Definition of Terms Used in Policies and Reports


The ability to use, modify, or affect an IT system or to gain entry to a physical area or location.

Access Control

The process of granting or denying specific requests to

  1. Obtain and use information and related information processing services and/or systems; and
  2. Enter specific physical facilities (e.g., buildings, offices and other facilities).

Access Control List (ACL)

A list of permissions associated with a system resource (object or facility).

Source: EA-04-01-S IPv6 Implementation Standard


Security goal that generates the requirement for actions of an entity to be traced uniquely to that entity. This supports non-repudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action.

Administrative Revisions

General content changes like an organization, name, phone number, mailbox or URL in a policy or standard or a clarification or other revision that does not change the effect of the policy or standard.


State office, department, division, bureau, board, commission, including offices headed by a statewide elected official.


A computer program or set of programs that meet a defined set of business needs. See also Application System.

Application System

An interconnected set of IT resources under the same direct management control that meets a defined set of business needs.


The approver is responsible for deciding whether a change if fit to proceed to implementation by examining the evidence in the change request.

Artificial Intelligence

A technology module or service that is built, integrated, or implemented in order to assist with or fully determine predictions, recommendations or decisions.

Source: MGMT-01-01-S Technology Portfolio Foundation - Applications


See Information Technology (IT) Assets/Resources


An attempt to bypass security controls on an IT system to compromise the data


Independent examination of records and activities to ensure compliance with established controls, policy, and operational procedures and to recommend any indicated changes in controls, policy, or procedures.

Audit Log

A chronological record of system activities, including records of system accesses and operations performed in a discrete period.

Audit Record

An individual entry in an audit log related to an audited event.

Audit Record Reduction

A process that manipulates collected audit information and organizes it into a summary format that is more meaningful to analysts.


Security measures designed to establish the validity of a transmission, message, or originator, or a means of verifying an individual's authorization to receive specific categories of information.


Access privileges granted to a user, program, application, or process or the act of granting such privileges.


Property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or message originator.


The timely, reliable access to data and information services for authorized users.


A copy of files and programs made to facilitate recovery if necessary.


Measurable physical characteristics or personal behavioral traits used to identify, or verify the claimed identity, of an individual.


Loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or any similar occurrence where: a person other than an authorized user accesses or potentially accesses personally identifiable information; or an authorized user accesses personally identifiable information for another than authorized purpose.

Business Application/System

An application or system which has a direct impact on the delivery of services to department/agency employees, clients or consumers.

Business Continuity

The activities performed by the agency to ensure critical functions are available to entities needing access to those functions. Business continuity is related to restoring normal day-to-day functions in the event of service disruptions. Business continuity planning is different than disaster recovery planning.

Business Criticality

The measure of how reliant the success of an organization's mission is on a system. Four levels of criticality may be assigned:

  • Mission Critical: Requires near continuous availability. If unavailable, may result in widespread impacts to the agency’s ability to meet agency mission and statutory requirements including significant disruptions to operations and revenue, carries major risks to health/safety, or the environment, and/or carries risk of irreparable damage to the organization’s public reputation and compromise the continuity of government.” May also be called ‘Mission Essential.’
  • User Productivity: If unavailable, there is impact to employee productivity but out of the line of service to customer.
  • Historical: Historical reference. No bearing on business operations or customers.
  • Business Essential: If unavailable, may result in impacts to agency operations, including negative customer satisfaction; compliance violation, non-public damage to organization’s reputation, and/or direct revenues impact.


SEC-12 Information Technology Disaster Recovery Planning

MGMT-01-01-S Technology Portfolio Foundation - Applications


Business Impact Analysis

The process of evaluating an information system's requirements, functions, and interdependencies used to characterize system contingency requirements and priorities and the effect that a disruption might have on them.


The addition, modification or removal of any authorized, planned, or supported service or service component that could have an effect on IT services.

Cloud Computing

A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

Cloud Service

Services available via a remote cloud computing service provider rather than an on-site system. These scalable solutions are managed by a third party and provide access to computing services such as analytics or networking via the Internet.


The exchange or sharing of data including, but not limited to, text, IM, email, voice records and other records.

Confidential Information

See also Data Classification Standard


Preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information.

Configuration Baseline

A set of specifications for a system, or Configuration Item (CI) within a system, that has been formally reviewed and agreed on at a given point in time, and which can be changed only through change control procedures. The baseline configuration is used as a basis for future builds, releases, and/or changes.

