Definition of Terms Used in Policies and Reports

Access

The ability to use, modify, or affect an IT system or to gain entry to a physical area or location.

Sources:

SEC-04-03-S Configuration Management Standard

SEC-06 Access Control Policy

Access Control

The process of granting or denying specific requests to

  1. Obtain and use information and related information processing services and/or systems; and
  2. Enter specific physical facilities (e.g., buildings, offices and other facilities).

Sources:

SEC-08 Data Sharing Policy

SEC-06 Access Control Policy

Access Control List (ACL)

A list of permissions associated with a system resource (object or facility).

Source: 

EA-04-01-S IPv6 Implementation Standard

Accountability

Security goal that generates the requirement for actions of an entity to be traced uniquely to that entity. This supports non-repudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action.

Accounts Payable

Amounts owed to private persons or organizations for goods and/or services received by the state. Accounts Payable does not include amounts due to other agencies, funds, or other governments. 

Source: 

Administrative and Financial System Investment Approval

Accounts Receivable

Amounts due from private persons or organizations for goods, and/or services furnished by the state. Accounts Receivable does not include amounts due from other agencies, funds, or other governments.

Source: 

Administrative and Financial System Investment Approval

Administrative Revisions

General content changes, such as an organization name, phone number, mailbox or URL in a policy or standard, or a clarification or other revision that does not change the effect of the policy or standard.

Agency

State office, department, division, bureau, board, commission, including offices headed by a statewide elected official.

Application

A computer program or set of programs that meet a defined set of business needs. See also Application System.

Source:

SEC-12 Information Technology Disaster Recovery Planning

Application System

An interconnected set of IT resources under the same direct management control that meets a defined set of business needs.

Appointment Change

An action that indicates a change to an employee's appointment within the agency or movement of an employee between different agencies without a break in service. May include, but is not limited to, movement to another position, adjustment of hours worked, changes from salaried to hourly, or reallocation of a position.

Source: 

Administrative and Financial System Investment Approval

Approver

The approver is responsible for deciding whether a change is fit to proceed to implementation by examining the evidence in the change request.

Artificial Intelligence

A technology module or service that is built, integrated, or implemented in order to assist with or fully determine predictions, recommendations or decisions.

Source: 

MGMT-01-01-S Technology Portfolio Foundation - Applications

Asset

See Information Technology (IT) Assets/Resources 

Attack

An attempt to bypass security controls on an IT system to compromise the data.

Audit

Independent examination of records and activities to ensure compliance with established controls, policy, and operational procedures and to recommend any indicated changes in controls, policy, or procedures.

Audit Log

A chronological record of system activities, including records of system accesses and operations performed in a discrete period.

Audit Record

An individual entry in an audit log related to an audited event.

Audit Record Reduction

A process that manipulates collected audit information and organizes it into a summary format that is more meaningful to analysts.

Authentication

Security measures designed to establish the validity of a transmission, message, or originator, or a means of verifying an individual's authorization to receive specific categories of information.

Sources:

SEC-06 Access Control Policy

SEC-06-01-S Identification and Authentication Security Standard

Authorization

Access privileges granted to a user, program, application, or process or the act of granting such privileges.

Source:

SEC-06 Access Control Policy

Authenticator

Something the claimant possesses and controls or knows (typically a cryptographic module or password) that is used to authenticate the claimant’s identity. 

Source:

SEC-06-01-S Identification and Authentication Security Standard

Authenticity

Property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or message originator.

Availability

The timely, reliable access to data and information services for authorized users.

Source: 

SEC-08-01-S Data Classification Standard

Benefits Management

Advantage, privilege, right, or financial reimbursement (such as that made under an insurance policy, medical plan, or pension plan) 

Source: 

Administrative and Financial System Investment Approval

Backup

A copy of files and programs made to facilitate recovery if necessary.

Sources: 

SEC-04-01-S Data Backup and Recovery Standard

SEC-10 IT Security Incident Response Policy

Biometric

Measurable physical characteristics or personal behavioral traits used to identify, or verify the claimed identity, of an individual.

Breach

Loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or any similar occurrence where: a person other than an authorized user accesses or potentially accesses personally identifiable information; or an authorized user accesses personally identifiable information for an other than authorized purpose.

Budgetary Control

The control or management of a governmental unit in accordance with an approved budget for the purpose of keeping expenditures within the limitations of available appropriations and available revenues.

Source: 

Administrative and Financial System Investment Approval

Budgeting 

A plan of financial operation embodying an estimate of proposed expenditures for a given period of time or purpose and the proposed means of financing them. 

Source: 

Administrative and Financial System Investment Approval

Business Analytics 

Business analytics includes all forms of data analysis of extremely large, complex data sets (big data) that are manipulated for business (mission) consumption.

Source: 

Administrative and Financial System Investment Approval

Business Application/System

An application or system which has a direct impact on the delivery of services to department/agency employees, clients or consumers.

Source:

MGMT-03 Business Application/System Governance

Business Continuity

The activities performed by the agency to ensure critical functions are available to entities needing access to those functions. Business continuity is related to restoring normal day-to-day functions in the event of service disruptions. Business continuity planning is different than disaster recovery planning.

Source: 

SEC-12 Information Technology Disaster Recovery Planning

Business Criticality

The measure of how reliant the success of an organization's mission is on a system. Four levels of criticality may be assigned:

  • Mission Critical: Requires near-continuous availability. If unavailable, may result in widespread impacts to the agency's ability to meet its mission and statutory requirements, including significant disruptions to operations and revenue; carries major risks to health/safety or the environment; and/or carries risk of irreparable damage to the organization's public reputation and compromise of the continuity of government. May also be called 'Mission Essential.'
  • User Productivity: If unavailable, there is an impact to employee productivity, but outside the line of service to customers.
  • Historical: Historical reference. No bearing on business operations or customers.
  • Business Essential: If unavailable, may result in impacts to agency operations, including negative customer satisfaction, compliance violations, non-public damage to the organization's reputation, and/or direct revenue impacts.

Sources:

MGMT-01-01-S Technology Portfolio Foundation - Applications

SEC-04-01-S Data Backup and Recovery Standard

SEC-11-02-S Vulnerability Management Standard

SEC-12 Information Technology Disaster Recovery Planning

Business Impact Analysis

The process of evaluating an information system's requirements, functions, and interdependencies used to characterize system contingency requirements and priorities and the effect that a disruption might have on them.

