NYS Information Technology Policies, Standards, and Best Practice Guidelines
| Term | Definition |
|---|---|
| Account Archived | Accounts that have not been used for x years are off-loaded via long-term storage solutions. |
| Account Disabled | Account is in an unusable state and can only be made usable again through an administrative action. |
| Account Locked | Account is not useable until either an administrator resets a token or the end-user resets the token through one of the forgotten password self-service functions. |
| Account Promotion | The process of changing the Security Level of an account from a lower level to a higher level using applicable Identification Methods. |
| Action(s) |
Actions triggering this advance notice requirement, include the following:
|
| Address of Record | The official location where an individual can be found that is on record with a trusted or authoritative entity such as a government agency, the individual’s employer, financial institution, or utility company. The address of record always includes the residential street address of an individual and may also include the mailing address of the individual. |
| Alphanumeric | Describes the combined set of all letters in the alphabet and the numbers 0 through 9. It is useful to group letters and numbers together because many programs treat them identically and differently from punctuation characters. For example, most operating systems allow you to use any letters or numbers in filenames but prohibit many punctuation characters. Your computer manual would express this rule by stating: "Filenames may be composed of alphanumeric characters." |
| Alt Attribute | Will mean an attribute used in the <img> tag to describe the image. |
| Applicant | A person who has applied for a certificate and the certificate issuance procedure is not yet completed. |
| Application Owner | The point of contact for an NYSDS Application. |
| Assistive Technology Devices | Will mean any item, piece of equipment, or product system, whether acquired commercially, modified, or customized, that is used to increase, maintain, or improve functional capabilities of individuals with disabilities. |
| Authenticated Scan | A credential based scan that provides sufficient access to allow the vulnerability scan engine to scan the operating system and all applications running on the system. |
| Authentication | The process of establishing confidence in the identity of users or information systems. |
| Authentication Method | The authentication mechanism used at the time of user account login. |
| Authentication Token | See Token |
| Authorization | Access privileges granted to a user, program, or process or the act of granting those privileges. |
| Automated Attendance & Leave System | shall mean a computer-based application that facilitates the preparation, review, auditing and reporting of employees' records of attendance and accrual balances, and the processing of appropriate payroll transactions. |
| Availability | The extent to which information is operational, accessible, functional and usable upon demand by an authorized entity (e.g., a system or user). |
| Best Practice Guideline | shall mean a case study and/or analysis which provides a benchmark for good business and IT practices in achieving a desired result. The analysis or case study highlights one or several proposed products, technology fields, analytical methodologies or IT solutions which constitute a good approach for other entities pursuing similar solutions. While not mandatory, best practices guidelines are intended:
|
| Biometrics | In computer security, biometrics refers to authentication techniques that rely on measurable physical characteristics that can be automatically checked. Examples include computer analysis of fingerprints or speech. |
| Bitrate | In digital multimedia, bitrate is the number of bits used per unit of time to represent a continuous medium such as audio or video after source coding (data compression). In this sense it corresponds to the term digital bandwidth consumption. While often referred to as "speed," bitrate does not measure distance/time but quantity/time. |
| Breach | Acquiring of information by a person without valid authorization or through unauthorized acquisition. |
| Bulk Load Registration | An account creation process used for the initial loading of a large number of user accounts. |
| Business analysis and risk assessment | Defined by the ESRA regulation as "identifying and evaluating various factors relevant to the selection of an electronic signature for use or acceptance in an electronic transaction. Such factors include, but are not limited to, relationships between parties to an electronic transaction, value of the transaction, risk of intrusion, risk of repudiation of an electronic signature, risk of fraud, functionality and convenience, business necessity and the cost of employing a particular electronic signature process." |
| Business owner | Person who authorized the project, or a designated employee. |
| Certified copy | A duplicate of an original official document, certified as an exact reproduction by the officer responsible for issuing /keeping the original.. |
| Checksum | A simple error-detection scheme in which each transmitted message is accompanied by a numerical value based on the number of set bits in the message. The receiving station then applies the same formula to the message and checks to make sure the accompanying numerical value is the same. If not, the receiver can assume that the message has been garbled. |
| Claimant | A party whose identity is to be verified using an authentication protocol. |
| Clear gif | shall mean a graphic with a unique identifier, similar to a cookie, used to track the online movements of users. Clear gifs are also known as pixel tags, web beacons, or web bugs. |
| Clear text | Any message or text that is not rendered unintelligible through an encryption or hashing algorithm. |
| Click-through | shall mean a message on a user's computer screen, requiring that the user respond to a question and, as a result, provide information by clicking on an icon. |
