Sanitization | A process to render access to target data (the data subject to the sanitization technique) on the media infeasible for a given level of recovery effort. Three categories: Clear, Purge, and Destroy. | NIST SP 800-88 Rev. 1 |
Scope (IT Policy) | This ITP applies to all offices, departments, boards, commissions, and councils under the Governor’s jurisdiction (hereinafter referred to as "agencies). Agencies not under the Governor’s jurisdiction are strongly encouraged to follow this ITP. | All ITPs
|
Section 508 Standards (Revised)
| A final rule, published in January of
2017, updating accessibility requirements for information and communication
technology (ICT) covered by Section 508 of the Rehabilitation Act of 1973, 29
U.S.C. § 701 et seq.
| ITP-ACC001
|
Secure email
| Involves encrypting, or disguising, the content of email
messages to protect potentially sensitive information from being read by
anyone other than the intended recipients.
| ITP-SEC008
|
Secure Wireless
| A wireless implementation utilizing the centralized Controller for
access to the internal Commonwealth network as well as the Internet.
| ITP-NET001
|
Security Assessment | A process conducted by the Office of Administration, Office for Information Technology’s Enterprise Information Security Office that defines, identifies, and classifies security vulnerabilities of IT Resources. | MD 310.24 |
Security Incident
| Any occurrence involving the unauthorized or accidental modification, destruction, disclosure, loss, damage, misuse, or access to information technology resources such as systems, files, and databases. It also includes a violation or imminent threat of violation of computer security policies, acceptable use policies, and standard security practices.
| ITP-SEC025
|
Security Information & Event Manager (SIEM) | An application that provides the ability to gather security data from information system components and present the data as actionable information via a single interface. | ITP-SEC021 |
Server and Desktop Systems | Applies to all Commonwealth-associated platforms and infrastructure utilized to run and access IT Resources. This includes software (e.g., operating systems) and the hardware (e.g., routers, switches, etc.).
| ITP-SYM006
|
Service
| A Service provided by an IT service provider which is made up of
a combination of information technology, people, and processes. Examples
include: ASP, DaaS, Hosted COTS, IaaS, PaaS, SaaS and OA/OIT services as
defined in the service catalog.
| ITP-BUS002
|
Services
| A collection of Enterprise processes and procedures to deliver something of value to a Citizen.
| ITP-INF003
|
Service Design Coordinator
| Role responsible for providing oversight of all design activities and associated processes of service design and evaluation for new or changes to existing services. Coordinates with Business Relationship Managers, technical staff, product vendors, procurement, project managers, transition teams, and other key stakeholders to ensure the completeness and successful implementation of the Service Design Package for enabling and sustainment of the IT services.
| ITP-SFT000
|
Service Design Package (SDP)
| Documentation defining all aspects of an IT service and its requirements through each stage of its lifecycle. SDP defines the service model, requirements (utility & warranty), tools, architecture, metrics, and blueprints needed by the service transition team to build, test/validate, and deliver the service and their underpinning components. A service design package is developed for new, major changes, and retirement of an IT service.
| ITP-SFT000
|
Service Engagement Review Process (SERP) | Commonwealth review process to ensure new services being introduced into IT environments to mitigate potential risks and disruptions of Commonwealth business. | ITP-NET008 |
Service Organization
| Third-party vendors, licensors, contractors, suppliers, or other contracted entities that provide business or technology solutions and services procured by the Commonwealth.
| ITP-INF000 ITP-SEC040 ITP-SEC009
|
Service or Operational Accounts:
| Generally, system-to-system or application-toapplication accounts having administrative level roles. For example, an application which updates or creates records in a backend database would use a Service Account with appropriate database privileges to do so.
| ITP-SEC038
|
Service Owner
| Accountable for the availability, performance, quality, and cost of one or more services. Deals directly with the Service Customer or proxy, usually in the context of a Service Level Agreement or Operating Level Agreement. Service Owner is responsible for day-to-day operation of the service. | N/A |
Service Principal
| A Service Principal is the local representation, or application instance, of a global application object in a single tenant or directory. A ServicePrincipal is a concrete instance created from the application object and inherits certain properties from that application object. | ITP-INF010
|
Service Set Identifier (SSID) | Identifies and specifies which 802.11 network is being joined. | ITP-NET001
|
Session Inactivity
| The length of time a system or device is accessed (i.e., the account ID is logged in) without any interaction with the user.
| ITP-SEC007
|
Shared Resource
| A device, such as a printer, set up on the network to be used by more than one user.
| ITP-PLT002
|
Shareware
| Software that is licensed for free (possibly with restricted use or
functionality) for a limited period of time, and payment is expected for full usage or
functionality. Types of Shareware may include:
• Adware — software packages that generate revenue for their developers by
rendering and tracking advertisement in the software's installation and usage, or
both.
• Crippleware — software packages that disable wanted feature or add unwanted
watermarking until the user buys a license.
• Donationware — software packages that request a donation to be paid to the
author or a third-party beneficiary.