Sources:

SEC-12 Information Technology Disaster Recovery Planning

SEC-04-01-S Data Backup and Recovery Standard

Business Owner/Steward 

The bullets below are common attributes to look for or cultivate in a business owner/steward:

  • Deep knowledge of business operations and how the application/system impacts these operations
  • Organizational authority to commit resources when needed
  • Ability and authority to bring people together to make timely and binding decisions
  • Ability and authority to make decisions when formal governance structures won't or can't make them
  • Commitment to the documented governance processes and activities
  • Has direct access to the agency director as needed for escalation or accountability
  • Able to communicate effectively with internal and external stakeholders, particularly around critical system issues and impacts
  • Will commit the time to perform the role

Source:

MGMT-03 Business Application/System Governance

Cached Map Service 

A map service which uses a map tiling scheme designed to support high performance and scalability. Cached map services need to use the same coordinate system in order to overlay in web client applications.

Source: 

DATA-02-04-S Web Mapping Standard

Capital Asset Management/Fixed Asset Management 

The management of tangible or intangible assets held and used in state operations, which have a service life of more than one year and meet the state's capitalization policy. Capital assets of the state include land, infrastructure, and improvements to land, buildings, leasehold improvements, vehicles, furnishings, equipment, collections, and all other tangible and intangible assets that are used in state operations.

Source: 

Administrative and Financial System Investment Approval

Cash Flows

The cash receipts and cash payments of a government during a period. It categorizes cash activity as resulting from operating, noncapital financing, capital financing and investing activities.

Source: 

Administrative and Financial System Investment Approval

Change 

The addition, modification or removal of any authorized, planned, or supported service or service component that could have an effect on IT services.

Source: 

SEC-05 Change Management Policy

Cloud Computing

A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

Cloud Service

Services available via a remote cloud computing service provider rather than an on-site system. These scalable solutions are managed by a third party and provide access to computing services such as analytics or networking via the Internet.

Source: 

SEC-11-01-S Information Security Risk Assessment Standard

Communication

The exchange or sharing of data including, but not limited to, text, IM, email, voice records and other records.

Confidential Information

See also Data Classification Standard

Confidentiality

Preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information.

Configuration Baseline

A set of specifications for a system, or Configuration Item (CI) within a system, that has been formally reviewed and agreed on at a given point in time, and which can be changed only through change control procedures. The baseline configuration is used as a basis for future builds, releases, and/or changes.

Source:

SEC-04-03-S Configuration Management Standard

Configuration Control

Process for controlling modifications to hardware, firmware, software, and documentation to protect the information system against improper modifications before, during, and after system implementation.

Source:

SEC-04-03-S Configuration Management Standard

Continuity of Operations Planning (COOP)

The effort to ensure that mission-essential functions continue to be performed during a wide range of emergencies which could be localized or widespread.

Sources:

SEC-10 IT Security Incident Response Policy

SEC-12 Information Technology Disaster Recovery Planning

Contractor

Includes any firm, provider, organization, individual, or other entity performing the business activities of the agency. It will also include any subcontractor retained by Contractor as permitted under the terms of the Contract. Also: third-party.

Controlled Area

Any area or space for which an organization has confidence that the physical and procedural protections provided are sufficient to meet the requirements established for protecting the information and/or information system.

Controls

The means of managing risk, including policies, procedures, guidelines, practices, or organizational structures, which can be of an administrative, technical, management, or legal nature. See also: Security Control

Sources:

SEC-08-01-S Data Classification Standard

SEC-11-02-S Vulnerability Management Standard

Cost Pools

The basic financial groupings of cost data. The smaller list simplifies reporting and provides a finance view of IT spend and represents the logical accounting buckets for IT charges. Cost Pools are mapped on the Chart of Accounts. For the State of Washington, Cost Pool mapping is generally done by mapping Objects, Sub-Objects, and/or Sub-Sub-Objects to a Cost Pool.

Covered Technology

All public-facing content, including websites, applications, documents and media, blog posts, and social media content. Certain non-public-facing content must also comply. Examples include all electronic content used for official business to communicate: emergency notifications, initial or final decisions adjudicating administrative claims or proceedings, internal or external program or policy announcements, notices of benefits, program eligibility, employment opportunities or personnel actions, formal acknowledgements or receipts, questionnaires or surveys, templates or forms, educational or training materials, and web-based intranets.

Critical Issue

A known system defect or enhancement request that if left unresolved could significantly impact business operations, compliance with statute or policy, the integrity of the system or data or otherwise create a public health, safety or other significant risk areas.

Critical System

Any information system whose "failure" could threaten the system's environment or the existence of the agency which operates the system. "Failure" in this context does not mean failure to conform to a specification but means any potentially threatening system behavior.

Criticality

A measure of the degree to which an organization depends on the information or information system for the success of a mission or of a business function. See also: Business Criticality

Custodian

Agency head, or third-party organization manager if processing is outsourced, who processes personal information according to the instructions provided by the Owner.

Cybersecurity Incident

Any attempted, successful, or imminent threat of unauthorized electronic and/or physical access, use, exposure, disclosure, breach, modification, loss, or destruction of information; interference with Information Technology operations; or significant violation of agency or state policy.

Source:

SEC-10 IT Security Incident Response Policy

Data

A subset of Information. A representation of information, knowledge, facts, concepts, computer software, or computer programs or instructions. Data may be in any form, in storage media, or as stored in the memory of the computer or in transit or presented on a display device.

Sources:

SEC-08 Data Sharing Policy

SEC-08-01-S Data Classification Standard

SEC-08-02-S Encryption Standard

Data at Rest

Data that is not being accessed and is stored on a physical or logical medium. Examples may be files stored on file servers, records in databases, documents on flash drives, hard disks etc. See also Media

Source: 

SEC-08-02-S Encryption Standard

Data Center

Data Centers are facilities that house and protect critical IT equipment supporting delivery of government services including the space, power, environment controls, racks, cabling and external labor.

We distinguish between Agency Data Centers, and the State Data Centers because by statute we are directed to migrate TO the State Data Center and away from Agency Data Centers.

See State Data Center

Source: 

Standard 113.30: TBM Taxonomy.

Data in Transit

Data that travels through an email, web, collaborative work applications such as Microsoft Teams or any other type of private or public communication channel.

Source:

SEC-08-02-S Encryption Standard

Data in Use

Data while actively in use by one or more applications for processing, or while being consumed or accessed by users.