| Client-side image map | Will mean HTML code delivered to the browser that provides coordinates to "hot spots" users may click on inside a given image. |
| Collaborative Computing Device | Collaborative computing devices may include, but are not limited to, networked white boards, cameras, and microphones that are connected to NYS IT systems for the purposes of conducting government business collaboratively. |
| Computer Network Defense(CND) | Using defensive measures in order to protect information, information systems, and networks from threats. |
| Computer Security Incident | A computer security incident is defined by NIST as a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices. A computer security incident is also defined as any event that adversely affects the confidentiality, integrity, or availability of system and its data. |
| Confidentiality | "The property that information is not made available or disclosed to unauthorized individuals, entities, or processes. |
| Consolidated Log Infrastructure | The hardware, software, networks, and media used to generate, transmit, store, analyze, and dispose of log data. |
| Control | An action taken to enhance the likelihood that established goals or objectives will be achieved (in the context of this policy, generally an action taken to reduce risk.) |
| Cookie | shall mean a unique text file stored on a user's computer by an Internet browser. These text files are used as a means of distinguishing among users of a website and as a means of customizing the website according to the user's preferences and interests. A cookie will not include personal information unless the user has volunteered that information. |
| Collect | shall have the same meaning as defined in State Technology Law §202. This shall mean to store information, including via cookie technology, for purposes of retrieval at a later time to initiate communication with or make determinations about the person who is the subject of such information. |
| Credential | An object that authoritatively binds an identity to a token possessed and controlled by a person or entity. |
| Credential Service Provider (CSP) | A trusted entity that issues or registers tokens and issues electronic credentials. |
| Criticality | The degree to which an SE depends on the information or information system for the success of a mission or of a business function. |
| Cryptographic | Related to cryptography which is (i) The mathematical science used to secure the confidentiality and authentication of data by replacing it with a transformed version that can be reconverted to reveal the original data only by someone holding the proper cryptographic algorithm and key (ii) A discipline that embodies the principles, means, and methods for transforming data in order to hide its information content, prevent its undetected modification, and/or prevent its unauthorized uses. |
| Cryptographic Keys | Data used to encrypt or decrypt a message or information. |
| Data | A subset of information in an electronic format that allows it to be retrieved or transmitted. |
| Delegated Administrator | An administrator account, either a PO Delegated Administrator or an Entitlement Administrator. |
| Deprecated | Will mean an element or attribute that is being phased out and will no longer be supported, or any elements or attributes that are currently not supported. A list of deprecated terms is provided by the World Wide Web Consortium at http://www.w3.org/TR/REC-html40/index/elements.html. |
| Deprovision | The act of retiring a user’s identity and terminating his or her access to IT systems and services. |
| Descriptive Link | Will mean a link to a page that provides a description of the image, commonly referred to as a D link. |
| Device-independent Event Handler | Will mean that an array of input (e.g., mouse, keyboard, microphones, pointing devices) or output (e.g., monitors, speech synthesizers, Braille devices) devices are able to interface with the content. |
| Device-specific Event Handler | Will mean that a specific input or output device is required to interface with the content. |
| Digital Object | Any discrete set of digital data that can be individually selected and manipulated. This can include shapes, pictures, string of numbers, or characters that appear on a display screen as well as less tangible software entities. |
| Digital Signatures | Digital signatures - The result of a cryptographic transformation of data that, when properly implemented, provides a mechanism for verifying origin authentication, data integrity, and signatory non-repudiation. |
| Directory Services Administrator (DSA) | The primary contact for each Participating Organization. |
| Disclose | shall have the same meaning as defined in State Technology Law §202. This shall mean to reveal, release, transfer, disseminate or otherwise communicate information orally, in writing or by electronic or other means, other than to the person who is the subject of such information. |
| Discretionary Access Controls | Access Controls which are enforced by Entitlements, based on the need-to-know defined by the Entitlement Delegated Administrator. |
| Document Type Definition | Will mean HTML directive which provides information to the browser about the syntax used to markup the content. |
| e-Authentication | Also known as electronic authentication. The process of establishing confidence in user identities electronically presented to an information system. |
| e-Government | The use of computer technology to provide faster, more convenient, and better delivery of government services to customers by reducing paper processes and the need to go to government offices for the service. Customers in e-Government can include citizens, businesses, and other governments. Typically, these services are available over the Internet on a government agency’s website or a government portal, like NY.GOV ID. |
| Electronic Evidence | Electronic evidence as defined by the US DOJ Electronic Crime Scene Investigation is information and data of investigative value that is stored on or transmitted by an electronic device. |
