Carnegie Mellon University

Glossary of Terms

A | B | C | D | E | F | G | H | I | J | K | L | M | N | O | P | Q | R | S | T | U | V | W | X | Y | Z


Access Controls Controls that are put in place to ensure that only approved individuals have access to data and information systems.

Administrator Access – A level of access above that of a normal user.  This definition is intentionally vague to allow the flexibility to accommodate varying systems and authentication mechanisms.  In a traditional Microsoft Windows environment, members of the Power Users, Local Administrators, Domain Administrators and Enterprise Administrators groups would all be considered to have Administrator Access.  In a traditional UNIX or Linux environment, users with root level access or the ability to sudo would be considered to have Administrator Access.  In an application environment, users with ‘super-user’ or system administrator roles and responsibilities would be considered to have Administrator Access.  In theory, this guidance applies to any user account in that utilization of access rights is reserved solely for the intended business purpose.

Adware - Software that displays unwanted (and sometimes irritating) pop-up adverts which can appear on your computer or mobile device. Some forms of adware are highly manipulative and create an open door for other malicious programs.

Agent - Any third-party that has been contracted by the University to provide a set of services and who stores, processes or transmits Institutional Data as part of those services.

Applications – Programs that run on an Information System that provide functionality for users. Applications can be local or software as a service.

Authentication Verifier - a piece of information that is held in confidence by an individual and used to prove that the person is who they say they are. In some instances, an Authentication Verifier may be shared amongst a small group of individuals. An Authentication Verifier may also be used to prove the identity of a system or service. Examples include, but are not limited to:

  • Passwords
  • Shared secrets
  • Cryptographic private keys


BaitingA type of social engineering attack where a scammer uses a false promise to lure a victim into a trap which may steal personal and financial information or inflict the system with malware.

Bulk Email - An email sent to a group of recipients with or without their expressed willingness to be a recipient.  Bulk Email is often thought of as email sent to a large number of recipients; however, these Guidelines should be evaluated for appropriateness even in situations that involve a small number of recipients.  In general, Bulk Email excludes the following:

  • Interdepartmental emails sent during the standard course of business
  • Messages sent to a single distribution list, such as an Andrew Mailman Mailing List, following the guidelines set forth by the list moderator

Business EmailAny email that is used to conduct official university business.

Business Email CompromiseForm of phishing attack where a criminal impersonates a person of authority such as an executive, president, supervisor, dean, etc. The scammer attempts to get an employee or vendor to transfer funds or sensitive information.


Certificate Authority - Issues and manages security credentials and public keys for the encryption of network traffic TLS/SSL).

Compromised Computer - Any computing resources whose confidentiality, integrity or availability has been adversely impacted, either intentionally or unintentionally, by an untrusted source.  A compromise can occur either through manual interaction by the untrusted source or through automation.  Gaining unauthorized access to a computer by impersonating a legitimate user or through exploitation of software vulnerabilities would constitute a compromise.  Exploiting a loophole in a computer’s configuration would also constitute a compromise.  Depending on the circumstances, a computer infected with a virus, worm, trojan or other malicious software may be considered a compromise.  Symptoms of a Compromised Computer include, but are not limited to, the following:

  • Unexpected or unexplainable disk activity is perceived on the computer
  • Unexpected or unexplainable performance degradation is perceived on the computer
  • Unexpected and unexplainable modification of data is perceived on the computer
  • The computer’s logs (e.g., system logs, application logs, etc.) contain suspicious entries that indicate logins from unusual locations at odd times or from unrecognized accounts
  • The computer’s logs (e.g., system logs, application logs, etc.) contain suspicious entries that indicate unusual or unexpected connections to services or connections to unfamiliar services
  • A complaint is received from a third-party regarding suspicious activity originating from the computer
  • Unexpected or unexplainable modification of data

Computing Policy - Sets forth University guidelines for use of computing resources. Includes privacy guidelines which protect confidential information.  

Confidential Data - A generalized term that typically represents data classified as Restricted, according to the data classification scheme defined in this Guideline. This term is often used interchangeably with sensitive data.

Console – Local access to a system, including through a KVM switch.  If your system lost its network connection, where would you go to log into it.  This is usually, but not always at the local keyboard and monitor for the system.

Controlled Technical Information (CTI) -  “technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination" per DFARS 252.204-7012.


Data Steward - A senior-level employee of the University who oversees the lifecycle of one or more sets of Institutional Data. See the Information Security Roles and Responsibilities for more information.

Dumpster DivingA scammer will search for sensitive information in the garbage when it hasn’t been properly sanitized or destroyed.