Data Owner

Has policy-level responsibility for establishing rules and use of data based on applied classification. Responsible for the day-to-day management of data assets; this includes electronic and hard-copy information.

Data Processing

The collective set of data actions (i.e., the complete data life cycle, including, but not limited to collection, retention, logging, generation, transformation, use, disclosure, sharing, transmission, and disposal).

Data Retention Policy

A key part of the lifecycle of information or data. Such a policy (or schedule) describes how long an agency needs to keep a piece of information (record), where it is stored, and how to dispose of the record when it is time.

Source:

SEC-04-03-S Configuration Management Standard

Disaster Recovery (DR)

Restarting technology operations after an outage using processes, policies and procedures prepared for recovery or continuation of mission-essential technology infrastructure after a disaster.

These processes are found in a DR Plan. DR is a subset of business continuity and COOP.

The three principal goals of DR are to:

  • Save data,
  • Save hardware, software and facilities, and
  • Resume critical processes/restore data

Other facilities, such as computer rooms and MDF/IDF/telco closets, house IT equipment primarily supporting local building operations in corporate headquarters, call centers or other general-purpose office buildings.

Sources:

SEC-10 IT Security Incident Response Policy

SEC-12 Information Technology Disaster Recovery Planning

DMZ

A perimeter network or screened subnet separating an internal network that is more trusted from an external network that is less trusted. Can be a network created by connecting two firewalls. Systems that are externally accessible but need some protections are usually located on DMZ networks.

Dublin Core Metadata Element Set

Establishes a standard for cross-domain resource description and has been standardized as the ISO Standard 15836:2009.

Dynamic Map Service

A map service which renders a map image on demand directly from a live data source.

Source: 

DATA-02-04-S Web Mapping Standard

Electronic Messaging System

Any device or application that will provide the capability of exchanging digital communication between two or more parties. Examples are email, electronic messaging, instant messaging, and text messaging.

Encryption

The process of changing plaintext into ciphertext for security, integrity and privacy.

Source: 

SEC-08-02-S Encryption Standard

End of Support

End of Support is defined as the latest date a manufacturer will provide security patches. Some manufacturers have an end-of-mainstream-support date and an extended end-of-support date. In these cases, after the end of mainstream support, no additional software feature/function enhancements or fixes are issued, but security patches are, until the end of extended support. The recommended best practice is to migrate before the end of mainstream support.

Endpoint

A computer or other device connected to a computer network. An endpoint may offer information resources, services and applications to users or other endpoints on the network. Endpoints can include, but are not limited to, desktop computers, laptop computers, network servers, portable computing devices (Android/iOS tablets and smart phones), embedded control systems and Internet of Things (IoT) devices. See also: Mobile Device.

Source:

SEC-04-09-S Endpoint Detection and Response Standard

SEC-11-02-S Vulnerability Management Standard

Endpoint Detection and Response (EDR)

A cybersecurity technology that continually monitors an "endpoint" to mitigate malicious cyber threats. See Endpoint.

Source:

SEC-04-09-S Endpoint Detection and Response Standard

Enterprise Mobility Management (EMM)

Software that allows agency support staff to not only manage a container on the mobile device, but also control the flow of information between the mobile device and agency computing resources such as collaboration software, cloud storage, shared applications. Additional functions may include: issuance, inventory tracking, policy enforcement on the device.

Sources:

SEC-04-06-S Mobile Device Security Standard

SEC-04-07-S Non-Agency Issued Device Security Standard

Enterprise Service

An Enterprise service is a service that all state government agencies with a certain business need or process are required to use. Agencies must not adopt a similar service unless they have an approved waiver. Enterprise Services can support common administrative business processes such as accounting, payroll, etc., or they can include Information Technology applications or services commonly used by agencies.

Source:

EA-02 Establishing an Enterprise Service Policy

Enterprise Service Business Owner

The agency accountable and/or responsible to make policy or business decisions regarding an Enterprise Service. Some Enterprise Services also have a service owner.

Enterprise Service Owner

The enterprise service owner is the agency that implements the business owner's decisions and plans and performs many of the service's implementation and operational activities.

Environmental Security

Physical protection against damage from fire, flood, wind, earthquake, explosion, civil unrest, and other forms of natural and man-made risk.

Equivalent Access

Providing users with disabilities with content and interaction that is similar or identical to that provided to users without disabilities, in a form that produces a similar user experience. Users should be provided direct access to the same content unless providing direct access to that content is not possible due to technical or legal limitations.

Event

Any observable occurrence in a system and/or network. Events sometimes provide indication that an incident is occurring.

Executive Sponsor

The senior executive responsible to the agency and the State CIO/WaTech for the project.

Extranet

A computer network that an organization uses for application data traffic between the organization and its business partners.

Finding

A Quality Assurance (QA) provider's assessment of the project's use of project management best practices, as well as their assessment of deficiencies or gaps in the application of those best practices that may have an adverse impact on the project. Findings are assumed to require corrective actions.

Firewall

An inter-network connection device that restricts data communication traffic between two connected networks. A firewall may be either an application installed on a general-purpose computer or a dedicated platform (appliance), which forwards or rejects/drops packets on a network. Typically, firewalls are used to define zone borders. Firewalls generally have rules restricting which ports are open.

Source: 

SEC-04-04-S Firewall Standard

General Ledger

A ledger containing the accounts in which are recorded, in detail or in summary, all transactions of the state. 

Source: 

Administrative and Financial System Investment Approval

General Ledger Reconciliation

The process of correlating one set of records with another set of records and/or a physical inventory count that involves identifying, explaining, and correcting differences. 

Source: 

Administrative and Financial System Investment Approval

Generative Artificial Intelligence

A machine-based technology that can create content, including text, images, audio, or video, when prompted by a user. Generative AI technologies learn patterns and relationships from large amounts of data, which enables systems to generate new content that may be similar, but not identical, to the underlying training data.

Source: 

MGMT-01-01-S Technology Portfolio Foundation - Applications

Geodetic Control

Set of control points whose coordinates are established by geodetic surveying methods such as classical line-of-sight triangulation, traverse, geodetic leveling, and gravimetric or satellite surveys such as Doppler or GPS. The newer technologies have resulted in more accurate horizontal and vertical control points on the earth's surface and serve as the basis for current vertical and horizontal datums.

Source:

DATA-02-03-S Geodetic Control Data Standard

Geographic Coordinate System (GCS)

Uses a three-dimensional spherical surface to define locations on the earth. A point is referenced by its longitude and latitude values.