Configuration Control

Process for controlling modifications to hardware, firmware, software, and documentation to protect the information system against improper modifications before, during, and after system implementation.

Continuity of Operations Planning (COOP)

The effort to ensure that mission-essential functions continue to be performed during a wide range of emergencies which could be localized or widespread.


Includes any firm, provider, organization, individual, or other entity performing the business activities of the agency. It will also include any subcontractor retained by Contractor as permitted under the terms of the Contract. Also: third-party.

Controlled Area

Any area or space for which an organization has confidence that the physical and procedural protections provided are sufficient to meet the requirements established for protecting the information and/or information system.


The means of managing risk, including policies, procedures, guidelines, practices, or organizational structures, which can be of an administrative, technical, management, or legal nature. See Also: Security Control

Cost Pools

The basic financial groupings of cost data. The smaller list simplifies reporting and provides a finance view of IT spend and represents the logical accounting buckets for IT charges. Cost Pools are mapped on the Chart of Accounts. For the State of Washington, Cost Pool mapping is generally done by mapping Objects, Sub-Objects, and/or Sub-Sub-Objects to a Cost Pool.

Covered Technology

All public-facing content, including websites, applications, documents and media, blog posts, and social media content. Certain non-public-facing content that must also comply. Examples include: All electronic content used for official business to communicate: emergency notifications, initial or final decisions adjudicating administrative claims or proceedings, internal or external program or policy announcements, notices of benefits, program eligibility, employment opportunities or personnel actions, formal acknowledgements or receipts, questionnaires or surveys, templates or forms, educational or training materials, and web-based intranets.

Critical Issue

A known system defect or enhancement request that if left unresolved could significantly impact business operations, compliance with statute or policy, the integrity of the system or data or otherwise create a public health, safety or other significant risk areas.

Critical System

Any information system whose "failure" could threaten the system's environment or the existence of the agency which operates the system. "Failure" in this context does not mean failure to conform to a specification but means any potentially threatening system behavior.


A measure of the degree to which an organization depends on the information or information system for the success of a mission or of a business function. See also: Business Criticality


Agency head, or third-party organization manager if processing is outsourced, who processes personal information according to the instructions provided by the Owner.


A subset of Information. A representation of information, knowledge, facts, concepts, computer software, or computer programs or instructions. Data may be in any form, in storage media, or as stored in the memory of the computer or in transit or presented on a display device.

Data at Rest

Data that is not being accessed and is stored on a physical or logical medium. Examples may be files stored on file servers, records in databases, documents on flash drives, hard disks etc. See also Media

Data Center

NOTE: these are the definitions used in the TBM program and also reside in Standard 113.30: TBM Taxonomy.

Data Centers are facilities that house and protect critical IT equipment supporting delivery of government services including the space, power, environment controls, racks, cabling and external labor.

We distinguish between Agency Data Centers, and the State Data Centers because by statute we are directed to migrate TO the State Data Center and away from Agency Data Centers.

State Data Centers include:

  • The Olympia-based State Data Center (SDC) operated by WaTech.
  • The Quincy-based Disaster Recovery Services Data Center leased by WaTech.

Data in Transit

Data that travels through an email, web, collaborative work applications such as Microsoft Teams or any other type of private or public communication channel.

Data in Use

Data while actively in use by one or more applications for its treatment or and consumed or accessed by users.

Data Owner

Has policy-level responsibility for establishing rules and use of data based on applied classification.Responsible for the day-to-day management of data assets; this includes electronic and hard-copy information.

Data Processing

The collective set of data actions (i.e., the complete data life cycle, including, but not limited to collection, retention, logging, generation, transformation, use, disclosure, sharing, transmission, and disposal).

Data Retention Policy

A key part of the lifecycle of information or data. Such a policy (or schedule) describes how long an agency needs to keep a piece of information (record), where it's stored and how to dispose of the record when its time.

Disaster Recovery

Restarting technology operations after an outage using processes, policies and procedures prepared for recovery or continuation of mission-essential technology infrastructure after a disaster.

These processes are found in a DR Plan. DR is a subset of business continuity and COOP.

The three principal goals of DR are to:

  • Save data,
  • Save hardware, software and facilities, and
  • Resume critical processes/restore data

Other Facilities such as Computer rooms and MDF/IDF/telco closets that house IT equipment primarily supporting local building operations in corporate headquarters, call centers or other general purpose office buildings.


