Glossary of IIT Terminology

Summary

Glossary of terms used in Information Technology Requirements, Guidelines, and Processes.

Body

  • Authentication Information - Authentication information is data used to prove the identity of an individual, system, or service. Examples include passwords, shared secrets, cryptographic private keys, and hash tables.
  • Authorized Users - Any individual, including but not limited to faculty, staff, students, contractors, and guests, who is authorized by the College to access information technology resources or electronic Information Resources and is current in their privileges.
  • Availability - The ability for authorized users to access and retrieve data whenever they need it.
  • Business and Financial Resources Office - The Business and Financial Resources Office supports institutional functions including accounting, accounts payable, accounts receivable, budget, management advisory services, payroll, and procurement. Auxiliary services functions under the finance team include the AACC Bookstore and event and food services.
  • Confidential and Sensitive Information - Information that is deemed under applicable law. Personally identifiable information, personally identifiable education records, individually identifiable health information, personally identifiable financial information, and payment card information are examples of Confidential and Sensitive Information covered under the Family Educational Rights and Privacy Act (FERPA), Health Insurance Portability and Accountability Act of 1996 (HIPAA), Gramm–Leach–Bliley Act (GLBA aka Financial Services Modernization Act of 1999) and Payment Card Industry Data Security Standard (PCI DSS), respectively.
  • Confidential Information (CI) - Consists of non-public information about a person or an entity that, if disclosed, could reasonably be expected to place the person or the entity at risk of criminal or civil liability, or damage the person or entity's financial standing, employability, privacy, or reputation.   
    • Personal Information such as name, address, phone number, gender, ethnicity, physical description, date of birth, place of birth, dependent information, or email address.
    • Unique Identifiers such as social security numbers, social insurance numbers, driver's license information, state identification card numbers, and passport information.
    • Financial Information such as credit and debit card information, financial account information, tax records, and payment history.
    • Personnel Information such as payroll information, leave slips, salary, benefits information, and performance evaluations.
    • Security Credentials such as user IDs, passwords, security codes, and documentation regarding authorization and access.
    • Student academic records.
    • Search committee data.
    • Medical and employment history.
    • Proprietary or intellectual property in which the college asserts ownership that is created by college employees in connection with their work.
    • License keys (products and services).
    • Legally binding documentation affecting the college such as contracts, confidential agreements between the college and third parties, non-disclosure agreements, and information accepted and handled per legal agreements.
    • RFP responses.
    • Vendor Information.
  • Confidentiality - A set of rules or a promise that limits access or places restrictions on any information that is being shared.
  • Cloud-Based Systems - Resources that are hosted by third parties on behalf of the College, including, but not limited to, the following use cases: Infrastructure-as-a-Service, Platform-as-a-Service, and Software-as-a-Service.
  • Contractor - A person or a company that undertakes a contract to provide materials or labor to perform a service.
  • Customer - Any individual who receives a financial product or service from the College.
  • Data - Element(s) of Information in the form of facts, such as numbers, words, names, or descriptions of things from which "understandable information" can be derived.
  • Data Owners - College employees who are responsible for determining Data categorizations, working with the Information Security Program in performing risk assessments and developing the appropriate procedures to implement the ITRs in their respective areas of responsibility.
  • Electronic Communication - Any means of transmitting and receiving messages over electronic media including, but not limited to, a smartphone, cell phone, telephone, fax, tablet, or computer.
  • Employee - College staff and faculty, including nonexempt, exempt, and overseas staff and collegiate faculty.
  • Information System - Inter-related components of Information Technology Resources working together for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
  • Encryption - A procedure that renders the contents of an electronic message or file unintelligible to anyone not authorized to read it. The message is encoded mathematically with a string of characters called a data encryption key.
  • Family Educational Rights and Privacy Act (FERPA) - A federal law that protects the privacy of student education records. "Education records" are "those records, files, documents, and other materials which 1) contain information directly related to a student; and 2) are maintained by an educational institution." (20 U.S.C. § 1232g(a)(4)(A); 34 CFR § 99.3). FERPA applies to all schools that receive funds under an applicable program of the U.S. Department of Education.
  • Family Educational Rights and Privacy Act (FERPA) Sensitivity Level - This sensitivity level is used if the Family Educational Rights and Privacy Act governs the release of information. The document or email will be encrypted. All Data Users can use this sensitivity label. 
  • Financial – General - Use this sensitivity label if the document or email contains financial data, either for a person or for the college. The document or email will be encrypted. All Data Users can use this sensitivity label.
  • Financial Service - Includes offering or servicing student loans, receiving income tax information from a student or a student’s parent when offering a financial aid package, reviewing credit reports in connection with providing a loan to a student or prospective student, engaging in debt collection activities, and leasing real or personal property to students for their benefit.
  • General - Business data that is not intended for public consumption. However, the document can be shared with external partners, as required. The document is not encrypted. All Data Users can use this sensitivity label.
  • Gramm-Leach-Bliley Act (GLBA) aka Financial Services Modernization Act of 1999 -  A federal law that requires “financial institutions,” including, but not limited to, colleges and universities, to protect the privacy of their customers, including information that customers provide to a financial institution that would not be available publicly (“personally identifiable financial information (PIFI)”). Therefore, the College has a responsibility to secure the personal records of its students and employees. To ensure this protection, GLBA mandates that all financial institutions establish appropriate administrative, technical, and physical safeguards. GLBA also requires financial institutions to provide notice to customers about their privacy policies and practices, but institutions of higher education are generally exempt from this requirement, because they already do so under FERPA.  
