Information Security Glossary


Academic Technology Organization that supports Canvas, classroom technology, media and faculty instructional technology training.
Access Control Access control is the process of limiting access to resources of a system only to authorized programs, processes, or other systems (in a network). Access control policies make sure users are who they say they are and that they have appropriate access to University data.
A software program that performs a specific function directly for a user and can be executed without access to the higher system-wide privileges.
APT Advanced Persistent Threat. Characterized by complex attacks employing sophisticated levels of expertise and significant resources, using multiple digital and physical attack vectors to specifically target an organization, establishing and extending footholds in systems over an extended period of time.
The logical and physical design of a network. 


Attempt to gain unauthorized access to an information system’s services, resources, and information, or the attempt to compromise an IS’s integrity, availability, or confidentiality.
Attack Vector An attack vector is a pathway or method used by a hacker to illegally access a network or computer in an attempt to exploit system vulnerabilities.


The process of verifying that an individual, entity, or application is who, or what, it claims to be. 

Security measures designed to establish the validity of a transmission, message, or originator, or a means of verifying an individual's authorization to receive specific categories of information.

Authorization Access privileges granted to a user, program, or process.
Availability The state that exists when data can be accessed or a requested service provided within an acceptable period of time.
Banner OSU's ERP system for HR, Student Information System (SIS), Finance, payroll, etc.
Certificate Digitally signed document that binds a public key with an identity. The certificate contains, at a minimum, the identity of the issuing Certification Authority, the user identification information, and the user’s public key.
CISO The Chief Information Security Officer. Charged with managing the information security program and ensuring the confidentiality, availability, and integrity of organizational information assets.
Common Vulnerability Scoring System (CVSS) An open framework for communicating the characteristics and severity of software vulnerabilities.
Confidentiality The state that exists when information is held in confidence and protected from unauthorized disclosure.
Confidential Information

Confidential information is the most restrictive information classification. This classification pertains to information that could have serious negative consequences to the university or individuals if compromised or disclosed to those lacking appropriate approvals for access. Examples include:

  • Social Security Number
  • Driver’s License/State-issued Identification Number
  • Visa/Passport Number
  • Credit Card Number
  • Bank Account Number

To find out more about the different classes of OSU data, visit our Data Classification by Element page.

Configuration Management A collection of activities focused on establishing and maintaining the integrity of information technology products and information systems.

Continuous Monitoring

Continuous monitoring is the process and technology used to detect compliance and risk issues associated with an organization's financial and operational environment.
Cybersecurity The process of protecting information by preventing, detecting, and responding to attacks.
Cybersecurity Event A cybersecurity change that may have an impact on University operations.
NIST SP 800-61
Cybersecurity Incident

A cybersecurity event that has been determined to have an impact on the University prompting the need for response and recovery.

NIST Cybersecurity Framework Version 1.1

Domain A logical structure, group or sphere of influence over which control is exercised.
Elevated Access

Access granted to allow the performance of functions that ordinary users are not authorized to perform.

Email Services Email providers and on-premises email servers (e.g. Exchange Online, Exchange 2016, Unix Mail).
Employment Scam

Cyber criminals posing as legitimate employers spoof company websites and post fake job openings to lure victims. Cyber criminals will conduct fake interviews and even offer positions to victims before requesting PII such as Social Security numbers and bank account information. Go to our Community Awareness page to learn more. 

Endpoint Any device that can be connected to a network, including computers, laptops, mobile phones, tablets and servers.

The Family Educational Rights and Privacy Act is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. Examples of FERPA-protected information are:

  • Grades
  • Transcripts
  • Class lists
  • Student course schedules
HECVAT Higher Education Community Vendor Assessment Tool. The HECVAT is a questionnaire framework specifically designed for higher education to measure vendor risk.
HIPAA Health Insurance Portability and Accountability Act. Protects patient information.
IAM Identity and Access Management.
Information System An integrated set of components for collecting, storing, and processing data and for providing information, knowledge, and digital products.
Information Technology System and Resource Owners
The accountable person or Unit within the University that manages a system or resource across the system or resource’s lifecycle. A System and Resource Owner is assigned to systems that are hosted by other entities, such as when UIT or a cloud service provider is hosting the System or Resource.
ISCM Information Security Continuous Monitoring. A process to analyze data, report findings, respond to findings and review and update the ISCM strategy and program.
IT Pros A group designed to promote information sharing & community for all technology professionals across Oregon State University.
Least Privilege Principle The principle that users and programs should only have the necessary privileges to complete their tasks.