A perimeter network or screened subnet separating an internal network that is more trusted from an external network that is less trusted. Can be a network created by connecting two firewalls. Systems that are externally accessible but need some protections are usually located on DMZ networks.

Dublin Core Metadata Element Set

Establises a standard for cross-domain resource description and has been standardized as the ISO Standard 15836:2009.

Electronic Messaging System

Any device or application that will provide the capability of exchanging digital communication between two or more parties. Examples are email, electronic messaging, instant messaging, and text messaging.


The process of changing plaintext into ciphertext for security, integrity and privacy.

End of Support

For the purpose of this policy, this is defined is the latest date a manufacturer will provide security patches. Some manufacturers have an end of mainstream support date and an extended end-of support date. In these cases, after the end of mainstream support, no additional software feature/function enhancements or fixes are issued but security patches are until the end of extended support. The recommended best practice is to migrate before end of mainstream support.


A computer or other device connected to a computer network. An endpoint may offer information resources, services and applications to users or other endpoints on the Network. Endpoints can include, but may not be limited to, desktop computers, laptop computers, network servers, portable computing devices (Android/iOS tablets and smart phones), embedded control systems and Internet of Things (IoT) devices. See also: Mobile Device.

Enterprise Mobility Management (EMM)

Software that allows agency support staff to not only manage a container on the mobile device, but also control the flow of information between the mobile device and agency computing resources such as collaboration software, cloud storage, shared applications. Additional functions may include: issuance, inventory tracking, policy enforcement on the device.

Enterprise Service

An Enterprise service is a service that all state government agencies with a certain business need or process are required to use. Agencies must not adopt a similar service unless they have an approved waiver. Enterprise Services can support common administrative business processes such as accounting, payroll, etc., or they can include Information Technology applications or services commonly used by agencies.

Enterprise Service Business Owner

The agency accountable and/or responsible to make policy or business decisions regarding an Enterprise Service. Some Enterprise Services also have a service owner.

Enterprise Service Owner

The enterprise service owner is the agency that implements the business owner's decisions and plans and performs many of the service's implementation and operational activities.

Environmental Security

Physical protection against damage from fire, flood, wind, earthquake, explosion, civil unrest, and other forms of natural and man-made risk.

Equivalent Access

Providing users with disabilities with content and interaction that is similar or identical to that provided to users without disabilities, in a form that produces a similar user experience. Users should be provided direct access to the same content unless providing direct access to that content is not possible due to technical or legal limitations.


Any observable occurrence in a system and/or network. Events sometimes provide indication that an incident is occurring.

Executive Sponsor

The senior executive responsible to the agency and the State CIO/WaTech for the project.


A computer network that an organization uses for application data traffic between the organization and its business partners.


A Quality Assurance (QA) provider's assessment of the project's use of project management best practices, as well as their assessment of deficiencies or gaps in the application of those best practices that may have an adverse impact on the project. Findings are assumed to require corrective actions.


An inter-network connection device that restricts data communication traffic between two connected networks. A firewall may be either an application installed on a general-purpose computer or a dedicated platform (appliance), which forwards or rejects/drops packets on a network. Typically, firewalls are used to define zone borders. Firewalls generally have rules restricting which ports are open.

Generative Artificial Intelligence

A machine-based technology that can create content, including text, images, audio, or video, when prompted by a user. Generative AI technologies learn patterns and relationships from large amounts of data, which enables systems to generate new content that may be similar, but not identical, to the underlying training data.

Source: MGMT-01-01-S Technology Portfolio Foundation - Applications


The processes, groups and activities an agency takes to ensure compliance with its Information Technology policies, standards and procedures with the goal of meeting business requirements.


A guideline is a compilation of best practice offered in support of a policy or standard.


A collection of tools, techniques, and best practices to protect technology, applications, systems, infrastructure, firmware, etc. with the goal of reducing security risk by eliminating potential attack vectors and condensing the system's attack surface.


The process of verifying the identity of a user, process, or device, usually as a prerequisite for granting access to resources in an IT system.


Copies of files and data that cannot be altered or tampered with for a preset period of time.


