An Official Pennsylvania Government Website
Translate
Begin Main Content Area

Glossary

Click on the letters to navigate: A, B, C, D, E, F, G, H, I, J, K, L, M, N, O, P, R, S, T, U, V, W

A

Return to top of page
Term
 ​Definition ​Points of Reference
​Accessible​Refers to a site, work environment, service, or program that is easy to approach, enter, operate, participate in, and/or use safely and with dignity by a person with a disability.​ITP-ACC001
​Access Point​A wireless local access network (WLAN) transmitter/receiver that acts as a connection between wireless clients and wired networks.​ITP-NET001
​Account​The online credential being presented as representing a person.​ITP-SEC039
​Account Lockout
​The disabling or suspension of an account ID, generally as a result of a number of failed attempts to authenticate with that account ID.
​ITP-SEC007
​Active Directory
​A management tool for managing directory-based identity-related services.
​ITP-SEC035
​Advanced Persistent Threat Endpoint Protection
​A capability that allows for detection and containment of advanced malware
​ITP-SEC001
​Adverse Opinion
​The most severe opinion that a Certified Public Accountant (CPA) firm can provide. Misleading or incomplete financial statements may lead auditors to give an Adverse Opinion. An Adverse Opinion in the context of a SOC report often means that the users cannot place any reliance on the Service Organization’s system.
​ITP-SEC040
​Agency/Delivery Center Personnel
​Employees responsible for the management of agency electronic media data cleansing.
​ITP-SEC015
​Agile Model
​A highly iterative software application development model that involves an interactive, cross-functional, and focused team approach to build software solutions in a time boxed (sprints) development methodology.  The Agile model uses feedback and checklists, tightly integrated cross functional teams, and multi-faceted iterations or sprints to quickly build custom software applications.  The feedback is driven by regular tests and releases of the evolving software.
​ITP-SFT000
​Algorithm​A series of discrete, conditional instructions. In computing, algorithms enumerate a list of operations to carry out. An algorithm informs a computer of the steps it must take to deliver a desired result.​ITP-BUS012
​Amendment
​A written alteration in specifications, delivery point, rate of delivery, period of performance, price, quantity, or other provisions of any contract. (i.e. dollar thresholds, modifications/revisions, terms and conditions, billing/payment structures, authorization, and specification of scope change)
​ITP-BUS002
​American National Standards Institute (ANSI)​ANSI serves as a quasi-national standards organization. It provides area charters for groups that establish standards in specific fields. ANSI is unique among the world’s standards groups as a nongovernmental body granted the sole vote for the United States in the International Standards Organization (ISO).​ITP-INF001
​Anonymous FTP
​Allows anyone with an Internet connection to access FTP connections to the site, including uploading or downloading files, without having to log in with a username and password.
ITP-​SFT005
​Anonymous logon (login)
​Access to a system which does not require any information on the person accessing the system.​ITP-SEC039
​Anti-Virus Protection
​A capability to detect and quarantine both known and unknown malware through static signatures, heuristic signatures, and machine learning. 
​ITP-SEC001
​Appliance
​A device that consists of hardware and software packaged together to accomplish a specific function(s) or provide a predefined service.
​ITP-SEC041
​Application Inactivity
​The length of time an application is accessed (i.e., the account ID is logged in) without any interaction with the user.
​ITP-SEC007
​Application Inventory
​A centrally managed repository used to capture data and assess risk profiles for all enterprise and agency-level applications that support the business needs of the commonwealth.
​ITP-SFT000
​Application Lifecycle Management (ALM)
​A tool or set of tools that aids the development teams in the entire application development and product lifecycle management (e.g., governance, development, and maintenance). It encompasses requirements management, software architecture, programming, software testing, software maintenance, change management, continuous integration, project management, defect management, versioning and release management.
​ITP-SFT000
​Application Programming Interface (API)​API or Web API as used in the context of Keystone Login, is an interface containing multiple web-exposed endpoints to a defined request-response data transfer system and/or messaging system​ITP-SEC039
​Application Software
​Often called productivity programs or end-user programs because they enable the user to complete tasks, such as creating documents, spreadsheets, databases, and publications, doing online research, sending email, designing graphics, and running businesses. 
​ITP-SFT000
​Archived Digital Content
 Digital Content that is no longer actively available to end-users but is still subject to record retention plans
​ITP-ACC001
​Artificial Intelligence (AI)​A technology used to emulate human performance typically by learning, coming to its own conclusions, appearing to understand complex content, engaging in natural dialog with people, enhancing human cognitive performance (also known as cognitive computing), or conducting the execution of nonroutine tasks.​ITP-BUS012
​Assertions
​A confident statement of fact or belief made by management regarding certain aspects of their business. Usually comprised of management’s description of the system they are providing and how the system is designed and operating.
​ITP-SEC040
​Assessment
​A review of information technology controls and settings. Typically, against a specific audit framework, such as National Institute of Standards and Technology (NIST), Criminal Justice Information Services (CJIS), Payment Card Industry (PCI), and Internal Revenue Service (IRS), or Center for Information Security (CIS). This can be done via interviews, a manual review of settings and configurations or with tools to report and review on specific control settings. An assessment can be performed for security, risk or compliance reasons.
​ITP-SEC023
​Authentication
​The process of establishing confidence in the validity of a person’s logon account, usually as a prerequisite for granting access to resources in an information system.​ITP-SEC039
​Authentication Method​The type of authentication being used to validate a person’s logon account.  There are three categories: 1. Something you know (e.g. PIN, password, shared information) 2. Something you possess (e.g. token, smart card, digital certificate) 3. Something you are (biometrics – e.g. fingerprint, voice, iris, face)​ITP-SEC039
​Authentic Record
​A record that is what it purports to be; it was duly issued by an authorized person or Agency and has been preserved without any alteration that would impair its use as an Authentic Record.
​ITP-INF000
​Authorization​The process of verifying that an authenticated account is permitted to have access to a system based on the person’s business responsibilities.​ITP-SEC039
​Authorized Users​(MD version) Commonwealth of Pennsylvania employees, contractors, consultants, volunteers, or any other user who utilizes or has access to IT Resources.

