1210.1 Definition of Terms
Cloud Computing Services: Application and infrastructure resources accessed via the Internet. Cloud computing includes, but is not limited to:
- Use of servers or information technology services of any type that are not hosted by the CSU or Cal Poly (e.g., social networking applications, file storage, content hosting)
- Software as a Service (SaaS): an application hosted, maintained, and updated by a third-party vendor and available to users over the Internet
- Platform as a Service (PaaS): a platform, hosted by a third-party vendor, on which the customer can develop and run applications
- Infrastructure as a Service (IaaS): infrastructure such as hardware, virtual services, and operating systems provided by a third-party vendor
Electronic Device: Electronic equipment, whether owned by the University or an individual, that has a processor, storage device, or persistent memory, including, but not limited to: desktop computers, laptops, tablets, cameras, audio recorders, smart phones and other mobile devices, as well as servers (including shared drives), printers, copiers, routers, switches, firewall hardware, network-aware devices with embedded electronic systems (i.e., “Internet of Things”), supervisory control and data acquisition (SCADA), and industrial control systems, etc.
Electronic Media: All media, whether owned by the University or an individual, on which electronic data can be stored, including, but not limited to: external hard drives, magnetic tapes, diskettes, CDs, DVDs, and USB storage devices (e.g., thumb drives).
Information Security Incident: Any event that, regardless of accidental or malicious cause, results in:
- disclosure of University data, whether electronic or in printed form, to someone unauthorized to access it,
- unauthorized alteration of University data,
- loss of data that the University is legally or contractually bound to protect, or that supports critical University functions,
- disrupted information technology service, or
- a violation of the University’s Information Security policies.
Examples of such incidents include, but are not limited to:
- Malicious software installations on electronic devices that store University data not routinely made available to the general public, e.g., employee evaluations, or data the University is legally or contractually bound to protect (e.g., social security numbers, credit card numbers, Protected Health Information (PHI), research data, etc.).
- Loss or theft of electronic devices, electronic media, or paper records containing University data not routinely made available to the general public or data the University is legally or contractually bound to protect.
- Defacement of a University website.
- Unauthorized use of a computing account.
- Use of information technology resources for unethical or unlawful purposes (incidents involving employees and pornography should be reported directly to University Human Resources).
- Contact from the FBI, Secret Service, Department of Homeland Security or other law enforcement organizations regarding a University electronic device that may have been used to commit a crime.
Information Technology (IT) Resources: All resources owned, leased, managed, controlled, or contracted by the University involving networking, computing, electronic communication, and the management and storage of electronic data regardless of the source of funds including, but not limited to:
- Networks (virtual and physical), networking equipment, and associated wiring including, but not limited to: gateways, routers, switches, wireless access points, concentrators, firewalls, and Internet-protocol telephony devices;
- Cloud computing services: Software as a Service, Platform as a Service, and Infrastructure as a Service;
- Electronic devices containing computer processors including, but not limited to: computers, laptops, desktops, servers (virtual or physical), smart phones, tablets, digital assistants, printers, copiers, network-aware devices with embedded electronic systems (i.e., “Internet of Things”), supervisory control and data acquisition (SCADA), and industrial control systems;
- Electronic data storage devices including, but not limited to: hard drives, solid state drives, optical disks (e.g., CDs, DVDs), thumb drives, and magnetic tape;
- Software including, but not limited to: applications, databases, content management systems, web services, and print services;
- Electronic data in transmission and at rest;
- Network and communications access and associated privileges; and
- Account access and associated privileges to any other IT resource.
Risk Management: The process to identify, control, and manage the impact of potentially harmful events, commensurate with the value of the protected assets. Risk management includes impact analysis, risk assessment, and continuity planning.
User: Anyone who uses University information technology (IT) resources. This includes all account holders and users of University IT resources including, but not limited to: students, applicants, employees, contractors, auxiliary organization employees, guests, and affiliates of any kind.