
Office of the AVP & CTO

INFORMATION TECHNOLOGY SECURITY

Information Security Glossary

The purpose of this document is to define terms and phrases that relate to, and are found in, the McMaster University Information Security Policy and its associated standards, guidelines and procedures.

The intent of this document is to provide a tool that gives all McMaster constituents the opportunity to participate in discussions about Cyber Security and Privacy.

Account holder
The account holder is the individual for whom the account was provisioned, and the individual who is responsible for the account.
Accounts
Accounts are the full record of activity, communication, and content accessible to a Constituent who is a customer of a service. This includes, but is not limited to, email mailboxes, home directories, computer profiles, telephone voicemail, and University managed, sponsored, or branded social networking profiles.
Authentication
Authentication is the process by which a service, server, system, or computing device verifies the identity of a customer.
Authentication controls
Authentication controls are the mechanisms used to perform the verification. Examples of authentication controls include, but are not limited to, passwords, passphrases, personal identification numbers, swipe patterns, fingerprint recognition, and one time passwords.
Canadian Anti-Spam Legislation (CASL)
Canadian Anti-Spam Legislation (CASL) protects Canadians from the threats related to digital communications, including spam, phishing and malware. (https://www.mcmaster.ca/privacy/casl/ and http://crtc.gc.ca/eng/internet/anti.htm)
Client computing device
A client computing device is used by a Constituent to access University information technology services, computing resources, or information. This may include, but is not limited to, desktop computers, laptops, netbooks, tablets, smartphones, PDAs and other specialized equipment.
Communication and collaboration services
Communication and collaboration services are defined as digital technologies with which constituents collaborate, communicate, share opinions, files, or other information. Services may include, but are not limited to: email, network storage, telephone, instant messaging, University managed, sponsored, or branded social networks, cloud services, printers, and online comments.
Computing Resource
A computing resource is any type of computer that is connected to the University data or telephony network. This includes but is not limited to servers, workstations, laptops, mobile devices, network appliances, telecommunication and teleconferencing devices, printers, automation hardware, and industrial control systems.
Confidential (information)
Confidential information requires strong controls against unauthorized disclosure, loss, and modification. Disclosure, loss, or unauthorized modification of confidential information may result in reputational damage and disruption to business, with a high potential for financial consequences and legal liability. Confidential information should only be disclosed to authorized persons. Examples of Confidential information may include Personally Identifiable Information (PII), Personal Health Information (PHI) and credit card information (covered by PCI-DSS). See the Information Classification Matrix for information handling guidance.
Constituents
University Constituents are individuals that have an existing relationship with the University, including but not limited to adjunct professors, affiliates, alumni, external contractors, faculty, graduate students, guests, librarians, partners, postdoctoral fellows, retirees, staff, undergraduate students, visiting professors, visitors, and volunteers.
Copyright Modernization Act (CMA)
The Canadian Copyright Modernization Act (CMA) protects copyright owners from inappropriate access to their materials, and defines the responsibilities and liabilities of internet service providers. (http://laws-lois.justice.gc.ca/eng/annualstatutes/2012_20/FullText.html)
Credentials
Credentials are the mechanism used to authenticate an individual in order to provide access to an account. Credentials usually consist of a user identifier (e.g., MacID) and a password.
Delegate
A delegate is an individual for whom the account holder has authorized and arranged access to use the account.
Development (server)
Development computing resources are intended to be used to create new configurations and implementations.
Elevated Privilege
Accounts with elevated privilege are those that are used to configure service and resource settings, and the access privileges of other users. Such accounts include, but are not limited to, administrator, root, and service principal accounts. In most cases an account with elevated privilege is a named account to which administrative privilege or role(s) have been granted.
Externally accessible
An externally accessible resource accepts connection requests from a limited number of known external internet protocol addresses. Public facing and externally accessible resources have been included in the perimeter network access control list to allow these connections.
Internal (information)
Internal information requires some controls against unauthorized disclosure and modification; however, the sensitivity and impact of disclosure are less than those for confidential information. Internal information is mostly routine business communication and documentation. See the Information Classification Matrix for information handling guidance.
Internal (server)
An internal resource accepts connection requests only from other computers on the University network.
Payment Card Industry – Data Security Standard (PCI-DSS)
Payment Card Industry Data Security Standard (PCI-DSS) is an information security standard that protects against credit card fraud. Compliance is required of any organization that handles, transmits, and / or stores cardholder data, or otherwise processes payments from major credit cards, including Visa, MasterCard, and American Express.
Personal Health Information (PHI)
Personal Health Information (PHI) is personally identifiable information related to an individual’s health care. This may include identifying information about an individual that relates to their physical or mental health; that consists of the health history of their family; that relates to payments or eligibility for health care; or, includes the individual’s health number.
Personally Identifiable Information (PII)
Personally identifiable information (PII) is information that can be used to uniquely identify, contact, or locate a single person or can be used with other sources to uniquely identify a single individual.
Portable storage device
Portable storage devices are any easily transportable device or medium on which information can be stored. This definition is not restricted to purpose-built storage devices such as CDs/DVDs, removable hard drives, and USB flash drives, but may also include laptop computers, tablets, smartphones, PDAs, and any other portable computing device.
Primary user
The primary user of a client computing device is the owner of the device, or the person to whom the client computing device has been assigned for use.
Production (server)
Production computing resources are those that are used for handling live data and customer requests.
Public facing
A public facing resource accepts anonymous connection requests from any public internet protocol address. Public facing and externally accessible resources have been included in the perimeter network access control list to allow these connections.
Restricted
Restricted information requires very strong controls against unauthorized disclosure, loss, and modification. Disclosure, loss, or unauthorized modification of restricted information may result in significant reputational damage and significant disruption to business, as well as very serious financial consequences and legal liability. Restricted information must only be disclosed to authorized persons. Examples of restricted information include strategic organizational plans and financial information, and in-camera senate and board meetings. See the Information Classification Matrix for information handling guidance.
Role
A role is the set of connected privileges that are assigned to credentials to enable the owner to perform their functional responsibilities. Examples of roles include, but are not limited to, administrator, power user, user, or guest.
Service
A service is software, servers, systems, and / or business processes and policies that fulfill Constituents’ computing needs. Examples of services may include email, business process management (e.g., Mosaic), internet connectivity, deskside support, file storage and backup.
Service Owner
The service owner is the department head who is accountable for the service, and computing resources required to provide the service, within the organization.
Sponsored account
A sponsored account is any account for which the holder is not identifiable by the account name. Examples of sponsored accounts include, but are not limited to, shared accounts, role based accounts, generic accounts, and guest accounts.
Standard
Information Security enterprise standards are general statements outlining technical requirements that must be met in order to remain in compliance with the Information Security Policy.
Technical specialist
A Technical Specialist is an individual or team to whom the Service Owner has delegated the responsibility for configuring and maintaining the computing resources upon which the service is offered.
Test (server)
Test computing resources are those that are used to test new configurations and implementations before they are moved into production.
Unrestricted (information)
Unrestricted information requires controls against unauthorized modification. Disclosure, loss, or modification of unrestricted information may result in minimal reputational damage. Unrestricted information is authorized to be accessed by the public. Examples of unrestricted information may include brochures, news releases, and staff business contact information. See the Information Classification Matrix for information handling guidance.