SEC-04-01-S Data Backup and Recovery Standard

MGMT-01-01-S Technology Portfolio Foundation - Applications


The magnitude of harm that can be expected to result from the consequences of unauthorized disclosure of information, unauthorized modification of information, unauthorized destruction of information, or loss of information or information system availability.


The implementer deploys the change into production. The implementer is the person who records the implementation results.


Any attempted, successful, or imminent threat of unauthorized electronic and/or physical access, use, exposure, disclosure, breach, modification, loss, or destruction of information; interference with Information Technology operations; or significant violation of agency or State policy.

Incident Response

The mitigation of violations of security policies and recommended practices.

Independent Project Quality Assurance

The work of one or more professionals responsible for monitoring and assessing the health and effectiveness of project management plans and processes as well as an overall assessment of a projects's short and longer term risks. To preserve independence, the QA provider(s) report outside the project management organizational structure, generally to the project's Executive Sponsor and the State CIO. In Washington state government, independent Project QA is considered different than product or technical quality assurance which might include testing and other independent verification and validation activities.

Information Security Program

Formalized Information Security Policies, standards and procedures that are documented describing the program management safeguards and common controls in place or those planned for meeting the Agency's information security requirements.

Information System

A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.

Information Technology (IT)

Per RCW 43.105.020, "Information Technology" includes, but is not limited to, all electronic technology systems and services, automated information handling, system design and analysis, conversion of data, computer programming, information storage and retrieval, telecommunications, requisite system controls, simulation, electronic commerce, radio technologies, and all related interactions between people and machines.

Information Technology (IT) Assets/Resources

Anything that has value to an organization, including, but not limited to, another organization, person, computing device, information technology (IT) system, IT network, IT circuit, software (both an installed instance and a physical instance), virtual computing platform (common in cloud and virtualized computing), and related hardware (e.g., locks, cabinets, keyboards).

Information Technology (IT) Asset Owner

An asset owner is a person responsible for the day-to-day management of assets. This includes electronic and hard-copy information and hardware, software, services, people, and facilities.

Information Technology (IT) Expenditures

Within the TBM Program, the source financial information used for identifying IT expenditures is from the statewide Agency Financial Reporting System (AFRS) and based on these components:

  • New IT acquisitions (coded in AFRS as Project Type X).
  • IT maintenance and operations (coded in AFRS as Project Type Y).
  • Data processing services (AFRS Sub-Object EL).

NOTE: AFRS Sub-Object EL is defined in the OFM State Administrative and Accounting Manual (SAAM) 75.70.20 as "Charges by state agencies for information technology services. Examples include computing services, hosting services, network services, web services, statewide systems (AFRS, HRMS, etc.), and planning and policy assessment by agencies such as the Department Enterprise Services, the Office of Financial Management, Office of the Chief Information Officer and WaTech."

Information Technology (IT) Infrastructure

IT infrastructure consists of the equipment, systems, software, and services used in common across an organization, regardless of mission/program/project.

Information Technology Resource Tower (ITRT)

IT Resource Towers (ITRT) are functional IT groupings that can be used to benchmark to industry. They can be split into more granular ITRT Sub-Towers to gain visibility into specific functions within a tower. They also map up to utilization data in Accelerators, as well as to Applications and Services. The translation of financial information into functional IT towers (ITRTs) involves mapping from Cost Centers, and combining GL, Labor and Asset allocations.

Inherent Risk

Inherent risk is the impact and likelihood of a risk in the absence of controls


Guarding against improper information modification or destruction and includes ensuring information non-repudiation and authenticity.

Internal System or Network

An IT system or network designed and intended for use only by state of Washington employees, contractors, and business partners. A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.

Internet Control Message Protocol (ICMP)

The International Organization for Standardization develops and publishes international standards.

Source: EA-04-01-S IPv6 Implementation Standard


The International Organization for Standardization develops and publishes international standards.

Intrusion Detection Systems (IDS)

Security service that monitors and analyzes network or system events for the purpose of finding, and providing real-time or near real-time warning of, attempts to access system resources in an unauthorized manner.

Intrusion Prevention Systems (IPS)

System that can detect an intrusive activity and can also attempt to stop the activity, ideally before it reaches its targets.

K-20 Educational Network

A high-speed, high-capacity network that connects colleges, universities, K-12 school districts and libraries across Washington state. K-12 schools and educational organizations rely on the K-20 network to run hundreds of data-based applications that support school administration, distance learning and operations.

