IT Policy Glossary

A

Term
Definition
Point of Reference

Accessibility Conformance Report (ACR)
A completed Voluntary Product Accessibility Template® (VPAT) that details a digital product’s (software, hardware, electronic content, and support documentation) level of conformance with digital accessibility standards.
ACC001

Accessible
Refers to a site, work environment, service, or program that is easy to approach, enter, operate, participate in, and/or use safely and with dignity by a person with a disability.
ITP-ACC001

Access Point
A wireless local area network (WLAN) transmitter/receiver that acts as a connection between wireless clients and wired networks.
ITP-NET001

Account
The online credential being presented as representing a person.
ITP-SEC039

Account Lockout
The disabling or suspension of an account ID, generally as a result of a number of failed attempts to authenticate with that account ID.
ITP-SEC007

Active Directory
A management tool for directory-based, identity-related services.
ITP-SEC035

Administrative Accounts
Accounts used by a specific Privileged User having administrative-level role(s), with access to all standard user and privileged operations. These can be, but are not limited to, accounts which manage other user accounts and roles, accounts which can bypass an application and directly modify the contents of the application’s backend database, accounts with universal access to all the application’s data regardless of its nature (including PII, PHI, etc.), or accounts which can uninstall or reconfigure server software. Users of these accounts are not necessarily IT staff but may be business managers administering agency application access and privileges for other workers.
ITP-SEC038

Advanced Persistent Threat Endpoint Protection
A capability that allows for detection and containment of advanced malware.
ITP-SEC001

Adverse Opinion
The most severe opinion that a Certified Public Accountant (CPA) firm can provide. Misleading or incomplete financial statements may lead auditors to give an Adverse Opinion. An Adverse Opinion in the context of a SOC report often means that the users cannot place any reliance on the Service Organization’s system.
ITP-SEC040

Agency Data Steward
A functional role that facilitates the efficient sharing of agency/business area data assets, coordinates the collection of data for optimized Commonwealth collaboration, and understands the data policies and privacy involved with data use by:
  • Acting as point of contact/expert for agency/program area data-related decisions
  • Facilitating collaboration between other agencies and for Commonwealth enterprise data sharing initiatives
  • Facilitating agency data governance and participating in enterprise-level data governance meetings
  • Assisting with validating data quality
  • Ensuring data definitions and metadata are maintained
  • Working with IT to design and organize data
  • Consulting with the Agency Office of Chief Counsel to ensure appropriate data legal reviews
ITP-INF015

Agency/Delivery Center Personnel
Employees responsible for the management of agency electronic media data cleansing.
ITP-SEC015

Agency Fiscal Officer (AFO)
A Commonwealth Agency employee designated by that agency to apply funding information to each order initiated by a Telecommunications Officer (TMO) before it is routed to a telecom supplier for fulfillment. AFOs also review and approve monthly invoices from the telecom suppliers before those invoices are submitted for payment to the supplier.
ITP-NET003

Agency Records Coordinator
The employee appointed by the agency head to have agency-wide responsibility for managing and coordinating the agency’s records management program.
ITP-INFRM001

Aggregations
The process of consolidating data values into a single value. For example, sales data could be collected daily and then aggregated at the week or month level. The data can then be referred to as aggregate data. Aggregation is synonymous with summarization, and aggregate data is synonymous with summary data.
ITP-INF004

Agile Model
A highly iterative software application development model that involves an interactive, cross-functional, and focused team approach to build software solutions in a time-boxed (sprint-based) development methodology. The Agile model uses feedback and checklists, tightly integrated cross-functional teams, and multi-faceted iterations or sprints to quickly build custom software applications. The feedback is driven by regular tests and releases of the evolving software.
ITP-SFT000

Algorithm
A series of discrete, conditional instructions. In computing, algorithms enumerate a list of operations to carry out. An algorithm informs a computer of the steps it must take to deliver a desired result.
ITP-BUS012

Amendment
A written alteration in specifications, delivery point, rate of delivery, period of performance, price, quantity, or other provisions of any contract (e.g., dollar thresholds, modifications/revisions, terms and conditions, billing/payment structures, authorization, and specification of scope change).
ITP-BUS002

American National Standards Institute (ANSI)
ANSI serves as a quasi-national standards organization. It provides area charters for groups that establish standards in specific fields. ANSI is unique among the world’s standards groups as a nongovernmental body granted the sole vote for the United States in the International Standards Organization (ISO).
ITP-INF001

Anomaly
An unplanned, unexpected variable that differs from expectations.
ITP-BUS012

Anonymous FTP
Allows anyone with an Internet connection to access FTP connections to the site, including uploading or downloading files, without having to log in with a username and password.
ITP-SFT005

Anonymous logon (login)
Access to a system which does not require any information on the person accessing the system.
ITP-SEC039

Anti-Virus Protection
A capability to detect and quarantine both known and unknown malware through static signatures, heuristic signatures, and machine learning.
ITP-SEC001

Appliance
A device that consists of hardware and software packaged together to accomplish a specific function(s) or provide a predefined service.
ITP-SEC041

Application Inactivity
The length of time an application is accessed (i.e., the account ID is logged in) without any interaction from the user.
ITP-SEC007

Application Inventory
A centrally managed repository used to capture data and assess risk profiles for all enterprise and agency-level applications that support the business needs of the commonwealth.
ITP-SFT000

Application Lifecycle Management (ALM)
A tool or set of tools that aids development teams in the entire application development and product lifecycle management (e.g., governance, development, and maintenance). It encompasses requirements management, software architecture, programming, software testing, software maintenance, change management, continuous integration, project management, defect management, versioning, and release management.
ITP-SFT000

Application Programming Interface (API)
API or Web API, as used in the context of Keystone Login, is an interface containing multiple web-exposed endpoints to a defined request-response data transfer system and/or messaging system.
ITP-SEC039

Application Software
Often called productivity programs or end-user programs because they enable the user to complete tasks, such as creating documents, spreadsheets, databases, and publications; doing online research; sending email; designing graphics; and running businesses.
ITP-SFT000

Archived Digital Content
Digital Content that is no longer actively available to end users but is still subject to a record retention schedule.
ITP-ACC001

Artificial Intelligence (AI)
A technology used to emulate human performance, typically by learning, coming to its own conclusions, appearing to understand complex content, engaging in natural dialog with people, enhancing human cognitive performance (also known as cognitive computing), or conducting the execution of nonroutine tasks.
ITP-BUS012

Assertions
A confident statement of fact or belief made by management regarding certain aspects of their business, usually comprising management’s description of the system they are providing and how the system is designed and operating.
ITP-SEC040

Assistive Technology (AT)
Any item, piece of equipment, software program, or product that is used to increase, maintain, or improve the functional capabilities of people with a Disability. Examples include keyboards, pointing devices, screen reader software, educational software, eye-gaze and head trackers, speech recognition software, screen magnifiers, joysticks, etc.
ITP-ACC001

Authentication
The process of establishing confidence in the validity of a person’s logon account, usually as a prerequisite for granting access to resources in an information system.
ITP-SEC039

Authentication Method
The type of authentication being used to validate a person’s logon account. There are three categories:
  1. Something you know (e.g., PIN, password, shared information)
  2. Something you possess (e.g., token, smart card, digital certificate)
  3. Something you are (biometrics, e.g., fingerprint, voice, iris, face)
ITP-SEC039

Authentic Record
A record that is what it purports to be; it was duly issued by an authorized person or Agency and has been preserved without any alteration that would impair its use as an Authentic Record.
ITP-INF000

Authorization
The process of verifying that an authenticated account is permitted to have access to a system based on the person’s business responsibilities.
ITP-SEC039

Authorized Users
(MD version) Commonwealth of Pennsylvania employees, contractors, consultants, volunteers, or any other user who utilizes or has access to IT Resources.
(ITP version) Commonwealth employees, contracted resources, consultants, volunteers, or any other users who have been granted access to, and are authorized by the Commonwealth to use, Commonwealth IT Resources.
MD 205.34
MD 205.42
MD 240.11

Authorizing Official (AO)
Official with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals.
ITP-SEC005

Authors
People who produce digital content, including but not limited to web developers, designers, writers, etc.
ITP-ACC001

Authoring Tool Accessibility Guidelines (ATAG)
ATAG is an industry-recognized standard published by the Web Accessibility Initiative (WAI) of the World Wide Web Consortium (W3C) that addresses Authoring Tools. ATAG includes three levels of conformance: A, AA, and AAA.
ITP-ACC001

Authoring Tools
Software and services that Authors use to produce digital content, including but not limited to content management tools.
ITP-ACC001

Availability
Ensuring timely and reliable access to and use of information. A loss of availability is the disruption of access to or use of information or an information system.
44 U.S.C. Section 3542; Federal Information Processing Standards (FIPS) 199

Availability (SLA-defined)
A service level metric that measures the percentage of time the application is available during the applicable Measurement Window. This measurement is by application, not by server instance. Calculation: A = (T - M - D) / (T - M) x 100%, where A = Availability, T = Total Monthly Minutes, M = Approved Maintenance Time, and D = Downtime.
N/A

B

Basic Mobile Device
A portable device used for basic purposes: making/receiving calls and sending/receiving text messages.
ITP-TEL001

Best Value
A determination that is made indicating which choice is the most economically advantageous. It is determined through a systematic analysis and comparison of the total cost and total benefits of ownership for a group of products or solutions.
ITP-SFT001

Bias
Erroneous or prejudiced assumptions in artificial intelligence and machine learning processes that may affect generative output.
ITP-BUS014

Break-the-Glass Account
An account used in emergency situations, based upon pre-staged user accounts, managed in a way that can make them available with reasonable administrative overhead. Typically, these accounts are created and the user ID and passwords locked away in a cabinet, desk, or sealed envelope, so that their use is restricted and it is obvious when they have been used.
ITP-SEC038

Business Intelligence (BI) Dashboard
A graphical user interface that is an information management tool which provides at-a-glance views of KPIs or Metrics and key data points to monitor the health of a business, department, or specific process, through a single point of access. BI Dashboards visually track, analyze, and display preconfigured or customer-defined statistics, insights, and visualizations of current data. A BI Dashboard enables business users to interact with data and drill into the bits and pieces of information they might need, at any time or any place, to make data-driven decisions.
ITP-INF012

Business Intelligence (BI) Report
The process of utilizing BI software to collect, visualize, and analyze business or technical data for the purpose of finding relevant and actionable insights into operational or business trends.
ITP-INF011

Business Partner
Any entity identified by statute, regulation, or contract as being an agent of the Commonwealth of Pennsylvania. A business partner connection is an interface for connecting business partners to the Commonwealth of Pennsylvania (COPA) network.
ITP-NET008

Business Process
A series of steps or activities designed to accomplish a specific business outcome.
ITP-BUS010

Business Process Management (BPM)
A functional discipline that uses various tools and methods to discover, model, analyze, measure, improve, optimize, and better align Business Processes with business goals.
ITP-BUS010

Business Process Owner
A member of the program area, usually at a managerial level, who is responsible for the content of an end-to-end Business Process as well as for the activities completed via the Business Process.
ITP-SFT008

Business Proposal
An artifact used to identify a priority business need and gain commitment from respective areas for potential resources (e.g., budget, internal or external resources) to address the business need.
ITP-BUS001

Business Rules Engine (BRE)
A specific collection of design-time and runtime software that enables an enterprise to explicitly define, analyze, execute, audit, and maintain a wide variety of business logic, collectively referred to as “rules”. A BRE can be purchased independently or comes embedded in a business process management suite (BPMS). A BRE enables IT and business staff to define rules using decision trees, decision tables, pseudo natural language, programming-like code, or other representation techniques.
ITP-INT006

C

Capital Planning
The management and decision-making process associated with the planning, selection, control, and evaluation of investments in resources.
N/A

Categorization
The process of placing data into groups or types of data that are in some way similar to each other, based on characteristics of the data.
ITP-SEC019

Centralized Licensing Agreements (CLA)
A license agreement or enrollment for the purchase of licenses by the Office of Administration (“OA”) to provide licenses to the Enterprise.
ITP-BUSFM013

Chain of Custody
The chronological documentation or paper trail showing the seizure, custody, control, transfer, analysis, and disposition of physical or electronic evidence.
ITP-SEC015

Chain of Custody Tracking Form
The document utilized by agencies to track all electronic media transfers throughout the process involving the sanitization and/or destruction of commonwealth electronic media.
ITP-SEC015

Change Management
A process responsible for formal assessment of a new or changed IT service to mitigate risks and impacts.
ITP-SYM010

Change Order
A printed or electronic order signed by the Contracting Officer directing the contractor to make changes that are authorized by the changes clause of the contract. Change Orders may be either with the consent of the contractor or a unilateral order by the Contracting Officer.
ITP-BUS002

Chatbot
An artificial intelligence (AI) program that simulates interactive human conversation by using key pre-calculated user phrases and auditory or text-based signals. A chatbot is also known as an artificial conversational entity (ACE), chat robot, talk bot, chatterbot, or chatterbox.
ITP-BUS012

CIA Triad
Three fundamental tenets of information security: Confidentiality, Integrity, Availability.
Cybersecurity and Cyberwar (Singer & Friedman)

Citizen
A person, business, or other entity obtaining services, either directly or indirectly, from the Commonwealth of Pennsylvania.
ITP-INF003

Citizen Experience
The full series of interactions or steps that a Citizen takes when seeking a Service or a series of Services; it has a discrete beginning and end.
ITP-INF003

Citizen Experience Goals
Measurable outcomes related to the Citizen Experience that Agencies identify to drive performance improvement and inform Citizen expectations for service delivery.
ITP-INF003

Citizen Experience Standards
A set of rules, principles, and current best practices common to all Agencies under the Governor’s Jurisdiction that guide the delivery of Services to Citizens.
ITP-INF003

Citizen Profile
The unique data associated with a Citizen, containing information that is used by the Enterprise to facilitate a specific Service for the Citizen.
ITP-INF003

Classification
The process of assigning labels to data according to a predetermined set of principles, which define that data class based on the treatment and use of the data.
ITP-SEC019

Computing Service
Any service that is hosted by or within a Service Organization’s or its subcontractor’s (Subservice Organization’s) managed infrastructure, regardless of deployment model (public, private, or hybrid) or type, such as, but not limited to, software-as-a-service (SaaS) for web-based applications, infrastructure-as-a-service (IaaS) for Internet-based access to storage and computing power, and platform-as-a-service (PaaS), which gives developers the tools to build and host web applications. Solutions deployed through traditional hosting methods and without the use of NIST Cloud capabilities (i.e., rapid elasticity, resource pooling, measured service, broad network access, and on-demand self-service) are also included.
ITP-SEC040

Cloud Service Provider (CSP)
An entity (private or public) that provides cloud-based platforms, infrastructure, applications, security, and/or storage services for another entity/organization.
ITP-SEC040

Cloud Storage
An Infrastructure as a Service (IaaS) deployment model that provides block, file, and/or object storage services delivered through various protocols. The service can be stand-alone, with no requirement for additional managed services, or be bundled with additional managed services.
ITP-SEC040
Computing Services Use Case Review (Use Case Review)
An established process to ensure the procurement and use of any Computing Services is aligned with the Commonwealth’s overall business and IT vision, strategy, goals, and policies. This process includes representation and review from all domains to proactively identify, manage, and mitigate risk, if any, with the Computing Services being considered. As part of Use Case Review, the Service Organization is required to complete the Computing Services Requirements (CSR) document that is specific to the Computing Services being considered. Any procurement or use of a Computing Service requires prior approval from the Enterprise Architecture Review Committee (EARC).

Commercial-off-the-Shelf (COTS)
Also referred to as Modifiable Off-the-Shelf (MOTS). Targeted business solution software that is commercially produced, easy to install, and then adapted to interoperate with existing system components. An important distinction is that COTS software is locally hosted and is typically more customizable, as opposed to Software as a Service (SaaS), which is hosted by a third party and generally less customizable.
ITP-SFT001

Common Vulnerabilities and Exposures (CVE ID)
A list of publicly disclosed computer flaws that have been given an identification number. These are provided by either the manufacturer of the software or MITRE/NIST.
ITP-SEC023

Common Vulnerability Scoring System (CVSS)
An open framework for communicating the characteristics and severity of software vulnerabilities.
ITP-SEC005

Common Weakness Enumeration (CWE ID)
A category system for software weaknesses and vulnerabilities that have been given an identification number. These are provided by MITRE/NIST.
ITP-SEC023

Commonwealth Application Certification and Accreditation (CA)²
A security assessment for Commonwealth IT systems involved in the transmission or storage of electronic transactions such as electronic records and electronic signatures.
MD 210.12
ITP-SEC005

Commonwealth Data
Consists of, but is not limited to, data that is intellectual property of the Commonwealth, data that is protected by law, order, regulation, directive, or policy, and any other sensitive or confidential data that requires security controls and compliance standards.
ITP-SEC040

Commonwealth Data Center (Data Center)
Facilities used to host Commonwealth IT assets and data. These include the Enterprise Data Center (EDC) and Pennsylvania Compute Services (PACS) as well as agency-owned facilities.
ITP-SEC038

Commonwealth Enterprise Storage Solutions
Information technology services, applications, or programs procured, obtained, created, or licensed by the Office of Administration for the storage or maintenance of records, data, or other information controlled, maintained, or possessed by the Commonwealth and its agencies. Commonwealth Enterprise Storage Solutions include, but are not limited to, the suite of applications provided as part of Microsoft 365 (Outlook 365, OneDrive, SharePoint, etc.) and the PACS environment (Pennsylvania Compute Services).
ITP-SEC019

Commonwealth Network
A collection of servers, mainframes, networking devices, and IT Resources that are interconnected, either by cable, wireless connection, or logically, and are physically or operationally controlled and security-managed by the Commonwealth or a contracted third-party vendor on behalf of the Commonwealth.
MD 535.09

Commonwealth of PA Procurement and Architectural Review (COPPAR)
The former review mechanism used by the Office for Information Technology to review agency requests for policy waivers and large IT-related procurements. (This has been replaced by Technology Investment and Policy Review (TIPR).)
ITP-BUS000
ITP-BUS004
ITP-SEC000

Commonwealth Point of Presence (CPOP)
Locations that provide access to the enterprise network backbone, which is comprised of COPANET and any extended backbone delivered by enterprise telecommunications providers.
ITP-NET018

Complementary User Entity Controls (“CUEC”)
Controls for SOC 1 and SOC 2 reports that management of the Service Organization assumes, in the design of the Service Organization’s system, will be implemented by user entities and are necessary to achieve the control objectives stated in management’s description of the Service Organization’s system.
ITP-SEC040

Confidentiality
Preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information. A loss of confidentiality is the unauthorized disclosure of information.
44 U.S.C. Section 3542; Federal Information Processing Standards (FIPS) 199

Configuration Item (CI)
Any service component, infrastructure element, or other item that needs to be managed in order to ensure the successful delivery of IT services.
ITP-SYM010

Connection
Includes remote access system (RAS), a tool used to connect remotely to the commonwealth network. Authorized Users may need to connect to the network from home or another remote location to perform their job functions. Remote access is coordinated by the Office of Administration, Office for Information Technology (OA/OIT), and users must have the Cisco virtual private network (VPN) client on their computer and a valid digital certificate. Connection does not include connecting with Authorized User devices to Office Outlook Web Access.
MD 240.11

Consultant
A person identified as an expert in a particular field whom the Commonwealth engages under contract to provide professional advice and/or services to the Commonwealth for a specific purpose and duration. A Consultant is not a Commonwealth employee.
N/A

Controller
Network device which controls the access points within a wireless network.
ITP-NET001

COPA-Campus wireless
Enterprise wireless network that bridges participating agencies’ networks to allow wireless roaming capability.
ITP-NET001

Corrective Action Plan (CAP)
A detailed plan outlining a set of actions identified to remedy an unsatisfactory performance. A CAP includes time limits and goals.
ITP-SEC040

Component Management
The manager that handles all the components and the runtime services, such as session management, synchronous/asynchronous client notifications, and executing business logic.
ITP-PLT019

Contract Change Request (CCR)
Contractual document utilized to modify, change, or delete a service and/or product within a contract.
ITP-NET003

Contract Extension
Contractual provision that gives parties the right to renew or extend the term of an agreement.
ITP-BUS002

Contract Manager (CM)
Individual responsible for managing the day-to-day activities of a contract post-award.
ITP-SEC040

Contract Value
Total dollar amount of the entire contract term (the base term and all estimated costs for option years).
ITP-BUS002

Contracted Resource
A person whose services, under contract, are provided to the Commonwealth as an independent contractor for a specific purpose and duration. A Contracted Resource is not a Commonwealth employee.
ITP-SEC009

Contracting Officer
One who is authorized to enter into contracts for supplies and Services.
ITP-BUS002

CONUS
The continental United States and Hawaii.
ITP-SEC000

Cost-to-Carry
Current level of services. The focus is on activities and intended accomplishments. When budgeting, Cost-to-Carry includes the future cost consequences of current program policy.
ITP-BUS001

Custom Built Application Software
The designing of software applications for a specific user or group of users within an organization. Such application software is designed to address specific user needs precisely, as opposed to the more traditional and widespread off-the-shelf application software. Custom built application software meets unique business requirements.
ITP-SFT000

Cyber Security Incident
Any occurrence involving the unauthorized or accidental modification, destruction, disclosure, loss, damage, misuse, or access to information technology resources such as systems, files, and databases. It also includes the violation or imminent threat of violation of computer security policies, acceptable use policies, and standard security practices.
ITP-SEC024

Cybersecurity Risk Management Program
Set of policies, processes, and controls designed to protect information and systems from security events that could compromise the achievement of the entity’s cybersecurity objectives and to detect, respond to, mitigate, and recover from security events that are not prevented.
ITP-SEC040

D

Return to top of page
​Term
​Definition
​Point of Reference
​Dashboards and Visualizations
​Visualizations and presentation of data to end users that enable them to analyze, discover, plan, and predict. 
​ITP-INF012
​Data
​A value or set of values representing a specific concept or concepts. Data becomes “information” when analyzed and possibly combined with other data in order to extract meaning, and to provide context.​ITP-INF013 (pending)
project-open-data.cio.gov
​Data Architecture​Describes the data structures used by a business and its applications. The architecture sets the data standards for all information systems in the organization and communicates a model of the interactions of data in those systems.​ITP-INF013 (pending)
​Data At Rest
​Data that is not actively moving from device to device or network to network such as data stored on a hard drive, laptop, flash drive, archived or stored in some other way.
​ITP-SEC031
​Data Breach
​An unauthorized access and acquisition of computerized data that materially compromises the security or confidentiality of a system, data or personal information maintained by the entity that causes, or the entity reasonably believes has caused, or will cause loss or injury to any resident of this Commonwealth.
​ITP-SEC025
​Data Element Encryption​A technique that encrypts individual data elements instead of encrypting an entire file or database. Common examples of data element encryption include column level database encryption and encryption of a Social Security Number (SSN) before writing it to a file. Data element encryption is used to selectively apply encryption, and may be used to reduce encryption/decryption overhead, to protect different elements with different keys, or to simplify adding encryption to applications.​ITP-SEC031
​Data Exchange
​Data from a source system that is restructured for the target system for the purpose of accurately representing the source data. Data Exchanges rely on implementing data languages such as Extensible Markup Language (XML) and JavaScript Object Notation (JSON).
​ITP-INF000
​Data In Transit
​Any type of information that is actively moving between systems, applications, or locations. 
ITP-​SEC031
​Data Integration Technology
​Technology that facilitates the consolidation and reconciliation of dispersed data maintained by agencies in multiple, heterogeneous systems for analytical purposes. Data can be accessed, extracted, moved, loaded, validated, and transformed.
​ITP-INF004
​Data Lake
​A system or repository of data stored in its natural or raw format, usually object blobs or files. A Data Lake is usually a single store of data including raw copies of source system data, sensor data, social data, etc., and transformed data used for tasks such as reporting, visualization, advanced analytics, and machine learning. A Data Lake can include structured data from relational databases (rows and columns), semistructured data (CSV, logs, XML, JSON), unstructured data (emails, documents, PDFs), and binary data (images, audio, video).
​ITP-INF004
​Data Life Cycle Management
​The management of information that is in an electronic format throughout its existence, from creation to final disposal, across various systems and media and within various operational constraints.
​ITP-INFRM001
​Data Mart
​A subset of the enterprise data warehouse that is designed for a particular line of business, such as sales, marketing, or finance. 
​ITP-INF004
​Data Migration
​Utilizing a design for data extraction and data loading for the purpose of permanently relocating data from one system/application to another system/application.
​ITP-INF000
​Data Mining
​Data Mining is the process of sifting through large amounts of data to produce data content relationships. It also refers to the technique by which a user utilizes software tools to look for particular patterns or trends. This technique can uncover future trends and behaviors, allowing businesses to make proactive, knowledge-driven decisions. Often performed by leveraging Artificial Intelligence or Machine Learning.
​ITP-INF004
Data Model
An abstract model that organizes elements of data and standardizes how they relate to one another and to the properties of entities.
ITP-INF004
Data Warehouse
A storage architecture designed to hold data extracted from transaction systems, operational data stores, and external sources. The warehouse then combines that data in an aggregate, summary form suitable for enterprise-wide data analysis and reporting for predefined business needs.
ITP-INF004
​Data Owner
​Official with statutory or operational authority for specified information and responsibility for establishing the controls for its generation, collection, processing, dissemination, and disposal.

Also referred to as Information Owner
​ITP-SEC005
​Data Warehousing
​A process for building decision support systems and a knowledgebased application environment in support of both everyday tactical decision making and long-term business strategy. Data warehouses and data warehouse applications are designed primarily to support the decision-making process by providing the decision makers with access to accurate and consolidated information from a variety of sources.
​ITP-INF004
​Dataset
​An organized collection of data.
​ITP-INF000
​Database Management System (DBMS)
Software that manages a database and provides a common, controlled approach to maintaining data integrity and accessibility when storing data, adding new data, and modifying and retrieving existing data. Security and backups are key components.
ITP-INF001
​Degauss
Procedure that reduces the magnetic flux on magnetic media to virtual zero by applying a reverse magnetizing field. Degaussing a hard drive also destroys its factory servo tracks, so the drive is rendered permanently unusable. Degaussing is effective only on magnetic media (tapes, hard-disk platters); it does not sanitize solid-state or optical media.
​ITP-SEC015
​Demilitarized zone (DMZ)
​A perimeter network that protects an organization's internal local-area network (LAN) from untrusted traffic.
​OPD-SEC010A
​Development Application Software
Software, also known as computer programming tools, used to translate and combine computer program source code and libraries.
​ITP-SFT000
​Development Phase
The phase in which the developer writes code and commits it to a software repository. When ready, the code is promoted to a testing environment that is not externally facing or accessible to the public.
​ITP-SEC005
​Digital Accessibility
​Digital Accessibility is providing Digital Content and Services that can be used by any user, including those with a visual, auditory, motor, speech, or cognitive Disability.
​ITP-ACC001
​Digital Accessibility Maturity Assessment
​A tool for measuring the degree of maturity attained in implementing and managing Digital Accessibility. The assessment will help people in agencies understand the dimensions of an accessibility program and allow them to plan and work to improve the accessibility of Digital Content and Services year over year.
​ITP-ACC001
​Digital Content and Services
The delivery of information and services to end users via data, voice, or video technologies, which includes but is not limited to:
  • Electronic content: Websites and web-based materials (Internet & Intranet), Microsoft Office (Word, Excel, PowerPoint), Adobe InDesign and portable document format (PDF) documents, training materials (e.g., online training materials, tests, online surveys), multimedia (video/audio, MP4), social media, blogs, digital materials (e.g., documents, templates, forms, reports, surveys), graphics, GIFs, Computer Aided Design and Drafting (CADD) files, email, maps and infographics, electronic emergency notifications, and subscription services (e.g., news feeds, alert services, professional journals);
  • Software: Web, desktop, server, and mobile client applications, Authoring Tools, associated infrastructure, and service offerings (Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS));
  • Hardware:  Computers, laptops, servers, tablets, printers, copiers, scanners, peripheral equipment (e.g., keyboards, mice), kiosks, and mobile phones;
  • Support documentation and services:  Training, consulting, advisory services, help desk or call center, automated self-service and technical support, and product informational materials.
​ITP-ACC001
​Dimension Tables
Dimension Tables describe the entities, represented as hierarchical, categorical information such as time, departments, locations, and products. Dimension Tables are sometimes called lookup or reference tables.
​ITP-INF004
​Direct Internet Access (DIA)
​Any network service that delivers connectivity to the Internet without the use of the Commonwealth’s Enterprise Network and/or Enterprise Perimeter Security solution.
​ITP-NET018
​Disable
An account may be Disabled either by setting the ACCOUNTDISABLE bit (0x0002) in the Active Directory (AD) userAccountControl attribute (for a normal user account this changes the value from 512 to 514; 0x0200 is the NORMAL_ACCOUNT flag, not the disable flag) or by moving the account to a dead storage area where it will not be used for Authentication purposes.
​ITP-SEC007
​Disability (with respect to an individual)
  • ​A physical or mental impairment that substantially limits one or more major life activities of an individual.
  • A record of such an impairment; or
  • Being regarded as having such an impairment.  For exemptions to the term Disability see Management Directive 205.25 Amended, Disability-Related Employment Policy.
​ITP-ACC001
​Disclaimer Opinion
Provided when auditors cannot express an opinion. This typically occurs when a Service Organization does not give the auditors adequate information to render an opinion, in which case the CPA firm may disclaim its opinion.
​ITP-SEC040
​Disk Wipe
​Procedure that uses a single character to overwrite all addressable locations on a magnetic drive.
​ITP-SEC015
​Distributed Software Programs
​Computer programs that are developed and distributed to end users. They can range from simple user interfaces for data entry to complex applications that provide the users with tools for managing their information.
​ITP-INT003
​DNS Record
​A database record used to map a domain, URL, or hostname to an IP address (this includes, but is not limited to, domains that are requested via OPDNET005B). 
​​ITP-NET005
​DNS Zone
​Any distinct, contiguous portion of the domain name space in the DNS for which administrative responsibility has been delegated to a single manager.
​​ITP-NET005
​DoD 5220.22-M
The National Industrial Security Program Operating Manual, which stipulates three passes in which the entire magnetic drive is overwritten.
​ITP-SEC015
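As an added illustration of the three-pass overwrite this entry refers to (example code written for this glossary, not from ITP-SEC015 or any Commonwealth tool), the following Python runs the passes against an in-memory byte buffer standing in for a magnetic drive and verifies each pass by reading it back. The pass pattern used here (a fixed character, its complement, then random data) is the commonly cited one; the glossary entry itself only gives the pass count. Overwriting is a magnetic-media technique: on flash/SSD the controller's wear levelling can leave cells untouched, so the drive's own secure-erase or crypto-erase command is the appropriate method there.

```python
import os

# Added example, not from the glossary or any Commonwealth tool: a three-pass
# overwrite in the style cited for DoD 5220.22-M, run against a bytearray that
# stands in for a magnetic drive (assumption: a real tool writes to the raw
# block device and reads sectors back; the verify step is the same idea).
# Overwriting does not reliably sanitize flash/SSD media because of wear
# levelling; use the drive's secure-erase or crypto-erase instead.

def _verify(buf: bytearray, expected: bytes) -> bool:
    """Read the buffer back and confirm every addressable byte matches the pass pattern."""
    return bytes(buf) == expected


def three_pass_overwrite(buf: bytearray, fill: int = 0x00, rng=os.urandom) -> dict:
    """Overwrite every byte of buf three times, verifying after each pass.

    Pass 1: fixed character `fill`; pass 2: its bitwise complement;
    pass 3: random bytes from `rng(n)`. Returns {pass_name: verified}.
    """
    n = len(buf)
    results = {}

    pass1 = bytes([fill]) * n
    buf[:] = pass1
    results["pass1_fixed"] = _verify(buf, pass1)

    pass2 = bytes([fill ^ 0xFF]) * n
    buf[:] = pass2
    results["pass2_complement"] = _verify(buf, pass2)

    pass3 = rng(n)
    buf[:] = pass3
    results["pass3_random"] = _verify(buf, pass3)
    return results


def residual_original(original: bytes, wiped: bytearray, window: int = 8) -> bool:
    """Crude recoverability check: does any `window`-byte run of the original survive?"""
    w = bytes(wiped)
    return any(original[i:i + window] in w
               for i in range(0, len(original) - window + 1))


if __name__ == "__main__":
    # Constructed sample drive contents (fake data for the example).
    original = b"CONFIDENTIAL payroll export; admin password=hunter2; " * 4
    drive = bytearray(original)
    print(three_pass_overwrite(drive))             # all three passes verified
    print("original data still present:", residual_original(original, drive))
```

The verify-after-each-pass step is what distinguishes a sanitization procedure from a plain write: a sector that cannot be read back as the pattern written is a sector that may still hold the old data.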
​​DoD Rated Degausser
​Department of Defense-type degaussers that meet or exceed DoD Type I or Type II media sanitization standards.

Type I: Equipment rated to degauss magnetic media having a maximum coercivity of 350 oersteds.

Type II: Equipment rated to degauss magnetic media having a maximum coercivity of 750 oersteds.
​ITP-SEC015
​Domain Controller
​A server that responds to security authentication requests within a Windows Server domain.
​ITP-NET005
Domain Name Request
​ITSM service request for DNS related requests.
​ITP-NET005
​Domain Name System (DNS)
​​​An Internet service that translates domain names into IP addresses.
​​ITP-NET005
​Drilldown
An application feature allowing business users to navigate from high-level information to detailed or transaction-level information.
​ITP-INF012

E

Return to top of page
Term
​Definition
​Point of Reference
​eDiscovery
Electronic discovery (also called e-discovery or eDiscovery) refers to any process in which electronically stored information is sought, located, secured, and searched with the intent of using it as evidence in a civil or criminal legal case. Electronically stored information, for the purpose of the Federal Rules of Civil Procedure, is information created, manipulated, communicated, stored, and best utilized in digital form, requiring the use of computer hardware and software.
OA Legal
e-Discovery
Any process in which electronically stored information (ESI) is identified, collected, searched, and analyzed for production in the discovery phase of litigation.
ITP-INF009
Electronic
Relating to technology having electrical, digital, magnetic, wireless, optical, electromagnetic, or similar capabilities.
MD 210.12
​Electronic Commerce (E-commerce)
​The activity of electronically maintaining relationships and conducting business transactions that include buying or selling information, services, and goods by means of computer telecommunications, networks, or over the internet.
​ITP-INT002
​Electronic Data Interchange (EDI)
​The concept of businesses electronically communicating information that was traditionally communicated on paper, such as purchase orders, invoices, or other information or data exchanges. EDI implies a sequence of messages between two parties, either of whom may serve as originator or recipient. The formatted data representing the documents may be transmitted from originator to recipient via telecommunications or physically transported on electronic storage media. The usual processing of received messages in EDI is by computer only. Human intervention in the processing of a received message is typically intended only for error conditions, for quality review, and for special situations.
​ITP-INT003
​Electronic Device
​Devices that contain electronic media which include, but are not limited to, PCs, printers, multifunction systems, scanners, fax machines, and handheld devices such as cellular phones, smartphones and tablets.
​ITP-SEC015
​Electronic Document Management Systems (EDMS)
​The use of a computer system and software to store, manage, and track electronic documents and electronic images of paper-based information captured through the use of a document scanner.
​ITP-INFRM007
​Electronic Media
Material on which data are or may be recorded via an electrically based process, such as, but not limited to, magnetic tape, magnetic disks (hard drives), solid-state devices/SSDs (flash drives, SD cards, SIM cards), and optical discs (CDs, DVDs).
​ITP-SEC015
Electronic Record
A record created, generated, sent, communicated, received, or stored by electronic means. This term includes permits, licenses, applications, and other documents required or issued by an executive agency.
MD 210.12
Electronic Signature
(MD version) An electronic sound, symbol, or process attached to or logically associated with a record and executed or adopted by a person with the intent to sign the record.

(ITP version) An electronic sound, symbol, or process attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record. Although Electronic Signatures are represented digitally (i.e., as a series of ones and zeros), they can take many forms and can be created by many different technologies. This should not be confused with the Digital Signature terminology, which is used in public key cryptography.
MD 210.12
ITP-SEC006
Electronic Storage System
A system to prepare, record, transfer, index, store, preserve, retrieve, and reproduce books and records by either electronically imaging hardcopy (paper) documents to an electronic storage media or transferring computerized books and records to an electronic storage media.
MD 210.12
IRS Rev. Procedure 97-22
Electronic Transaction
The electronic sharing of information, including electronic posting of data on a network and the exchange of an electronic record or electronic signature by an executive agency with a person or automated system to: facilitate access to restricted information; purchase, sell, or lease goods, services, or construction; transfer funds; facilitate the submission of an electronic record or electronic signature required or accepted by the commonwealth; or create a record upon which the commonwealth or another person will reasonably rely.
MD 210.12
Electronically Stored Information (ESI)
Any data or information produced or received on commonwealth IT Resources that resides on commonwealth-managed storage solutions, either on premise or off premise (i.e., cloud storage, backup tapes).
ITP-INF009
​Emergency Change
A change that supports maintenance in response to a reported Incident, when a problem exists on any infrastructure component or service that is causing business disruptions to one or more agencies.
​ITP-SYM010
Emergency Maintenance (Enterprise Services)
Maintenance necessary when a problem exists on any Enterprise infrastructure component or Enterprise Service that is causing major disruptions to one or more agencies.
ITP-SYM010
​Endpoint Detection and Response (EDR)
​A capability that provides:
• Real time indication on known tactics, techniques, and procedures (TTPs);
• The ability to monitor common applications and processes for exploitation and proactively block those exploitations; and
• The ability to detect and block lateral movement within the enterprise network.
​ITP-SEC001
​Endpoint Security
​An integrated solution that provides cybersecurity protection on endpoint devices including servers, desktops, laptops, and other mobile devices that should encompass the below capabilities:
 • The ability to integrate with different security solutions utilized by the Commonwealth; and
 • Automatically update signature files and scan engines.
​ITP-SEC001
Enterprise Architecture
The analysis and documentation of an enterprise in its current and future states from an integrated strategy, business, and technology perspective.
N/A
Enterprise Architecture Artifact
A documentation product, such as a text document, diagram, spreadsheet, briefing slides, or video clip, that documents EA components in a consistent way across the entire architecture.
N/A
Enterprise Architecture Component
Changeable resources that provide capabilities at each level of a framework. Examples include strategic goals and initiatives, business services, web services, software applications, voice/data/mobile networks, and buildings.
N/A
​Enterprise Class DBMS
​Integrates multiple business processes or applications into a single DBMS and hardware platform. This is in contrast to creating application-specific DBMSs.
ITP-​INF001
​Enterprise Content Management (ECM)
​The strategies, methods, and tools used to capture, manage, store, preserve, and deliver content and documents related to organizational processes.
​ITP-INFRM007
Enterprise Information Security Office (EISO)
Office within the Office of Administration, Office for Information Technology tasked with managing the enterprise IT security posture for the commonwealth as it pertains to governance, risk, and compliance.
ITP-SEC000
Enterprise IT Service Offering
An Enterprise IT Service Offering is made up of a combination of people, processes, and technology that supports a customer's business. It is a means of delivering value to customers by facilitating the outcomes customers want to achieve without the ownership of costs and risks.
ITP-BUS007
Enterprise Maintenance (Enterprise Services)
Maintenance is considered Enterprise if:
  • It affects any Enterprise infrastructure component or Enterprise service
  • It affects two or more agencies at one site
  • It affects two or more agencies at multiple sites
  • It affects one agency at multiple sites
​ITP-SYM010
​Enterprise Resource Planning (ERP) System
​A system of integrated software applications that is used to integrate core Business Processes (i.e., finance, human resources, payroll, procurement, plant maintenance, real estate, sales, and distribution, etc.)
​ITP-SFT008
​Enterprise Service Bus (ESB)
Refers to a software architecture construct. This construct is typically implemented by technologies found in a category of middleware infrastructure products, based on recognized standards, which provide fundamental services for more complex architectures via an event-driven and standards-based messaging engine (the bus).
N/A
​Enterprise Service Catalog
​A document that describes the Enterprise IT Service Offerings.
​ITP-BUS007
​Enterprise Software
​Software, applications, or programs that are procured, obtained, created, licensed, or managed by the Office of Administration, Office for Information Technology (“OA/IT”) and used uniformly across multiple agencies.
​ITP-BUSFM013
​Enterprise Standard
​An Enterprise IT Service Offering that is required to be utilized and consumed by Agencies.
​ITP-BUS007
Event (Security)
An observable occurrence in a system or network. Events include, but are not limited to, a user connecting to a file share, a server receiving a request for a Web page, a user sending electronic mail (e-mail), and a firewall blocking a connection attempt.
ITP-SEC021
Event Correlation (Security)
The process of monitoring events in order to identify patterns that may signify attacks, intrusions, misuse, or failure.
ITP-SEC021
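As an added example of the kind of pattern event correlation looks for (example code written for this glossary, not from ITP-SEC021 or any Commonwealth tool), the following Python correlates logon events per source and user inside a sliding window. The log line format and the event IDs (4625 for a failed logon, 4624 for a successful one, as Windows Security logs use them) are assumptions for the example, and the events are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Added example, not from ITP-SEC021 or any Commonwealth tooling. Constructed
# sample events in an assumed "<iso-timestamp> <event-id> key=value ..." form;
# 4625 = failed logon, 4624 = successful logon (Windows Security log IDs).
SAMPLE_EVENTS = [
    "2024-05-01T09:00:01 4625 user=jdoe src=10.1.2.3",
    "2024-05-01T09:00:03 4625 user=jdoe src=10.1.2.3",
    "2024-05-01T09:00:05 4625 user=jdoe src=10.1.2.3",
    "2024-05-01T09:00:07 4625 user=jdoe src=10.1.2.3",
    "2024-05-01T09:00:08 4625 user=jdoe src=10.1.2.3",
    "2024-05-01T09:00:10 4624 user=jdoe src=10.1.2.3",
    "2024-05-01T09:05:00 4625 user=asmith src=10.9.9.9",
    "2024-05-01T09:30:00 4624 user=asmith src=10.9.9.9",
    "2024-05-01T10:00:00 4625 user=bkim src=10.4.4.4",
    "2024-05-01T10:00:01 4625 user=bkim src=10.4.4.4",
    "2024-05-01T10:00:02 4625 user=bkim src=10.4.4.4",
    "2024-05-01T10:00:03 4625 user=bkim src=10.4.4.4",
    "2024-05-01T10:00:04 4625 user=bkim src=10.4.4.4",
    "2024-05-01T10:00:05 4625 user=bkim src=10.4.4.4",
]


def parse_event(line: str) -> dict:
    """Parse one sample line into {'ts': datetime, 'id': int, 'user': ..., 'src': ...}."""
    ts, eid, rest = line.split(" ", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {"ts": datetime.fromisoformat(ts), "id": int(eid), **fields}


def correlate_logons(lines, threshold: int = 5,
                     window: timedelta = timedelta(minutes=2)) -> list:
    """Correlate logon events per (source, user) inside a sliding time window.

    Emits 'repeated_failures' when the failures in the window reach `threshold`
    (a brute-force or spray in progress), and 'success_after_failures' when a
    success follows that many recent failures (the guess appears to have worked).
    """
    failures = defaultdict(list)   # (src, user) -> timestamps of recent 4625s
    alerts = []
    for ev in sorted(map(parse_event, lines), key=lambda e: e["ts"]):
        key = (ev["src"], ev["user"])
        # Drop failures that have aged out of the window relative to this event.
        failures[key] = [t for t in failures[key] if ev["ts"] - t <= window]
        if ev["id"] == 4625:
            failures[key].append(ev["ts"])
            if len(failures[key]) == threshold:
                alerts.append({"rule": "repeated_failures", "src": ev["src"],
                               "user": ev["user"], "count": threshold,
                               "at": ev["ts"].isoformat()})
        elif ev["id"] == 4624:
            if len(failures[key]) >= threshold:
                alerts.append({"rule": "success_after_failures", "src": ev["src"],
                               "user": ev["user"], "count": len(failures[key]),
                               "at": ev["ts"].isoformat()})
            failures[key] = []     # a success ends the failure run
    return alerts


if __name__ == "__main__":
    for alert in correlate_logons(SAMPLE_EVENTS):
        print(alert)
```

Run on the sample data, the rule fires three times: jdoe's fifth failure, the jdoe success nine seconds later (the alert an analyst wants first), and bkim's fifth failure; asmith's single failure followed by a success 25 minutes later falls outside the window and is ignored. Keying on (source, user) rather than user alone keeps one noisy host from masking an attack against the same account from elsewhere.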
​Executive Agency
​A department, board, commission, council, authority, officer, or agency subject to the policy, supervision, and control of the Governor.
​MD 210.12
​Expedited Investment Submissions
​Investment submissions that are in response to one of the following:

  • A security incident or highly probable threat associated with severe risk of hacking, virus or other malicious activity that could result in wide-spread outages, damage to mission critical assets, or compromises to systems and/or critical infrastructure. 
  • There could be a disruption of mission critical services impacting the health, safety, or welfare of citizens or Commonwealth employees.
  • Avoidance of significant financial losses.
  • Failures of critical infrastructure or equipment.
  • Unanticipated events that make it impossible for an agency to perform a statutory or critical function in a necessary timeframe.
  • Missed opportunity in which substantial benefits or opportunities will be lost if actions are not taken within a specific timeframe. 
  • An immediate or unexpected need where there is insufficient time to procure using more formal competitive procedures.

​ITP-BUS002
​Extract, Transform and Load (ETL)
​Refers to the methods involved in accessing and manipulating source data and loading it into a data warehouse.
​ITP-INF004


F

Return to top of page
​Term
​Definition
​Point of Reference
​Facilities Hardening
​A process intended to evaluate risks and reduce vulnerabilities related to the physical security of the building housing the infrastructure.
ITP-BUS002
​Fact
​A value or measurement, which represents a Fact about the managed entity or system. Facts, as reported by the reporting entity, are said to be at raw level; Examples include sales, cost, and profit.
​ITP-INF004
​Fact Table
​A table in a Star Schema that contains Facts. A Fact Table typically has two types of columns: Those that contain Facts (e.g., numbers), and those that are foreign keys to Dimension Tables. The primary key of a Fact Table is usually a composite key constructed with all its foreign keys.
​ITP-INF004
​Fault Tolerance
The ability of a server or system, designed with no single point of failure, to define recovery and fail-over policies so that service continues when one or more objects or groups of objects fail.
​ITP-PLT019
Federal Information Processing Standards (FIPS)
A federal IT standard established by the National Institute of Standards and Technology.
ITP-SEC000
​File Encryption
A technique that encrypts files on a file system without encrypting the file system itself or the entire disk.  A file encrypting application may include functionality to archive multiple files into a single file before or after encrypting, produce self-decrypting files, or automatically encrypt files or folders based on policies or locations.  File encryption is often used to protect files being sent through email or written to removable media.
​ITP-SEC031
​Forensic Analysis
The examination of evidence found in computers and digital storage media as part of a formal investigation, using systematic and sound methods with the aim of identifying, preserving, recovering, analyzing, and presenting facts and opinions about the digital information.
​ITP-SEC024
​Forensic Response Servlet
​A capability for performing forensic captures on desktops, servers, laptops, and tablet devices which enables OA/OIT forensic team to investigate security incidents.
​ITP-INF001
​Freeware
​Software that is unsupported, available free of charge and can be used for an unlimited period of time in a manner consistent with its end-user agreement.
​ITP-SFT001
Full Disk Encryption
A technique that encrypts an entire disk or volume, including the file system itself, operating system files, file system metadata, and free space, rather than individual files. Data is decrypted transparently once the volume is unlocked (typically by pre-boot authentication or a hardware-protected key), so it protects data at rest on a lost or stolen device but not data in use on an unlocked, running system. Contrast with File Encryption, which protects individual files and is better suited to files sent through email or written to removable media.
​ITP-SEC031
​Functional Testing
Validating that an application correctly performs the functions identified in requirements documents. This includes testing for normal and erroneous input. Functional testing can be performed manually or automated.
ITP-SFT000

G

Return to top of page
​Term
​Definition
​Point of Reference
​Gateway
​Network hardware that enables data and resources to be shared easily and securely over the internet.
​ITP-SEC010
General Maintenance (Enterprise Services)
Maintenance performed by a service provider. This type of maintenance is performed on the service offering, affects multiple customers, and is vital to the integrity of the services provided.
ITP-SYM010
​Generative Artificial Intelligence (Generative AI)
​Predictive algorithms that can be used to create new content including audio, code, images, text, simulations, and videos.  
​ITP-BUS014
​Globally Unique Identifier (GUID)
​An alpha-numeric code that uniquely identifies a person. Two John Smiths could, for instance, both have the same user ID, but they would have different GUIDs. User access to IT resources should be based on the GUID rather than the user ID as it uniquely identifies the person. Note: Active Directory assigns a GUID to each account, this is not necessarily the same as assigning a GUID to a person.  
​ITP-SEC007
Guest Wireless (COPA-Guest SSID)
The Office of Administration’s (OA) Controller for providing wireless access to the Internet, which shall be used only by non-Commonwealth employees on a case-by-case basis.
​ITP-NET001
Guideline
A recommended best practice or course of action, usually with some latitude in its use and implementation.
ITP-BUS004

​H

Return to top of page
Term
Definition
​Point of Reference
​Hardware
​Any computerized machine or related device used on behalf of the Commonwealth. Examples of these devices include desktops/laptops, servers, network devices, telecommunication devices.
​ITP-BUS002
High-level Data Model (HDM)
Used to communicate core data concepts, rules, and definitions to a business user as part of an application development initiative.
S. Hoberman, Data Modeling for the Business
Host
A computer connected to the internet.
​ITP-SEC010
Host Intrusion Prevention System (HIPS)
​A capability to detect and prevent unauthorized application and/or network behavior on desktops, servers, laptops, and tablet devices and distribute updated enterprise policies.
​ITP-SEC001

​I

Return to top of page
​Term
Definition
​Point of Reference
Identity and Access Management (IAM)
Processes and tools used to manage user IT accounts throughout the account lifecycle. These include the creation (provisioning) of the account, management of attributes and privileges during the account's active lifetime, password management, and finally the removal (de-provisioning) of the account when that lifetime is over.
ITP-SEC038
Identity Proofing
The process of verifying the real-life identity being claimed by a person.
ITP-SEC039
Identity Verification
A service used to ensure that users provide information that is associated with the identity of a real person. It can involve the verification of identity information (fields) against independent and authoritative sources, such as credit bureau or commonwealth data.
ITP-SEC039
IEEE
The Institute of Electrical and Electronics Engineers, a non-profit, technical professional association and leading authority in technical areas ranging from computer engineering, biomedical technology, and telecommunications to electric power, aerospace, and consumer electronics, among others.
ITP-NET001
Illegal Use
Use which violates local, state, or federal law as well as CoPA or agency IT policy.
MD 245.18
Imaged Document
A copy of an original hardcopy (paper) record that has been electronically imaged to an electronic storage system. An imaged document contains all the recorded information that appears on the original document and is able to serve the purpose(s) for which the original was created or retained.
MD 210.12
IRS Rev. Procedure 97-22
Immediate Maintenance (Enterprise Services)
Maintenance necessary when a problem exists on any Enterprise infrastructure component or Enterprise Service that has the potential to cause major disruptions to one or more agencies.
ITP-SYM010
​Inactive Account
An Inactive Account shall be any account that has not been used in 18 months, or one which lacks any role or related attribute that would be used to authorize its use to access an Information Technology System, or any account whose AD userAccountControl attribute has the ACCOUNTDISABLE (0x0002) bit set.
​ITP-SEC007
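The Disable and Inactive Account entries both turn on the userAccountControl attribute and the account's recent use. As an added example (written for this glossary, not from ITP-SEC007 or any Commonwealth tool), the following Python decodes the relevant userAccountControl flags, shows what disabling an account does to the value, and applies the three Inactive Account tests to constructed sample account records. The flag values are the documented Active Directory bit values; the account records, the role attribute, and the 548-day approximation of 18 months are assumptions for the example.

```python
from datetime import datetime, timedelta, timezone

# Added example, not from ITP-SEC007 or any Commonwealth tooling. The bit
# values below are the documented Active Directory userAccountControl flags;
# the account records are constructed sample data, and "18 months" is
# approximated as 548 days.
ACCOUNTDISABLE       = 0x0002
LOCKOUT              = 0x0010
PASSWD_NOTREQD       = 0x0020
NORMAL_ACCOUNT       = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000

UAC_FLAGS = {
    "ACCOUNTDISABLE": ACCOUNTDISABLE, "LOCKOUT": LOCKOUT,
    "PASSWD_NOTREQD": PASSWD_NOTREQD, "NORMAL_ACCOUNT": NORMAL_ACCOUNT,
    "DONT_EXPIRE_PASSWORD": DONT_EXPIRE_PASSWORD,
}


def decode_uac(uac: int) -> set:
    """Return the names of the known flags set in a userAccountControl value."""
    return {name for name, bit in UAC_FLAGS.items() if uac & bit}


def disable(uac: int) -> int:
    """Set the ACCOUNTDISABLE bit; a normal user goes from 512 (0x200) to 514 (0x202)."""
    return uac | ACCOUNTDISABLE


def is_disabled(uac: int) -> bool:
    return bool(uac & ACCOUNTDISABLE)


INACTIVE_AFTER = timedelta(days=548)   # ~18 months


def inactive_reasons(acct: dict, now: datetime) -> list:
    """Reasons an account meets the Inactive Account definition (empty list = active)."""
    reasons = []
    if is_disabled(acct["userAccountControl"]):
        reasons.append("disabled")
    if not acct.get("roles"):                       # no role/attribute that authorizes use
        reasons.append("no_roles")
    last = acct.get("lastLogonTimestamp")
    # AD replicates lastLogonTimestamp lazily (only when it is more than roughly
    # 14 days stale by default), so it is approximate; fine for an 18-month test.
    if last is None or now - last > INACTIVE_AFTER:
        reasons.append("unused_18_months")
    return reasons


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [   # constructed sample data
    {"sam": "alice", "userAccountControl": 512,   "roles": ["HR-Analyst"], "lastLogonTimestamp": NOW - timedelta(days=10)},
    {"sam": "bob",   "userAccountControl": 514,   "roles": ["Finance"],    "lastLogonTimestamp": NOW - timedelta(days=5)},
    {"sam": "carol", "userAccountControl": 512,   "roles": [],             "lastLogonTimestamp": NOW - timedelta(days=30)},
    {"sam": "dave",  "userAccountControl": 512,   "roles": ["IT-Ops"],     "lastLogonTimestamp": NOW - timedelta(days=600)},
    {"sam": "eve",   "userAccountControl": 66050, "roles": [],             "lastLogonTimestamp": None},
]


def review(accounts=SAMPLE_ACCOUNTS, now=NOW) -> dict:
    """Map each sAMAccountName to its list of inactivity reasons."""
    return {a["sam"]: inactive_reasons(a, now) for a in accounts}


if __name__ == "__main__":
    for sam, reasons in review().items():
        print(f"{sam:6} {'INACTIVE' if reasons else 'active':8} {reasons}")
```

Note that 512 (0x200) decodes to NORMAL_ACCOUNT alone and is not a disabled account; the value 514 (0x202) is. Account eve (66050 = 0x10202) shows a disabled normal account that also has DONT_EXPIRE_PASSWORD set, a combination worth flagging separately in a review because its password will never age out if the account is ever re-enabled.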
Inappropriate Use
A violation of the goals, purpose, and intended use of the network.
​MD 245.18
​Incident
​Unplanned interruption to an IT service or reduction in the quality of an IT service.
​ITP-SYM010
Incident (Security)
A violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices. Examples of an incident are denial of service, malicious code, unauthorized access, and inappropriate usage.
ITP-SEC021
Incident Response (Security)
The manual and automated procedures used to respond to reported incidents (real or suspected), system failures and errors, and other undesirable events.
ITP-SEC021
Incident Response Process Document (Security)
​A set of processes that outlines what to do in a Cyber Security Incident or potentially suspected Cyber Security Incident.
​ITP-SEC024
​Independent Third Party
​An entity that is not currently implementing or managing the system(s) in scope.
​ITP-SEC023
​Indicators of Compromise (IOCs)
​Evidence or an artifact observed on a system or network that indicates a potential intrusion.
​ITP-SEC024
​Information
​(MD Version): Data, text, images, sounds, codes, computer programs, software, data bases, or the like.

(ITP Version): Any communication or representation of knowledge such as facts, data, or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual forms.
​MD 210.12


ITP-INF000
​Information Asset
​Information relevant to the enterprise’s business functions, including captured and tacit knowledge of employees, customers or business partners; data and Information stored in highly-structured databases; data and Information stored in textual form and in less-structured databases such as messages, e-mail, workflow content and spreadsheets; Information stored in digital and paper documents; purchased content; and public content from the internet or other sources.
​ITP-INF000
​Information Life Cycle
The stages through which Information passes, typically characterized as creation or collection, processing, dissemination, use, storage, and disposition.
ITP-INF000
Information Resources
Information and related resources, such as personnel, equipment, funds, and information technology.
44 U.S.C. Section 3502
Information Security
Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality, and availability.
44 U.S.C. Section 3542
​Information Silo
An information management system that is unable to freely communicate with other information management systems. Communication within an Information Silo is always vertical, making it difficult or impossible for the system to work with unrelated systems. Information Silos occur when different individuals or groups generate or record new data but do not integrate or aggregate that information for other parts of the business to view or use in a strategic way. They also result from tool sprawl and poor integration of business applications and processes.
​ITP-INF012
Information System
A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
NIST 800-39
ITP-BUS008
Information Technology
The resources applied in an enterprise for the purpose of storing, retrieving, transmitting, and manipulating data through use of software and hardware infrastructure.
ITP-BUS000
Information Technology Policy (IT Policy, ITP)
A document published by OA/OIT that defines the expectations, requirements, standards, technical specifications, procedures, and guidelines for agencies that use and manage IT resources and services. IT policies are categorized into defined general areas (domains). The policy domains and their abbreviations are: Accessibility (ACC), Application (APP), Business (BUS), Information (INF, INFG, INFRM), Integration (INT), IT Procurement (PRO), Network (NET), Platform (PLT), Privacy (PRV), Project Management (EPM), Security (SEC), Services (SER), Software (SFT), Systems Management (SYM).
ITP-BUS000
ITP-BUS004
​Information Technology Systems or Systems
Information Technology Systems or Systems ​include computer applications, servers, laptops, databases, routers, switches, wireless devices, mobile devices and other computer related hardware and software.
​ITP-SEC007
Information Type
A specific category of information (e.g., privacy, medical, proprietary, financial, investigative, contractor sensitive, security management) defined by an organization, specific law, executive order, directive, policy, or regulation.
Federal Information Processing Standards (FIPS) 199
​Infrastructure
​Refers to the enterprise's entire collection of hardware, software, networks, data centers, facilities and related equipment used to develop, test, operate, monitor, manage and/or support information technology services.
​ITP-BUS001
​Infrastructure as a Service (IaaS)
A Cloud Computing Service through which agencies provision processing, storage, networks, and other computing resources where the agency can deploy and run software, which can include operating systems and applications. The agency does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components.
​ITP-SEC040
ITP-SFT000
​Integrated Development Environments (IDE)
Provides frameworks used in modern programming languages and components with similar user interfaces, minimizing the amount of mode switching compared to discrete collections of disparate development programs. IDEs offer robust capabilities to create service-oriented architecture (SOA) components and applications. IDEs increase productivity by providing customizable interfaces, integrated debugging, testing and deployment tools, and integration with existing technology through SOA.
​ITP-SFT009
Integration Testing
The phase of software testing in which individual software modules are combined and tested as a group. It follows unit testing and precedes system testing.
ITP-SFT000
Integrity
Guarding against improper information modification or destruction, including ensuring information non-repudiation and authenticity. A loss of integrity is the unauthorized modification or destruction of information.
44 U.S.C. Section 3542
Federal Information Processing Standards (FIPS) 199
​Intelligence
Using large sets or collections of data to generate information that delivers context-based insights.
​ITP-INF012
​Internet Facing Web Application
An application that uses the Internet to provide citizens, Commonwealth employees, and business partners with access to agency-specific data or services and that resides on a Commonwealth web server. This includes content generated from a data visualization or business analytics platform. 
​ITP-SEC005
​Internet Security Protocol (IPsec)
​Consists of a set of open standards to provide security equivalence to a private network in the shared public infrastructure (internet). IPsec provides security at the network layer and encrypts data within application communications.
​ITP-SEC010
Invitation For Bids (IFB)
Competitive sealed bidding for an IT product or Service. Refer to Part I, Chapter 02, “Definitions” and Section A of Part I Chapter 06 “Method of Awarding Contracts” of the Procurement Handbook.
ITP-BUS002
Invitation To Qualify (ITQ)
A multiple award contract used to procure IT services from contractors pre-qualified in various IT service categories. Refer to Part I, Chapter 02, “Definitions” and Section A of Part I Chapter 06, “Method of Awarding Contracts” of the Procurement Handbook.
ITP-BUS002
​ISO​Information Security Office/Officer
​MD 240.12
​IT Governance 
​The processes that ensure the effective and efficient use of IT in enabling an organization to achieve its goals. It requires specification of the decision rights and accountability framework to encourage desirable behavior in the use of information technology.
​ITP-SEC040
​IT Investment
​The purchase or procurement of any IT services that meet the criteria specified in ITP-BUS002.
​ITP-BUS001
IT Operations
Commonwealth-sponsored ongoing routine IT activities or business processes which include, but are not limited to, reportable activities which support existing IT products or services throughout their defined service lifecycle, and do not meet the planning and classification criteria for an IT Project.
​ITP-SEC040
IT Policy Business Owner
OA/OIT personnel or program area responsible for ensuring assigned IT policy aligns with the enterprise's current IT environment.
ITP-BUS000
IT Policy Coordinator
OA/OIT personnel responsible for the management of the IT policy life cycle and facilitating the IT policy governance process.
ITP-BUS000
IT Policy Domain Owner
OA/OIT personnel responsible for the management of a specific domain of IT policies.
ITP-BUS000
IT Policy Waiver
A temporary exemption granted to commonwealth agencies for non-compliance with a specific OA/OIT IT Policy.
ITP-BUS004
​IT Project
​A Commonwealth-sponsored IT Project is an undertaking that is not a routine operation or business process, but a specific set of tasks that are planned, organized, tracked, and executed by multiple resources, and has a defined start and end date.  IT Projects are classified in one of three Investment Classes: Run, Grow or Transform.
​ITP-BUS001
IT Resources
(MD version): Include, but are not limited to, the following: the commonwealth’s computer systems, together with any electronic resource used for communications, which includes, but is not limited to laptops, individual desktop computers, wired or wireless telephones, cellular phones, pagers, beepers, personal data assistants and handheld devices, and, further, includes use of the internet, electronic mail (email), instant messaging, texting, voice mail, facsimile, copiers, printers or other electronic messaging through commonwealth facilities, equipment or networks (collectively "IT Resources").

(ITP version): Include, but are not limited to, the staff, software,  hardware, systems, services, tools, plans, data, and related training materials and documentation that, in combination, support business activities. Examples of IT Resources include, but are not limited to, Commonwealth resources such as Commonwealth technology standardized services (e.g., ITSM, ERP, IAM), endpoints (e.g., desktop computers, mobile devices), email, telephones, network and security components (e.g., switches, routers), and servers.
​MD 205.34
MD 205.42
MD 240.11


​J

​Term
​Definition
​Point of Reference
Jailbreaking/Rooting
The process used to modify the operating system on a mobile device. The act of “jailbreaking” or “rooting” a mobile device allows the user control over the device including removing any vendor imposed restrictions on the products.
ITP-SEC035
Java Database Connectivity (JDBC)
A set of programming Application Programming Interfaces (APIs) that allow easy connection to a wide range of databases through Java programs.
ITP-INF001

​K

​Term
​Definition
​Point of Reference
​Key Performance Indicators (KPIs)
The set of quantifiable measurements used to gauge an organization’s overall long-term performance. KPIs and Metrics specifically help determine an organization's strategic, financial, and operational achievements, especially compared to those of other organizations within the same sector.
​ITP-INF012
​Keystone Key
The online account established for a person and stored in the enterprise citizen directory SRPROD.
ITP-SEC039
​Keystone Login
​An account management system for the Commonwealth of Pennsylvania online services.
​ITP-SEC039
Knowledge Based Authentication (KBA)
An identity verification method where the person is asked a selection of questions gathered from information on that person from a variety of public and commercial data systems with the assumption that the real person would know the correct answers whereas an imposter would not.
ITP-SEC039

L

Term
​Definition
​Point of Reference
​Least Privilege
​Least Privilege refers to the security objective of granting users only those accesses they need to perform their official duties.  Data entry clerks, for example, would not normally have any need for administrative level access to the database they use. 
​ITP-SEC038
​Legacy
​Any application or platform that is based on older technology that continues to provide core services to an organization.
​ITP-BUS001
​Legacy Digital Content and Services
​Digital Content and Services designed and implemented prior to January 26, 2021.
​ITP-ACC001

Level of Assurance (LOA)
The measurement of the degree or level of confidence that the person is who they are claiming to be. The Commonwealth recognizes two levels of assurance:
LOA1 - little or no confidence in the user's identity beyond what the user claims.
LOA2 - information provided by the user has been verified by a third party.
ITP-SEC039


​License Pool
​Groups the total number of licenses purchased by product type, which can be segregated by agency, bureau, funding stream, or other required method. As licenses are assigned or unassigned to users, the pool will be updated to reflect the remaining balance of available licenses. 
​ITP-BUSFM013
​Load balancing
The ability to distribute incoming requests across the different servers within the set-up, depending on the load and availability of each server.
​ITP-PLT019
Load Testing
Covers both performance testing and stress testing.
ITP-SFT000
​Lobby Ambassador
​Individual capable of creating Guest Wireless accounts.
​ITP-NET001
Local Area Network (LAN)
A network that connects computers, printers and perhaps other devices within a department, building or house.
ITP-NET001
Log (Security)
A file that lists actions that have occurred.
ITP-SEC021
Logon Banner
A display that provides a definitive warning about access, authorization, and monitoring activity requirements and allows a user to acknowledge this display prior to logging into an IT Resource.
ITP-SEC012

​M

​Term
​Definition
​Point of Reference
Machine Learning (ML)
A technique involving the use of a computer to train and improve an algorithm or model with minimal human participation in order to generate useful predictions and conclusions.
ITP-BUS012
​Maintenance Window
The period in which changes can be implemented. Weekly maintenance windows are pre-defined by the Change Manager. Maintenance outside of these pre-defined windows will require approval.
​ITP-SYM010
​Major Change Request
​An alteration to an existing IT Project that meets the designated criteria as outlined in the policy.
​ITP-BUS001
​Managed Device
​A device that is configured and monitored via graphical user interface, command line interface, simple network management protocol, syslog, and/or similar methods with a periodic review of the logs and device status by the organization maintaining it.
​ITP-NET018
​Managed File Transfer (MFT)
Manages the secure transfer of data from one computer to another through a network and offers a higher level of security and control than FTP. MFT is characterized by having all or most of the following features:
    • Support multiple file transfer protocols including FTP/S, SFTP, and HTTP/S.
    • Securely transfer files over public and private networks using encrypted file transfer protocols. 
    • Securely store files using multiple data encryption methods.
    • Automate file transfer processes between third-party vendors, licensors, contractors, or suppliers and exchanges including detection and handling of failed file transfers.
    • Authenticate users against existing user repositories internal and external (Lightweight Directory Access Protocol (LDAP) and Active Directory (AD)). 
    • Integrate to existing applications using documented Application Programming Interfaces (APIs). 
    • Generate detailed reports on user and file transfer activity. 
​ITP-SFT005
​Master Data Management Plan
​An agency-specific document developed by the agency’s data/information governance body that documents the governance operating model, data processes (collection, reporting, release), data roadmaps, data acquisition/integration methodologies, and other relevant procedures.
​ITP-INF000
Material Decision
A decision that has a significant legal, financial, human resource, legislative, organizational, or regulatory impact. This includes but is not limited to, program eligibility, benefits determinations, and decisions impacting the health, safety, and welfare of Commonwealth citizens and/or employees.
ITP-BUS010
​Metadata
​Information that describes various facets of an Information Asset to improve its usability throughout its life cycle.
​ITP-INF000
​Metrics
​Measures of quantitative assessment commonly used for assessing, comparing, and tracking performance or production.
​ITP-INF012
​Metropolitan Area Network (MAN)
​The network that interconnects agencies or entities with computer resources within the Commonwealth of Pennsylvania.
​ITP-NET018
​Mosaic Effect
​An event in which Datasets that pose no disclosure threat by themselves can create a security risk or produce Personally Identifiable Information (PII) when combined with other Datasets.
​ITP-INF000
​Maximum Session Lifetime
​The maximum time a system, device, or application may be accessed by a user, regardless of the user's activity, before the user must re-authenticate to the system, device, or application.
​ITP-SEC007
Mbps
Millions of bits per second, or Megabits per Second, is the measurement of bandwidth on a telecommunication medium. Bandwidth is also sometimes measured in Kbps (kilobits per second), or Gbps (billions of bits per second).
ITP-NET001
Migration
Moving from one operating environment to another, which may involve moving to new hardware, new software, or both. For example: migration of data from one kind of database to another, moving from one database to another, or switching platforms (from one operating system to another operating system).
ITP-BUS001
​Mission Critical Application
​Any application which, if interrupted for a predetermined period of time, would cause hardship to a segment of the people of the Commonwealth, adversely affect public health and safety, seriously inhibit the primary function of an agency and/or state government operations, or cause any legal liability on behalf of the Commonwealth.
​ITP-PLT019
​Mobile Application
​A computer program designed to run on mobile devices and as an add-on to existing applications.
​ITP-SEC035
Mobile Application Management (MAM)
The process of developing, procuring, deploying and managing the configuration, distribution and access of in-house and commercially developed mobile apps through an enterprise app virtual marketplace or a consumer app store.
ITP-SEC035
Mobile Communication Device (Mobile Devices)
Any mobile phone, smartphone, or tablet that transmits, stores, and receives data, text, and/or voice over a connection to a wireless local area network (LAN) or cellular network and that is authorized to leverage Commonwealth IT Resources and networks. These devices do not or cannot utilize the enterprise authentication services or desktop management tools, and require provisioning through a mobile device management solution for access to Commonwealth IT Resources.
​ITP-SEC035
Mobile Device
(MD version) A device that is easily removable, stores data, and can be connected to the Commonwealth network, workstation or other computing device via cable, Universal Serial Bus (USB), Firewire (IEEE 1394), I-LINK, infrared, radio frequency, personal computer memory card international association (PCMCIA), or any other external connection that would allow data to be transferred and removed.
(ITP version) Mobile devices include, but are not limited to, smart phones, laptops, tablets, zip drives, floppy diskettes, recordable and re-writeable compact disks (CD), recordable and re-writeable digital video disks (DVD), USB flash digital media devices (thumb drives), memory sticks/cards, PC card storage devices of all types and external hard drives.
​MD 240.12
ITP-PLT011
Mobile Device Management (MDM)
Software technologies that secure, monitor, manage and support mobile devices deployed across the enterprise. By controlling and protecting the data and configuration settings for all mobile devices in the network, MDM can reduce support costs as well as security and business risks. The intent of MDM is to optimize the functionality and security of a mobile communications network while minimizing cost and downtime.
ITP-SEC035
​Mobile Device Service Plan
​Any service agreement established with a cellular service provider to grant mobile device access to cellular networks for the transmission of voice and data traffic.
​ITP-NET016
Mobile Email Management (MEM)
Mobile Email Management (MEM) controls which mobile devices can access email, prevents data loss, encrypts sensitive data and enforces compliance policies.
ITP-SEC035
​Modernization
The transition or transformation of existing IT assets to enhance performance, functionality, reliability, scalability, security, and/or quality of service, to revitalize applications, or to extend the useful life of computing platforms and infrastructure used to support business operations.
​ITP-BUS001
​Modified off-the-Shelf (MOTS) 
​A commercial-off-the-shelf (COTS) product whose source code can be modified. The product may be customized by the purchaser, vendor, or another party to meet business requirements. MOTS is a software delivery concept that enables source code or programmatic customization of a standard prepackaged, market-available software.
​ITP-SFT000
Multi-Factor Authentication
A security system that verifies a user's identity by requiring the user to provide multiple types of credentials, which can include simple authentication credentials, one-time passcodes, automated phone calls and/or biometrics.
ITP-SEC039
​Multi-Function Device (MFD)
A device that consolidates the functionality of a printer, copier, scanner, and/or fax into one machine.
​ITP-PLT002
Multi-Homed/Split Tunneling
Simultaneously using two different networks or connections, such as USB, wireless, cellular, Bluetooth, or near-field communications (NFC).
ITP-SEC035

​N

Term
​Definition
​Point of Reference
​NASCIO
​National Association of State Chief Information Officers
National Institute of Standards and Technology (NIST)
A division of the federal Department of Commerce tasked with research, including the establishment of federal IT standards.
ITP-SEC000
National Strategy for Trusted Identity in Cyberspace (NSTIC)
A federal initiative for secure, privacy enhancing identities in cyberspace.
N/A
​Network Device
A hardware component of the network infrastructure, such as routers, switches, and wireless access points.
​ITP-SEC041
​Network Management Teams
​Internal or external agencies or Commonwealth-contracted vendors tasked with management of Commonwealth IT networks. 
ITP-SYM008
​Network Timing Protocol (NTP)
​A networking protocol designed to synchronize the clocks of computers over a network. Typical NTP configurations utilize multiple redundant servers and diverse network paths to achieve high accuracy and reliability.
​ITP-NET017
​New and Updated Digital Content and Services
​Digital Content and Services designed and implemented after January 26, 2021.
​ITP-ACC001
​New Software
​Applies to the acquisition of Software when one or more of the following conditions exist, regardless of dollar threshold:

• The product does not currently exist on a contract.
• There is no existing license agreement that has been approved by appropriate legal entities.
​ITP-BUS002

​Non-Degradation of Service Availability (SLA-defined)
A service level metric that measures the percentage of time the application is non-degraded during the applicable Measurement Window. This measurement is by application, not by server instance. Degradation shall mean a Service that tests as fully operational but is degraded below the baselines established during acceptance testing. This includes, but is not limited to, slow performance and/or intermittent system errors. Calculation: N = (T - M - D) / (T - M) x 100%, where N = Non-Degradation, T = Total Monthly Minutes, M = Approved Maintenance Time, and D = Time Service is Degraded.
N/A
​Non-Enterprise Directories
All other Commonwealth user directory stores that are not Enterprise Directories.
ITP-SEC007
​Normal Change
​Supports maintenance performed by a service provider. This type of maintenance is performed on the service offering that affects multiple customers and is vital to the integrity of the services provided.
​ITP-SYM010
​NoSQL
​A non-relational database architecture (sometimes referred to as “non-SQL” or “not only SQL”). NoSQL databases do not follow the strict table/row structure of Relational Databases. The non-relational nature of these databases allows them to be more flexible and scalable than traditional Relational Databases. NoSQL databases are increasingly used in big data and real-time web applications. The data structures used by NoSQL databases (e.g. key–value pair, wide column, graph, or document) are different from those used by default in Relational Databases, making some operations faster in NoSQL.
​ITP-INF001
Notice of Forthcoming Procurement (NFP)
Public notice posted to the eMarketplace website notifying vendors of an upcoming procurement. This is required for all procurements in the amount of $250,000.00 or greater.
ITP-BUS002

​O

​Term
​Definition
​Point of Reference
​Oersted
Unit of the magnetic field H in the centimeter–gram–second system of units (CGS).
​ITP-SEC015
​Office Class Print Device
​An advanced printer with specifications suitable to the office environment including network card availability, print speed and volume, memory, with features such as integrated card readers, multi-purpose trays, and two-sided printing.
​ITP-PLT002
Office of Administration, Office for Information Technology (OA/IT)
Consists of the offices managed by the Commonwealth Chief Information Officer (CIO), Chief Technology Officer (CTO), Chief Information Security Officer (CISO), Director of Office of Strategy and Management, and Director of Enterprise Services and their respective program areas.
​ITP-BUS000
​Office Productivity Software
​Application software dedicated to producing information, such as documents, presentations, worksheets, databases, charts, graphs, and digital video.
​ITP-SFT007
​Online Analytical Processing (OLAP)
​A type of software used to perform rapid multidimensional analysis on large volumes of data from a data warehouse or some other centralized data store. This is accomplished by extracting data from multiple relational data sets and reorganizing it into a multidimensional format that enables fast processing.
​ITP-INF004
Open Data
Data that can be freely used, re-used, and distributed by any entity, subject only to the requirement to attribute.
​ITP-INF013
​Open Data Protocol (OData)
​An open protocol that allows the creation and consumption of queryable and interoperable REST APIs in a simple and standard way.
​ITP-INT003
​Offshore
​Any country or territory outside the continental United States or Hawaii.
​ITP-SEC000
Open Database Connectivity (ODBC)
Vendor-neutral interface, based on the SQL Access Group (SAG) specifications, that permits maximum interoperability among diverse Database Management Systems. The ODBC interface defines: function calls that allow an application to connect to a DBMS, execute SQL statements, and retrieve results; a standard way to connect and log on to a DBMS; and a standardized representation for data types. Database drivers link the application to their choice of DBMS.
ITP-INF001
​Open Source Software (OSS)
​Software for which the source code has been made available (according to license terms) for review, modification, deployment, and redistribution.
​ITP-SFT001
​Outsourced Services
​​Activities, functions, and/or solutions delivered through third party entities (e.g., hosted services over the internet or some other mechanism, contracting, or other outsourced service delivery model).
​ITP-BUS001
​Overfitting
A prediction-based outcome that has low bias and high variance.
​ITP-BUS012

​P

​Term
​Definition
​Point of Reference
​PDAA Assessment
​A tool that the Commonwealth provides to suppliers to demonstrate the extent to which the supplier’s organization has implemented accessibility best practices into their operations to support the accessibility of their Digital Content and Services.
​ITP-ACC001
​Portable Document Format (PDF)/Universal Accessibility (UA)
​PDF/UA is a technical specification intended for developers implementing PDF writing and processing software. PDF/UA provides definitive terms and requirements for accessibility in PDF documents and applications. For those equipped with appropriate software, conformance with PDF/UA ensures accessibility for people with a Disability who use assistive technologies to navigate and read electronic content. PDF/UA is included within the Section 508 Standards (Revised).
​ITP-ACC001
​Penetration Testing/Ethical Hacking
​A review of information technology controls where an authorized analyst will actively attack a host or application using similar methods as threat actors to verify if a vulnerability is present. Penetration Testing can go beyond vulnerability validation in order to determine what a threat actor could do with access to a specific application, host or service, potentially gaining access to more assets and data deeper into a network.
​ITP-SEC023
​Pennsylvania Computer Security Incident Response Team (PA-CSIRT)
​A group of Commonwealth subject matter experts that handle computer security incidents.
​ITP-SEC024
​Pennsylvania Information Sharing and Analysis Center (PA-ISAC)
​A centralized Commonwealth resource for gathering information on Cyber Security Incidents.
​ITP-SEC024
Performance Testing
Identifies bottlenecks during high volume simulation.
​ITP-SFT000
​Peripheral Device
​An auxiliary device that connects to and works with a computer and is typically used to input information into it or get information out of it.
​ITP-SEC041
​Personal Identification Number (PIN)
​A secret number that an individual memorizes and uses to authenticate his or her identity.  PINs are generally only decimal digits.
​ITP-SEC006
Personally Identifiable Information (PII)
Any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.
ITP-INF000
ITP-SEC025
NIST SP 800-122
​Pilot 
​A project that consists of a scaled down, but fully functional environment with the exact same capabilities that would be enabled if the environment were to be promoted to production.
​ITP-SEC040
​Platform-as-a-Service (PaaS)
A Cloud Computing Service through which agencies provision, instantiate, run, and manage agency-created or acquired applications.  The agency does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment.
​ITP-SEC040
ITP-SFT000
​Policy Driven Adoption for Accessibility (PDAA)
​PDAA is the integration of digital content and services accessibility governance into Commonwealth policies. The PDAA methodology was created by a work group of the National Association of State Chief Information Officers (NASCIO).
​ITP-ACC001
​Printed Media 
The physical copy made of a digital item either mechanically or electronically.
​ITP-SEC019
​Private Generative AI
​ Generative AI tools that are specific to an entity or organization and their data. Private Generative AI tools can be developed in-house by an entity or organization for their own use or obtained from a third-party vendor. These systems are configured in a way that ensures an organization’s data is segmented from other Training Data and accessible to only the entity or organization that owns it.  
​ITP-BUS014
Privately Owned
A non-Commonwealth-owned device used by an Authorized User, for which the Commonwealth has no responsibility for the procurement or maintenance of the asset; it is solely the responsibility of the Authorized User.
​ITP-PLT012
Privileged Account
(MD version) An account that has virtually unlimited access to all programs, files, and resources on a computer system. Users shall not be given access to privileged accounts without the specific approval of the agency chief security officer. Privileged accounts must be used only for the purposes for which they were authorized and only for conducting CoPA business.
MD 245.18
Privileged (Local Administrator) Accounts
​Local Administrator Accounts referenced in this section are defined as accounts having privileges beyond standard user-level access privileges, for accessing servers, workstations (PCs, laptops, etc.), printers, routers, network switches, firewalls, wireless access points, databases, applications, and other Information Technology Systems. Local Administrator accounts are typically generated, maintained, monitored and managed on an individual machine-level, system-level, application-level or database-level basis.
​ITP-SEC007
Privileged Identity Management Solution
Software or tool that provides IT administrators a method of managing privileged user accounts and access rights to IT resources.
ITP-SEC038
Privileged User
Authorized Users who have elevated access, with the ability to create, modify, and delete electronic resources, data, and/or system configurations.
​ITP-SEC038
Procedure
Operational document that outlines a predefined step-by-step sequence of instructions, activities, or course of action that must be followed in order to correctly accomplish a particular task.
ITP-BUS004
​Process Analyst
​Process Analysts define processes and how tools for automation will support that process. This involves documenting existing processes, determining the root cause of process deficiencies, identifying opportunities to improve processes, and evaluating changes to processes and their effectiveness. 
​ITP-BUS010
​Process Manager
The individual responsible for overseeing the execution of the process. Process Managers monitor the daily operations to ensure the process is executed properly and operating efficiently. They are also responsible for handling issues or exceptions that arise during the execution of the process.
ITP-BUS010
​Process Owner
​The person with the authority to determine how a process should operate and the responsibility to ensure that the process meets ongoing operational needs.
​ITP-BUS010
​Process Practitioners
​The individual(s) who execute one or more of the activities of a process.
​ITP-BUS010
​Production
​An environment with a live web application/service that is externally facing and accessible to the public with live data and full functionality.
​ITP-SEC005
​Project Level
IT Project categorization based on complexity, visibility, duration, and cost. A Project Level score determines the Level of a Project, with a higher-level project representing a more rigorous project management process.
Level One: 75-100 score
Level Two: 50-74 score
Level Three: < 50 score
​ITP-BUS001
​Project Request Process (PRP)
The investment review process for agency requests of IT Project approvals.
​ITP-BUS001
​Project Revision Request (PRR)
​A formal request to be submitted to support new programs or major changes in existing programs.
​ITP-BUS001
​Project Scaling Process
The process used to assist in evaluating a project and determining its Project Level, which in turn determines the status reporting required.
​ITP-BUS001
Promiscuous Mode
A mode for a network interface controller (a server that manages authentication requests) that causes the controller to pass all traffic it receives to the device rather than passing only the frames that the controller is intended to receive. This mode is normally used for packet sniffing.
​ITP-SEC035
​Proof of Concept 
​A project that is evaluated exclusively on pass or fail success criteria. Failed success criteria can still be considered a successful proof of concept as the results gave definitive proof that the concept was not viable.
​ITP-SEC040
​Public Computer
Various computers available in public areas (e.g., libraries, schools, coffee shops) that many different individual users can access throughout the course of a day.
​ITP-PLT012
​Public Generative AI
​Generative AI tools that are openly available to multiple entities, organizations, or the general public and utilize widely sourced data from the internet as well as data from users or customers to train the Generative AI model. Public Generative AI tools do not guarantee the privacy of data input by users, entities, or organizations.  Additionally, Training Data and models are not owned by a public organization unless otherwise noted. 
​ITP-BUS014
​Public Switched Telephone Network (PSTN)
​Aggregate of the world's circuit-switched telephone networks that are operated by national, regional, or local telephony operators, providing infrastructure and services for public telecommunication.
​ITP-NET003
Public Records
Public records (also known as Open Records) are records from an agency that are: not exempt under Section 708 of the Right to Know Law; not exempt from being disclosed under any other Federal or State law or regulation, or judicial order or decree; and not protected by privilege.
ITP-SEC019

​R

Return to top of page
​Term
​Definition
​Point of Reference
​Re-hosting
​The transitioning of applications and infrastructure with no major changes (configuration only) from the current hosting environment to a different hosting environment. 
​ITP-BUS001
Record
Information, regardless of physical form or characteristics, that documents a transaction or activity of an agency and that is created, received or retained pursuant to law or in connection with a transaction, business or activity of the agency. The term includes a document, paper, letter, map, book, tape, photograph, film or sound recording, information stored or maintained electronically, and a data-processed or image-processed document.
MD 205.42
MD 210.12
​Records System
​An information technology resource used to generate either an electronic or physical record that is based on business rules and processes. 
​ITP-INF000
Regression Testing
Allows a consistent and repeatable validation of each new release of an application. This ensures no new defects have been introduced with the latest maintenance.
ITP-SFT000
​Relational Database
A type of database that stores and provides access to data points that are related to one another. Relational Databases are based on the relational model, an intuitive, straightforward way of representing data in tables. In a Relational Database, each row in the table is a record with a unique ID called the key. The columns of the table hold attributes of the data, and each record usually has a value for each attribute, making it easy to establish the relationships among data points.
​ITP-INF001
​Remote Access
Ability for an organization's users to access its non-public computing resources from external locations other than the organization's facilities.
NIST SP 800-46
​Renewal
The continuance of a purchase order or contract for a specific period of time as permitted by an option to renew provision within the purchase order or contract.  
​ITP-BUS002
​Representational State Transfer (REST)
​A software architectural style which uses a subset of Hypertext Transfer Protocol (HTTP). It is commonly used to create interactive applications that use Web Services.
​ITP-INT003
​Request for Application (RFA)
​A type of solicitation notice that announces grant funding is available and informs organizations that they may submit applications or bids for the funding.
​ITP-BUS002
Request for Proposal (RFP)
An RFP is a competitive sealed method of procurement where proposals are solicited and the award is made to the responsible offeror whose proposal is determined, in writing, to be the most advantageous to the purchasing agency. Refer to Part I, Chapter 02, “Definitions” and Section A of Part I Chapter 06 “Method of Awarding Contracts” of the Procurement Handbook.
ITP-BUS002
Request for Quote (RFQ)
An RFQ is a competitive sealed method of procurement where quotes are solicited and the award is made to the responsible contractor whose quote is determined, in writing, to be the most advantageous to the purchasing agency. Refer to Part I, Chapter 02, “Definitions” and Section A of Part I Chapter 06 “Method of Awarding Contracts” of the Procurement Handbook.
ITP-BUS002
Resolution Time (SLA-defined)
Also referred to as Problem Circumvention, a service level metric that details the time required for circumvention or solution after reporting a problem.
N/A
​Reverse-Proxy Server
​A type of proxy server that typically sits behind the firewall and directs client requests to the appropriate backend server.
​ITP-SEC002
​Reverse Proxy Managed Services
​The service follows a defined standardized process to implement reverse proxy requests that includes a Service Request, Solution proposal, and monitoring.
​ITP-SEC002
​Right-To-Explain (RTE)
​A concept that requires an AI service provider to satisfactorily detail an AI algorithm’s use of a user’s input data to formulate output data.
​ITP-BUS012
​Robotic Process Automation (RPA)
​A technique utilizing automation and AI technologies to handle high-volume, repeatable tasks to streamline business processes.
​ITP-BUS012
​Role-based access control (RBAC)
​The idea of establishing standard levels of access – “permissions” – to the various computing resources and networks of an organization that are tailored to specific employee roles, or job functions, rather than to individuals. 
​ITP-SEC038
​Routine Investment Submission
​Any investment submission that does not meet the criteria of being an expedited submission.
​ITP-BUS002

​S

Return to top of page
​Term
​Definition
​Point of Reference
Sanitization
A process to render access to target data (the data subject to the sanitization technique) on the media infeasible for a given level of recovery effort. Three categories: Clear, Purge, and Destroy.
NIST SP 800-88 Rev. 1
Scope (IT Policy)
This ITP applies to all offices, departments, boards, commissions, and councils under the Governor’s jurisdiction (hereinafter referred to as "agencies"). Agencies not under the Governor’s jurisdiction are strongly encouraged to follow this ITP.
All ITPs
​Section 508 Standards (Revised)
​A final rule, published in January of 2017, updating accessibility requirements for information and communication technology (ICT) covered by Section 508 of the Rehabilitation Act of 1973, 29 U.S.C. § 701 et seq.
​ITP-ACC001
​Secure email
​Involves encrypting, or disguising, the content of email messages to protect potentially sensitive information from being read by anyone other than the intended recipients.
​ITP-SEC008
​Secure Wireless
​A wireless implementation utilizing the centralized Controller for access to the internal Commonwealth network as well as the Internet.
​ITP-NET001
Security Assessment
A process conducted by the Office of Administration, Office for Information Technology’s Enterprise Information Security Office that defines, identifies, and classifies security vulnerabilities of IT Resources.
MD 310.24
​Security Incident
​Any occurrence involving the unauthorized or accidental modification, destruction, disclosure, loss, damage, misuse, or access to information technology resources such as systems, files, and databases.  It also includes a violation or imminent threat of violation of computer security policies, acceptable use policies, and standard security practices.
​ITP-SEC025
Security Information and Event Managers (SIEM)
A set of tools used by IT professionals and system administrators to manage multiple security applications and devices, to respond automatically to resolve security incidents, and to provide real-time monitoring and historical reporting of information security events from networks, servers, systems, applications and more.
ITP-SEC021
Server and Desktop Systems
Applies to all Commonwealth-associated platforms and infrastructure utilized to run and access IT Resources. This includes software (e.g., operating systems) and the hardware (e.g., routers, switches, etc.).
​ITP-SYM006
​Service
A Service provided by an IT service provider which is made up of a combination of information technology, people, and processes. Examples include: ASP, DaaS, Hosted COTS, IaaS, PaaS, SaaS and OA/OIT services as defined in the service catalog.
​ITP-BUS002
Services​
​A collection of Enterprise processes and procedures to deliver something of value to a Citizen.
​ITP-INF003
​Service Design Coordinator
Role responsible for providing oversight of all design activities and associated processes of service design and evaluation for new services or changes to existing services. Coordinates with Business Relationship Managers, technical staff, product vendors, procurement, project managers, transition teams, and other key stakeholders to ensure the completeness and successful implementation of the Service Design Package for enabling and sustaining the IT services.
​ITP-SFT000
​Service Design Package (SDP)
Documentation defining all aspects of an IT service and its requirements through each stage of its lifecycle. The SDP defines the service model, requirements (utility & warranty), tools, architecture, metrics, and blueprints needed by the service transition team to build, test/validate, and deliver the service and its underpinning components. A service design package is developed for new IT services, major changes to IT services, and retirement of an IT service.
​ITP-SFT000
Service Engagement Review Process (SERP)
Commonwealth review process for new services being introduced into IT environments, intended to mitigate potential risks and disruptions of Commonwealth business.
ITP-NET008
​Service Organization
​Third-party vendors, licensors, contractors, suppliers, or other contracted entities that provide business or technology solutions and services procured by the Commonwealth.
​ITP-INF000
ITP-SEC040
ITP-SEC009
Service or Operational Accounts
Generally, system-to-system or application-to-application accounts having administrative level roles. For example, an application which updates or creates records in a backend database would use a Service Account with appropriate database privileges to do so.
​ITP-SEC038
​Service Owner
Accountable for the availability, performance, quality, and cost of one or more services. Deals directly with the Service Customer or proxy, usually in the context of a Service Level Agreement or Operating Level Agreement. The Service Owner is responsible for day-to-day operation of the service.
N/A
​Service Principal
A Service Principal is the local representation, or application instance, of a global application object in a single tenant or directory. A Service Principal is a concrete instance created from the application object and inherits certain properties from that application object.
​ITP-INF010
Service Set Identifier (SSID)
Identifies and specifies which 802.11 network is being joined.
ITP-NET001
​Session Inactivity
​The length of time a system or device is accessed (i.e., the account ID is logged in) without any interaction with the user.
​ITP-SEC007
​Shared Resource
​A device, such as a printer, set up on the network to be used by more than one user.
​ITP-PLT002
​Shareware
​Software that is licensed for free (possibly with restricted use or functionality) for a limited period of time, and payment is expected for full usage or functionality. Types of Shareware may include:

• Adware — software packages that generate revenue for their developers by rendering and tracking advertisement in the software's installation and usage, or both.

• Crippleware — software packages that disable wanted features or add unwanted watermarking until the user buys a license.

• Donationware — software packages that request a donation to be paid to the author or a third-party beneficiary.

• Nagware — software packages that persistently remind the user to purchase a license.

• Freemium — software packages that offer some features for free while charging a premium for advanced features.
​ITP-SFT001
​Signature
​A signature, whether electronic or on paper, is first and foremost a symbol that signifies intent.  Thus, the definition of "signed" in the Uniform Commercial Code includes "any symbol" so long as it is "executed or adopted by a party with present intention to authenticate the writing." A Signature may, for example, signify an intent to be bound to the terms of a contract, the approval of a subordinate's request for funding of a project, confirmation that a signer has read and reviewed the contents of a memo, an indication that the signer was the author of a document, or merely that the contents of a document have been shown to the signer and that he or she has had the opportunity to review them.
​ITP-SEC006
​Simple Object Access Protocol (SOAP)
​A messaging protocol specification for exchanging structured information in the implementation of web services in computer networks. It uses XML Information Set for its message format, and relies on application layer protocols, most often HTTP.
​ITP-INT003
Single Sign-On (SSO)
A property of identity and access management that enables users to securely authenticate with multiple applications and websites by logging in only once, with just one set of credentials (username and password).
ITP-SEC039
​Smart Mobile Device
​A portable device that combines mobile telephone and computing functions into one unit.
​ITP-TEL001
Smartphone
A mobile communication device with voice, messaging, scheduling, email and Internet capabilities. Smartphones also permit access to application stores, where additional software can be obtained for installation on the mobile device.
ITP-SEC035
​Snowflake Schema
​A snowflake schema is a multi-dimensional Data Model that is an extension of a star schema, where Dimension Tables are broken down into subdimensions. Snowflake schemas are commonly used for business intelligence and reporting in OLAP data warehouses, Data Marts, and relational databases.
​ITP-INF004
Social Media
Web-based and mobile technologies used to turn communication into interactive dialogue. The term includes, but is not limited to, blogs, RSS, discussion boards, wikis, video sharing sites, mash-ups and folksonomies.
MD 205.42
​Software
​A collection of instructions and data that tell a computer how to work or what to do.
​ITP-BUS002
​Software Application Development Methodology (SADM)
​A software application development methodology is a structured framework of procedures and processes used to develop custom software applications.  Software application development methodologies are essentially derivatives from the system development life cycle model but are unique in their respective processes and execution. 
​ITP-SFT000
​Software-as-a-Service (SaaS)
A Cloud Computing Service through which agencies use third-party vendors, licensors, contractors, or suppliers to provision applications running on a cloud infrastructure.  The applications are accessible from various client devices through either a thin client interface, such as a web browser or a program interface. The agency does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, apart from limited user-specific application configuration settings.
ITP-SEC040
ITP-SFT000
​Software Asset Management (SAM)
​A set of processes and strategies for the efficient management of software assets throughout their lifecycle. The focus of SAM includes maximizing value, controlling costs, and supporting decision-making.
​ITP-BUSFM013
​Software-Defined Wide Area Network (SD-WAN)
​Solutions that provide a replacement for traditional wide area network (WAN) routers and are agnostic to WAN transport technologies. Provides dynamic, policy-based, application path selection across multiple WAN connections and supports service chaining for additional services such as WAN optimization and firewalls.
​ITP-NET018
​Software Development Life Cycle (SDLC)
​A conceptual model used in software engineering as well as project management that describes the phases involved in an information system solution development and delivery. An SDLC framework consists of multiple phases to assure high quality systems are delivered, provide strong management controls over IT projects, and ensure that the information system can, and will, work as required and is effectively maintained to support agency’s missions. SDLC can be applied to Commercial-off-the-Shelf (COTS), Software-as-a-Service, (SaaS), or custom-built applications. SDLC frameworks should be intently integrated into key service life cycle phases (e.g., strategy, design, transition, operations) and affiliated processes. 
​ITP-SFT000
​Software License Reclamation
​Software license reclamation, also known as license harvesting, is a component of SAM that involves identifying unused or underutilized software licenses and returning them to a License Pool, so that they can be reallocated to others.
​ITP-BUSFM013
Sole Source
​The process by which an agency requests a sole/single vendor to procure materials or Services.
​ITP-BUS002
​Solicitation
 A procurement process for inviting vendors to bid on opportunities to provide goods and Services.
​ITP-BUS002
​Spiral Model
​An incremental software development process model that incorporates requirements, design, build/construct, test/simulations, and deploy prototype phases separated by planning and risk assessment. A prototype is created with each iteration and evaluated until a final production ready (i.e., fully functional and validated) prototype model has been created. This method can be used to create temporary prototype solutions that are later discarded or for large, expensive, and complicated projects using each iterative prototype build as a phase gate and/or milestone. Documentation in this process is dynamic and incrementally refined. Documentation is finalized with the implementation of the final production ready prototype.
​ITP-SFT000
Sponsoring Agency
​Commonwealth agency in contract with external Network Management Team.
​ITP-SYM008
​Staging/Pre-Production
​An environment that exactly resembles a Production environment. It seeks to mirror an actual Production environment as closely as possible and may connect to other Production services and data, such as databases.  Pre-Production environments can be externally facing and accessible to the public. Typically, test data is used to minimize compliance responsibilities and to ensure information security. 
​ITP-SEC005
​Stakeholder
Everyone who is or will be affected by a policy, program, project, activity, or resource.
N/A
​Standard
Specific directives, specifications, or procedures used as a minimum acceptable benchmark that must be followed in order to ensure a consistent implementation of information technology practices.
ITP-BUS002
Standard Maintenance (Enterprise Services)
OA-approved, risk-assessed, routine administrative maintenance on an Enterprise infrastructure component or Enterprise service.
ITP-SYM010
​Standards for Attestation Engagements No. 18 (SSAE18)
​An attestation standard whereby a Service Organization's auditor (i.e., CPA firm conducting the engagement) issues an opinion concerning a Service Organization's controls. 
​ITP-SEC040
​Star Schema
​ A star schema is a multi-dimensional Data Model used to organize data in a database so that it is easy to understand and analyze. Star schemas can be applied to data warehouses, databases, Data Marts, and other tools.  
​ITP-INF004
​Stress Testing
Used to determine the load under which the application ceases to perform acceptably.
ITP-SFT000
Structured Query Language (SQL)
A relational data language that provides a consistent, English keyword-oriented set of facilities for query, data definition, data manipulation and data control. It is a programmed interface to relational database management systems.
ITP-INF001
​Subservice Organization
​An entity that is used by a Service Organization to perform some or all of the services on behalf of the Service Organization.  Service Organizations may use Subservice Organizations to perform specific processes and controls.

Some examples of Subservice Organizations include but are not limited to:
a. Data Centers that host Service Organization software or systems.
b. A Subservice Organization that manages data backup and recovery for the Service Organization's system.

​ITP-SEC040
​System Accounts
​Built-in system or application accounts having administrative level roles.  Some examples include root in Linux/Unix systems, Administrator in Windows systems, or in SQL Server.
​ITP-SEC038
​System Administrator Accounts
Privileged or Administrator Accounts generally have elevated or full access rights to Systems, devices, and applications. This allows them to change system or device configurations and access data with full read-write privileges. They can create, delete, or modify user accounts and install software. The level of security protecting such accounts needs to be higher than for a normal user account.
​ITP-SEC007
System and Organization Controls (SOC) ​1 Type 2 Report
​A report on a Service Organization or Subservice Organization relevant to internal controls over financial transactions and reporting. The report focuses on the suitability of the design and operating effectiveness of the controls to achieve objectives throughout a specific reporting period.
​ITP-SEC040
System and Organization Controls (SOC) ​2 Type 2 Report
​A report on a Service Organization or Subservice Organization that focuses specifically on IT controls of a system as they relate to relevant Trust Service Principles. The report, based upon and inclusive of auditors’ opinions, indicates whether controls placed in operation were suitably designed to meet or exceed the criteria of each relevant Trust Service Principle and whether those controls operated effectively for the reporting period.
ITP-SEC040
​System and Organization Controls (SOC) for Cybersecurity 
​A report on a Service Organization or Subservice Organization that focuses on controls within the Service Organization’s Cybersecurity Risk Management Program and the suitability of the design of controls to meet cybersecurity objectives.
​ITP-SEC040
​System and Organization Controls (SOC) Reports
​A suite of reports produced during a third-party audit (CPA certified) as defined by the American Institute of Certified Public Accountants (AICPA). It is intended for use by Service Organizations, Subservice Organizations, or other entities to issue certified reports.
​ITP-SEC040
​System and Organization Controls (SOC) Report Repository
​A repository that hosts relevant artifacts to be utilized by authorized Commonwealth employees tasked with managing SOC reports and official correspondence relating to the SOC reports.
​ITP-SEC040
System and Organization Controls (SOC) ​Resource Account (SOC RA)
​The resource account allows OA/OIT to view incoming SOC report emails to monitor for IT elements and verify the Contract Manager is forwarding on to the appropriate IT group for review.
​ITP-SEC040
System Software
The programs that are dedicated to managing the computer itself, such as the operating system. The operating system manages the computer hardware resources in addition to applications and data. Without system software installed in our computers we would have to type the instructions for everything we wanted the computer to do.
​ITP-SFT000
System Testing
Testing conducted on a complete integrated system to evaluate the system's compliance with its specified requirements.
ITP-SFT000
System Unavailability Notification (SLA-defined)
A service level metric that details the time from discovering or receiving notice of system unavailability until notification is sent to the Commonwealth.
N/A

​T

Return to top of page
Term
​Definition
​Point of Reference
​Tablet
An open-face wireless device with touch screen display, primarily used in the consumption of media. These devices may also have messaging, scheduling, email, and Internet capabilities and a camera. Tablets may have open-source OSs (such as Android) or closed OSs under the control of OS vendors and/or device manufacturers (such as Apple and Microsoft). Media tablets may or may not support a mobile application store.
ITP-SEC035
​Technical Security Assessments
​A series of security tests, reviews, assessments, and audits conducted for discovering vulnerabilities in IT systems and services that may cause significant risk to an organization.
​ITP-SEC023
Technical Specification
An explicit set of requirements outlining the specific characteristics, features, and capabilities of a product or technology (e.g., levels of quality, architectural, functions, performance, usability, compatibility, reliability, safety, scalability, interoperability, or other dimensions).
ITP-BUS004
Technology Maturity Lifecycle (TML)
The technology maturity life cycle (TML) defines the varying life span stages in which a technology product development sustains its competitive and economic value over a particular timeframe. The TML has four distinct stages:

• Current: Technologies/standards that are supported by the commonwealth and meeting the requirements of the enterprise architecture. They are recommended for use.

• Contained: Technologies/standards that no longer meet the requirements of the current enterprise architecture. They are not recommended for use. They are to be phased out over time. No date has been set for their discontinuance.

• Retire: Technologies/standards are being phased out. Plans are to be developed for their replacement, especially if there is risk involved, such as lack of vendor support. A date for retirement has been set.

• Emerging: Technologies/standards that have the potential to become current technologies/standards. At the present time, they are to be used only in pilot or test environments where they can be evaluated. Use of these technologies is restricted to a limited production mode, and requires approval of a waiver request. Research technologies are less widely accepted and time will determine if they will become a standard.
ITP-BUS004
Telecommunications Management Officer (TMO)
A commonwealth employee designated by OA/OIT or agency head to oversee the communications services of an agency and/or worksite.
MD 240.11
ITP-NET016
​Third-Party Software
​Any software or software component created, developed, or owned by a non-Commonwealth entity.
​ITP-SFT001
Threat Modeling
Identifying resources of interest and the feasible threats, vulnerabilities, and security controls related to these resources, quantifying the likelihood of successful attacks and their impacts, and analyzing the information to determine where security controls need to be improved or added.
NIST SP 800-46
​Technology Investment and Policy Review (TIPR)
​The review mechanism the Office for Information Technology uses to review agency requests for  IT Investments.
​ITP-BUS002
​Training Data
​Data used to train a large language model and other predictive algorithms. 
​ITP-BUS014
Transaction Management
​The transactional capabilities of the server.
​ITP-PLT019
​Transaction Security Levels
​A value assigned to a transaction to determine the level of security that should be applied to the Electronic Signature of that transaction. The three levels are:

Low Risk / Low Impact Transactions (Level A) - Transactions in this category have little value to potential hackers and would have minimal consequences if compromised.

Low to Medium Risk / Medium to High Impact Transactions (Level B) - Transactions in this category have moderate to high value to potential hackers and/or have moderate to high consequences if compromised.

High Risk / High Impact Transactions (Level C) - Transactions are high risk, high consequence transactions that require high security measures.

​ITP-SEC006
Transitory Record
Records that have little or no documentary or evidential value and that need not be set aside for future use.
N/A
​Transport Layer Security (TLS)
​A protocol created to provide authentication, confidentiality, and data integrity between two communicating applications. TLS is based on a precursor protocol, Secure Sockets Layer version 3.0 (SSL 3.0) which is deprecated.
​ITP-SEC010
​Trust Service Principles 
  • Security – Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information.
  • Availability – Information and systems are available for operation and use as committed or agreed.
  • Processing Integrity – System processing is complete, valid, accurate, timely, and authorized.
  • Confidentiality – Information designated as confidential is protected as committed or agreed.
  • Privacy – Personal information is collected, used, retained, disclosed, and disposed of in conformity with the commitments in the privacy notice.
​ITP-SEC040

U

Return to top of page
Term
​Definition
​Point of Reference
​Underfitting
​A prediction-based outcome that has high bias and low variance.
​ITP-BUS012
​Unified Communications (UC)
​A set of products that provides a consistent unified user interface and user experience across multiple devices and media types.
​ITP-NET003
​Unified Telecommunications Services (UTS)
​Enterprise telecommunications group responsible for policy and standards on platform, equipment, and all related telecommunication items.
​ITP-NET016
Unit Testing
Functional testing on each module in an application. Used early in the development process before all components are completed.
ITP-SFT000
​United States Jurisdiction 
​Consists of all fifty (50) States of the United States and the District of Columbia.
​ITP-SEC040
​Unqualified Opinion
​Is provided by auditors when the controls tested in the report are operating effectively.
​ITP-SEC040
​US-CERT
United States Computer Emergency Readiness Team tasked with providing Cybersecurity resources and notifications for information security officers.
ITP-SYM006
​User Acceptance Testing (UAT)
Generally the last phase of the software testing process.  During UAT, actual software users test the software to make sure it can handle required tasks in real-world scenarios, per requirements.
​ITP-SFT000
​User Agents
​User Agents include browsers, browser extensions, media players, readers, and other applications that render web content.
​ITP-ACC001
​User Agent Accessibility Guidelines (UAAG)
​UAAG are an industry-recognized standard published by the WAI of the W3C that addresses User Agents. UAAG includes three levels of conformance: A, AA, and AAA.
ITP-ACC001

V

Return to top of page
Term
​Definition
​Point of Reference
​Variance
​A statistical measurement used to determine the spread of a set of random datapoints from the average value. “Low” variance datapoints are grouped tightly (densely) together. “High” Variance datapoints are grouped loosely (spread out).
​ITP-BUS012
​Video Sharing Service
​An enterprise application or service where Authorized Users can create, upload, view, publish, and share videos.
​ITP-SFT007
Virtual Desktop Infrastructure (VDI)
The practice of hosting a desktop operating system within a virtual machine (VM) running on a hosted, centralized or remote server.
ITP-NET019
Virtual Machine
A software implementation of a computing environment in which an operating system or program can be installed or run.
ITP-NET019
​Virtual Private Network (VPN)
​A network technology that creates a secure network connection over a public network such as the internet or a private network owned by a service provider.
​ITP-SEC010
​Virtual Routing and Forwarding (VRF)
​Technology that allows for secure logical separation of traffic and maintains separate routing and forwarding tables to segment the traffic between each instance within a device.
​ITP-NET018
​Volume Level Encryption
​Protects a smaller subset of the drive, possibly down to the individual folders.  This can span a single disk or multiple disks.
​ITP-SEC031
Voluntary Product Accessibility Template® (VPAT)
​A VPAT is an industry accepted template created by the Information Technology Industry Council (ITI) that, when completed, details a digital product’s level of conformance with digital accessibility standards. 
​ITP-ACC001
​Vulnerability Assessment
Is the process of identifying defects or weaknesses present in a system due to misconfigurations, or coding flaws in hardware or software, which could allow the unauthorized exploitation of that system as it relates to confidentiality, integrity, or availability.
ITP-SEC023

W

Return to top of page
Term
​Definition
​Point of Reference
​Waterfall Model
A software development process model that involves distinct sequential phases (i.e., conception, requirements, design, build/construct, test, and implementation). Solution progress flows steadily downward (like a waterfall) through each of the phases. This means that any phase in the development process may begin only if the previous phase is complete. There can be some slight variations in the waterfall approach (i.e., modified waterfall) that define the circumstances and processes to go back to the previous phase. Documentation in this process is also sequential. Documentation is typically created, delivered, and approved with each phase as a prerequisite for the next phase to begin. Each phase in this model is a phase gate or key milestone.
​ITP-SFT000
​Web Application Firewall (WAF)
​Addresses the needs of limiting Internet attacks and monitoring of web applications located in the Commonwealth.  A WAF provides a number of key benefits, such as:
  • Protecting against web attacks. 
  • Minimizing the threat window for each exposure by blocking access to a vulnerability until the vulnerability can be fixed in the source code.
  • Meeting compliance requirements.
  • Monitoring end-user transactions with a web application.
  • Providing an additional layer of web application hardening.
​ITP-SEC004
​Web Content Accessibility Guidelines (WCAG)
WCAG are an industry-recognized standard published by the WAI of the W3C that addresses digital content. WCAG includes three levels of conformance: A, AA, and AAA.
​ITP-ACC001
​Web Development Framework
A software framework designed to support development of dynamic web sites, web applications, and web services. Using a framework eases tedious and repetitive programming tasks, alleviates the overhead associated with common activities such as setting up session management and database access, provides structure and services, and is deployed along with the application.
​ITP-SFT009
​WiFi Protected Access version 2 (WPA2)
A security protocol specified in the IEEE Wireless Fidelity (WiFi) standard 802.11i. WPA2 uses AES (Advanced Encryption Standard), meaning it can now meet the government's Federal Information Processing Standard (FIPS) 140-2 security requirements.
​ITP-NET001
Wireless Communication Devices
A device that transmits and receives data, text, and/or voice with a wireless connection to a network. This definition includes, but is not limited to, such devices as satellite and cellular telephones, pagers, wireless internet services, wireless data devices, wireless laptops, and cellular telephone/two-way radio combination devices. This definition does not include the radio devices that interface with the 800 MHz Statewide Radio System.
MD 240.11