Electronic Protected Health Information (EPHI) - Any Protected Health Information ("PHI") that is stored in or transmitted by electronic media. For the purpose of this definition, electronic media includes:

  • Electronic storage media includes computer hard drives and any removable and/or transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card.
  • Transmission media used to exchange information already in electronic storage media. Transmission media includes, for example, the Internet, an extranet (using Internet technology to link a business with information accessible only to collaborating parties), leased lines, dial-up lines, private networks and the physical movement of removable and/or transportable electronic storage media. Certain transmissions, including of paper, via facsimile, and of voice, via telephone, are not considered to be transmissions via electronic media because the information being exchanged did not exists in electronic form before the transmission.

Electronic Media - Media that records and/or stores data using an electronic process. This includes but is not limited to internal and external hard drives, CDs, DVDs, Floppy Disks, USB drives, ZIP disks, magnetic tapes and SD cards.

Event – An exception to the normal operation of IT infrastructure, systems, or services. Not all events become incidents.

Export Controlled Materials - Any information or materials that are subject to United States export control regulations including, but not limited to, the Export Administration Regulations (EAR) published by the U.S. Department of Commerce and the International Traffic in Arms Regulations (ITAR) published by the U.S. Department of State. See the Office of Research Integrity and Compliance's FAQ on Export Control for more information.

Extortion Scam A type of scam where someone threatens, coerces, or blackmails the victim into providing a form of payment or service.


Family Educational Rights and Privacy Act (FERPA) - Provides students with the righ to inspect and revise their student records for accuracy, while also prohibiting the disclosure of these records or other personal information on the student without consent.

Federal Tax Information (FTI) - Any return, return information or taxpayer information that is entrusted to the University by the Internal Revenue Services. See Internal Revenue Service Publication 1075 Exhibit 2 for more information.

For Official Use Only (FOUO) - Documents and data labeled or marked for Official Use Only are a pre-cursor of Controlled Unclassified Information (CUI) as defined by National Archives (NARA).


General Data Protection Guidelines (GDPR) Regulation that requires businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states. The European Union which defines personal data as any information that can identify a natural person, directly or indirectly, by reference to an identifier including:

  • Name
  • An Identification number
  • Location data
  • An online identifier
  • One or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Gramm-Leach-Bliley Act (GLBA) - Governs the protection of personal information in the hands of banks, insurance companies and other companies in the financial service industry.


Health Insurance Portability and Accountability Act (HIPAA) - Protects information held by a covered entity that concerns health status, provision of health care or payment for health care that can be linked to an individual. Its Privacy rule regulates the collection and disclosure of such information and imposes requirements for securing this data.

Hypertext Transfer Protocol Secure (HTTPS) – The protocol where encrypted HTTP data is transferred over a secure connection.


Identifiers – How a system, user, or service is uniquely identified.  For users, this is usually their username, for a system or service, it may be a hostname, a combination of host and port.

Incident – An event that, as assessed by ISO staff, violates the University Computing Policy; Information Security Policy; other University policy, standards, or code of conduct; or threatens the confidentiality, integrity, or availability of Information Systems or Institutional Data.

Information Security Policy - Establishes the University's commitment and requirement to protect the confidentiality, integrity and availability of Institutional Data as well as any Information Systems that store, process, or transmit Institutional Data.

Information System – Any electronic system that can be used to store, process or transmit data.  This includes but is not limited to servers, desktop computers, laptops, multi-function printers, PDAs, smart phones and tablet devices.

Insider Threat - According to CERT, insider threats are current or former employees, contractors, or business partners who have access to an organization’s restricted data and may use their access to threaten the confidentiality, integrity or availability of an organization’s information or systems.

Institutional Data - All data owned or licensed by the University.



Keylogger – A type of surveillance technology used to record and monitor each keystroke typed on a device keyboard. Scammers use keyloggers as a spyware tool to steal personal information, login information, and sensitive enterprise data.


Least Privilege An information security principle whereby a user or service is provisioned the minimum amount of access necessary to perform a defined set of tasks.

Log contentThe events and actions being logged. ISO publishes recommended log content at


Malware - Short for malicious software, is a term for viruses, worms, trojans and other harmful computer programs that scammers use to cause damage and gain access to sensitive information on a single computer, server, or computer network.

Multi-Factor AuthenticationThe process by which more than one factor of authentication is used to verify the identity of a user requesting access to resources.  There are three common factors of authentication: something you know (e.g., password, pin, etc.), something you have (e.g., smart card, digital certificate, etc.) and something you are (e.g., fingerprint, retinal pattern, etc.).  Use of username and password combination is considered single-factor authentication, even if multiple passwords are required.  Username and password used in conjunction with a smartcard is two-factor authentication.  Multi-factor authentication represents the use of two or three factors.


