Information Security Policy Glossary
Below are definitions of key terms used in UC Berkeley's Information Security Policies. For a list of all policies, visit our A-Z Policy Catalog.
|Administrative Official||See “Unit Head”|
|Application Coordinator||See “Service Manager”|
|Asset||A term used to collectively refer to IT Resources and Institutional Information (both defined in this glossary).|
|Authentication||The process of verifying that an individual, entity, or application is who, or what, it claims to be. For example, this might involve validating personal identity documents, requiring a username and passphrase, biometric verification, or verifying the authenticity of a website with a digital certificate.|
|Availability Level||The degree to which Institutional Information and IT Resources must be accessible and operational to meet business needs. All UC Institutional Information and IT Resources are classified into one of four Availability Levels based on the level of business impact their loss of availability or service would have on UC, with A4 causing the highest level of impact and A1 causing a minimal level of impact.|
|Berkeley Campus Data||See “Institutional Information”|
|Berkeley IT Resources||See “IT Resources”|
|CIO||The Chief Information Officer (CIO) is the senior executive responsible for information technology or information system functions throughout Campus.|
|CISO||The Chief Information Security Officer (CISO) is the role responsible for security functions throughout Campus, including assisting in the interpretation and application of information security policies.|
|Cloud Service||A cloud service is any service that is hosted remotely and provided over the Internet. For the purposes of UC Berkeley’s Minimum Security Standards (MSSND and MSSEI), a cloud service refers to any service hosted at a non-Campus location.|
|CRE||The Cyber-risk Responsible Executive (CRE) is an individual in a senior management or academic position who reports to the chancellor or top Campus executive. The CRE is accountable for all information risk assessments, security strategies, planning and budgeting, incident management, and information security implementation.|
|Critical IT Infrastructure||1. IT Resources that manage unrelated sets of Institutional Information, or sets of large or particularly sensitive Institutional Information.
2. IT Resources that meet two conditions: a) several information systems rely on the resource, such that a security issue with the resource would affect multiple systems; and b) the default or standard method for securing the system is inappropriate due to an elevated level of risk, complexity, or the specialized nature of the IT Resource.|
|Data Custodian (legacy)||See “Service Provider”|
|FERPA-Protected Student Records||Student records protected under the Federal Family Educational Rights and Privacy Act of 1974 (FERPA) include, but are not limited to:|
|High Risk Data||Information classified at UC Protection Level 4 (P4)|
|Individual Devices||End-user workstations that do not meet the definition of "Privileged Access Devices" or "Institutional Devices"|
|Individually-Owned Data||An individual's own personal information, which is not considered "Institutional Information".|
|Institution||University of California|
|Institutional Information||A term that broadly describes all data and information created, received and/or collected by UC relating to the activities or operations of the university, regardless of where the data is stored. Institutional Information does not include Individually-Owned Data.|
|Institutional Information Proprietor||The individual, group, committee, or board responsible for the Institutional Information and processes supporting a University function. Proprietor responsibilities include, but are not limited to: ensuring compliance with University policy regarding the classification, protection, access to, and release of information according to procedures established by UC, the Location, or the department, as applicable to the situation. Proprietors are also responsible for ensuring compliance with federal or state law or regulation.|
|IT Resources||A term that broadly describes IT infrastructure, software, and/or hardware with computing and networking capability. This includes:|
|IT Resource Proprietor||The individual responsible for the IT Resources and processes supporting a University function. Proprietor responsibilities include, but are not limited to: ensuring compliance with University policy regarding the classification, protection, access to, location, and disposition of IT Resources. Proprietors are also responsible for ensuring compliance with federal or state law or regulation.|
|IT Service Provider||See “Service Provider”|
|IT Workforce Member||A Workforce Member who is assigned specific information technology (IT) duties or responsibilities. This applies to individuals working for the university in any capacity, whether paid or unpaid, including student employees, volunteers, and contingent workers.|
|Low Risk Data||Information classified at UC Protection Level 2 (P2)|
|Minimal Risk Data||Information classified at UC Protection Level 1 (P1)|
|Moderate Risk Data||Information classified at UC Protection Level 3 (P3)|
|Notice-Triggering Information||See “Statutory Requirement for Notification” below.|
|Passphrase||A passphrase is a type of password. Passphrases are generally longer than traditional passwords and can contain spaces between words, such as: "This May Be One Way To Remember".|
|Personnel Records||Academic Personnel Records include, but are not limited to: confidential academic review records, non-confidential academic review records, and "personal" information (as defined in Section 160 of the Academic Personnel Manual).