Source:

DATA-02-03-S Geodetic Control Data Standard

Governance

The processes, groups and activities an agency takes to ensure compliance with its Information Technology policies, standards and procedures with the goal of meeting business requirements.

Government Accounting

The composite activity of analyzing, recording, summarizing, reporting, and interpreting the financial transactions of a governmental entity.

Source: 

Administrative and Financial System Investment Approval

Grievance

A formal complaint filed by a union on behalf of an employee or group of employees alleging a violation, misapplication or misinterpretation of one or more terms of the parties' collective bargaining agreement. Note: Collective bargaining agreements vary and a particular agreement may define this term differently.

Source: 

Administrative and Financial System Investment Approval

Guideline

A guideline is a compilation of best practice offered in support of a policy or standard.

Source: 

POL-01 Technology Policies, Standards, and Procedures

Hardening

A collection of tools, techniques, and best practices to protect technology, applications, systems, infrastructure, firmware, etc. with the goal of reducing security risk by eliminating potential attack vectors and condensing the system's attack surface.

Hiring

The process of onboarding a new employee into Washington state service. 

Source: 

Administrative and Financial System Investment Approval

Horizontal Datum

A reference surface against which locations on the earth are described, most commonly using latitude and longitude coordinates.

Source: 

DATA-02-04-S Web Mapping Standard

DATA-02-03-S Geodetic Control Data Standard

Identification

The process of verifying the identity of a user, process, or device, usually as a prerequisite for granting access to resources in an IT system.

Identifier

A sequence of characters used to identify or refer to a person, object, device, organization, etc. Depending on the application, it may be an identifying name or something more abstract (e.g., a string consisting of an IP address and timestamp).

Source:

SEC-06-01-S Identification and Authentication Security Standard

Immutable

Copies of files and data that cannot be altered or tampered with for a preset period of time.

Sources:

SEC-04-01-S Data Backup and Recovery Standard

MGMT-01-01-S Technology Portfolio Foundation - Applications

Impact

The magnitude of harm that can be expected to result from the consequences of unauthorized disclosure of information, unauthorized modification of information, unauthorized destruction of information, or loss of information or information system availability.

Sources:

SEC-04-03-S Configuration Management Standard

SEC-11-02-S Vulnerability Management Standard

Implementer

The implementer deploys the change into production. The implementer is the person who records the implementation results.

Incident Response

The mitigation of violations of security policies and recommended practices.

Independent Project Quality Assurance

The work of one or more professionals responsible for monitoring and assessing the health and effectiveness of project management plans and processes, as well as an overall assessment of a project's short- and longer-term risks. To preserve independence, the QA provider(s) report outside the project management organizational structure, generally to the project's Executive Sponsor and the State CIO. In Washington state government, independent Project QA is considered different from product or technical quality assurance, which might include testing and other independent verification and validation activities.

Information Security Program

Formalized Information Security Policies, standards and procedures that are documented describing the program management safeguards and common controls in place or those planned for meeting the Agency's information security requirements.

Information System

A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.

Sources: 

SEC-04-03-S Configuration Management Standard

SEC-11-01-S Information Security Risk Assessment Standard

Information Technology (IT)

Per RCW 43.105.020, "Information Technology" includes, but is not limited to, all electronic technology systems and services, automated information handling, system design and analysis, conversion of data, computer programming, information storage and retrieval, telecommunications, requisite system controls, simulation, electronic commerce, radio technologies, and all related interactions between people and machines.

Sources: 

RCW 43.105.020: Definitions (10) 

PM-01 IT Investments and Approval Oversight Policy

SEC-03 Information Security and Privacy Awareness Training Policy

Information Technology (IT) Assets/Resources

Anything that has value to an organization, including, but not limited to, another organization, person, computing device, information technology (IT) system, IT network, IT circuit, software (both an installed instance and a physical instance), virtual computing platform (common in cloud and virtualized computing), and related hardware (e.g., locks, cabinets, keyboards).

Source: 

SEC-11-02-S Vulnerability Management Standard

Information Technology (IT) Asset Owner

An asset owner is a person responsible for the day-to-day management of assets. This includes electronic and hard-copy information and hardware, software, services, people, and facilities.

Information Technology (IT) Expenditures

Within the TBM Program, the source financial information used for identifying IT expenditures is from the statewide Agency Financial Reporting System (AFRS) and based on these components:

  • New IT acquisitions (coded in AFRS as Project Type X).
  • IT maintenance and operations (coded in AFRS as Project Type Y).
  • Data processing services (AFRS Sub-Object EL).

NOTE: AFRS Sub-Object EL is defined in the OFM State Administrative and Accounting Manual (SAAM) 75.70.20 as "Charges by state agencies for information technology services. Examples include computing services, hosting services, network services, web services, statewide systems (AFRS, HRMS, etc.), and planning and policy assessment by agencies such as the Department Enterprise Services, the Office of Financial Management, Office of the Chief Information Officer and WaTech."

Information Technology (IT) Infrastructure

IT infrastructure consists of the equipment, systems, software, and services used in common across an organization, regardless of mission/program/project.

Information Technology Resource Tower (ITRT)

IT Resource Towers (ITRT) are functional IT groupings that can be used to benchmark to industry. They can be split into more granular ITRT Sub-Towers to gain visibility into specific functions within a tower. They also map up to utilization data in Accelerators, as well as to Applications and Services. The translation of financial information into functional IT towers (ITRTs) involves mapping from Cost Centers, and combining GL, Labor and Asset allocations.

Inherent Risk

Inherent risk is the impact and likelihood of a risk in the absence of controls.

Source:

SEC-11-01-S Information Security Risk Assessment Standard

Integrity

Guarding against improper information modification or destruction; this includes ensuring information non-repudiation and authenticity.

Source: 

SEC-08-01-S Data Classification Standard

Interactive Login

The process by which an end-user actively engages with a system's login interface to gain access. This involves manually entering their credentials into the login screen, such as a username and password/passphrase. The system then authenticates these credentials to verify the user's identity and initiates a session if the credentials are valid.

Source:

SEC-06-01-S Identification and Authentication Security Standard

Internal System or Network

An IT system or network designed and intended for use only by state of Washington employees, contractors, and business partners. A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.