(ITP version) Commonwealth employees, contracted resources, consultants, volunteers, or any other users who have been granted access to, and are authorized by the Commonwealth to use, Commonwealth IT Resources.
​MD 205.34
MD 205.42
MD 240.11
​Authorizing Official (AO)
​Official with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals.


​ITP-SEC005
​Authors
​People who produce digital content, including but not limited to web developers, designers, writers, etc.
​ITP-ACC001
​Authoring Tool Accessibility Guidelines (ATAG)
​ATAG are an industry-recognized standard published by the Web Accessibility Initiative (WAI) of the World Wide Web Consortium (W3C) that addresses Authoring Tools.  ATAG includes three levels of conformance: A, AA, and AAA.
​ITP-ACC001
​Authoring Tools
​Software and services that Authors use to produce digital content, including but not limited to content management tools.
​ITP-ACC001
​Availability​Ensuring timely and reliable access to and use of information. A loss of availability is the disruption of access to or use of information or an information system.​44 U.S.C. Section 3542, Federal Information Processing Standards (FIPS) 199
​Availability (SLA-defined)​A service level metric that measures the percentage of time the application is available during the applicable Measurement Window. This measurement is by application, not by server instance. Calculation: A = (T-M-D) / (T-M) x 100%. A = Availability, T = Total Monthly Minutes, M = Approved Maintenance Time, D = Downtime
N/A

B

Return to top of page
Term
 ​Definition
 ​Point of Reference
​Business Partner
​Any entity identified by statute, regulation, or contract as being an agent of the Commonwealth of Pennsylvania. A business partner connection is an interface for connecting business partners to the Commonwealth of Pennsylvania (COPA) network.​ITP-NET008
​Business Process
​A series of steps or activities designed to accomplish a specific business outcome.
​ITP-BUS010
​Business Process Management (BPM)​A functional discipline that uses various tools and methods to discover, model, analyze, measure, improve, optimize, and better align Business Processes with business goals. ITP-BUS010
​Business Proposal
​An artifact designed to influence a targeted audience of a solution to a business opportunity or problem.
​ITP-BUS001
​Business Rules Engine (BRE)
​A software system that executes one or more business rules in a runtime production environment. The rules might come from company policy, (“All customers that spend more than $100 at one time will receive a 10% discount”), legal rules, or other sources.​N/A

C

Return to top of page
​Term
 ​Definition
 ​Point of Reference
​Capital Planning
​The management and decision-making process associated with the planning, selection, control, and evaluation of investments in resources.​N/A
​Categorization
The process of placing data into groups or types of data that are in some way similar to each other, based on characteristics of the data
​ITP-SEC019
​Chain of Custody
​The chronological documentation or paper trail, showing the seizure, custody, control, transfer, analysis, and disposition of physical or electronic evidence.
​ITP-SEC015
​Chain of Custody Tracking Form
​The document utilized by agencies to track all electronic media transfers throughout the process involving the sanitization and/or destruction of commonwealth electronic media.
​ITP-SEC015
​Change Management​A process responsible for formal assessment of a new or changed IT service to mitigate risks and impacts.
ITP-SYM010
​Change Order
​A printed or electronic order signed by the Contracting Officer directing the contractor to make changes that are authorized by the changes clause of the contract. Change Orders may be either with the consent of the contractor or a unilateral order by the Contracting Officer.
​ITP-BUS002
​Chatbot​An artificial intelligence (AI) program that simulates interactive human conversation by using key pre-calculated user phrases and auditory or text-based signals. A chatbot is known as an artificial conversational entity (ACE), chat robot, talk bot, chatterbot or chatterbox.​ITP-BUS012
​CIA Triad​Three fundamental tenets of information security: Confidentiality, Integrity, Availability​Cybersecurity and Cyberwar (Singer & Friedman)
​Citizen
​A person, business, or other entity obtaining services, either directly or indirectly, from the Commonwealth of Pennsylvania.
​ITP-INF003
​Citizen Experience
​The full series of interactions or steps that a Citizen takes when seeking a Service or a series of Services and has a discrete beginning and end.
​ITP-INF003
​Citizen Experience Goals
​Measurable outcomes related to the Citizen Experience that Agencies identify to drive performance improvement and inform Citizen expectations for services delivery.
​ITP-INF003
​Citizen Experience Standards
​A set of rules, principles, and current best practices common to all Agencies under the Governor’s Jurisdiction that guide the delivery of Services to Citizens.
​ITP-INF003
​Citizen Profile
​The unique data associated with a Citizen and contains information that is used by the Enterprise to facilitate a specific Service for the Citizen.
​ITP-INF003
​Classification
The process of assigning labels to data according to a predetermined set of principles, which define that data class based on the treatment and use of the data.
​ITP-SEC019
​Cloud Computing Service 
 Any computing service that is procured through and hosted by or within a third-party vendor, licensor, contractor, or supplier (Service Organizations) or its subcontractor(s) (Subservice Organization(s)) managed infrastructure regardless of deployment model (public, private, or hybrid) or type such as, but not limited to, software-as-a-service (SaaS) for web-based applications, infrastructure-as-a-service (IaaS) for Internet-based access to storage and computing power, and platform-as-a-service (PaaS) that gives developers the tools to build and host Web applications. Solutions deployed through traditional hosting methods and without the use of NIST Cloud capabilities (i.e., rapid elasticity, resource pooling, measured service, broad network access, and on demand self-service) are also included.
​ITP-SEC040
​Cloud Service Provider (CSP) 
​An entity (private or public) that provides cloud-based platforms, infrastructure, applications, security, and/or storage services for another entity/organization.
​ITP-SEC040
Cloud Storage 
​Infrastructure as a Services (IaaS) deployment model that provides block, file and/or object storage services delivered through various protocols. The service can be stand-alone with no requirement for additional managed services or be bundled with additional managed services.
​ITP-SEC040
​Cloud Use Case Review
 An established process to ensure the procurement and/or implementation of any Cloud Computing Service is aligned with the Commonwealth’s overall business and IT vision, strategy, goals, and policies. This process includes representation and review from all domains to pro-actively identify, manage, and mitigate risk, if any, with the Cloud Computing Service being considered. As part of Cloud Use Case Review, the Service Organization (third-party vendor, licensor, contractor, or supplier), is required to complete the Cloud Services Requirements (CSR) document that is specific to the Cloud Computing Service being considered. Any procurement or use of a Cloud Computing Service requires an approved cloud use case.

