# Terms & Definitions

### **Administrator Accounts**

Dedicated accounts with elevated privileges used for managing aspects of computer systems, domains, or entire enterprise IT infrastructure. Common subtypes include root accounts, local administrator accounts, domain administrator accounts, and network or security appliance administrator accounts.

### **Air Gap**

An interface between two systems that are not physically connected and have no automated logical connection. Data transfer through the interface is performed manually and under human control.

### **Application**

A program or group of programs hosted on enterprise assets and designed for end-users. Applications are considered software assets and can include web, database, cloud-based, and mobile applications. They consist of multiple components, including services and libraries.

### **Asset**

Anything of value to an organization, including computing devices, IT systems, networks, circuits, software, virtual computing platforms, and related hardware such as locks and keyboards.

### **Asset Inventory**

A register or comprehensive list of an enterprise’s assets, including specific information about these assets.

### **Asset Owner**

The department, business unit, or individual responsible for an enterprise asset.

### **Authentication Systems**

Mechanisms used to identify users by associating requests with a set of identifying credentials. Examples include Active Directory, Multi-Factor Authentication (MFA), biometrics, and tokens.

### **Authorization Systems**

Systems determining access levels or privileges related to system resources. Examples include Active Directory, access control lists, and role-based access control lists.

### **Cloud Environment**

A virtualized environment providing on-demand network access to configurable resources. Characteristics include on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service. Services include SaaS, PaaS, and IaaS.

### **Community Members**

Faculty, staff, students, and affiliates of Harvard University who are subject to the policies and responsible for adhering to security requirements, including completing training and protecting data and systems.

### **Confidentiality**

Ensuring information is not disclosed to unauthorized entities. It covers data in storage, processing, and transit.

### **Configuration**

The possible conditions and specifications for describing or arranging a system component. A mechanism must exist to manage configuration settings.

### **Configuration Baseline**

A set of specifications for a system or component that is reviewed and agreed upon, which can only be changed through formal procedures. It serves as a basis for future modifications.

### **Configuration Management**

Activities focused on establishing and maintaining the integrity of IT products and systems through controlling change processes throughout the system development lifecycle.

### **Configuration Management Plan**

Describes the roles, responsibilities, policies, and procedures for managing the configuration of products and systems.

### **Data Steward**

A custodian responsible for a data set, ensuring data accuracy, compliance with regulations, and addressing questions and concerns about its use.

### **Database**

An organized collection of data stored electronically, often managed by Database Management Systems (DMS).

### **Dissociability**

The ability to separate data processing from individual identities, beyond operational requirements.

### **End-User Devices**

IT assets used by enterprise members for work or personal purposes, including desktops, laptops, smartphones, tablets, and workstations.

### **Enterprise Assets**

Assets capable of storing or processing data, including end-user devices, network devices, IoT devices, and servers in various environments.

### **Enterprise Asset Identifier**

A unique identifier, often a sticker or tag, for tracking assets within an inventory.

### **Exceptions**

Formal requests for deviations from a policy or standard, reviewed and approved by designated authorities when adhering to a policy is impractical or poses a significant challenge.

### **Internal**

Data intended for a specific audience but not publicly available.

### **Library**

Pre-written code and data used to aid software program development.

### **Minimum Necessary**

Minimize the collection and use of personal information to what is essential for legitimate institutional purposes.

### **Mobile End-User Devices**

Smaller, enterprise-issued devices like smartphones and tablets, considered a subset of portable end-user devices.

### **Network Devices**

Devices facilitating communication in a network, including routers and switches, consisting of both hardware and virtual components.

### **Network Infrastructure**

Resources enabling connectivity and communication within a network, which can be cloud-based, physical, or virtual.

### **Non-Computing/Internet of Things (IoT) Devices**

Devices that connect and exchange data over the internet without performing computational processes, such as printers and security sensors.

### **Non-Public**

Information not intended for public disclosure.

### **Operating System**

System software managing hardware and resources, considered a software asset. Types include single-user, multi-tasking, real-time, and embedded systems.

### **Personally Identifiable Information (PII)**

Information that can be used to trace an individual’s identity, alone or when linked with other data.

### **Personally Owned Devices**

Individual computing devices owned by community members but used for university business purposes. Such devices must meet Harvard's security and configuration standards to ensure the protection of university data and systems.

### **Physical Environment**

The physical hardware enabling network communication between devices.

### **Portable End-User Devices**

Devices capable of wireless connections, including laptops and mobile devices.

### **Principle of Least Privilege**

Limit access to the minimum necessary to perform a function, applying to system and user permissions.

### **Processing**

The operations performed on data, including PII, which may involve collection, use, disclosure, and disposal.

### **Public Information**

Information made available to the public without distribution restrictions.

### **Regulated**

Data subject to legislation or regulation, including MA 201 CMR 19, HIPAA, FERPA, and GDPR.

### **Remote Devices**

Assets capable of remote network connection, including end-user and network devices.

### **Remote File Systems**

Systems enabling application access to files stored remotely, using network connections.

### **Removable Media**

Storage devices removable while the system is operational, allowing data transfer between systems.

### **Restricted**

Data requiring higher security standards, sometimes stipulated by contractual or regulatory requirements.

### **Risk**

The potential threat posed by an event or circumstance, including its impact severity and likelihood.

### **Sensitive Information**

Private information protected from loss, where disclosure could harm individuals or the organization.

### **Servers**

Devices providing resources or services within a network.

### **Service**

Software functionalities that provide access based on the requestor’s identity according to enterprise policies.

### **Service Accounts**

Accounts with escalated privileges used for applications and processes, not intended for manual user operations.

### **Shared Responsibility Model**

In cloud computing, security responsibilities are divided between the cloud provider and the user.

### **Social Engineering**

Malicious activities exploiting human interactions to gain sensitive information.

### **Software Assets**

Programs and information systems used within an enterprise asset, including operating systems and applications.

### **System Stewards**

Individuals or groups responsible for managing Harvard's IT services or systems, ensuring compliance with Minimum Standards, enabling secure operation, and providing security incident response.

### **University Data**

Data generated as part of university business, covered broadly by university policy.

### **User**

Anyone operating an enterprise asset, including employees and third-party vendors.

### **User Accounts**

Standard accounts with limited privileges for general tasks, distinct from administrator accounts.

### **Virtual Environment**

Technology simulating hardware for running software environments, fundamental to cloud computing.