Internet Control Message Protocol (ICMP)

A supporting protocol of the Internet Protocol suite used by hosts and routers to send error and diagnostic messages (for example, destination unreachable or time exceeded). ICMPv6 is the IPv6 counterpart and also carries Neighbor Discovery messages.

Source: EA-04-01-S IPv6 Implementation Standard

ISO

The International Organization for Standardization develops and publishes international standards.

Intrusion Detection Systems (IDS)

Security service that monitors and analyzes network or system events for the purpose of finding, and providing real-time or near real-time warning of, attempts to access system resources in an unauthorized manner.

Intrusion Prevention Systems (IPS)

System that can detect an intrusive activity and can also attempt to stop the activity, ideally before it reaches its targets.

K-20 Educational Network

A high-speed, high-capacity network that connects colleges, universities, K-12 school districts and libraries across Washington state. K-12 schools and educational organizations rely on the K-20 network to run hundreds of data-based applications that support school administration, distance learning and operations.

Key Management

Activities involving the handling of cryptographic keys and other related security parameters (e.g., initialization vectors) during the entire lifecycle of the keys, including their generation, storage, establishment, entry and output, use and destruction.

Least Privilege

The principle that a security architecture should be designed so that each entity is granted the minimum system resources and authorizations that the entity needs to perform its function.

Sources:

SEC-06-01-S Identification and Authentication Security Standard

SEC-06-02-S Remote Access Standard

Litigation Hold (aka Preservation Order or Hold Order)

A temporary suspension of the Agency's document retention/destruction policies for the documents that may be, or are reasonably anticipated to be, relevant to a lawsuit. It is a stipulation requiring the Agency to preserve all data, information and records (files, both electronic and physical, email and instant messages, voice recordings, video recordings, etc.) that may relate to a legal action involving the Agency. A litigation hold ensures that the documents relating to the litigation are not destroyed and are available for the discovery process prior to litigation.

Major Project

A project subject to State CIO/WaTech oversight based on the IT Project Assessment tool, a statute or some other factor as determined by the State CIO.

Malicious Code

Software (such as a Trojan horse) that appears to perform a useful or desirable function but gains unauthorized access to system resources or tricks a user into executing other malicious logic.

Malware

Software or firmware intended to perform an unauthorized process that will have adverse impact on the confidentiality, integrity, or availability of an information system. A virus, worm, Trojan horse, or other code-based entity that infects a host. Spyware and some forms of adware are also examples of malicious code.

Map Cache

A collection of prerendered map images defined by a map tiling scheme.

Source: 

DATA-02-04-S Web Mapping Standard

Map Projection

A mathematical model used to transform spherical geographic coordinates on the earth's curved surface to a planimetric Cartesian coordinate system.

Source: 

DATA-02-04-S Web Mapping Standard

Map Service

A service available across the Web which uses standardized protocols including XML and SOAP to transmit images.

Source: 

Map Tiling Scheme

A specification which defines the coordinate system, scales, geographic extent, dpi, tile size, and tile system origin of a set of hierarchically organized static map images that compose a map cache.

Source: 

DATA-02-04-S Web Mapping Standard

Media

Retrievable retention of data: electronic, electrostatic, or electrical hardware or other elements (media) into which data may be entered and from which data may be retrieved. This includes, but is not limited to, physical devices or writing surfaces onto which information is recorded, stored, or printed within an information system, such as magnetic tapes, optical disks, magnetic disks, Large-Scale Integration (LSI) memory chips, and printouts (but not display media).

Source: SEC-04-02-S Media Sanitization and Disposal Standard

Media Sanitization

The actions taken to render data written on media unrecoverable by both ordinary and extraordinary means. There are four methods:

  • Disposal: the most basic form of sanitization, where media is discarded with no special disposition.
  • Clear: level of media sanitization that would protect the confidentiality of information against a robust keyboard attack.
  • Purge: media sanitization process that protects the confidentiality of information against a laboratory attack.
  • Destroy: the ultimate form of sanitization, including disintegration, incineration, pulverizing, shredding and melting.

Source: SEC-04-02-S Media Sanitization and Disposal Standard

Metadata

Data about data. Metadata is a summary document providing content, quality, type, creation and spatial information about a dataset or other resource (for example, MP3 files, books, reports, websites, satellite images or DIS dataset).

Mobile Device

A portable computing device that:

  1. Has a small form factor such that it can easily be carried by a single individual.
  2. Is designed to operate without a physical connection (e.g., wirelessly transmit or receive information).
  3. Possesses local, non-removable or removable data storage.
  4. Includes a self-contained power source. Mobile devices may also include voice communication capabilities, on-board sensors that allow the devices to capture information, and/or built-in features for synchronizing local data with remote locations.

Examples include smart phones, tablets, and e-readers. This policy is not meant to apply to: cars, boats, airplanes, laptop computers, desktop computers, unpiloted aerial vehicles (drones), GPS receivers, radios.

Sources:

USER-03 Mobile Device Usage Policy 

SEC-04-06-S Mobile Device Security Standard

Mobile Device Management (MDM)

Software that allows agency support staff to manage a "sandbox" or container on a mobile device where state data and applications can be added, deleted, or monitored. Additional functions may include: issuance, inventory tracking, policy enforcement on the device.

Sources:

USER-03 Mobile Device Usage Policy 

SEC-04-06-S Mobile Device Security Standard

SEC-04-07-S Non-Agency Issued Device Security Standard

Multi-factor Authentication (MFA)

An authentication system or an authenticator that requires more than one authentication factor for successful authentication. Multi-factor authentication can be performed using a single authenticator that provides more than one factor or by a combination of authenticators that provide different factors.

Sources:

MGMT-01-01-S Technology Portfolio Foundation - Applications

SEC-04-04-S Firewall Standard

SEC-04-06-S Mobile Device Security Standard

SEC-04-07-S Non-Agency Issued Device Security Standard

Network

Information system(s) implemented with a collection of interconnected components. Such components may include routers, hubs, cabling, telecommunications controllers, key distribution centers, and technical control devices.

Sources:

SEC-04-05-S Network Security Standard

SEC-04-04-S Firewall Standard

Network Device

A device available to other computers on a network. Examples include servers, firewalls, routers, switches, workstations, networked Supervisory Control and Data Acquisition (SCADA) systems, and networked printers (multifunction devices).

Source:

SEC-04-05-S Network Security Standard

Nibble Boundary

A network mask that aligns with a boundary of 4 bits. It is used to keep addressing plans easily readable and understandable. In an IPv6 prefix, each hexadecimal character represents one nibble, which is 4 bits. Therefore, the prefix length of a delegated prefix should always be a multiple of 4.