Key Management

Activities involving the handling of cryptographic keys and other related security parameters (e.g., initialization vectors) during the entire lifecycle of the keys, including their generation, storage, establishment, entry and output, use and destruction.

Least Privilege

The principle that a security architecture should be designed so that each entity is granted the minimum system resources and authorizations that the entity needs to perform its function.

Litigation Hold (aka Preservation Order or Hold Order)

A temporary suspension of the Agency's document retention/destruction policies for the documents that may be, or are reasonably anticipated to be, relevant to a lawsuit. It is a stipulation requiring the Agency to preserve all data, information and records (files, both electronic and physical, email and instant messages, voice recordings, video recordings, etc.) that may relate to a legal action involving the Agency. A litigation hold ensures that the documents relating to the litigation are not destroyed and are available for the discovery process prior to litigation.

Major Project

A project subject to State CIO/WaTech oversight based on the IT Project Assessment tool, a statute or some other factor as determined by the State CIO.

Malicious Code

Software (such as a Trojan horse) that appears to perform a useful or desirable function but gains unauthorized access to system resources or tricks a user into executing other malicious logic.


Software or firmware intended to perform an unauthorized process that will have adverse impact on the confidentiality, integrity, or availability of an information system. A virus, worm, Trojan horse, or other code-based entity that infects a host. Spyware and some forms of adware are also examples of malicious code.


Retrievable retention of data. Electronic, electrostatic, or electrical hardware or other elements (media) into which data may be entered, and from which data may be retrieved. This includes but is not limited to: Physical devices or writing surfaces including, but not limited to, magnetic tapes, optical disks, magnetic disks, Large-Scale Integration (LSI) memory chips, printouts (but not including display media) onto which information is recorded, stored, or printed within an information system.

Media Sanitization

The actions taken to render data written on media unrecoverable by both ordinary and extraordinary means. There are four methods:

  • Disposal: most basic form of sanitization, where media is tossed out with no special disposition.
  • Clear: level of media sanitization that would protect the confidentiality of information against a robust keyboard attack.
  • Purge: media sanitization process that protects the confidentiality of information against a laboratory attack.
  • Destroy: the ultimate form of sanitization, including disintegration, incineration, pulverizing, shredding and melting.


Data about data. Metadata is a summary document providing content, quality, type, creation and spatial information about a dataset or other resource (for example, MP3 files, books, reports, websites, satellite images or DIS dataset).

Mobile Device

A portable computing device that:

  1. Has a small form factor such that it can easily be carried by a single individual.
  2. Is designed to operate without a physical connection (e.g., wirelessly transmit or receive information).
  3. Possesses local, non-removable or removable data storage.
  4. Includes a self-contained power source. Mobile devices may also include voice communication capabilities, on-board sensors that allow the devices to capture information, and/or built-in features for synchronizing local data with remote locations.

Examples include smart phones, tablets, and e-readers. This policy is not meant to apply to: cars, boats, airplanes, laptop computers, desktop computers, unpiloted aerial vehicles (drones), gps receivers, radios.

Mobile Device Management (MDM)

Software that allows agency support staff to manage a "sandbox" or container on a mobile device where state data and applications can be added, deleted, or monitored. Additional functions may include: issuance, inventory tracking, policy enforcement on the device.

Multi-factor Authentication (MFA)

An authentication system or an authenticator that requires more than one authentication factor for successful authentication. Multi-factor authentication can be performed using a single authenticator that provides more than one factor or by a combination of authenticators that provide different factors.


MGMT-01-01-S Technology Portfolio Foundation - Applications


Information system(s) implemented with a collection of interconnected components. Such components may include routers, hubs, cabling, telecommunications controllers, key distribution centers, and technical control devices.

Network Device

A device available to other computers on a network. Examples include servers, firewalls, routers, switches, workstations, networked Supervisory Control and Data Acquisition (SCADA) systems, and networked printers (multifunction devices).

Nibble Boundary

A network mask that aligns with a boundary of 4 bits. It is used to keep addressing plans easily readable and understandable 1. In an IPv6 prefix, each hexadecimal character represents one nibble, which is 4 bits. Therefore, the prefix length of a delegated prefix should always be a multiple of 4.

Source: EA-04-01-S IPv6 Implementation Standard


Assurance that the sender of information is provided with proof of delivery and the recipient is provided with proof of the sender's identity, so neither can later deny having processed the information.