| Electronic Record (E-record) | Shall have the same meaning as defined in State Technology Law §102. This shall mean "information, evidencing any act, transaction, occurrence, event, or other activity, produced or stored by electronic means and capable of being accurately reproduced in forms perceptible by human sensory capabilities." This definition is consistent with the definition of "records" in the laws that govern the admissibility of records in legal proceedings (Civil Practice Law and Rules sec. 4518), the retention and disposition of government records (Arts and Cultural Affairs Law Art. sections 57.05 and 57.17), and the Freedom of Information Law (Public Officers Law Art. 6, sec. 86). |
| Electronic Signature (E-signature) | Shall have the same meaning as defined in State Technology Law §102. This shall mean "an electronic sound, symbol, or process, attached to or logically associated with an electronic record and executed or adopted by a person with the intent to sign the record." This definition conforms to the definition found in the Federal E-Sign Law. |
| Elements | Will mean HTML tags. |
| Embedded Base | Shall mean the collective existing systems of state government entities. |
| Encoder | A device used to change a signal (such as a bitstream) or data into a code. The code may serve any of a number of purposes such as compressing information for transmission or storage, encrypting or adding redundancies to the input code, or translating from one code to another. This is usually done by means of a programmed algorithm, especially if any part of the code is digital. |
| Encoding | The process of preparing content for sending to viewers. Audio and video is converted to a format that matches the chosen distribution technique and attributes, and is also compressed. |
| Encryption | A technique used to protect the confidentiality of information. The process transforms ("encrypts") readable information into unintelligible text through an algorithm and associated cryptographic key(s). |
| Enterprise | For the purposes of this document, enterprise is defined as all state government entities in New York. In some instances, enterprise expands beyond the State to include federal and local government partners in an effort to leverage resources across jurisdictions and expand information sharing capabilities. |
| Enterprise Architecture (EA) | Enterprise Architecture is a top-down, business strategic-driven process that coordinates the parallel, internally consistent development of enterprise business, information, and technology architectures, as well as the enterprise application portfolio. It represents the encompassing expression of the enterprise's key program, information, application, and technology strategies and their impact on program functions and processes. Conducted within an appropriate, collaborative organization/governance context, EA artifacts consist of a common requirements vision (CRV) and conceptual architecture (CA), as well as current- and future-state models of four key components:
|
| Enterprise Application Portfolio (EAP) | The Enterprise Application Portfolio is a collection of integrated application systems required to satisfy program information needs, including the existing and planned inventory of applications and components, complete with relationships to supported information and business processes, and engineered linkages to the enterprise technical architecture and infrastructure services. |
| Enterprise Business Architecture (EBA) | The Enterprise Business Architecture is a business vision-driven, disciplined process that decomposes the enterprise's program strategies, the assets and processes required to execute them, as well as their impact on program functions. |
| Enterprise Identity and Access Management (EIAM) Service | The architecture and solutions that support the EIAM ecosystem and encompass the former New York State Directory Services, now NY.GOV Services. |
| Enterprise Identity and Access Management (EIAM) ecosystem | The identity assurance policies, standards, process, procedures and solutions that contribute to the EIAM framework. |
| Enterprise Information Architecture (EIA) | The Enterprise Information Architecture is a business driven process that details the enterprise's information strategies, its extended information value chain, and the impact on technical architecture. The EIA delineates the key information artifacts of business events, models, and information flows, provides logically consistent information management principles, and enables rapid business decision making and information sharing. |
| Enterprise Technical Architecture (ETA) | An Enterprise Business Architecture (EBA), and/or Enterprise Information Architecture (EIA)-driven, structured process that details the enterprise's technology strategies, its extended technology linkages, and their impact on program/project initiatives. |
| Entitlement Administrator | An administrator account which is able to grant and remove NYSDS Application entitlements to User Accounts, potentially across POs. |
| Event Handler | Will mean triggers which are fired when certain keyboard or mouse activity is detected such as clicked, focus, etc. |
| Entropy | A measure of the amount of uncertainty that an attacker faces to determine the value of a secret such as a password. Entropy is usually stated in bits. See NIST 800-63 Recommendation for Electronic Authentication, Appendix A. |
| Existing System | shall mean a commercial or homegrown system which is deployed prior to the effective date of a standard, and includes, without limitation, hardware, software, development tools, applications and protocols. |
| Explicit Indication | A signal or alert to user(s) physically present providing notice that a collaborative computing device sensor has been activated. |
| Extranet | An intranet that is available to an authorized user outside the formal boundaries of the organization. |