Source: EA-04-01-S IPv6 Implementation Standard

Non-Repudiation

Assurance that the sender of information is provided with proof of delivery and the recipient is provided with proof of the sender's identity, so neither can later deny having processed the information.

Source:

SEC-06 Access Control Policy

Organizational User 

An employee or an individual whom the organization deems to have equivalent status to an employee, including a contractor, guest researcher, or individual detailed from another organization. Policies and procedures for granting the equivalent status of employees to individuals may include need-to-know, relationship to the organization, and citizenship.

Source:

SEC-06-01-S Identification and Authentication Security Standard

Passphrase

A passphrase combines words, numbers, and symbols to secure online accounts or systems. Unlike traditional passwords, which are typically shorter and composed of random characters, passphrases are longer and can be easier to remember.

Source:

SEC-06-01-S Identification and Authentication Security Standard

Password

A unique string of characters that, in conjunction with a logon ID, authenticates a user's identity.

Source:

SEC-06-01-S Identification and Authentication Security Standard

Patch Management

The systematic notification, identification, deployment, installation, and verification of operating system and application software code revisions. These revisions are known as patches, hot fixes, and service packs.

Penetration Test

A test methodology in which assessors, typically working under specific constraints, attempt to circumvent or defeat the security features of an information system. Also: Pen Test

Personal Information

Information that is identifiable, directly or indirectly, to a specific individual.

Source: DATA-03 Privacy and Data Protection Policy

Physical Security

Physical security describes measures that prevent or deter attackers from accessing a facility, resource, or information stored on physical media in an IT facility.

Policy

High-level statements of intention and direction of an organization as formally expressed by its top management. A policy expresses what must be accomplished or achieved and the roles and responsibilities of the various entities.

Portable Electronic Device

Electronic devices having the capability to store, record, and/or transmit text, images/video, or audio data. Examples of such devices include, but are not limited to: pagers, laptops, cellular telephones, radios, compact disc and cassette players/recorders, portable digital assistant, audio devices, watches with input capability, and reminder recorders. Also: Mobile Device

Privileged Account 

Accounts with permissions to change system configurations, or create, modify, or delete users.

Source:

SEC-06 Access Control Policy

Procedure

An established or official way of doing something.

Process

Operation or set of operations performed upon personal information that can include, but is not limited to, the collection, retention, logging, generation, transformation, use, disclosure, transfer and disposal of personal information.

Sources:

DATA-03 Privacy and Data Protection Policy

SEC-04 Asset Management Policy

Processing

See Data Processing

Projected Coordinate Systems (PCS)

Coordinate systems defined on a flat, two-dimensional surface and always based on a GCS (geographic coordinate system).

Source:

DATA-02-03-S Geodetic Control Data Standard

Quality Assurance Plan

A document that describes how the QA Practitioner will deliver its service.

Quality Assurance Solicitation

A Request for Proposal, a Request for Quote and Qualification, an interagency agreement proposal or an agency recruitment or any other effort that is intended to result in the acquisition or hire of a QA resource.

Ransomware

A type of malware that attempts to deny a user or organization access to data or systems, usually through encryption, until a sum of money or other currency is paid, or that forces the user or organization to take an action.

Recommendation

The QA Practitioner's suggested course of action to address a negative Finding.

Record

Recordings of evidence of activities performed or results achieved (e.g., forms, reports, test results), which serve as a basis for verifying that the organization and the information system are performing as intended. Also used to refer to units of related data fields (i.e., groups of data fields that can be accessed by a program and that contain the complete set of information on particular items).

Recovery Point Objective (RPO)

The point in time to which data must be recovered after an outage.

Source: 

SEC-04-01-S Data Backup and Recovery Standard

Recovery Procedure

Actions necessary to restore data files of an information system and computational capability after a system failure.

Source:

SEC-04-01-S Data Backup and Recovery Standard

Recovery Time Objective (RTO)

The maximum tolerable length of time that a computer, system, network or application can be down after a failure or disaster occurs.

Source: 

SEC-04-01-S Data Backup and Recovery Standard

Remote Access

Access to an organizational system by a user (or a process acting on behalf of a user) communicating through an external network.

Source:

SEC-06-02-S Remote Access Standard

Requestor

The requestor submits the change request.

Residual Risk

The potential for the occurrence of an adverse event after adjusting for the impact of all in-place controls.

Source: 

SEC-11 Information Security Risk Management Policy

Resilient/Resiliency

The capability of remaining or returning to a normal situation after an event by having multiple ways of performing a function. This may include people, processes or technology. Generally speaking, this means there would be no single point of failure that could stop a process.

Resources

Refers to any objects of interest such as books, reports, datasets, services, applications, websites, satellite images, videos, etc.

Risk

A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of:

  1. The adverse impacts that would arise if the circumstance or event occurs; and
  2. The likelihood of occurrence.

Risk Acceptance

The level of Residual Risk that has been determined to be a reasonable level of potential loss/disruption for a specific IT system.

Risk Appetite

The types and amount of risk, on a broad level, a business unit or organization is willing to accept in its pursuit of value.

Source: 

SEC-11 Information Security Risk Management Policy

Risk Assessment

The process of identifying risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system. Part of risk management, the assessment incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place. Synonymous with risk analysis.

Sources: 

SEC-11-01-S Information Security Risk Assessment Standard

SEC-04-01-S Data Backup and Recovery Standard

Risk Management

The program and supporting processes to manage information security risk levels to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, and includes:

  1. Establishing the context for risk-related activities,
  2. Assessing risk,
  3. Responding to risk once determined, and
  4. Monitoring risk over time.

Source: 

SEC-11 Information Security Risk Management Policy

Risk Mitigation

A decision, action, or practice intended to reduce the level of risk associated with one or more threat events, threat scenarios, or vulnerabilities.

Risk Profile

A prioritized inventory of the most significant risks identified and assessed through the risk assessment process versus a complete inventory of risks.

Risk Register

A repository that contains the information about identified risks, results of Risk Analysis (impact, probability, effects), as well as Risk Response Plans. Used to monitor and control risks associated with a system, application or asset lifecycle.

Risk Tolerance

The agency's or stakeholder's readiness to bear the risk after risk treatment in order to achieve its objectives. Note: Risk tolerance can be influenced by legal or regulatory requirements.