  • Guideline - IIT guidelines are practices, standards, and principles that provide direction for the effective and secure use of information technology resources at AACC. These guidelines typically cover various aspects of IT operations, including but not limited to cyber security, data management, application and hardware usage, network infrastructure, compliance, disaster recovery and business continuity, user behavior, customer service, and AACC community support.
  • HIPAA - Health Insurance Portability and Accountability Act of 1996; an Act to amend the Internal Revenue Code of 1986 to improve portability and continuity of health insurance coverage in the group and individual markets, to combat waste, fraud, and abuse in health insurance and health care delivery, to promote the use of medical savings accounts, to improve access to long-term care services and coverage, to simplify the administration of health insurance, and for other purposes.
  • HIPAA Privacy Rule - A statute that (1) establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically, (2) requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization, and (3) gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections. The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information “protected health information (PHI).” (45 CFR § 160.103). The Privacy Rule excludes from protected health information employment records that a covered entity maintains in its capacity as an employer in education and certain other records subject to, or defined in, the Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. §1232g.
  • HITECH - Health Information Technology for Economic and Clinical Health Act is a part of the American Recovery and Reinvestment Act of 2009 that supports the adoption of electronic health records (EHRs) by providing financial incentives and strengthening privacy and security provisions. The HITECH Act aims to achieve meaningful use of EHRs, which means using them to improve the quality and efficiency of health care.
  • Information System Custodian - A College staff member or other individual providing services to the College who is responsible for the development, procurement, compliance, and/or final disposition of an Information System.
  • Information Technology Requirement (ITR) - ITRs consolidate technology-related policies and procedures into a single technology-centric classification framework. This framework enables IIT to be agile and flexible in response to the ever-evolving technology landscape. The classification of ITRs includes: ITRs (PVP approved), Guidelines (VP of IIT approved), and Processes (IIT Director approved).
  • Information Technology Resource(s) - Any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the College directly or by a third party under a contract with the College which requires the use of such equipment. The term includes computers, mobile devices, software, firmware, services (including support services), and the College’s network via a physical or wireless connection, regardless of the ownership of the Information Technology Resource connected to the network.
  • Instructional - This sensitivity label designates documents that are used for instructional purposes. The document is not encrypted. All Data Users can use this sensitivity label.
  • Integrity - The maintenance of, and the assurance of, data accuracy and consistency over its entire life cycle.
  • Interactive login - A logon process whereby the user gains access to the network by entering a username and password in response to a dialog box.
  • Non-Public Personal Information (NPI) - Information that is (i) provided by a customer to the College, (ii) provided by another financial institution to the College, or (iii) otherwise obtained by the College for the purpose of offering a financial product or service.
  • Personal Information - Any information concerning or related to an individual. Personal information includes (but is not limited to) personally identifiable information, grades, home address, familial relations, life/biographical information, health, hobbies, electronic activity, and geographic location.
  • Payment Card Industry Data Security Standard (PCI DSS) - A proprietary information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, automated teller machine (ATM), and point-of-sale (POS) cards. “Payment card information” is any personally identifiable information associated with a cardholder, such as the cardholder’s account number, account expiration date, name, address, or social security number. All personally identifiable information associated with the cardholder that is stored, processed, or transmitted is also considered payment card information.
  • Personally Identifiable Information (PII) - Any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means; data that can be used on its own or in combination with other information to trace or identify a person. This may include, but is not limited to:
    • Name (in combination with other factors) 
    • Social Security Number
    • Tax Identification Numbers 
    • Financial Information such as credit and debit card information, financial account information, tax records, and payment history
    • Physical Address 
    • Telephone Number
    • Email Address 
    • Date of Birth 
    • Mother’s Maiden Name 
    • Driver’s License Information 
    • Passport Information 
    • Account Numbers
    • Information the college is bound by contract to protect
    • Information deemed confidential by college officials
  • Principle of Least Privilege - Maintains that system users will be granted access to only those functions and data needed to perform their job duties.
  • Processes - IIT processes refer to a series of structured activities or steps performed by technology personnel to achieve specific objectives related to the management, development, deployment, or maintenance of systems, services, or resources within the IIT Division. These processes are designed to ensure efficiency, reliability, security, and alignment with IIT’s strategies and goals. Processes are documented, standardized, and automated using various frameworks. Implementing effective IT processes will enable IIT to improve productivity, reduce costs, enhance service quality, and manage risk.
  • Service Provider - Any person or entity that receives, maintains, processes, or otherwise is permitted access to data through its direct provision of financial services to the College. For the avoidance of doubt, the service provider includes software-as-a-service providers who contract with the College and related entities to receive data for the delivery of financial services. Service providers also include any person or entity that administers any aspect of the College’s participation in U.S. Department of Education Title IV programs.
  • Student - An individual (including high school students and kids in college) who takes classes for credit or non-credit.
  • System owners - College employees, including System Administrators, System Engineers, and Module Leaders, who are responsible for determining computing needs, and applicable System hardware and software, in their respective areas of responsibility and ensuring the functionality of each such System.
  • User - A College community member, including but not limited to, staff, faculty, students, alumni, and individuals working on behalf of the College, including third party vendors, Contractors, consultants, volunteers, and other individuals who may have a need to access, use or control College Data or Information and Instructional Resources.

 

Details

Article ID: 150391
Created: Mon 4/8/24 12:37 PM
Modified: Thu 9/26/24 1:18 PM
Audience: Faculty, Staff