Network Vulnerability Scanning - Identifies computers with network vulnerabilities that are actively being exploited or have a high likelihood of being exploited.

Non-Privileged User - Any user who does not possess elevated access to manage user accounts and data or authorization to configure and alter systems.

Non-public Information - Any information that is classified as Private or Restricted Information according to the data classification scheme defined in the Guidelines for Data Classification.


Open Mail Relays – Mail systems which allow unauthenticated email messages to be sent from an off-campus sender to another off-campus sender using an on-campus machine as a relay point. This allows spammers to send out their spam messages, and to the uninitiated, it appears that the spam originated from the on-campus "relay" machine.


Payment Card Industry Data Security Standards (PCI-DSS) - A set of security standards designed to ensure that all companies that accept, process, stores, or transmit credit card information maintain a secure environment. Carnegie Mellon University is contractually obligated to follow PCI-DSS.

Payment Card Information - A credit card number (also referred to as a primary account number or PAN) in combination with one or more of the following data elements:

  • Cardholder name
  • Service code
  • Expiration date
  • CVC2, CVV2 or CID value
  • PIN or PIN block
  • Contents of a credit card’s magnetic stripe

Payment Card Information is also governed by the University’s PCI DSS Policy and Guidelines (login required)

Personal Data from European Union (EU) - The EU’s General Data Protection Regulation (GDPR) defines personal data as any information that can identify a natural person, directly or indirectly, by reference to an identifier including:

  • Name
  • An identification number
  • Location data
  • An online identifier
  • One or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Any personal data that is collected from individuals in European Economic Area (EEA) countries is subject to GDPR. For questions, send email to

Personally Identifiable Education Records - Any Education Records that contain one or more of the following personal identifiers:

  • Name of the student
  • Name of the student’s parent(s) or family member(s)
  • Social security number
  • Student number
  • A list of personal characteristics that would make the student’s identity easily traceable
  • Any other information or identifier that would make the student’s identity easily traceable

See Carnegie Mellon University’s Policy on Student Privacy Rights for more information on what constitutes an Education Record.

Personally Identifiable Information - A subset of Non-public Information defined by various state and federal regulations.  For the purpose of meeting security breach notification requirements, PII is defined as a person’s first name or first initial and last name in combination with one or more of the following data elements:

  • Social security number
  • State issued driver’s license number
  • State-issued identification card number
  • Financial account number in combination with a security code, access code or password that would permit access to the account
  • Medical and/or health insurance information

Phishing The process of attempting to acquire sensitive information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity using bulk email, SMS text messaging, or by phone. Phishing messages create a sense of urgency, curiosity, or fear in the recipients of the message. The message will prod victims into revealing sensitive information, clicking on links to malicious websites, or opening attachments that contain malware.

Privileged User – Any user who can alter the configuration of the system, specifically the security configuration. These users also have access to manage user accounts and data that is not available to common users. May also be referred to as ‘super-user’ or ‘root-user’ in other corresponding documents. 

  • In a traditional Microsoft Windows environment, members of the Local Administrators, Domain Administrators and Enterprise Administrators groups would all be considered to have privileged access.
  • In a traditional UNIX or Linux environment, users with root level access or the ability to sudo would be considered to have privileged access.  In an application environment, users with ‘super-user’ or system administrator roles and responsibilities would be considered to have privileged access.

Protected Health Information (PHI) - "individually identifiable health information" transmitted by electronic media, maintained in electronic media or transmitted or maintained in any other form or medium by a Covered Component, as defined in Carnegie Mellon’s HIPAA Policy. PHI is considered individually identifiable if it contains one or more of the following identifiers:

  • Name
  • Address (all geographic subdivisions smaller than state including street address, city, county, precinct or zip code)
  • All elements of dates (except year) related to an individual including birth date, admissions date, discharge date, date of death and exact age (if over 89)
  • Telephone numbers
  • Fax numbers
  • Electronic mail addresses
  • Social security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers, including license plate number
  • Device identifiers and serial numbers
  • Universal Resources Locators (URLs)
  • Internet protocol (IP) addresses
  • Biometric identifiers, including finger and voice prints
  • Full face photographic images and any comparable images
  • Any other unique identifying number, characteristic or code that could identify an individual

Per Carnegie Mellon University’s HIPAA Policy, PHI does not include education records or treatment records covered by the Family Educational Rights and Privacy Act or employment records held by the University in its role as an employer.

Public Data – Data defined as Public occurs when the unauthorized disclosure, alteration or destruction of that data would result in little or no risk to the University and its affiliates. Examples of Public data include press releases, course information and research publications. While little or no controls are required to protect the confidentiality of Public data, some level of control is required to prevent unauthorized modification or destruction of Public data.

