WVNET

WVNET Security Policy & Procedure

7.0 Definitions

7.1 Access

To approach or use an information resource.

7.1.1 Unauthorized Access

7.1.1.1

Access to employee, student, patient, donor or customer information not necessary to carry out job-related responsibilities.

7.1.1.2

Access to any records of an employee, student, patient, donor, or customer for which you are not legally responsible or for which you do not have signed authorization.

7.1.1.3

Release of employee, student, patient, donor, or customer information to unauthorized internal users.

7.1.1.4

Release of more employee, student, patient, donor, or customer information to an authorized individual than is essential to meeting the stated purpose of an approved request.

7.1.1.5

Release of information protected by WVNET, State, and Federal guidelines, policies, regulations, statutes, and procedures pertaining to confidentiality and privacy, including, but not limited to, the Family Educational Rights and Privacy Act of 1974 (FERPA), the Electronic Communications Privacy Act of 1986, the Federal Privacy Act of 1976, and WV Code 18-2-2f.

7.2 Access Control

The enforcement of specified authorization rules based on positive identification of users and the systems or data they are permitted to access.

7.3 Authentication

The process of verifying the identity of a user.

7.4 Chief Information Officer

The person responsible for WVNET information resources.

7.5 Confidentiality Agreement

An agreement that every WVNET employee must sign.

7.6 Custodian of Information

The person or unit assigned to supply services associated with the data.

7.7 Employee

Individuals employed on a temporary or permanent basis by WVNET, as well as contractors, contractor's employees, and individuals who are determined by WVNET to be subject to this policy.

7.8 Encryption

Process of encoding electronic data that makes it unintelligible to anyone except the intended recipient.

7.9 Firewall

Specialized computers and programs, residing in a virtual area between an organization's network and outside networks, which are designed to check the origin and type of incoming data in order to control access, and block suspicious behavior or high-risk activity.

7.10 Information Assets

Any of the data, hardware, software, network, documentation, and personnel used to manage and process information.

7.11 Information Classification (or class)

An assessment of the importance of the information resource. This classification may have multiple dimensions. On the Privacy dimension: Confidential, Private, and Public. On the Value dimension: Mission Critical, Essential, and Desirable.

7.12 Information Custodian

The person or unit assigned to supply services associated with the data, e.g., database administration, systems administration.

7.13 Information Owner

The person(s) ultimately responsible for an application and its data viability. In those cases where an information owner is not specifically defined, the CIO is the default owner.

7.14 Information User

A person authorized to access an information resource.

7.15 Information Security

Those measures, procedures, and controls that provide an acceptable degree of safety for information resources, protecting them from accidental or intentional disclosure, modification, or destruction.

7.16 Information Security Officer (ISO)

The person designated by the agency head to administer the agency's information security program. The ISO is the agency's internal and external point of contact for all information security matters.

7.17 Password

A string of characters known to a computer system or network and to a user who must enter the password in order to gain access to an information resource.

7.18 Risk Analysis

The evaluation of system assets and their vulnerabilities to threats in order to identify what safeguards are needed.

7.19 Security Incident

An event that results in unauthorized access, loss, disclosure, modification, or destruction of information resources, whether deliberate or accidental.

7.20 Threat

Includes any person, condition or circumstance that endangers the security of information, or information systems, in the context of information security.

7.21 Userid

The code that a user enters when starting a time-sharing session or logging onto an Email session on a WVNET server (to identify the user) is a userid. Each userid is a unique code on a WVNET server.



Last updated Wednesday, February 01, 2006