A unique string of characters that, in conjunction with a logon ID, authenticates a user's identity.

Patch Management

The systematic notification, identification, deployment, installation, and verification of operating system and application software code revisions. These revisions are known as patches, hot fixes, and service packs.

Penetration Test

A test methodology in which assessors, typically working under specific constraints, attempt to circumvent or defeat the security features of an information system. Also: Pen Test

Personal Information

Information that is identifiable, directly or indirectly, to a specific individual.

Source: DATA-03 Privacy and Data Protection Policy

Physical Security

Physical security describes measures that prevent or deter attackers from accessing a facility, resource, or information stored on physical media in an IT facility.


High level statements of intention and direction of an organization as formally expressed by its top management. A policy expresses what must to be accomplished or achieved and the roles and responsibilities of the various entities.

Portable Electronic Device

Electronic devices having the capability to store, record, and/or transmit text, images/video, or audio data. Examples of such devices include, but are not limited to: pagers, laptops, cellular telephones, radios, compact disc and cassette players/recorders, portable digital assistant, audio devices, watches with input capability, and reminder recorders. Also: Mobile Device


An established or official way of doing something.


Operation or set of operations performed upon personal information that can include, but is not limited to, the collection, retention, logging, generation, transformation, use, disclosure, transfer and disposal of personal information.

Source: DATA-03 Privacy and Data Protection Policy


See Data Processing

Quality Assurance Plan

A document that describes how the QA Practitioner will deliver its service.

Quality Assurance Solicitation

A Request for Proposal, a Request for Quote and Qualification, an interagency agreement proposal or an agency recruitment or any other effort that is intended to result in the acquisition or hire of a QA resource.


A type of malware that attempts to deny a user or organization access to data or systems, usually through encryption, until a sum of money or other currency is paid, or forcing the user or organization to take an action


The QA Practitioners suggested course of action to address a negative Finding.


Recordings of evidence of activities performed or results achieved (e.g., forms, reports, test results), which serve as a basis for verifying that the organization and the information system are performing as intended. Also used to refer to units of related data fields (i.e., groups of data fields that can be accessed by a program and that contain the complete set of information on particular items).

Recovery Point Objective (RPO)

The point in time to which data must be recovered after an outage.

Recovery Procedure

Actions necessary to restore data files of an information system and computational capability after a system failure.

Recovery Time Objective (RTO)

The maximum tolerable length of time that a computer, system, network or application can be down after a failure or disaster occurs.

Remote Access

Access to an organizational system by a user (or a process acting on behalf of a user) communicating through an external network.


The requestor submits the change request.

Residual Risk

The potential for the occurrence of an adverse event after adjusting for the impact of all in-place controls.


The capability of remaining or returning to a normal situation after an event by having multiple ways of performing a function. This may include people, processes or technology. Generally speaking, this means there would be no single point of failure that could stop a process.


Refers to any objects of interests such as books, reports, datasets, services, applications, websites, satellite images, videos, etc.


A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of:

  1. The adverse impacts that would arise if the circumstance or event occurs; and
  2. The likelihood of occurrence.

Risk Acceptance

The level of Residual Risk that has been determined to be a reasonable level of potential loss/disruption for a specific IT system.

Risk Appetite

The types and amount of risk, on a broad level, a business unit or organization is willing to accept in its pursuit of value.

Risk Assessment

The process of identifying risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system. Part of risk management, the assessment incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place. Synonymous with risk analysis.

Risk Management

The program and supporting processes to manage information security risk levels to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, and includes:

  1. Establishing the context for risk-related activities,
  2. Assessing risk,
  3. Responding to risk once determined, and
  4. Monitoring risk over time.

Risk Mitigation

A decision, action, or practice intended to reduce the level of risk associated with one or more threat events, threat scenarios, or vulnerabilities.

Risk Profile

A prioritized inventory of the most significant risks identified and assessed through the risk assessment process versus a complete inventory of risks.

Risk Register

A repository that contains the information about identified risks, results of Risk Analysis (impact, probability, effects), as well as Risk Response Plans. Used to monitor and control risks associated with a system, application or asset lifecycle.

Risk Tolerance

The agency's or stakeholder's readiness to bear the risk after risk treatment in order to achieve its objectives. Note: Risk tolerance can be influenced by legal or regulatory requirements.