| Federated Architecture | A cornerstone of informed and consistent technology investments requires the implementation of a federated architecture. A federated model allows individual agency decision-making while leveraging shared services where appropriate. This ensures interoperability and provides shared services which will maximize the use of agencies resources. Smaller agencies with limited resources are provided an IT infrastructure which ensures the integrity of the entire system and delivery of consistent high-quality services to all constituents. Federated Architecture is the structured expression of the State’s key business, information, application, and technology strategies and their resulting impact on business functions and processes. To be successful in the development of a Technical Architecture, an organization must understand and account for the larger Federated Architecture context. Federated Architecture typically consists of current and future State models of four key components: Enterprise Business Architecture (EBA), Enterprise Information Architecture (EIA), Enterprise Application Portfolio (EAP), and Enterprise Technical Architecture (ETA). The technical architecture was developed in 2003. Shared domains, which are supported and maintained by ITS or a lead agency, provide functionality for agencies without the overhead of maintaining the requisite infrastructure for the on-going operation, support, and maintenance of these applications. Using a federated architecture approach enables agencies to maintain diversity and uniqueness, while enabling process integration and information sharing, providing interoperability and driving down costs. |
| Frames | Will mean a Web browser feature that enables a Web Page to be displayed in an individual, independently scrollable window on a screen. |
| Functional text | Will mean text that when read conveys an accurate message as to what is being displayed by the script. |
| Fundamental Alteration | A major change or modification of the critical function or nature of a program or service. |
| Governmental Entity | Shall have the same meaning as defined in State Technology Law §102. This shall mean "any state department, board, bureau, division, commission, committee, public authority, public benefit corporation, council, office, or other governmental entity or officer of the state having statewide authority, except the state legislature, and any political subdivision of the state." |
| Gramm-Leach-Bliley | Gramm-Leach-Bliley was passed in 1999, and included provisions that limit the ability of financial institutions to disclose "non-public personal information" about consumers to non-affiliated third parties. It also requires financial institutions to provide customers with their privacy policies and practices with respect to non-public personal information. |
| Guideline | Non-mandatory suggested course of action. |
| Hashing | The process of using a mathematical algorithm against data to produce a numeric value that is representative of that data. The numeric value changes if the information is modified therefore making any modifications obvious. |
| HIPAA (Health Insurance Portability and Accountability Act) | HIPAA is a federal act helping to set a national standard for protecting the security and integrity of medical records when they are kept in electronic form. |
| Homegrown System | shall mean an automated system which a state government entity develops or has developed for its own, or another state government entity's use. |
| Identification Method | The technique used to obtain information regarding the user’s identity; typically done as part of user account creation or promotion. |
| Identity Assurance Level (IAL) | The degree of confidence in the vetting process used to establish the identity of the individual to whom the credential was issued, and the degree of confidence that the individual who uses the credential is the individual to whom the credential was issued. |
| Impact | The magnitude of harm that could be caused by a threat. |
| Independently verified | Information provided by a user is verified to a source that is independent of the user (most often a trusted database) that the claimed identity exists and is consistent with the identity and address information provided. An independently verified destination is where credentials and tokens are issued or renewed in a manner that binds the verified user with an independently verified
|
| Incident Response | The manual and automated procedures used to respond to reported network intrusions (real or suspected); network failures and errors; and other undesirable events. |
| Incident Response Stakeholders | IR Stakeholders are any individuals – technical or non-technical, directly responding to or overseeing IR activities. |
| Information | Any representation of facts, concepts or instructions created, stored (in temporary or permanent form), filed, produced or reproduced, regardless of the form or media. This may include, but is not limited to the data contained in reports, files, folders, memoranda, statements, examinations, transcripts, images, communications, electronic or hard copy. |
| Information Classification | See Table 1 of Guideline G07-001. |
| Information Maturity | Information Maturity is defined as the relative ability or inability of an organization to ensure data is of high-quality, accurate, available and utilized by the jurisdiction to make informed program decisions. |
| Information Owner | An individual or organizational unit responsible for making classification and control decisions regarding use of information. |
| Information Security | The concepts, techniques and measures used to protect information from accidental or intentional unauthorized access, modification, destruction, disclosure or temporary or permanent loss. |
| Information Technology Resources | Equipment or services used to input, store, process, transmit, and output information, including, but not limited to, desktops, laptops, mobile devices, servers, telephones, fax machines, copiers, printers, Internet, email, and social media sites. |