​Commercial-off-the-Shelf (COTS) 
​A term used to describe the purchase of products that are standard manufactured products rather than custom, or bespoke, products.  COTS application software are built and delivered usually from a third party vendor and can be purchased, leased or even licensed. 
​ITP-SFT000
​Common Vulnerabilities and Exposures (CVE ID)
​A list of publicly disclosed computer flaws that have been given an identification number. These are provided by either the manufacturer of the software or MITRE/NIST.  
​ITP-SEC023
​Common Weakness Enumeration (CWE ID):
​A category system for software weaknesses and vulnerabilities that have been given an identification number. These are provided by MITRE/NIST.
​ITP-SEC023
​Commonwealth Application Certification and Accreditation (CA)2​A security assessment for Commonwealth IT systems involved in the transmission or storage of electronic transactions such as electronic records and electronic signatures.​MD 210.12
ITP-SEC005
​Commonwealth Data 
​Consists of, but is not limited to, data is that intellectual property of the Commonwealth, data that is protected by law, order, regulation, directive or policy and any other sensitive or confidential data that requires security controls and compliance standards.
​ITP-SEC040
​Commonwealth Enterprise Storage Solutions 
Information technology services, applications, or programs procured, obtained, created, or licensed by the Office of Administration for the storage or maintenance of records, data, or other information controlled, maintained, or possessed by the Commonwealth and its agencies. Commonwealth Enterprise Storage Solutions include, but are not limited to, the suite of applications provided as part of Microsoft 365 (Outlook 365, OneDrive, SharePoint, etc.) and the PACS environment (Pennsylvania Compute Services).
​ITP-SEC019
​Commonwealth Network
​A collection of servers, mainframes, networking devices and IT Resources that are interconnected, either by cable, wireless connection, or logically, and are physically or operationally controlled and security-managed by the Commonwealth or a contracted third-party vendor on behalf of the Commonwealth.
​MD 535.09 
​Commonwealth of PA Procurement and Architectural Review (COPPAR)​The former review mechanism used by the Office for Information Technology to review agency requests for policy waivers and large IT-related procurements. (This has been replaced by Technology Investment and Policy Review (TIPR)).​ITP-BUS000
ITP-BUS004
ITP-SEC000
​Complementary User Entity Controls (“CUEC”)
​Controls for SOC 1 and SOC 2 reports that management of the Service Organization assumes, in the design of the Service Organization’s system, will be implemented by user entities and are necessary to achieve the control objectives stated in management’s description of the Service Organization’s system.
​ITP-SEC040
​Confidentiality
​Preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information. A loss of confidentiality is the unauthorized disclosure of information.​44 U.S.C. Section 3542, Federal Information Processing Standards (FIPS) 199
​Configuration Item (CI)
​Any service component, infrastructure element, or other item that needs to be managed in order to ensure the successful delivery of IT services.  
​ITP-SYM010
​Connection​Includes remote access system (RAS), a tool used to connect remotely to the commonwealth network. Authorized Users may need to connect to the network from home or another remote location, to perform their job functions. Remote access is coordinated by the Office of Administration, Office for Information Technology (OA/OIT), and users must have the Cisco virtual private network (VPN) client on their computer and a valid digital certificate. Connection does not include connecting with Authorized User devices to Office Outlook Web Access.
​MD 240.11
​Consultant
​A person identified as an expert in a particular field whom the Commonwealth engages under contract to provide professional advice and/or services to the Commonwealth for a specific purpose and duration.  A Consultant is not a Commonwealth employee.
​N/A
​Controller
​Network device which controls the access points within a wireless network.
​ITP-NET001
​COPA-Campus wireless
​Enterprise wireless network that bridges participating agencies’ networks to allow wireless roaming capability.
​ITP-NET001
​Corrective Action Plan (CAP)
​A detailed plan outlining a set of actions identified to remedy an unsatisfactory performance. A CAP includes time limits and goals.
​ITP-SEC040
​Contract Change Request (CCR)
​Contractual document utilized to modify, change, or delete a service and/or product within a contract.
​ITP-NET003
​Contract Manager (CM)
​Individual responsible for managing the day-to-day activities of a contract post award. 
​ITP-SEC040
​Contract Value
​Total dollar amount of the entire contract term (the base term and all estimated costs for option years)
​ITP-BUS002
​Contracted Resource
​A person whose service, under contract, are provided to the Commonwealth as an independent contractor for a specific purpose and duration.  A Contracted Resource is not a Commonwealth employee.
​N/A
​Contracting Officer
​One who is authorized to enter into contracts for supplies and Services.
​ITP-BUS002
​CONUS
​The continental United States and Hawaii.
​ITP-SEC000
​Corrective Action Plan (CAP)
​A detailed plan outlining a set of actions identified to remedy an unsatisfactory performance. A CAP includes time limits and goals.
​ITP-SEC040
​Cost-to-Carry
​Current level of services. The focus is on activities and intended accomplishments.  When budgeting, Cost-to-Carry includes the future cost consequences of current program policy.
​ITP-BUS001
​Custom Built Application Software 
​The designing of software applications for a specific user or group of users within an organization. Such application software is designed to address specific user needs precisely as opposed to the more traditional and widespread off-the-shelf application software. Custom built application software meets unique business requirements.
​ITP-SFT000
​​Cyber Security Incident
​​Any occurrence involving the unauthorized or accidental modification, destruction, disclosure, loss, damage, misuse, or access to information technology resources such as systems, files and databases.  It also includes the violation or imminent threat of violation of computer security policies, acceptable use policies, and standard security practices.
​ITP-SEC024
Cybersecurity Risk Management Program
Set of policies, processes, and controls designed to protect information and systems from security events that could compromise the achievement of the entity’s cybersecurity objectives and to detect, respond to, mitigate, and recover from security events that are not prevented.
ITP-SEC040