Malware is a catch-all term for any type of malicious software designed to harm or exploit any programmable device, service or network.

How to Recognize, Remove, and Avoid Malware

Multi-factor authentication (MFA) MFA is a layered approach to securing data and applications where a system requires a user to present a combination of two or more credentials to verify a user’s identity for login. MFA increases security because even if one credential becomes compromised, unauthorized users will be unable to meet the second authentication requirement and will not be able to access the targeted physical space, computing device, network, or database. The University uses DUO multi-factor authentication.
National Vulnerability Database (NVD) NVD is the U.S. government repository of standards-based vulnerability management data. It is represented using the Security Content Automation Protocol (SCAP).
OIS The Office of Information Security is responsible for Oregon State University's rules and practices for secure computing.
Operational Technology Programmable systems or devices that interact with the physical environment.
Patching A “repair job” for a piece of programming; also known as a “fix”. A patch is the immediate solution to an identified problem that is provided to users; it can sometimes be downloaded from the software maker's Web site.
Penetration Testing A specialized type of assessment that is conducted on information systems or individual system components to identify vulnerabilities that could be exploited by adversaries.
Personally Identifiable Information (PII) Any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means.
Phishing Phishing is a form of social engineering. Phishing attacks use email or malicious websites to solicit personal information by posing as a trustworthy organization. To learn more, visit our Community Awareness page.
Ransomware Ransomware is an ever-evolving form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption. Ransomware actors often target and threaten to sell or leak exfiltrated data or authentication information if the ransom is not paid.
Remote Access The ability of an organization’s users to access its non-public computing resources from locations other than the organization’s facilities.
Risk A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence.

NIST SP 800-137

Risk Assessment

Process of analyzing threats to and vulnerabilities of an IS, and the potential impact resulting from the loss of information or capabilities of a system. This analysis is used as a basis for identifying appropriate and cost-effective security countermeasures.


Risk Management The process of identifying, assessing, and responding to risk.
Sensitive Data

Sensitive Information is data that is commonly used to conduct OSU business and that, by its nature or by regulation, may have legal and/or generally expected obligations for non-disclosure outside of authorized individuals. Examples include:

  • Common Identifiers: Date of Birth, Place of Birth, Mother’s Maiden Name
  • Demographic Information such as race, ethnicity, gender, sexual orientation or identity when personally identifiable
  • Admission applications
  • Employment Applications
  • Employee Performance Evaluations

To find out more about the different classes of OSU data, visit our Data Classification by Element page.

Single Sign On (SSO) An authentication method that allows users to sign in using one set of credentials to multiple independent software systems. Using SSO means a user doesn't have to sign into every application they use. With SSO, users can access all needed applications without being required to authenticate using different credentials.
System Administrator A person who is granted elevated access or permissions for a particular system or information resource. A system administrator will perform a wide range of duties to support the effective and secure operation of a system or information resource over the lifecycle of that system or information resource.
System Development Life Cycle (SDLC) The scope of activities associated with a system, encompassing the system’s initiation, development and acquisition, implementation, operation and maintenance, and ultimately its disposal.
UIT University Information Technology. UIT is the central IT organization for OSU, and maintains a stable environment and enables innovation through modern tools that are accessible and easy to use.
Unit A functional group within the University, such as a Division, a College, a Center or a research project.
University Oregon State University.
University Digital Identity The unique representation of a natural person when interacting with University Information Technology systems and data.
Unrestricted Data

Unrestricted Information is data intended for appropriate general use within the university. Examples include:

  • Directory Information
  • Website pages
  • Homework
  • Course schedules

To find out more about the different classes of OSU data, visit our Data Classification by Element page.

Users Individuals who access and use University Institutional Information and IT Resources.
Vendor A commercial supplier of software or hardware.
Vulnerability Assessment Systematic examination of an information system or product to determine the adequacy of security and privacy measures, identify security and privacy deficiencies, provide data from which to predict the effectiveness of proposed security and privacy measures, and confirm the adequacy of such measures after implementation. 
Vulnerability Management The process of identifying, categorizing, prioritizing, and resolving vulnerabilities in operating systems (OS), enterprise applications (whether in the cloud or on-premises), browsers, and end-user applications. An ongoing process, vulnerability management seeks to continually identify vulnerabilities that can be remediated through patching and configuration of security settings. 
Zero-Trust A zero-trust architecture focuses on moving the security boundary around resources, such as data, instead of network segments.