| Integrity | The property that data has not been altered or destroyed from its intended form or content in an unintentional or an unauthorized manner. |
| Internet | shall have the same meaning as defined in State Technology Law §202. This shall mean a system of linked computer networks, international in scope, that facilitate DATA transmission and exchange. |
| Internet Protocol Address or IP Address | shall mean a numerical identifier assigned either to a user's Internet service provider or directly to a user's computer. |
| Intranet | A network belonging to an organization, available only to the organization's members, employees or others with authorization. |
| Least Privilege | Granting users, programs or processes only the access they specifically need to perform their business task and no more. |
| Level of Assurance (LoA) | See Identity Assurance Level (IAL) |
| Log Management Infrastructure | The hardware, software, networks, and media used to generate, transmit, store, analyze, and dispose of log data. |
| Longdesc Attribute | Will mean an attribute which references a text file containing a longer version of the alt attribute contents. |
| Management Authority | The entity authorized by the NYS Chief Information Officer (CIO) to implement, manage, and interpret this Trust Model. . |
| Major Upgrade | shall include, but not be limited to, such things as:
|
| Mandatory Access Controls | Access Controls which are enforced by the NYSDS, based on the Security Level and allowable Authentication Methods of the NYSDS Application. |
| Mandatory Standard | shall mean a standard which must be complied with by state government. Exemptions are not granted or considered from mandatory standards. |
| Mobile Device | A computing device in a small form factor that has at least one network connection interface, non-removable and/or removable storage, and is portable, including but not limited to smartphones, Personal Digital Assistants (PDAs), tablets, laptops, smart watches and wearable devices. |
| Multi-Factor Authentication | Using more than one of the following factors to authenticate to a system:
|
| Network Owner | An individual or organizational unit responsible for operating and maintaining the physical and virtual infrastructure which comprises the network, including responsibility for establishing the procedures to be used for maintenance and upgrades. |
| Noframes | Will mean a web page displayed without frames. |
| Nonce | A value used in security protocols that is never repeated with the same key. For example, nonces used as challenges in challenge-response authentication protocols must not be repeated until authentication keys are changed. Otherwise, there is a possibility of a replay attack. Using a nonce as a challenge is a different requirement than a random challenge, because a nonce is not necessarily unpredictable. |
| NYS Directory Services (NYSDS) | The infrastructure run by NYS ITS which enables the centralization of authentication and access control for applications on the NYeNet, and which provides single sign-on functionality for applications on the NYeNet. |
| NYSDS Application | An NYSDS Application is an application whose authentication and authorization is controlled by the NYSDS. |
| NYSDS User | Any person authorized to access the NYSDS. |
| NYSDS User Account | An account in the NYSDS as identified by a User ID. An NYSDS User Account may be authorized to perform specific functions within the NYSDS. |
| Online Service | A service accessed via the Internet or other networks which provides access to citizens, businesses, business partners, other State Entities, local government entities, and the State workforce. |
| Participating Organization | The State Government entity, political subdivision of the State, corporation, trust, estate, incorporated or unincorporated association or other legal entity that either establishes and maintains user accounts on the NYSDS, and/or provides applications which use the NYSDS. |
| Password Expiration | The frequency in which a user is required to choose a new password (i.e., forced to change the password after x days). |
| Penetration Testing | Test of the overall strength of an SE's defenses (technology, processes, people) by simulating the objectives and actions of an attacker. |
| Persistent Cookie | shall mean a cookie that remains on the user's computer. |
| Personal information | shall have the same meaning as defined in State Technology Law §202. This shall mean any information concerning a natural person which, because of name, number, symbol, mark or other identifier, can be used to identify that natural person. |
| Personal, Private or Sensitive Information (PPSI) | Any information where unauthorized access, disclosure, modification, destruction or disruption of access to or use of such information could severely impact the SE, its critical functions, its employees, its customers, third parties, or citizens of New York. This term shall be deemed to include, but is not limited to, the information encompassed in existing statutory definitions[1]. PPSI includes, but is not limited to:
|
| Persons with Disabilities | Will have the same meaning as defined in State Executive Law §292. This will mean (a) a physical, mental or medical impairment resulting from anatomical, physiological, genetic or neurological conditions which prevents the exercise of a normal bodily function or is demonstrable by medically accepted clinical or laboratory diagnostic techniques or (b) a record of such an impairment or (c) a condition regard by others as such an impairment. |
| Physical and Environmental Security | Measures taken to protect systems and physical infrastructure against threats associated with their physical environment. Physical and environmental security controls include the following broad areas:
|
| Physical Infrastructure | A generic description of any area containing non end-user IT equipment and subsidiary hardware, e.g.:
|
| Physically Secured Area | Area that is secured by an access control systems (ACS) comprising the following requirements. The ACS will:
|
| Plaintext | In cryptography, plaintext refers to any message that is not encrypted and therefore easily read and understood. |
| PO Delegated Administrator | An administrator account which is able to manage user accounts owned by a PO. |
| Policy | shall mean a prescribed or proscribed course of action or behavior which is to be followed with respect to the acquisition, deployment, implementation or use of information technology resources. |
| Portable Storage Device | A storage device that is capable of being physically transported, including but not limited to USB/flash drives/thumb drives, external hard drives, tapes, CDs, DVDs and cameras. |
| Portal | The classic intranet portal site functions as an informational hub (i.e., topical tree listing of sites combined with a search engine), aggregating links that connect the portal's constituency of visitors to related information sources. Portals are typically positioned as starting points for users. Private sector examples include AOL and Yahoo. |
| Portfolio Management | Portfolio Management is a structured approach to categorize, evaluate, prioritize, purchase, and manage an organization's technology assets in projects based on current and future economic drivers and on the accessible balance of value/risk desired by the organization. |
| Preferred Technology Standard |
shall mean a standard which must be complied with by state government, unless the state government entity obtains an exemption from the standard because of technical or other operational deficiencies. (See, New York Statewide Technology Policy No. P02-001, Process for Establishing Statewide Policies& Standards, Part 8, for exemption criteria.) |
| Pretty Good Privacy (PGP) | A technique for encrypting messages developed by Philip Zimmerman. PGP is one of the most common ways to protect messages on the Internet because it is effective, easy to use, and free. PGP is based on the public-key method, which uses two keys -- one is a public key that you disseminate to anyone from whom you want to receive a message. The other is a private key that you use to decrypt messages that you receive. To encrypt a message using PGP, you need the PGP encryption package, which is available for free from a number of sources. The official repository is at the Massachusetts Institute of Technology. |
| Privacy | The right of individuals to determine for themselves when, how and to what extent information about them is communicated to others. |
| Private Information | As defined in State Technology Law, shall mean personal information in combination with any one or more of the following data elements, when either the personal information or the data element is not encrypted or encrypted with an encryption key that has also been acquired:
|
| Private Key | A cryptographic key kept secret or known only by the holder. Private keys can be used to create e-signatures or decrypt messages or files. The same private key used to sign should not be used to decrypt. |
| Privileged Account | A privileged account is an account which provides increased access and requires additional authorization. Examples include a network, system or security administrator account. |
| Procedure | shall mean a set of administrative instructions for implementation of a policy or standard. |
| Public Key Encryption | A system of cryptography that employs two computationally related alphanumerics usually known as a key pair. A private key, known only to the holder, is used to create an e-signature or decrypt, and the other or public key known to others is used to verify the e-signature or encrypt. Public key cryptography is often employed within the context of a public key infrastructure (PKI). |
| Public Key Infrastructure (PKI) | The architecture, organization, techniques, practices, and procedures that collectively support the implementation and operation of a certificate-based asymmetric or public key cryptographic system. The PKI consists of systems that collaborate to provide and implement e-signatures, encryption, and authentication services. |
| Re-issuance | A new credential is created with a new identity and/or a new token. For example, a password token is re-issued by having the user select a new password. |
| Registration Authority (RA) | A trusted entity that establishes and vouches for the identity of an applicant to a CSP. The RA may be an integral part of a CSP, or it may be independent of a CSP, but it has a relationship to the CSP(s). |
| Relying Party | An entity that relies upon the claimant’s token and credentials or a verifier's assertion of a claimant’s identity, typically to process a transaction or grant access to information or a system. |
| Remote Access | Any access coming into the NYS government’s network from outsides the NYS private, trusted network. Any and all wireless networks are considered remote access. |
| Renewal | The usage or validity period of the token and credential is extended without changing the token or re-verifying the user’s identity. Examples of tokens that would be renewed or extended include hard tokens, out of band tokens, one time passwords, and soft tokens. |
| Residual Risk | The remaining potential risks after all IT security measures are applied. |
| Revalidate | Re-confirming the validation process for a previously validated electronic signature. |
| Risk | A function of the likelihood that a given threat will exploit a potential vulnerability and have an adverse impact on an organization. |
| Risk Assessment | The process of identifying threats to information or information systems, determining the likelihood of occurrence of the threat, and identifying system vulnerabilities that could be exploited by the threat. |
| Risk Management | A process that includes taking actions to assess risks and avoid or reduce risk to acceptable levels. |
| Screen Reader | Will mean a software application installed on the client machine which scans all textual data and reads it back aloud to the user through a synthesized voice. |