D

Return to top of page
​Term
 ​Definition
 ​Point of Reference
​Data
​A value or set of values representing a specific concept or concepts. Data become “information” when analyzed and possibly combined with other data in order to extract meaning, and to provide context.​ITP-INF013 (pending)
project-open-data.cio.gov
​Data Architecture​Describes the data structures used by a business and its applications. The architecture sets the data standards for all information systems in the organization and communicates a model of the interactions of data in those systems.​ITP-INF013 (pending)
​Data Breach
​An unauthorized access and acquisition of computerized data that materially compromises the security or confidentiality of a system, data or personal information maintained by the entity that causes, or the entity reasonably believes has caused, or will cause loss or injury to any resident of this Commonwealth.
​ITP-SEC024
​Data Element Encryption​A technique that encrypts individual data elements instead of encrypting an entire file or database. Common examples of data element encryption include column level database encryption and encryption of a Social Security Number (SSN) before writing it to a file. Data element encryption is used to selectively apply encryption, and may be used to reduce encryption/decryption overhead, to protect different elements with different keys, or to simplify adding encryption to applications.​ITP-SEC031
​Data Exchange
​Data from a source system that is restructured for the target system for the purpose of accurately representing the source data. Data Exchanges rely on implementing data languages such as Extensible Markup Language (XML) and JavaScript Object Notation (JSON).
​ITP-INF000
​Data Migration
​Utilizing a design for data extraction and data loading for the purpose of permanently relocating data from one system/application to another system/application.
​ITP-INF000
​Data Owner
​Official with statutory or operational authority for specified information and responsibility for establishing the controls for its generation, collection, processing, dissemination, and disposal.

Also referred to as Information Owner
​ITP-SEC005
​Dataset
​An organized collection of data.
​ITP-INF000
​Database Management System (DBMS)​Software to manage a database that provides a common and controlled approach maintaining data integrity and accessibility in storing data, adding new data, and in modifying and retrieving existing data within a database. Security and backups are key components.​ITP-INF001
​Degauss
​Procedure that reduces the magnetic flux to virtual zero by applying a reverse magnetizing field. Degaussing any electronic media will render the media permanently unusable.
​ITP-SEC015
​Demilitarized zone (DMZ)
​A perimeter network that protects an organization's internal local-area network (LAN) from untrusted traffic.
​OPD-SEC010A
​Development Application Software
​Known as computer programming tools, are used to translate and combine computer program source code and libraries.
​ITP-SFT000
​Digital Accessibility
​Digital Accessibility is providing Digital Content and Services that can be used by any user, including those with visual, auditory, motor, or cognitive Disabilities.
​ITP-ACC001
​Digital Accessibility Maturity Assessment
​A tool for measuring the degree of maturity attained in implementing and managing Digital Accessibility.  The assessment will help people in agencies understand the ten dimensions of an accessibility program and allow them to plan and work on improving the accessibility of Digital Content and Services year over year.
​ITP-ACC001
​Digital Content and Services
​The delivery of information and services to end-users via data, voice, or video technologies, which includes but is not limited to:
  • Electronic content: Websites and web-based materials (Internet & Intranet), Microsoft Office (Word, Excel, PowerPoint), Adobe InDesign & PDF documents, training materials (e.g., online training materials, tests, online surveys), multimedia (video/audio), digital materials (e.g., documents, templates, forms, reports, surveys), maps and infographics, electronic emergency notifications, and subscription services (e.g., news feeds, alert services, professional journals);
  • Software:  Web, desktop, server, and mobile client applications, authoring tools, associated infrastructure, and service offerings (SaaS, PaaS, IaaS);
  • Hardware:  Computers & laptops, servers, tablets, printers and copiers, scanners, peripheral equipment (e.g., keyboards, mice), kiosks and mobile phones;
  • Support documentation and services:  Training services, help desk or call center, automated self-service & technical support, and product informational materials.
​ITP-ACC001
​Disable
​An account may be Disabled either by setting the Active Directory (AD) userAccountControl attribute (set the 0x200 bit to 1) or by moving the account to a dead storage area where it will not be used for Authentication purposes
​ITP-SEC007
​Disability (with respect to an individual)
  • ​A physical or mental impairment that substantially limits one or more major life activities of an individual
  • A record of such an impairment; or
  • Being regarded as having such an impairment.  This terms does not include current, illegal use of or addiction to a controlled substance, as defined in Section 102 of the Controlled Substances Act, 21 U.S.C. § 802.
​ITP-ACC001
​Disclaimer Opinion
​Is provided when auditors can’t express an opinion. This typically occurs when a Service Organization does not provide the auditors with adequate information to render an opinion, in which the CPA firm may disclaim their opinion.
​ITP-SEC040
​Disk Wipe
​Procedure that uses a single character to overwrite all addressable locations on a magnetic drive.
​ITP-SEC015
​DoD 5220.22-M
​Known as the National Industrial Security Program, that stipulates the requirement of three passes where the entire magnetic drive is overwritten.
​ITP-SEC015
​DoD Rated Degausser
​Department of Defense-type degaussers that meet or exceed DoD Type I or Type II media sanitization standards.

Type I: Equipment rated to degauss magnetic media having a maximum coercivity of 350 oersteds.