• Nagware — software packages that persistently remind the user to purchase a
license.
• Freemium — software packages offer some features for free while charging a
premium for advanced features.
| ITP-SFT001
|
Signature
| A signature, whether electronic or on paper, is first and foremost a symbol that signifies intent. Thus, the definition of "signed" in the Uniform Commercial Code includes "any symbol" so long as it is "executed or adopted by a party with present intention to authenticate the writing." A Signature may, for example, signify an intent to be bound to the terms of a contract, the approval of a subordinate's request for funding of a project, confirmation that a signer has read and reviewed the contents of a memo, an indication that the signer was the author of a document, or merely that the contents of a document have been shown to the signer and that he or she has had the opportunity to review them.
| ITP-SEC006
|
Simple Object Access Protocol (SOAP)
| A messaging protocol specification for
exchanging structured information in the implementation of web services in computer
networks. It uses XML Information Set for its message format, and relies on application
layer protocols, most often HTTP.
| ITP-INT003
|
Single Sign-On (SSO) | A property of identity and access management that enables users to securely authenticate with multiple applications and websites by logging in only once - with just one set of credentials (username and password). | ITP-SEC039 |
Smart Mobile Device
| A portable device that combines mobile telephone and computing functions into one unit.
| ITP-TEL001
|
Smartphone | A mobile communication device with voice, messaging, scheduling, email and Internet capabilities. Smartphones also permit access to application stores, where additional software can be obtained for installation on the mobile device. | ITP-SEC035 |
Snowflake Schema
| A snowflake schema is a multi-dimensional Data Model that is an
extension of a star schema, where Dimension Tables are broken down into
subdimensions. Snowflake schemas are commonly used for business intelligence and
reporting in OLAP data warehouses, Data Marts, and relational databases.
| ITP-INF004
|
Social Media | Web-based and mobile technologies used to turn communication into interactive dialogue. The term includes, but is not limited to, blogs, RSS, discussion boards, wikis, video sharing sites, mash-ups and folksonomies. | MD 205.42
|
Software
| A set of instructions, data, or programs used to operate computers and execute specific tasks. Software is a generic term utilized to refer to applications, scripts or programs that run on a device.
| ITP-BUS002 ITP-SEC041
|
Software Application Development Methodology (SADM)
| A software application development methodology is a structured framework of procedures and processes used to develop custom software applications. Software application development methodologies are essentially derivatives from the system development life cycle model but are unique in their respective processes and execution.
| ITP-SFT000
|
Software-as-a-Service (SaaS)
| A Cloud Computing Service through which agencies use third-party vendors, licensors, contractors, or suppliers to provision applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser or a program interface. The agency does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, apart from limited user-specific application configuration settings.
| ITP-SEC040 ITP-SFT000
|
Software Asset Management (SAM)
| A set of processes and strategies for the
efficient management of software assets throughout their lifecycle. The focus of SAM
includes maximizing value, controlling costs, and supporting decision-making.
| ITP-BUSFM013
|
Software-Defined Wide Area Network (SD-WAN)
| Solutions that provide a
replacement for traditional wide area network (WAN) routers and are agnostic
to WAN transport technologies. Provides dynamic, policy-based, application
path selection across multiple WAN connections and supports service chaining
for additional services such as WAN optimization and firewalls.
| ITP-NET018
|
Software Development Life Cycle (SDLC)
| A conceptual model used in software engineering as well as project management that describes the phases involved in an information system solution development and delivery. An SDLC framework consists of multiple phases to assure high quality systems are delivered, provide strong management controls over IT projects, and ensure that the information system can, and will, work as required and is effectively maintained to support agency’s missions. SDLC can be applied to Commercial-off-the-Shelf (COTS), Software-as-a-Service, (SaaS), or custom-built applications. SDLC frameworks should be intently integrated into key service life cycle phases (e.g., strategy, design, transition, operations) and affiliated processes.
| ITP-SFT000
|
Software License Reclamation
| Software license reclamation, also known as license
harvesting, is a component of SAM that involves identifying unused or underutilized
software licenses and returning them to a License Pool, so that they can be reallocated
to others.
| ITP-BUSFM013
|
Sole Source
| The process by which an agency requests a sole/single
vendor to procure materials or Services.
| ITP-BUS002
|
Solicitation
| A procurement process for inviting vendors to bid on opportunities to
provide goods and Services.
| ITP-BUS002
|
Spiral Model
| An incremental software development process model that incorporates requirements, design, build/construct, test/simulations, and deploy prototype phases separated by planning and risk assessment. A prototype is created with each iteration and evaluated until a final production ready (i.e., fully functional and validated) prototype model has been created. This method can be used to create temporary prototype solutions that are later discarded or for large, expensive, and complicated projects using each iterative prototype build as a phase gate and/or milestone. Documentation in this process is dynamic and incrementally refined. Documentation is finalized with the implementation of the final production ready prototype.
| ITP-SFT000
|
Sponsoring Agency
| Commonwealth
agency in contract with external Network Management Team.