| Secure Sockets Layer (SSL) | This is a protocol developed by Netscape for transmitting private documents via the Internet. SSL works by using a private key to encrypt data transferred over the SSL connection. Both Netscape Navigator and Internet Explorer support SSL, and many Web sites use the protocol to obtain confidential user information, such as credit card numbers. By convention, Web pages that require an SSL connection start with https: instead of http:. SSL has been approved by the Internet Engineering Task Force (IETF) as a standard. |
| Security Level | The degree of trust that is associated with a user account, based upon Identification Method; one of the attributes of a user account. |
| Self Registration | The degree of trust that is associated with a user account, based upon Identification Method; one of the attributes of a user account. |
| Sensitivity | A measure of the importance assigned to information by its owner, for the purpose of denoting its need for protection. |
| Server Side Image Map | Will mean a file which is directly read from the server by the browser which contains HTML code that provides coordinates to "hot spots" users may click on inside a given image. |
| Session Cookie | shall mean a cookie that is erased during browser operation or when the browser is closed. |
| Shared Secret | In the context of this Trust Model a “shared secret” refers to secret information shared by a user for the purpose of confirming that user’s identity. Shared secrets are often used to authenticate a user for the purposes of conveying a credential or resetting a credential such as a password. |
| Significant Change | Includes, but is not limited to:
|
| Single-Factor Authentication | Using one of the following to authenticate to a system:
|
| Smart Card | A hardware token that incorporates one or more integrated circuit (IC) chips to implement cryptographic functions and possesses some inherent resistance to tampering. |
| Sound Mixer | A device which takes two or more audio signals, mixes them together and provides one or more output signals. |
| Standard | Sets of rules for implementing policy. Standards make specific mention of technologies, methodologies, implementation procedures and other detail factors. |
| State | shall mean the State of New York. |
| State Agency | shall mean any department, board, bureau, commission, division, office, council, committee, or officer of the state. Such term shall not include the legislature or the judiciary. (Executive Law Section 205(4)) |
| State Entity | See State Government (Entity). |
| State Government [Entity] | shall have the same meaning as defined in Executive Order No. 117, first referenced above; and shall include all state agencies, departments, offices, divisions, boards, bureaus, commissions and other entities over which the Governor has executive power and the State University of New York, City University of New York and all public benefit corporations the heads of which are appointed by the Governor; provided, however, that universities shall be included within this definition to the extent of business and administrative functions of such universities common to State government. |
| Subscriber Equipment | is defined as hand-held, vehicular mounted and table top (FRAT) wireless radio transmission equipment used to send or receive voice or data communications through a network, including but not limited to two-way vehicular repeaters, and personal pagers. |
| Succession Planning | Succession Planning is a strategic approach towards workforce development, ensuring resource continuity by taking proactive steps to train employees and fill resource gaps in anticipated workforce turnover. |
| Supervisor | An individual responsible for day-to-day management or supervision of a User. |
| SWN Project Office | shall be defined as the program operation within the New York State Office of Information Technology Services which manages and supervises the Statewide Wireless Network (SWN) project. |
| Synchronized Text Captioning | Text transcript that is synchronized or coordinated in time with the audio and video track (also referred to as synchronized text captions). |
| Synchronized text Captions | Will mean a text transcript that is synchronized, or coordinated in time, with the audio and video track. |
| System | An interconnected set of information resources under the same direct management control that shares common functionality. A system normally includes hardware, software, applications, and communications. |
| S/MIME | Short for Secure/MIME, a new version of the MIME protocol that supports encryption of messages. S/MIME is based on RSA's public-key encryption technology. It is expected that S/MIME will be widely implemented, which will make it possible for people to send secure e-mail messages to one another, even if they are using different e-mail clients. |
| Target Implementation Environment | The deployment environment in which the new or modified system is installed or fielded for use by a defined set of users after system acceptance has been completed. This is often referred to as the “production” environment. |
| Technology | shall have the same meaning as defined in Executive Law, § 205(5), being a good, service, or good and service that results in a digital, electronic or similar technical method of achieving a practical purpose or in improvements in productivity, including but not limited to, information management, equipment, software, operating systems, interface systems, interconnected systems, telecommunications, data management, networks, and network management, consulting, supplies, facilities, maintenance and training. The term "Technology" shall be deemed to include all tasks and products encompassed within the term "services", as defined in New York State Finance Law, § 160 (7). |