Type II: Equipment rated to degauss magnetic media having a maximum coercivity of 750 oersteds.
​ITP-SEC015

E

Return to top of page
Term
 ​Definition
 ​Point of Reference
​eDiscovery
​Electronic discovery (also called e-discovery or eDiscovery) refers to any process in which electronically stored information is sought, located, secured, and searched with the intent of using it as evidence in a civil or criminal legal case. Electronically stored information, for the purpose of the Federal Rules of Civil Procedure, is information created, manipulated, communicated, stored, and best utilized in digital form, requiring the use of computer hardware and software.​OA Legal
​e-Discovery​Any process in which electronically stored information (ESI) is identified, collected, searched, and analyzed for production in the discovery phase of litigation.​ITP-INF009
​Electronic​Relating to technology having electrical, digital, magnetic, wireless, optical, electromagnetic, or similar capabilities.​MD 210.12
​Electronic Device
​Devices that contain electronic media which include, but are not limited to, PCs, printers, multifunction systems, scanners, fax machines, and handheld devices such as cellular phones, smartphones and tablets.
​ITP-SEC015
​Electronic Media
​Material on which data are or may be recorded via an electrically based process, such as, but are not limited to, magnetic tape, magnetic disks (hard drives), solid state devices/SSD (flash drives, SD cards, SIM cards), optical discs (CDs, DVDs).
​ITP-SEC015
​Electronic Record​A record created, generated, sent, communicated, received, or stored by electronic means. This term includes permits, licenses, applications, and other documents required or issued by an executive agency.​MD 210.12
​Electronic Signature​(MD version) An electronic sound, symbol, or process attached to or logically associated with a record and executed or adopted by a person with the intent to sign the record.

(ITP version) an electronic sound, symbol, or process attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record. Although Electronic Signatures are represented digitally (i.e., as a series of ones and zeros), they can take many forms and can be created by many different technologies. This should not be confused with the Digital Signature terminology, which is used in public key cryptography.
​MD 210.12



ITP-SEC006
​Electronic Storage System​A system to prepare, record, transfer, index, store, preserve, retrieve, and reproduce books and records by either electronically imaging hardcopy (paper) documents to an electronic storage media or transferring computerized books and records to an electronic storage media.​MD 210.12
IRS Rev. Procedure 97-22
​Electronic Transaction​The electronic sharing of information including: Electronic posting of data on a network. The exchange of an electronic record or electronic signature by an executive agency with a person or automated system to: facilitate access to restricted information; purchase, sell, or lease goods, services, or construction; transfer funds; facilitate the submission of an electronic record or electronic signature required or accepted by the commonwealth; or create a record upon which the commonwealth or another person will reasonably rely.​MD 210.12
​Electronically Stored Information (ESI)​Any data or information produced or received on commonwealth IT Resources that resides on commonwealth-managed storage solutions, either on premise or off premise (i.e. cloud storage, backup tapes).​ITP-INF009
​Emergency Change
 Supports maintenance in response to a reported Incident, when a problem exists on any infrastructure component or service that is causing business disruptions to one or more agencies.
​ITP-SYM010
​Emergency Maintenance (Enterprise Services)​Maintenance necessary when a problem exists on any Enterprise infrastructure component or Enterprise Service that is causing major disruptions to one or more agencies.​ITP-SYM010
​Endpoint Detection and Response (EDR)
​A capability that provides:
• Real time indication on known tactics, techniques, and procedures (TTPs);
• The ability to monitor common applications and processes for exploitation and proactively block those exploitations; and
• The ability to detect and block lateral movement with the enterprise network.
​ITP-SEC001
​Endpoint Security
​An integrated solution that provides cybersecurity protection on endpoint devices including servers, desktops, laptops, and other mobile devices that should encompass the below capabilities:
 • The ability to integrate with different security solutions utilized by the Commonwealth; and
 • Automatically update signature files and scan engines.
​ITP-SEC001
​Enterprise Architecture​The analysis and documentation of an enterprise in its current and future states from an integrated strategy, business, and technology perspective.​N/A
​Enterprise Architecture Artifact​A documentation product such as a text document, diagram, spreadsheet, briefing slides, or video clip that document EA components in a consistent way across the entire architecture.​N/A
​Enterprise Architecture Component
​Changeable resources that provide capabilities at each level of a framework. Examples include strategic goals and initiatives, business services, web services, software applications, voice/data/mobile networks, buildings.​N/A
​Enterprise Class DBMS
​Integrates multiple business processes or applications into a single DBMS and hardware platform. This is in contrast to creating application-specific DBMSs.
ITP-​INF001
​Enterprise Information Security Office (EISO)​Office within the Office of Administration, Office for Information Technology tasked with managing the enterprise IT security posture for the commonwealth as it pertains to governance, risk, and compliance.​ITP-SEC000
​Enterprise IT Service Offering​An Enterprise IT Service Offering is made up from a combination of people, processes and technology that supports a customer's business. An Enterprise IT Service Offering is a means of delivering value to customers by facilitating the outcomes customers want to achieve without the ownership of costs and risks.​ITP-BUS007
​Enterprise Maintenance (Enterprise Services)​Maintenance is considered Enterprise if:
  • It affects any Enterprise infrastructure component or Enterprise service
  • It affects two or more agencies at one site
  • It affects two or more agencies at multiple sites
  • It affects one agency at multiple sites
​ITP-SYM010
​Enterprise Service Bus (ESB)
​Refers to a software architecture construct. This construct is typically implemented by technologies found in a category of middleware infrastructure products, based on recognized standards, which provide fundamental services for more complex architectures via an event-driven and standards-based messaging engine (the bus).​N/A
​Enterprise Service Catalog
​A document that describes the Enterprise IT Service Offerings.
​ITP-BUS007
​Enterprise Standard
​An Enterprise IT Service Offering that is required to be utilized and consumed by Agencies.
​ITP-BUS007
​Event (Security)​An observable occurrence in a system or network. Events include, but are not limited to, a user connecting to a file share, a server receiving a request for a Web page, a user sending electronic mail (e-mail), and a firewall blocking a connection attempt.​ITP-SEC021
​Event Correlation (Security)​The process of monitoring events in order to identify patterns that may signify attacks, intrusions, misuse or failure.​ITP-SEC021
​Executive Agency​A department, board, commission, council, authority, officer, or agency subject to the policy, supervision, and control of the Governor.​MD 210.12

F

Return to top of page
​Term
 ​Definition
 ​Point of Reference
​Facilities Hardening
​A process intended to evaluate risks and reduce vulnerabilities related to the physical security of the building housing the infrastructure.
ITP-​BUS002
​Federal Information Processing Standards (FIPS)​A federal IT standard established by the National Institute of Standards and Technology​ITP-SEC000