Risk Treatment Plan (RTP)

Process to modify risk


A mechanism (software, hardware, configuration, etc.) that protects something, such as information.


The actions taken to render data written on media unrecoverable by both ordinary and extraordinary means.

Secure Segmentation

Secure segmentation is defined as implementing methods that allow for secure communication between various levels of segmented environments. These environments typically involve 4 basic segment groups:

  • Outside (Trust no one).
  • Services (Trust limited to defined segmentation lines).
  • Internal (Trust limited to defined group).
  • External users (Trust limited to defined group).

The methods for securing these segments may include but are not limited to firewall and switch/router configurations and router/switch ACLs.


A condition that results from the establishment and maintenance of protective measures that enable an organization to perform its mission or critical functions despite risks posed by threats to its use of systems. Protective measures may involve a combination of deterrence, avoidance, prevention, detection, recovery, and correction that should form part of the organization's risk management approach.

Security Administrator

A security administrator performs information security functions for servers and other hosts, as well as networks.

Security Control

A safeguard or countermeasure prescribed for an information system, or an organization designed to protect the confidentiality, integrity, and availability of its information and to meet a set of defined security requirements including but not limited those defined in the WaTech IT security standards.

Security Domain

A domain within which behaviors, interactions, and outcomes occur and that is defined by a governing security policy. Note: A security domain is defined by rules for users, processes, systems, and services that apply to activity within the domain and activity with similar entities in other domains.

Security Event

A security change that may have an impact on organizational operations (including mission, capabilities, or reputation).


The degree to which an IT system or application requires protection (to ensure confidentiality, integrity, and availability) which is determined by an evaluation of the nature and criticality of the data processed, the relation of the system to the organization missions and the economic value of the system components.

Service Agreement

Represents a commitment between a service provider and one or more customers and addresses specific aspects of the service, such as responsibilities, details on the type of service, expected performance level (e.g., reliability, acceptable quality, and response times), and requirements for reporting, resolution, and termination.


A service is a means of delivering value to customers by facilitating outcomes that customers want to achieve without the ownership of specific costs and risks.

Service Disruption

An unplanned event that causes an information system to be inoperable for a period of time.

Simple Network Management Protocol (SNMP)

A standard TCP/IP protocol for network management. Network administrators use SNMP to monitor and map network availability, performance, and error rates. To work with SNMP, network devices utilize a distributed data store called the Management Information Base (MIB). All SNMP-compliant devices contain a MIB which supplies the pertinent attributes of a device. Some attributes are fixed or “hard-coded” in the MIB, while others are dynamic values calculated by agent software running on the device.

Source: EA-04-01-S IPv6 Implementation Standard


SMART is a mnemonic for Specific, Measurable, Achievable, Relevant and Time bound. These characteristics are helpful to remember when identifying project objectives.

Software as a Service (SaaS)

The capability provided to the consumer is to use the provider's applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web-based email), or a program interface. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, except for limited user-specific application configuration settings.


Documents that support policies and indicate how and what kind of technology and business processes must be implemented, used and maintained to meet policy objectives.

Start of a Project

For the purposes of project investment, approval, oversight and quality assurance, the start of the project is at the beginning of planning.

State Government Network (SGN)

The shared, internal enterprise network bounded by a WaTech-managed security layer. The WaTech-managed security layer is defined as firewalls, proxy servers, security appliances, secure gateways, and other centrally managed security services.

Source: SEC-04-05-S Network Security Standard

Storage Media

See Media

Sunset Review

A mandatory periodic review of a technical policy and standard that:

  • Determines the continued need for the policy or standard, and
  • Evaluates the full content of the policy or standard for accuracy, clarity and completeness.

Sunset reviews may occur ahead of the published sunset review date if needed.


An interconnected set of information resources under the same direct management control that shares common functionality. A system normally includes hardware, software, information, data, applications, communications, and people.

System Components

The discrete information technology assets comprising a system. This includes hardware, software, and firmware.

Tablet PC

A portable general-purpose computer contained within a single small form factor LCD display sized to approximately match that of a traditional writing paper tablet. A tablet PC utilizes a touch screen as the primary input source. Typically, either wireless (802.11) or mobile (4G) networks are used for connectivity with limited physical port options. Examples of Tablet PC's include iPad, Motorola Xoom, HP Elitebook, Samsung Galaxy, Sony Tablet S, Toshiba Thrive, Acer Iconia, Kindle Fire, Nook tablet, etc.