| ITP-SYM008
|
Staging/Pre-Production
| An environment that exactly resembles a Production environment. It seeks to mirror an actual Production environment as closely as possible and may connect to other Production services and data, such as databases. Pre-Production environments can be externally facing and accessible to the public. Typically, test data is used to minimize compliance responsibilities and to ensure information security.
| ITP-SEC005
|
Stakeholder
| Everyone who is or will be affected by a policy, program, project, activity, or resource. | N/A |
Standard
| Specific directives, specifications, or procedures used as a
minimum acceptable benchmark that must be followed in order to
ensure a consistent implementation of information technology
practices. | ITP-BUS002
|
Standard Change
| Supports maintenance that is low risk-assessed, pre-authorized, and is administratively routine. Appropriate Change Management reviews and processes apply.
| ITP-SYM010
|
Standard Maintenance (Enterprise Services) | OA-approved, risk-assessed, routine administrative maintenance on an Enterprise infrastructure component or Enterprise service. | ITP-SYM010 |
Standards
for Attestation Engagements No. 18 (SSAE18)
| An
attestation standard whereby a Service Organization's auditor (i.e., CPA firm
conducting the engagement) issues an opinion concerning a Service
Organization's controls.
| ITP-SEC040
|
Star Schema
| A star schema is a multi-dimensional Data Model used to organize data
in a database so that it is easy to understand and analyze. Star schemas can be applied
to data warehouses, databases, Data Marts, and other tools.
| ITP-INF004
|
Stress Testing
| Used to determine the load under which the application ceases to perform acceptably. | ITP-SFT000
|
Structured Query Language (SQL) | A relational data language that provides a consistent, English keyword-oriented set of facilities for query, data definition, data manipulation and data control. It is a programmed interface to relational database management systems. | ITP-INF001
|
Subservice Organization
| An entity that is used by a Service Organization to perform some or all of the services on behalf of the Service Organization.
Service Organizations may use Subservice Organizations to perform specific processes and controls.
Some examples of a Subservice Organizations include but are not limited to: a. Data Centers that host Service Organization software or systems. b. A Subservice Organization that manages data backup and recovery for the Service Organization's system.
| ITP-SEC040
|
System Accounts
| Built-in system or application accounts having administrative level roles. Some examples include root in Linux/Unix systems, Administrator in Windows systems, or in SQL Server.
| ITP-SEC038
|
System Administrator Accounts
| Privileged or Administrator
Accounts generally have elevated or full access rights to Systems, devices, and
applications. Thisallows them to change system or device configurations and
access data with full read-write privileges. They can create, delete, or modify
user accounts and install software. The level of security protecting such accounts
needs to be higher than a normal user account.
| ITP-SEC007
|
System and Organization Controls (SOC) 1 Type 2 Report
| A
report on a Service Organization or Subservice Organization relevant to
internal controls over financial transactions and reporting. The report focuses
on the suitability of the design and operating effectiveness of the controls to
achieve objectives throughout a specific reporting period.
| ITP-SEC040
|
System and Organization Controls (SOC) 2
Type 2 Report
| A
report on a Service Organization or Subservice Organization that focuses
specifically on IT controls of a system as they relate to relevant Trust
Service Principles. The report, based upon and inclusive of auditors’ opinions,
indicates whether controls placed in operation were suitably designed to meet
or exceed the criteria of each relevant Trust Service Principle and whether
those controls operated effectively for the reporting period.
| ITP-SEC040
|
System and Organization Controls (SOC) for Cybersecurity
| A
report on a Service Organization or Subservice Organization that focuses on
controls within the Service Organization’s Cybersecurity Risk Management
Program and the suitability of the design of controls to meet cybersecurity
objectives.
| ITP-SEC040
|
System and Organization Controls (SOC) Reports
| A suite of reports produced during a third-party audit (CPA certified) as defined by the American Institute of Certified Public Accountants (AICPA). It is intended for use by Service Organizations, Subservice Organizations, or other entities to issue certified reports.
| ITP-SEC040
|
System and Organization Controls (SOC) Report Repository
| A
repository that hosts relevant artifacts to be utilized by authorized
Commonwealth employees tasked with managing SOC reports and official
correspondence relating to the SOC reports.
| ITP-SEC040
|
System and Organization Controls (SOC) Resource Account (SOC RA)
| The
resource account allows OA/OIT to view incoming SOC report emails to monitor
for IT elements and verify the Contract Manager is forwarding on to the
appropriate IT group for review.
| ITP-SEC040
|
System Software
| The programs that are dedicated to managing the computer itself, such as the operating system. The operating system manages the computer hardware resources in addition to applications and data. Without systems software installed in our computers we would have to type the instructions for everything we wanted the computer to do.
| ITP-SFT000
|
System Testing | Testing conducted on a complete integrated system to evaluate the system's compliance with its specified requirements. | ITP-SFT000
|
System Unavailability Notification (SLA-defined) | A service level metric that details the time from discovering or receiving notice of system unavailability until notification is sent to the Commonwealth. | N/A
|