Risk Treatment Plan (RTP)

Process to modify risk.

Sources:

SEC-11 Information Security Risk Management Policy

SEC-02 Security Assessment and Authorization Policy

Safeguard

A mechanism (software, hardware, configuration, etc.) that protects something, such as information.

Sanitization

The actions taken to render data written on media unrecoverable by both ordinary and extraordinary means.

Secure Segmentation

Secure segmentation is defined as implementing methods that allow for secure communication between various levels of segmented environments. These environments typically involve 4 basic segment groups:

  • Outside (Trust no one).
  • Services (Trust limited to defined segmentation lines).
  • Internal (Trust limited to defined group).
  • External users (Trust limited to defined group).

The methods for securing these segments may include but are not limited to firewall and switch/router configurations and router/switch ACLs.

Security

A condition that results from the establishment and maintenance of protective measures that enable an organization to perform its mission or critical functions despite risks posed by threats to its use of systems. Protective measures may involve a combination of deterrence, avoidance, prevention, detection, recovery, and correction that should form part of the organization's risk management approach.

Security Administrator

A security administrator performs information security functions for servers and other hosts, as well as networks.

Source:

SEC-09-01-S Security Logging Standard

Security Control

A safeguard or countermeasure prescribed for an information system or an organization, designed to protect the confidentiality, integrity, and availability of its information and to meet a set of defined security requirements, including but not limited to those defined in the WaTech IT security standards.

Security Domain

A domain within which behaviors, interactions, and outcomes occur and that is defined by a governing security policy. Note: A security domain is defined by rules for users, processes, systems, and services that apply to activity within the domain and activity with similar entities in other domains.

Source:

SEC-06 Access Control Policy

Security Event

A security change that may have an impact on organizational operations (including mission, capabilities, or reputation).

Sensitivity

The degree to which an IT system or application requires protection (to ensure confidentiality, integrity, and availability), which is determined by an evaluation of the nature and criticality of the data processed, the relation of the system to the organization's missions, and the economic value of the system components.

Sources: 

SEC-04-01-S Data Backup and Recovery Standard

SEC-08-01-S Data Classification Standard

Service Accounts

Service accounts are a special type of non-human privileged account used to execute applications and run automated services, virtual machine instances, and other processes.

Source:

SEC-06-01-S Identification and Authentication Security Standard

Service Agreement

Represents a commitment between a service provider and one or more customers and addresses specific aspects of the service, such as responsibilities, details on the type of service, expected performance level (e.g., reliability, acceptable quality, and response times), and requirements for reporting, resolution, and termination.

Services

A service is a means of delivering value to customers by facilitating outcomes that customers want to achieve without the ownership of specific costs and risks.

Source:

SEC-12 Information Technology Disaster Recovery Planning

Service Disruption

An unplanned event that causes an information system to be inoperable for a period of time.

Simple Network Management Protocol (SNMP)

A standard TCP/IP protocol for network management. Network administrators use SNMP to monitor and map network availability, performance, and error rates. To work with SNMP, network devices utilize a distributed data store called the Management Information Base (MIB). All SNMP-compliant devices contain a MIB which supplies the pertinent attributes of a device. Some attributes are fixed or “hard-coded” in the MIB, while others are dynamic values calculated by agent software running on the device.

Source: EA-04-01-S IPv6 Implementation Standard

SMART

SMART is a mnemonic for Specific, Measurable, Achievable, Relevant and Time-bound. These characteristics are helpful to remember when identifying project objectives.

Software as a Service (SaaS)

The capability provided to the consumer is to use the provider's applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web-based email), or a program interface. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, except for limited user-specific application configuration settings.

Source:

SEC-06-02-S Remote Access Standard

SEC-12 Information Technology Disaster Recovery Planning

Standards

Documents that support policies and indicate how and what kind of technology and business processes must be implemented, used and maintained to meet policy objectives.

Start of a Project

For the purposes of project investment, approval, oversight and quality assurance, the start of the project is at the beginning of planning.

State Data Centers

See also Data Center

Includes:

  • The Olympia-based State Data Center (SDC) operated by WaTech.
  • The Quincy-based Disaster Recovery Services Data Center leased by WaTech.

Source:

EA-02-03-S Data Center Investments

State Government Network (SGN)

The shared, internal enterprise network bounded by a WaTech-managed security layer. The WaTech-managed security layer is defined as firewalls, proxy servers, security appliances, secure gateways, and other centrally managed security services.

Sources: 

SEC-04-05-S Network Security Standard

SEC-06-02-S Remote Access Standard

State Plane Coordinate Systems (SPCS)

PCS designed for applications within a state. Washington is divided into two zones: North and South.

Source:

DATA-02-03-S Geodetic Control Data Standard

Storage Media

See Media

Sunset Review

A mandatory periodic review of a technical policy and standard that:

  • Determines the continued need for the policy or standard, and
  • Evaluates the full content of the policy or standard for accuracy, clarity and completeness.

Sunset reviews may occur ahead of the published sunset review date if needed.

System

An interconnected set of information resources under the same direct management control that shares common functionality. A system normally includes hardware, software, information, data, applications, communications, and people.

Source:

SEC-12 Information Technology Disaster Recovery Planning

System Administrator

Individual who implements approved secure baseline configurations, incorporates secure configuration settings for IT products, and conducts/assists with configuration monitoring activities as needed.

Source:

SEC-06-01-S Identification and Authentication Security Standard

System Components

The discrete information technology assets comprising a system. This includes hardware, software, and firmware.

Source: SEC-04 Asset Management Policy

Tablet PC

A portable general-purpose computer contained within a single small form factor LCD display sized to approximately match that of a traditional writing paper tablet. A tablet PC utilizes a touch screen as the primary input source. Typically, either wireless (802.11) or mobile (4G) networks are used for connectivity, with limited physical port options. Examples of Tablet PCs include iPad, Motorola Xoom, HP Elitebook, Samsung Galaxy, Sony Tablet S, Toshiba Thrive, Acer Iconia, Kindle Fire, Nook tablet, etc.

Technology Business Management (TBM)

A set of best practices for running IT like a business - and more importantly for effectively and consistently (using a data-driven agreed upon framework) communicating not just the cost of IT, but also attributing that cost to business services. Key to TBM is the ability of IT and business leaders to have data-driven discussions about cost and value of IT to best support business goals.