Technology Business Management (TBM)

A set of best practices for running IT like a business - and more importantly for effectively and consistently (using a data-driven agreed upon framework) communicating not just the cost of IT, but also attributing that cost to business services. Key to TBM is the ability of IT and business leaders to have data-driven discussions about cost and value of IT to best support business goals.

TBM Categorization

Within the TBM Program, agencies are responsible for categorizing and documenting their costs to the program taxonomies. The TBM Program provides templates that agencies use to capture and submit categorization to the program.

TBM Cost Center

The cost center used in the TBM program is agency defined. Agencies can select up to three fields coded in the statewide Agency Financial Reporting System (AFRS) for their TBM Cost Center.

TBM Project

This term, as used in TBM policy and accompanying standards is defined per our current TBM product. A 'project' is a discrete area within the product in which datasets, models, metrics and reports reside; these are configured according to specific business rules defined by the project administrator. Agency-specific projects allow for greater reporting accuracy than the multi-agency project, which allows less granularity and customization of business rules.

Technology Tower

This is an updated industry term for IT Resource Towers (ITRT). The ITRT are functional IT groupings that can be used to benchmark to industry. They can be split into more granular ITRT Sub-Towers to gain visibility into specific functions within a tower. They also map up to utilization data in Accelerators, as well as to Applications and Services. The translation of financial information into functional IT towers (ITRTs) involves mapping from Cost Centers, and combining GL, Labor and Asset allocations.

Third-Party Agency

A Washington State agency that provides IT services to another Washington State agency.


Any circumstance or event (human, physical, or environmental) with the potential to cause harm to an IT system in the form of destruction, disclosure, adverse modification of data, and/or denial of service by exploiting vulnerability.

Threat Intelligence

Information that has been aggregated, transformed, analyzed, interpreted, or enriched to provide the necessary context for decision-making processes.

Threat Source

The intent and method targeted at the intentional exploitation of a vulnerability or a situation and method that may accidentally trigger a vulnerability.


Is something that the claimant possesses and controls (such as a key or password) that is used to authenticate a claim.


System or network that in which there exists a level of confidence (based on rigorous analysis and testing) that the security principals and mechanisms (e.g., separation, isolation, least privilege, discretionary and non-discretionary access control, trusted path, authentication, and security policy enforcement) are correctly implemented and operate as intended even in the presence of adversarial activity.


The encapsulation of one protocol inside of another.

Source: EA-04-01-S IPv6 Implementation Standard

Undue Burden

In determining whether an action would result in an undue burden, an agency shall consider all agency resources available to the program or component for which the covered technology is being developed, procured, maintained, or used.


System, network, or process that has not been evaluated or examined for correctness and adherence to the security policy. Characterized by absence of trusted status. Assumed to be unreliable, untruthful, and inaccurate unless proven otherwise.


Commercial supplier of software or hardware, or services.

Verification and Validation

The process of determining whether the requirements for a system or component are complete and correct, the products of each development phase fulfill the requirements or conditions imposed by the previous phase, and the final system or component complies with specified requirements.

Virtual Teletype (VTY)

A command line interface (CLI) created in a router and used to facilitate a connection to the daemon via Telnet, a network protocol used in local area networks. 

Source: EA-04-01-S IPv6 Implementation Standard


A virtual network built on top of existing networks that can provide a secure communications mechanism for data and IP information transmitted between networks.

SEC-04-05-S Network Security Standard


Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.

Vulnerability Assessment

A systematic examination of an information system or product to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation.

Vulnerability Management

An Information System Continuous Monitoring (ISCM) capability that identifies vulnerabilities [Common Vulnerabilities and Exposures (CVEs)] on devices that are likely to be used by attackers to compromise a device and use it as a platform from which to extend compromise to the network.

Vulnerability Scanning

A technique used to identify hosts/host attributes and associated vulnerabilities.


An ad hoc or standing group of subject matter experts who support the development and maintenance of policies, standards and/or guidelines.


  • Zero-Day Vulnerability: An unknown security vulnerability or software flaw that a threat actor can target with malicious code such as a virus.
  • Zero-Day Exploit: The technique or tactic a malicious actor uses to leverage the vulnerability to attack a system.
  • Zero-Day Attack: Occurs when a hacker releases malware to exploit the software vulnerability before the flaw is patched.