​File Encryption
A technique that encrypts files on a file system without encrypting the file system itself or the entire disk.  A file encrypting application may include functionality to archive multiple files into a single file before or after encrypting, produce self-decrypting files, or automatically encrypt files or folders based on policies or locations.  File encryption is often used to protect files being sent through email or written to removable media.
​ITP-SEC031
​Forensic Analysis
​Evidence found in computers and digital storage media as part of a formal investigation using systematic and sound methods to examine digital media with the aim of identifying, preserving, recovering, analyzing, and presenting facts and opinions about the digital information.
​ITP-SEC024
​Forensic Response Servlet
​A capability for performing forensic captures on desktops, servers, laptops, and tablet devices which enables OA/OIT forensic team to investigate security incidents.
​ITP-INF001
​Full Disk EncryptionA technique that encrypts files on a file system without encrypting the file system itself or the entire disk.  A file encrypting application may include functionality to archive multiple files into a single file before or after encrypting, produce self-decrypting files, or automatically encrypt files or folders based on policies or locations.  File encryption is often used to protect files being sent through email or written to removable media.
​ITP-SEC031
​Functional Testing
​Validating an application correctly performs functions identified in requirements documents. This includes testing for normal and erroneous input. Functional testing can be performed manually or automated.​ITP-SFT000

G

Return to top of page
​Term
​Definition
​Point of Reference
​Gateway
​Network hardware that enables data and resources to be shared easily and securely over the internet.
​ITP-SEC010
​General Maintenance (Enterprise Services)​Maintenance performed by a service provider. This type of maintenance is performed on the service offering which affects multiple customers, and is vital to the integrity of the services provided.​ITP-SYM010
​Globally Unique Identifier (GUID)
​An alpha-numeric code that uniquely identifies a person. Two John Smiths could, for instance, both have the same user ID, but they would have different GUIDs. User access to IT resources should be based on the GUID rather than the user ID as it uniquely identifies the person. Note: Active Directory assigns a GUID to each account, this is not necessarily the same as assigning a GUID to a person.  
​ITP-SEC007
​ Guest Wireless (COPA-Guest SSID):
​The Office of Administration’s (OA) Controller for providing wireless access to the Internet that shall be used only by nonCommonwealth employees on a case-by-case basis. 
​ITP-NET001
​Guideline​A recommended best practice or course of action usually with some latitude in its use and implementation.​ITP-BUS004

​H

Return to top of page
Term
 Definition
 ​Point of Reference
​Hardware
​Any computerized machine or related device used on behalf of the Commonwealth. Examples of these devices include desktops/laptops, servers, network devices, telecommunication devices.
​ITP-BUS002
​High-level Data Model (HDM)​Used to communicate core data concepts, rules, and definitions to a business user as part of an application development initiative.​S. Hobermen. Data Modeling for Business
Host
​A computer connected to the internet
​ITP-SEC010
Host Intrusion Prevention System (HIPS)
​A capability to detect and prevent unauthorized application and/or network behavior on desktops, servers, laptops, and tablet devices and distribute updated enterprise policies.
​ITP-SEC001

