Texas Security and Risk Management
Glossary of Terms
Copyright(c), 1995 - Management Analytics - All Rights Reserved
- Access. To approach, view, instruct, communicate with, store data
in, retrieve data from, or otherwise make use of computers or
- Access control. The enforcement of specified authorization rules
based on positive identification of users and the systems or data they
are permitted to access.
- Access password. A password used to authorize access to data and
distributed to all those who are authorized similar access.
- Agency. An agency of state government means a department,
commission, board, office, council, or other entity in the executive or
judicial branch of government that is created by the constitution or a
statute of this state, including a university system or institution of
higher education as defined by Section 61.003, Education Code.
- Authentication. The process that verifies the claimed identity of
a station, originator, or individual as established by an identification
- Authorization. Positive determination by the owner of an
information resource that a specific individual may access that
information resource, or validation that a positively identified user
has the need and the owner's permission to access the resource.
- Confidential information. Information maintained by state agencies
that is exempt from disclosure under the provisions of the Public
Records Act or other applicable state or federal laws. The controlling
factor for confidential information is dissemination.
- Critical information resource. That resource determined by agency
management to be essential to the agency's critical mission and
functions, the loss of which would have an unacceptable impact.
- Custodian of an information resource. Guardian or caretaker; the
holder of data; the agent charged with the resource owner's requirements
for processing, telecommunications, protection controls, and output
distribution for the resource. The custodian is normally a provider of
- Data. A representation of facts or concepts in an organized manner
in order that it may be stored, communicated, interpreted, or processed
by automated means.
- Data integrity. The state that exists when computerized
information is predictably related to its source and has been subjected
to only those processes which have been authorized by the appropriate
- Data security or computer security. Those measures, procedures, or
controls which provide an acceptable degree of safety of information
resources from accidental or intentional disclosure, modification, or
- Disaster. A condition in which an information resource is
unavailable, as a result of a natural or man-made occurrence, that is of
sufficient duration to cause significant disruption in the
accomplishment of agency program objectives, as determined by agency
- Disclosure. Unauthorized access to confidential or sensitive
- Encryption. The process of cryptographically converting plain text
electronic data into a form unintelligible to anyone except the intended
- Exposure. Vulnerability to loss resulting from accidental or
intentional disclosure, modification, or destruction of information
- FIPS PUB (Nr.). Federal Information Processing Standard
Publication (Nr.), a federal standard issued by the National Institute
of Science and Technology (formerly the National Bureau of Standards).
- Information. That which is extracted from a compilation of data in
response to a specific need.
- Information resources. The procedures, equipment, facilities,
software and data which are designed, built, operated and maintained to
collect, record, process, store, retrieve, display and transmit
- Information Resources Manager (IRM). The person designated by the
head of each state agency to have oversight responsibility for all
information resources within the agency.
- Information Security Function. The elements, structure, objectives
and resources needed to establish an agency level security program. Its
role is to provide leadership to the agency information processing
community in the areas of information security, integrity and privacy.
- Information Security Officer (ISO). The person designated by the
Information Resources Manager to administer the agency's information
security program. The ISO is the agency's internal and external point
of contact for all information security matters.
- Owner of an information resource. The manager or agent responsible
for the function which is supported by the resource.
- Password. A protected word or string of characters which serves as
authentication of a person's identity (personal password), or which may
be used to grant or deny access to private or shared data (access
- Personal identifier or user identification code. A data item
associated with a specific individual which represents the identity of
that individual and may be known by other individuals.
- Risk. The likelihood or probability that a loss of information
resources or breach of security will occur.
- Risk analysis. An evaluation of system assets and their
vulnerabilities to threats. Risk analysis estimates potential losses
that may result from threats.
- Risk management. Decisions to accept exposure or to reduce
vulnerabilities by either mitigating the risks or applying cost
- Security administrator. The person charged with monitoring and
implementing security controls and procedures for a system. Whereas
each agency will have one Information Security Officer, technical
management may designate a number of security administrators.
- Security controls. Hardware, programs, procedures, policies, and
physical safeguards which are put in place to assure the integrity and
protection of information and the means of processing it.
- Security incident or breach. An event which results in
unauthorized access, loss, disclosure, modification or destruction of
information resources whether accidental or deliberate.
- Security standard. A required procedure or management control.
- Sensitive information. Information maintained by state agencies
that requires special precautions to protect it from unauthorized
modification or deletion. Sensitive information may be either public or
confidential. It is information that requires a higher than normal
assurance of accuracy and completeness. The controlling factor for
sensitive information is that of integrity.
- System control data. Data files such as programs, password files,
security tables, authorization tables, etc., which, if not adequately
protected, could permit unauthorized access to information resources.
- User of an information resource. An individual or automated
application that is authorized access to the resource by the owner, in
accordance with the owner's procedures and rules.