Information Security Glossary of Terms
The following list includes acronyms and terms as well as the preferred spelling and capitalization for words that are commonly used in Utah State University Information Security.
Artificial Intelligence (AI)
Includes systems or algorithms to predict, recommend, or advance defined objectives or tasks that have historically required a human.
Capacity of Resource
Some Resources have a limit that can be exceeded by certain uses, either causing the Resource to underperform or exceed service or license capacity.
CIS Controls
A set of best practices developed by the Center for Internet Security aimed at safeguarding systems and data from cyber threats.
Chief Information Security Officer (CISO)
A role responsible for developing, maintaining, and overseeing the organization’s information security program. The CISO ensures that security standards, procedures, and best practices are documented, updated, and made accessible to support compliance with laws, policies, and evolving security needs.
Compromise
Loss of exclusive, authorized control of an IT Resource to an unauthorized person or to unauthorized software resulting in exploitation, control, and/or use of the IT Resource beyond USU’s purpose or intent for that IT Resource.
Credentials
UserID/PIN, username/passcode or other secrets or keys used to gain access to a restricted Resource.
Data Asset Inventory
A comprehensive list of data assets owned or managed by an organization, used for classification and protection purposes.
Data Stewards
Data Stewards are management-level officials (Controller, Registrar, Directors, Managers, etc.) who have operational-level responsibility for specific data or services that may include PII and/or CID. Data Stewards are responsible for: coordinating with Data Trustees, classifying specific data as PII or CID, authorizing specific data users to access data as needed for their job functions, and enforcing the policies, procedures, programs, and practices that apply.
Data Trustees
Data Trustees are USU Administrative Officers (President, Provost, Vice Presidents, Deans, etc.) who have oversight responsibilities for data governed by or used within their divisions. The responsibilities of Data Trustees include: designating Data Stewards, ensuring the establishment of practices that will protect and preserve the PII and CID collected and/or used, developing processes for reviewing and approving data transfer, integration, and use requests by other units, and designing and implementing workflows and/or procedures to reduce risk.
Device
Any electronic equipment, such as laptops, desktops, smartphones, or tablets, used to access, store, or process organizational data.
Endpoint Security
Measures implemented to protect devices such as laptops, desktops, and mobile devices that are connected to an organization’s network from threats such as unauthorized access and malware.
Export Control Regulations
U.S. laws that restrict the export of certain sensitive technologies, information, and software, particularly those related to defense and national security.
Incident Management Plan
The process of reporting any event that compromises the security of information systems, including data breaches and unauthorized access.
Institutional Data
Refer to Institutional Information.
Institutional Information
Refers to any information that is collected, created, maintained, shared with or by, or generally managed by Utah State University (USU) in support of its academic, research, administrative, or operational functions. This includes all data held within university-owned or managed systems, networks, and storage—regardless of format or medium—and encompasses personal data as part of this broader category.
NIST Cybersecurity Framework
A set of standards, guidelines, and practices developed by the National Institute of Standards and Technology to help organizations manage and reduce cybersecurity risks.
Personal Data
Personal Data, also known as Personally Identifiable Information (PII), includes any information that can identify an individual. These identifiers fall into two categories: Direct Identifiers and Indirect Identifiers. Direct Identifiers are clear pieces of information, like names or ID numbers, that directly identify someone. Indirect Identifiers are less obvious and may not identify someone on their own, but when combined with other data points (such as gender, ZIP code, and age), they can reveal an individual’s identity.
Privilege
While access is generally granted to everyone in a relevant role, the right is retained by the University to revoke that access when it is in the interest of the University, such as to protect the Resource from use in violation of policy or use in excess of capacity.
Research Administrators
A term referring to university staff who manage compliance requirements related to sponsored research, conflict of interest, export control, human subjects research, and other regulatory areas. Research Administrators facilitate adherence to university policies and federal regulations, coordinate with institutional offices such as the Office of Research and the Chief Information Security Officer (CISO), and assist in securing research data and reporting security incidents.
Resource
Any service, data, or device provided by the University or on behalf of the University, including, but not limited to, networks, IT infrastructure, end-user devices, peripherals, central or departmental servers, cloud services, storage, applications, databases, service subscriptions, etc.
Resource Owners
Resource Owners are directed to establish and communicate procedures and access controls specific to the Resource they control in alignment with the purpose of this or other related policies.
Resource Users
Users of any Resource are responsible for understanding and complying with this Policy and all established procedures and controls specific to a particular Resource.
Restricted Resources
Some Resources are available only to individuals in particular roles while other Resources (USU homepage, for instance) are available without restriction and without authentication by the user.
Role
A category of user who is given access to a particular restricted Resource; may be as general as faculty or student, or as specific as advisor or auditor.
System Administrators or Support Technicians
System Administrators or Support Technicians are IT professionals with assigned responsibilities to technically manage IT resources, computers, software, and services which store, process, or transmit PII and/or CID. They are responsible for technical system and service data preservation, for system-level security features, and for configuring, securing, and maintaining these systems and services according to the best practices, policies, procedures, and software that apply to the services and systems they are assigned to support.
Terms of Use
A document outlining the acceptable behavior, responsibilities, and practices that users must agree to for access and use of an organization’s resources.
Third-party
Refers to any external entity that interacts with the institution but is not directly part of it. This includes service providers, vendors, research collaborators, government agencies, industry partners, and other affiliated organizations that may influence the university’s data security, privacy policies, research integrity, or operational practices.
University Systems
Any software, hardware, network, or cloud-based system used to gather, process, transmit, or store data in support of university operations, whether managed by central IT, individual departments, or external service providers acting on behalf of the university.
User
Any individual or organization granted access to University Systems, information systems, and/or technology resources. This includes students, faculty, staff, temporary staff, university employees, agents, contractors, consultants, volunteers, visiting scholars, affiliated personnel through third-party contractors, and any other individuals who interact with or have authorized access to university-owned or managed Institutional Information. Users are expected to adhere to university policies, promptly report any suspected or confirmed security incidents, and follow best practices for information security as outlined by the university’s guidelines, including those outlined in the Terms of Use.
Vendor Management Plan
A structured approach to managing third-party vendors and service providers to ensure they meet an organization’s operational, security, and compliance requirements. It includes processes for evaluating, selecting, contracting, monitoring, and offboarding vendors, as well as establishing clear guidelines for performance, risk management, and adherence to regulatory and contractual obligations.