Staff Personnel Records (listed in Section 80 of the Personnel Policies for Staff Members) include, but are not limited to:|
|Privileged Access Devices||Any device where credentials are used to provide privileged access (superuser, root, administrator, database administrator, or equivalent) to an Institutional Device. Physical, logical, and virtual devices are included.|
|Proprietor||See “Institutional Information Proprietor” or “IT Resource Proprietor” as applicable.|
|Protected Data||A general term used to refer to information classified at UCB Protection Level 1 (PL1) / UC Protection Level 2 (P2) or higher.|
|Protected Data Applications||Information systems that handle, store, or transmit institutional data restricted by laws and policies, or that handle institutional data classified as UC P2 or higher as defined by the Berkeley Data Classification Standard|
|Protection Level||An assigned number representing the level of protection needed for Institutional Information or an IT Resource. The scale goes from the minimum level of protection (UCB Protection Level 0 / UC Protection Level 1) to the highest level of protection (UCB Protection Level 3 / UC Protection Level 4) and is based on the potential harm resulting from unauthorized access, disclosure, loss of privacy, compromised integrity, or violation of external obligations.|
|Provider||See “Service Provider”|
|Public Directory Information||Information which may be disclosed to any party without the prior consent of the individual to whom the information pertains. This includes the following for academic and staff personnel, and students:
* Student Directory Data (unless the student has requested that such information not be disclosed)|
|Public Information||Information intended to be available to the public with no access restrictions|
|Researcher||UC faculty members, students or affiliates, including Principal Investigators, conducting research on behalf of UC. A Researcher is also a Workforce Member.|
|Resource Custodian||See “Service Provider”|
|Resource Proprietor||See “IT Resource Proprietor”|
|Risk Acceptance||Risk acceptance is the process of deciding whether a risk is within the tolerances acceptable to an organization. This determination must take into consideration both the likelihood and the impact of a negative event; the combination of the two represents the "risk". In the context of information security, impacts may include:
Risk acceptance is one component of risk management, along with risk avoidance, risk mitigation, risk sharing, and risk transfer, and must occur at the level of campus authority that matches the potential risks (see NIST SP 800-39, Section 3.3, Task 3-1).|
|Security Contact||A Security Contact is a group of individuals who have been designated to receive and respond to security notices from UC Berkeley’s Information Security Office (ISO) for their department or for a specific set of IT Resources. Security Contacts must be associated with a Campus org node that rolls up to a Unit. They are accountable to their Unit Information Security Lead(s).|
|Security Lead||Also known as Unit Information Security Lead. A term for the Workforce Member(s) appointed by the Unit Head and assigned responsibility for ensuring tactical execution of information security activities including, but not limited to: implementing security controls; reviewing and updating risk assessments; devising procedures for the proper handling, storing and disposing of electronic media within the Unit; and reviewing access rights. These activities are performed in consultation with the Unit Head.|
|Service Manager||A Service Manager has overall accountability for defining a service, application, or system, ensuring services are delivered in accordance with agreed business requirements, and managing the service lifecycle.|
|Service Provider||Any UC group or organization providing IT services to one or more campus Units, including their own Unit. Synonyms: Data Custodian, Resource Custodian, Provider|
|Shared-Fate||If the compromise of a data set or system would lead to further, extensive compromise of multiple (even unrelated) sensitive systems, the data or system creating this "shared fate" warrants an elevated classification of UCB PL3 / UC P4.|
|Statutory Requirement for Notification||California State Civil Code 1798.29 and other legal statutes, such as the Health Insurance Portability and Accountability Act (HIPAA), require notification to individuals in the event of a security breach of certain personal information. The Berkeley campus also refers to this data as "notice-triggering" information:
* California State Civil Code 1798.29 applies to personal medical information and personal health insurance information even under circumstances not covered by HIPAA. See section (h) of that code for the definitions used in this law.|
|Supplier||An external, third-party entity that provides goods or services to UC. These goods and services can include consulting services, hardware, integration services, software, systems, software-as-a-service (SaaS), and other cloud services. Non-UC entities that operate IT Resources or handle Institutional Information are considered Suppliers. See also UC BFB IS-3 Electronic Information Security, Section 15, for additional information about Supplier relationships.|
|Traffic Light Protocol||The Traffic Light Protocol (TLP) was created to facilitate greater sharing of information. TLP is a set of designations used to ensure that sensitive information is shared only with appropriate audiences. TLP uses four colors to define sharing boundaries that the recipient(s) must apply, indicating when and how sensitive information may be shared onward, with the aim of enabling more frequent and effective collaboration.|
|Unit||In the context of information security, a Unit is a Campus academic or administrative entity led by a Campus-appointed Unit Head with budgetary authority and resources at a level sufficient to accept and manage the organization’s information security risk. Units are the point of accountability and responsibility for Institutional Information and IT Resources. At UC Berkeley, the organizational level of a Unit in this context is Dean, VC, or AVC. Delegation is allowed if the delegation is explicit and includes the budget and resources necessary to accept and manage information security risk at the delegated level, including covering an adverse information security event such as a data breach or system compromise.|
|Unit Head||Unit Heads are the executives accountable and responsible for overseeing the execution of UC and Campus information security policies within the Unit. At UC Berkeley, the default level of a Unit Head in this context is Dean, VC, AVC, or other accountable executive in a senior role who is responsible for Unit performance and administration. Delegation is allowed if it is explicit, documented, and the delegate has the budget and resources necessary to manage information security risk, including an adverse information security event such as a data breach or system compromise.|
|Unit Information Security Lead (UISL)||See “Security Lead”|
|Users||Individuals who access and use campus Institutional Information and IT Resources.|
|Workforce Manager||A person who supervises or manages other personnel or approves work or research on behalf of Campus.|
|Workforce Member||An employee, faculty, staff, volunteer, contractor, researcher, student worker, student supporting/performing research, medical center staff/personnel, clinician, student intern, student volunteer or person working for UC in any capacity or through any other augmentation to UC staffing levels.|