable resources. Characteristics include on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service. Services include SaaS, PaaS, and IaaS.
Community Members
Faculty, staff, students, and affiliates of Harvard University who are subject to the policies and responsible for adhering to security requirements, including completing training and protecting data and systems.
Confidentiality
Ensuring that information is not disclosed to unauthorized entities. It covers data in storage, processing, and transit.
Configuration
The possible conditions and specifications for describing or arranging a system component. A mechanism must exist to manage configuration settings.
Configuration Baseline
A set of specifications for a system or component that is reviewed and agreed upon, which can only be changed through formal procedures. It serves as a basis for future modifications.
Configuration Management
Activities focused on establishing and maintaining the integrity of IT products and systems through controlling change processes throughout the system development lifecycle.
Configuration Management Plan
Describes the roles, responsibilities, policies, and procedures for managing the configuration of products and systems.
Data Steward
A custodian responsible for a data set, ensuring data accuracy, compliance with regulations, and addressing questions and concerns about its use.
Database
An organized collection of data stored electronically, often managed by Database Management Systems (DMS).
Dissociability
The ability to separate data processing from individual identities, beyond operational requirements.
End-User Devices
IT assets used by enterprise members for work or personal purposes, including desktops, laptops, smartphones, tablets, and workstations.
Enterprise Assets
Assets capable of storing or processing data, including end-user devices, network devices, IoT devices, and servers in various environments.
Enterprise Asset Identifier
A unique identifier, often a sticker or tag, for tracking assets within an inventory.
Exceptions
Formal requests for deviations from a policy or standard, reviewed and approved by designated authorities when adhering to a policy is impractical or poses a significant challenge.
Internal
Data intended for a specific audience but not publicly available.
Library
Pre-written code and data used to aid software program development.
Minimum Necessary
Limiting the collection and use of personal information to what is essential for legitimate institutional purposes.
Mobile End-User Devices
Smaller, enterprise-issued devices like smartphones and tablets, considered a subset of portable end-user devices.
Network Devices
Devices facilitating communication in a network, including routers and switches, consisting of both hardware and virtual components.
Network Infrastructure
Resources enabling connectivity and communication within a network, which can be cloud-based, physical, or virtual.
Non-Computing/Internet of Things (IoT) Devices
Devices that connect and exchange data over the internet without performing computational processes, such as printers and security sensors.
Non-Public
Information not intended for public disclosure.
Operating System
System software managing hardware and resources, considered a software asset. Types include single-user, multi-tasking, real-time, and embedded systems.
Personally Identifiable Information (PII)
Information that can be used to trace an individual’s identity, alone or when linked with other data.
Personally Owned Devices
Individual computing devices owned by community members but used for university business purposes. Such devices must meet Harvard's security and configuration standards to ensure the protection of university data and systems.
Physical Environment
The physical hardware enabling network communication between devices.
Portable End-User Devices
Devices capable of wireless connections, including laptops and mobile devices.
Principle of Least Privilege
Limit access to the minimum necessary to perform a function, applying to system and user permissions.
Processing
The operations performed on data, including PII, which may involve collection, use, disclosure, and disposal.
Public Information
Information made available to the public without distribution restrictions.
Regulated
Data subject to legislation or regulation, including MA 201 CMR 19, HIPAA, FERPA, and GDPR.
Remote Devices
Assets capable of remote network connection, including end-user and network devices.
Remote File Systems
Systems enabling application access to files stored remotely, using network connections.
Removable Media
Storage devices that can be removed while the system is operational, allowing data transfer between systems.
Restricted
Data requiring higher security standards, sometimes stipulated by contractual or regulatory requirements.
Risk
The potential threat posed by an event or circumstance, including its impact severity and likelihood.
Sensitive Information
Private information protected from loss, where disclosure could harm individuals or the organization.
Servers
Devices providing resources or services within a network.
Service
Software functionalities that provide access based on the requestor’s identity according to enterprise policies.
Service Accounts
Accounts with escalated privileges used for applications and processes, not intended for manual user operations.
Shared Responsibility Model
In cloud computing, security responsibilities are divided between the cloud provider and the user.
Social Engineering
Malicious activities exploiting human interactions to gain sensitive information.
Software Assets
Programs and information systems used within an enterprise asset, including operating systems and applications.
System Stewards
Individuals or groups responsible for managing Harvard's IT services or systems, ensuring compliance with Minimum Standards, enabling secure operation, and providing security incident response.
University Data
Data generated as part of university business, covered broadly by university policy.
User
Anyone operating an enterprise asset, including employees and third-party vendors.
User Accounts
Standard accounts with limited privileges for general tasks, distinct from administrator accounts.
Virtual Environment
Technology simulating hardware for running software environments, fundamental to cloud computing.