Technical Owner/Steward 

This is a list of the attributes and characteristics to look for in a technical owner/steward:

  • Understanding of technology operations and how the business application/system impacts these operations as well as how technology operations impact the business.
  • Organizational authority to make technology resources available when needed.
  • Ability and authority to bring people together to make timely and binding decisions.
  • Ability and authority to make decisions when formal governance structures won't or can't make them.
  • Commitment to the documented governance processes and activities.
  • Has the ear of the business owner/steward and the agency director when needed.
  • Able to communicate effectively with internal and external entities, particularly around critical system issues and impacts.
  • Ability to understand the cost and risk of business changes to be made under this policy.

Source:

MGMT-03 Business Application/System Governance

TBM Categorization

Within the TBM Program, agencies are responsible for categorizing and documenting their costs to the program taxonomies. The TBM Program provides templates that agencies use to capture and submit categorization to the program.

TBM Cost Center

The cost center used in the TBM program is agency defined. Agencies can select up to three fields coded in the statewide Agency Financial Reporting System (AFRS) for their TBM Cost Center.

TBM Project

This term, as used in TBM policy and accompanying standards is defined per our current TBM product. A 'project' is a discrete area within the product in which datasets, models, metrics and reports reside; these are configured according to specific business rules defined by the project administrator. Agency-specific projects allow for greater reporting accuracy than the multi-agency project, which allows less granularity and customization of business rules.

Technology Tower

This is an updated industry term for IT Resource Towers (ITRT). The ITRT are functional IT groupings that can be used to benchmark to industry. They can be split into more granular ITRT Sub-Towers to gain visibility into specific functions within a tower. They also map up to utilization data in Accelerators, as well as to Applications and Services. The translation of financial information into functional IT towers (ITRTs) involves mapping from Cost Centers, and combining GL, Labor and Asset allocations.

Third-Party Agency

A Washington State agency that provides IT services to another Washington State agency.

Source: SEC-04 Asset Management Policy

Threat

Any circumstance or event (human, physical, or environmental) with the potential to cause harm to an IT system in the form of destruction, disclosure, adverse modification of data, and/or denial of service by exploiting a vulnerability.

Threat Intelligence

Information that has been aggregated, transformed, analyzed, interpreted, or enriched to provide the necessary context for decision-making processes.

Source:

SEC-11-01-S Information Security Risk Assessment Standard

Threat Source

The intent and method targeted at the intentional exploitation of a vulnerability or a situation and method that may accidentally trigger a vulnerability.

Source:

SEC-11-01-S Information Security Risk Assessment Standard

Token

Something that the claimant possesses and controls (such as a key or password) that is used to authenticate a claim.

Trusted

System or network in which there exists a level of confidence (based on rigorous analysis and testing) that the security principles and mechanisms (e.g., separation, isolation, least privilege, discretionary and non-discretionary access control, trusted path, authentication, and security policy enforcement) are correctly implemented and operate as intended even in the presence of adversarial activity.

Tunneling

The encapsulation of one protocol inside of another.

Source: EA-04-01-S IPv6 Implementation Standard

Undue Burden

In determining whether an action would result in an undue burden, an agency shall consider all agency resources available to the program or component for which the covered technology is being developed, procured, maintained, or used.

Untrusted

System, network, or process that has not been evaluated or examined for correctness and adherence to the security policy. Characterized by absence of trusted status. Assumed to be unreliable, untruthful, and inaccurate unless proven otherwise.

User

Employees, volunteers, and other persons whose conduct, in the performance of work for an agency, is under the direct control of the agency, whether or not they are paid by the agency. This includes, but may not be limited to, full and part time elected or appointed officials, employees, contractors, affiliates, associates, students, volunteers, and staff from third party entities who provide service to the agency.

Source:

SEC-06 Access Control Policy

Vendor

Commercial supplier of software or hardware, or services.

Sources:

SEC-04 Asset Management Policy

SEC-08 Data Sharing Policy

SEC-11-01-S Information Security Risk Assessment Standard

Verification and Validation

The process of determining whether the requirements for a system or component are complete and correct, the products of each development phase fulfill the requirements or conditions imposed by the previous phase, and the final system or component complies with specified requirements.

Vertical Datum

A reference surface against which elevation and depth are measured on the earth's surface.

Source:

DATA-02-03-S Geodetic Control Data Standard

Virtual Teletype (VTY)

A command line interface (CLI) created on a router and used to facilitate a connection to the device's management daemon via Telnet, a network protocol used in local area networks.

Source: EA-04-01-S IPv6 Implementation Standard

VPN

A virtual network built on top of existing networks that can provide a secure communications mechanism for data and IP information transmitted between networks.

Source:

SEC-04-05-S Network Security Standard

Vulnerability

Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.

Sources:

SEC-11-01-S Information Security Risk Assessment Standard

SEC-11-02-S Vulnerability Management Standard

Vulnerability Assessment

A systematic examination of an information system or product to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation.

Source: 

SEC-11-02-S Vulnerability Management Standard

Vulnerability Management

An Information System Continuous Monitoring (ISCM) capability that identifies vulnerabilities, known as Common Vulnerabilities and Exposures (CVEs), on devices that are likely to be used by attackers to compromise a device and use it as a platform from which to extend compromise to the network.

Vulnerability Scanning

A technique used to identify hosts/host attributes and associated vulnerabilities.

Web Mercator Auxiliary Sphere Coordinate System

A world coordinate system used by popular web mapping tools such as Google Maps, Bing Maps, ArcGIS Online, and others.

Source: 

DATA-02-04-S Web Mapping Standard

WGS 84 Coordinate System

Acronym for "World Geodetic System 1984." WGS 84 is a commonly used geocentric horizontal datum.

Source: 

DATA-02-04-S Web Mapping Standard

Workgroup

An ad hoc or standing group of subject matter experts who support the development and maintenance of policies, standards and/or guidelines.

World Coordinate System

A Cartesian coordinate system that represents locations on the earth using a single worldwide coordinate grid.

Source: 

DATA-02-04-S Web Mapping Standard

Zero-Day

  • Zero-Day Vulnerability: An unknown security vulnerability or software flaw that a threat actor can target with malicious code such as a virus.
  • Zero-Day Exploit: The technique or tactic a malicious actor uses to leverage the vulnerability to attack a system.
  • Zero-Day Attack: Occurs when a hacker releases malware to exploit the software vulnerability before the flaw is patched.

Source: 

SEC-11-02-S Vulnerability Management Standard