​I

Return to top of page
​Term
 Definition
 ​Point of Reference
​Identify and Access Management (IAM)​Processes and tools used to manage user IT accounts throughout the account lifecycle. These include the creation (provisioning) of the account, management of attributes and privileges during the account's active lifetime, password management, and finally the removal (de-provisioning) of the account when that lifetime is over.
​ITP-SEC038
​Identity Proofing​The process of verifying the real life identity being claimed by a person.​ITP-SEC039
​Identity Verification​A service is used to ensure that users provide information that is associated with the identity of a real person.  It can involve the verification of identity information (fields) against independent and authoritative sources, such as credit bureau or commonwealth data.​ITP-SEC039
​IEEE​The Institute of Electrical and Electronics Engineers, a non-profit, technical professional association and leading authority in technical areas ranging from computer engineering, biomedical technology and telecommunications, to electric power, aerospace and consumer electronics, among others.​ITP-NET001
​Illegal Use​Use which violates local, state, or federal law as well as CoPA or agency IT policy.​MD 245.18
​Imaged Document​A copy of an original hardcopy (paper) record that has been electronically imaged to an electronic storage system. An imaged document contains all the recorded information that appears on the original document and be able to serves the purpose(s) for which the original was created or retained.​MD 210.12
IRS Rev. Procedure 97-22
​Immediate Maintenance (Enterprise Services)​Maintenance necessary when a problem exists on any Enterprise infrastructure component or Enterprise Service that has the potential to cause major disruptions to one or more agencies.​ITP-SYM010
​Inactive Account
​An account that hasn't been used in 18 months or one which lacks any role or related attribute that would be used to authorize its use to access an information technology system; or any account where the AD userAccountControl attribute is set to disabled.
​ITP-SEC007
​Inappropriate Use​A violation of the goals, purpose and intended use of the network.
​MD 245.18
​Incident
​Unplanned interruption to an IT service or reduction in the quality of an IT service.
​ITP-SYM010
​Incident (Security)​A violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices. Examples of an incident are denial of service, malicious code, unauthorized access and inappropriate usage.​ITP-SEC021
​Incident Response (Security)
​The manual and automated procedures used to respond to reported incidents (real or suspected), system failures and errors, and other undesirable events.​ITP-SEC021
Incident Response Process Document (Security)
​A set of processes that outlines what to do in a Cyber Security Incident or potentially suspected Cyber Security Incident.
​ITP-SEC024
​Independent Third Party
​An entity that is not currently implementing or managing the system(s) in scope.
​ITP-SEC023
​Indicators of Compromise (IOCs)
​Evidence or an artifact observed on a system or network that indicates a potential intrusion.
​ITP-SEC024
​Information
​Data, text, images, sounds, codes, computer programs, software, data bases, or the like.​MD 210.12
​Information Asset
​Information relevant to the enterprise’s business functions, including captured and tacit knowledge of employees, customers or business partners; data and Information stored in highly-structured databases; data and Information stored in textual form and in less-structured databases such as messages, e-mail, workflow content and spreadsheets; Information stored in digital and paper documents; purchased content; and public content from the internet or other sources.
​ITP-INF000
​Information Life Cycle
The stages through which Information passes, typically characterized as creation or collection, processing, dissemination, use, storage, and disposition.
ITP-INF000
​Information Resources​Information and related resources, such as personnel, equipment, funds, and information technology.
​44 U.S.C. Section 3502
​Information Security​Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide: Integrity, Confidentiality, Availability.​44 U.S.C. Section 3542
​Information System​A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.​NIST 800-39
ITP-BUS008
​Information Technology​The resources applied in an enterprise for the purpose of storing, retrieving, transmitting, and manipulating data through use of software and hardware infrastructure.​ITP-BUS000
​Information Technology Policy (IT Policy, ITP)​A document published by OA/OIT that defines the expectations, requirements, standards, technical specifications, procedures, and guidelines to agencies that use and manage IT resources and services. Defined general areas (domains) in which IT policies encompass and are categorized. The policy domains and their abbreviations are: Accessibility (ACC), Application (APP), Business (BUS), Information (INF, INFG, INFRM), Integration (INT), IT Procurement (PRO), Network (NET), Platform (PLT), Privacy (PRV), Project Management (EPM), Security (SEC), Services (SER), Software (SFT), Systems Management (SYM).
​ITP-BUS000
ITP-BUS004
​Information Technology Systems or Systems
Information Technology Systems or Systems ​include computer applications, servers, laptops, databases, routers, switches, wireless devices, mobile devices and other computer related hardware and software.
​ITP-SEC007
​Information Type​A specific category of information (e.g. privacy, medical, proprietary, financial, investigative, contractor sensitive, security management) defined by an organization, specific law, executive order, directive, policy, or regulation.​Federal Information Processing Standards (FIPS) 199
​Infrastructure
​Refers to the enterprise's entire collection of hardware, software, networks, data centers, facilities and related equipment used to develop, test, operate, monitor, manage and/or support information technology services.
​ITP-BUS001
​Infrastructure as a Service (IaaS)
A Cloud Computing Service through which agencies provision processing, storage, networks, and other computing resources where the agency can deploy and run software, which can include operating systems and applications. The agency does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components.
​ITP-SEC040
ITP-SFT000
​Integrated Development Environments (IDE)
​Provides frameworks used in modern programming languages and provide components with similar-user interfaces, minimizing the amount of mode switching compared to discrete collections of disparate development programs. IDEs offer robust capabilities to create service-oriented architecture (SOA) components and applications.. IDEs increase productivity by providing customizable interfaces, integrated debugging, testing and deployment tools, and integration with existing technology through SOA.
​ITP-SFT009
​Integration Testing​The phase of software testing in which individual software modules are combined and tested as a group. It follows unit testing and precedes system testing.​ITP-SFT000
​Integrity​Guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity. A  loss of integrity is the unauthorized modification or destruction of information.​44 U.S.C. Section 3542
Federal Information Processing Standards (FIPS) 199
​Internet Facing Web Application
​An application that uses the Internet to provide citizens, Commonwealth employees, and business partners with access to agency-specific data or services and that resides on Commonwealth IT Resources.  This includes content generated from a data visualization or business analytics platform.
​ITP-SEC005
​Internet Security Protocol (IPsec)
​Consists of a set of open standards to provide security equivalence to a private network in the shared public infrastructure (internet). IPsec provides security at the network layer and encrypts data within application communications.
​ITP-SEC010
​Invitation For Bids (IFB)Competitive sealed bidding for an IT product or Service. Refer to Part I, Chapter 02, “Definitions” and Section A of Part I Chapter 06 “Method of Awarding Contracts” of the Procurement Handbook.​ITP-BUS002
​Invitation To Qualify (ITQ)​A multiple award contract used to procure IT services from contractors pre-qualified in various IT service categories. Refer to Part I, Chapter 02, “Definitions” and Section A of Part I Chapter 06, “Method of Awarding Contracts” of the Procurement Handbook.​ITP-BUS002
​ISO​Information Security Office/Officer
​MD 240.12
​IT Governance 
​The processes that ensure the effective and efficient use of IT in enabling an organization to achieve its goals. It requires specification of the decision rights and accountability framework to encourage desirable behavior in the use of information technology.
​ITP-SEC040
​IT Investment
​The purpose or procurement of any IT services that meet the specified criteria
​ITP-BUS001
​IT Operations

Commonwealth-sponsored ongoing routine IT activities or business processes which include, but are not limited to, reportable activities which support existing IT products or services throughout their defined service lifecycle, and do not meet the planning and classification criteria for an IT Project.
​ITP-SEC040
​IT Policy Business Owner​OA/OIT personnel or program area responsible for ensuring assigned IT policy aligns with the enterprise's current IT environment.​ITP-BUS000
​IT Policy Coordinator​OA/OIT personnel responsible for the management of the IT policy life cycle and facilitating the IT policy governance process.​ITP-BUS000
​IT Policy Domain Owner​​OA/OIT personnel responsible for the management of a specific domain of IT policies.​ITP-BUS000
​IT Policy Waiver​A temporary exemption granted to commonwealth agencies for non-compliance with a specific OA/OIT IT Policy.​ITP-BUS004
​IT Project
​A Commonwealth-sponsored IT Project is an undertaking that is not a routine operation or business process, but a specific set of tasks that are planned, organized, tracked, and executed by multiple resources, and has a defined start and end date.  IT Projects are classified in one of three Investment Classes: Run, Grow or Transform.
​ITP-BUS001
​IT Resources​(MD version): Include, but are not limited to, the following: the commonwealth’s computer systems, together with any electronic resource used for communications, which includes, but is not limited to laptops, individual desktop computers, wired or wireless telephones, cellular phones, pagers, beepers, personal data assistants and handheld devices, and, further, includes use of the internet, electronic mail (email), instant messaging, texting, voice mail, facsimile, copiers, printers or other electronic messaging through commonwealth facilities, equipment or networks (collectively "IT Resources").