Private Data – Data defined as Private occurs when the unauthorized disclosure, alteration or destruction of that data could result in a moderate level of risk to the University or its affiliates. By default, all Institutional Data that is not explicitly classified as Restricted or Public data should be treated as Private data. A reasonable level of security controls should be applied to Private data.

Proxy ServerSystems which provide a method for storing Internet objects (web pages, ftp download programs and zip files, etc.) on a machine which is on a given subnet, and thus, closer to the client. By using a proxy server, users enjoy faster access to large files and the original distribution site sees less "heavy traffic", so everyone (potentially) wins.


Quid Pro Quo - A social engineering tactic which involves a criminal requesting the exchange of some type of sensitive information such as critical data, login credentials, or monetary value in exchange for a service.


Ransomware – A form of malware that encrypts a victim’s files. The attacker then demands a ransom from the victim to restore access to the data upon payment.

Restricted Data – Data defined as Restricted occurs when the unauthorized disclosure, alteration or destruction of that data could cause a significant level of risk to the University or its affiliates. Examples of Restricted data include data protected by state or federal privacy regulations and data protected by confidentiality agreements. The highest level of security controls should be applied to Restricted data.

Rootkit – A type of malware that is designed to remain hidden on a victim’s computer while providing the scammer the ability to remotely control the computer and potentially steal sensitive information and cause significant damage.


ScarewareSocial engineering attack which involves victims being bombarded with false alarms and fictitious threats. Users are deceived to think their system is infected with malware, prompting them to install software that grants remote access for the criminal or to pay the criminal in a form of bitcoin in order to preserve sensitive video that the criminal claims to have.

Segregation of Duties – Fundamentally, the individual that implements a change is not the individual that approves the change.  This allows for prevention and detection of fraud by one individual.

Sensitive Data - A generalized term that typically represents data classified as Restricted, according to the data classification scheme defined in this Guideline. This term is often used interchangeably with confidential data

Server BrokerMessages are passed through the Instant Message (IM) vendor only to initiate the communication between users, who then communicate directly with each other.

Server ProxyMessages pass through the Instant Message (IM) vendor’s computer and are forwarded to the user.

ServicesApplications or groups of applications that provide a service to users or other systems, and are generally well-known services, such as DNS, SSH, etc.

Shoulder Surfing – Spying on other individuals of a device in order to obtain personal access information such as usernames and passwords.

SmishingPhishing conducted via SMS text messages. Smishing is a security attack in which the user is tricked into downloading malware onto their smart phone or device.

Social Engineering – Tactic of manipulating, influencing, or deceiving a victim in order to gain control over a computer system, or to steal personal and financial information. It uses psychological manipulation to trick users into making security mistakes or giving away sensitive information.

SpamUnsolicited mailing messages for marketing or other exploitative purposes.

Spear PhishingTargeted, sophisticated phishing messages personalized to victims. Spear phishers learn about the victim by spying on their personal email, social media and other online habits. The perpetrators use the information they have gathered to portray themselves as a legitimate entity and will create tailored messages to your interests in order to steal personal information

SPIMSpam over Instant Messaging

Spyware – A type of malware that will record activity on the victim’s computer and transmit the data elsewhere.

SSL/TLS – Secure Sockets Layer and Transport Layer Security are protocols that provide server and client authentication and encryption of communications.

Strong PasswordsA password that is reasonably difficult to guess in a short period of time either through human guessing or the use of specialized software. Typically contains both length and complexity.


Tailgating – Also known as “piggybacking”. A physical breach where an unauthorized person manipulates their way into a restricted or employee only authorized area through the use of social engineering tactics.

TrojansHidden programs on a system that perform a specific function once users are tricked into running them.


User – Member of the CMU community or anyone accessing an Information System, Institutional Data or CMU networks who may be affected by an incident.


Virus – Malicious programs that will attempt to spread from machine to machine. They can attach themselves to files and programs shared between computers in order to infect as many machines as possible.

VishingPhishing conducted over the phone by scammers portraying as a trustworthy entity in an attempt to convince the target to act.

Virtual Private Network (VPN)A secure connection, or tunnel, to the CMU network over the internet. A VPN connection will allow individuals to:

  • Access on-campus resources from off-campus, including campus printers, library resources and network shared drives
  • Transfer data securely from off-campus
  • Work securely over public Wi-Fi
  • Access a service on a restricted subnet


Worm – A type of malware which spreads through networks, finding security vulnerabilities in programs and operating systems to infect machines. A computer worm has the ability damage a computer, steal or delete information, and install bots.