| Third Parties (Non-Government workforce) | Anyone directly or indirectly providing goods and services to the SE who is not under the direct control of the government entity (see workforce below). Such personnel are typically not subject to the rigorous selection and screening processes that apply to the government workforce. In addition, by their very nature, services provided by non-government workforce are typically of a short-term nature, focusing on clearly defined and narrow roles and responsibilities. This means that without impacting their overall effectiveness, their ‘need-to-know’ Agency information assets can be similarly defined and restricted. |
| Third Parties (Non-ITS workforce) | Anyone directly, or indirectly providing goods and services to ITS who is not under the direct control of the Agency (see workforce below). |
| Threat | A potential circumstance, entity or event capable of exploiting vulnerability and causing harm. Threats can come from natural causes, human actions, or environmental conditions. A threat does not present a risk when there is no vulnerability. |
| Token | Something that a user possesses and controls (typically a key or password) used to authenticate the user’s identity. A token incorporates one or more of the three factors of authentication: something you know (e.g., user-ID, password, personal identification number (PIN), or passcode); something you have (e.g., a one-time password authentication token, ‘smart card’); or something you are (e.g., fingerprint, retina scan). |
| Transaction | A discrete event between user and systems that supports a business or programmatic purpose. Typical transaction types are: Read; Write; Execute (a program); Purge. |
| Trust |
Trust is defined as:
|
| Trusted Organization | A State, local or Federal government entity with which the state entity has established a business relationship to issue credentials through a service level agreement, memorandum of understanding or other comparable mechanism, or, a private entity that has a similar contractual relationship with the government entity. The process for issuing credentials must be clearly documented and agreed by the Trust Model’s management authority. |
| Trusted Party | An entity with which the State Entity has established a business relationship through a service level agreement, memorandum of understanding, contract or other comparable mechanism. For purposes of this standard, the trusted party must be evaluated and accepted per the NYS Federation/Partner Process. |
| Trustworthy System | Computer hardware, software, and procedures that are reasonably secure from intrusion and misuse; provide a reasonable level of availability, reliability, and correct operation; are reasonably suited to performing their intended functions; and enforce the applicable security policy. A trustworthy system is not necessarily a "trusted system" as recognized in classified government nomenclature. |
| Undue Financial or Administrative Burden | Will mean significant difficulty or expense. In determining whether an action would result in an undue burden, state government entities must consider all resources available for use in the funding and operation of the service, program, or activity. |
| USA Patriot Act | To extend existing anti-money-laundering legislation beyond drug trafficking to terrorism funding, the US Congress passed the USA PATRIOT Act (Unifying and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism) in October 2001. |
| User | Any State Entity, federal government entity, political subdivision, their employees or third party contractors or business associates, or any other individuals who are authorized by such entities to access a system for a legitimate government purpose. |
| User ID | A unique alphanumeric identifier within the NYSDS. |
| Verifier | An entity that verifies the claimant’s identity by verifying the claimant’s possession and control of a token using an authentication protocol. |
| Video Description | Video descriptions make videos, and other visual media, accessible to people who are blind or visually impaired by providing descriptive narration of key visual elements in programs. |
| Virtual Private Network (VPN) | A network that is constructed by using public wires to connect nodes. For example, there are a number of systems that enable you to create networks using the Internet as the medium for transporting data. These systems use encryption and other security mechanisms to ensure that only authorized users can access the network and that the data cannot be intercepted. |
| Visual Inspection | Inspection of valid current photo ID that contains the applicant’s picture and either address of record or nationality (e.g., driver’s license or Passport). Inspection will include comparing picture to applicant and recording ID number, address and date of birth. |
| Vulnerabilities | A weakness that can be accidentally triggered or intentionally exploited. |
| White balance | A setting in a camera that compensates for the differences in color temperature of the surrounding light. In both analog and digital electronic cameras that use CCD and CMOS sensors to capture the image, the white balance must be adjusted to ensure that all colors in the scene will be represented faithfully. It can be adjusted automatically by the camera, by selecting presets (tungsten, fluorescent, etc.) or by aiming the lens at a totally white surface (the white card) and selecting "lock white balance." Alternatively, a gray card with 18% gray is sometimes used. |
| Wireless Communications Infrastructure |
is defined to include:
where such Infrastructure:
|
| Wireless Communications Initiatives |
The following wireless communications initiatives ("initiatives") are subject to this policy:
|
| Wireless Technology | Technology that permits the transfer of information between separated points without physical connection. Currently wireless technologies use infrared, acoustic, radio frequency, and optical. |
| Workforce |
State employees, and other persons whose conduct, in the performance of work for the State Entity, is under the direct control of State Entity, whether or not they are paid by the State Entity. |
Contact Information
Questions concerning this glossary may be directed to the New York State Office of Information Technology Services by e-mailing policy@its.ny.gov.