(ITP version): Include, but are not limited to, the staff, software,  hardware, systems, services, tools, plans, data, and related training materials and documentation that, in combination, support business activities. Examples of IT Resources include, but not limited to, desktop computers, mobile devices, email. telephones, servers, and network switches/routers.
​MD 205.34
MD 205.42
MD 240.11

ITP-SEC012

​J

Return to top of page
​Term
 ​Definition
 ​Point of Reference
​Jailbreaking/Rooting​The process used to modify the operating system on a mobile device.  The act of “jailbreaking” or “rooting” a mobile device allows the user control over the device including removing any vendor imposed restrictions on the products.​ITP-SEC035
​Java Database Connectivity (JDBC)​A set of programming Application Programming Interfaces (APIs) that allow easy connection to a wide range of databases through Java programs.​ITP-INF001

​K

Return to top of page
​Term
 ​Definition
 ​Point of Reference
​Keystone Key
​The online account established for a person and stored in the enterprise citizen directory SRPROD​ITP-SEC039
​Keystone Login
​An account management system for the Commonwealth of Pennsylvania online services.
​ITP-SEC039
​Knowledge Based Authentication (KBA)​An identity verification method where the person is asked a selection of questions gathered from information on that person from a variety of public and commercial data systems with the assumption that the real person would know the correct answers whereas an imposter would not.​ITP-SEC039

L

Return to top of page
Term
 ​Definition
 ​Point of Reference
​Legacy
​Any application or platform that is based on older technology that continues to provide core services to an organization.
​ITP-BUS001

​Level of Assurance (LOA)

 

The measurement of the degree or level of confidence that the person is who they are claiming to be.

The Commonwealth recognizes two levels of assurance:

LOA1 - little or no confidence in the user's identity beyond what the user claims.

LOA2 - information provided by the user has been verified by a third party.

​ITP-SEC039


​Load Testing

​Covers both performance testing and stress testing.

​ITP-SFT000
​Lobby Ambassador
​Individual capable of creating Guest Wireless accounts.
​ITP-NET001
​Local Administrator Accounts
​Local Administrator Accounts referenced in this section are defined as accounts having privileges beyond standard user-level access privileges, for accessing servers, workstations (PCs, laptops, etc.), printers, routers, network switches, firewalls, wireless access points, databases, applications and other Information Technology Systems. Local Administrator accounts are typically generated, maintained, monitored and managed on an individual machine-level, system-level, application-level or database-level basis.
​ITP-SEC007
​Local Area Network (LAN)​A network that connects computers, printers and perhaps other devices within a department, building or house.​ITP-NET001
​Log (Security)​A file that lists actions that have occurred.​ITP-SEC021
​Logon Banner​A display that provides a definitive warning about access, authorization, and monitoring activity requirements and allows a user to acknowledge this display prior to logging into an IT Resource.​ITP-SEC012

​M

Return to top of page
​Term
 ​Definition
 ​Point of Reference
​Machine Learning (ML)​A technique involving the use of a computer to train and improve an algorithm or model with minimal human participation to generating useful predictions and conclusions.​ITP-BUS012
​Maintenance Window
The period in which changes can be implemented. Weekly maintenance windows are pre-defined by the Change Manager. Maintenance outside of these pre-defined windows will require approval.
​ITP-SYM010
​Major Change Request
​An alteration to an existing IT Project that meets the designated criteria as outlined in the policy.
​ITP-BUS001
​Managed File Transfer (MFT)
Manages the secure transfer of data from one computer to another through a network and offers a higher-level of security and control than FTP. MFT is characterized by having all or most of the following features:
    • Support multiple file transfer protocols including FTP/S, SFTP, and HTTP/S.
    • Securely transfer files over public and private networks using encrypted file transfer protocols. 
    • Securely store files using multiple data encryption methods.
    • Automate file transfer processes between third-party vendors, licensors, contractors, or suppliers and exchanges including detection and handling of failed file transfers.
    • Authenticate users against existing user repositories internal and external (Lightweight Directory Access Protocol (LDAP) and Active Directory (AD)). 
    • Integrate to existing applications using documented Application Programming Interfaces (APIs). 
    • Generate detailed reports on user and file transfer activity. 
​ITP-SFT005
​Master Data Management Plan
​An agency-specific document developed by the agency’s data/information governance body that documents the governance operating model, data processes (collection, reporting, release), data roadmaps, data acquisition/integration methodologies, and other relevant procedures.
​ITP-INF000
​Metadata
​Information that describes various facets of an Information Asset to improve its usability throughout its life cycle.
​ITP-INF000
​Material Decision
​A decision that has a significant legal, financial, human resource, legislative, organizational, or regulatory impact. This includes but is not limited to, program eligibility, benefits determinations, and decisions impacting the health, safety, and welfare of Commonwealth citizens and/or employees.
​ITP-BUS010
​Mosaic Effect
​An event in which Datasets that pose no disclosure threat by themselves can create a security risk or produce Personally Identifiable Information (PII) when combined with other Datasets.
​ITP-INF000
​Maximum Session Lifetime
​The maximum time a system, device, or application may be accessed by a user, regardless of the user's activity, before the user must re-authenticate to the system, device, or application.
​ITP-SEC007
​Mbps​Millions of bits per second, or Megabits per Second, is the measurement of bandwidth on a telecommunication medium. Bandwidth is also sometimes measured in Kbps (kilobits per second), or Gbps (billions of bits per second).​ITP-NET001
​Migration
​The moving from one operating environment to another or involving moving to new hardware, new software, or both. For example: Migration of data from one database to another kind of database, moving from one database to another, or switching platforms (from one operating system to another operating system).​ITP-BUS001
​Mobile Application
​A computer program designed to run on mobile devices and as an add-on to existing applications.
​ITP-SEC035
​Mobile Application Management (MAM)​The process of developing, procuring, deploying and managing the configuration, distribution and access of in-house and commercially developed mobile apps through an enterprise app virtual marketplace or a consumer app store.​ITP-SEC035
​Mobile Communication Device (Mobile Devices)​Any mobile phone, smartphone, laptop, or media tablet that transmits, stores, and receives data, text, and/or voice with a connection to a wireless LAN and/or cellular network.​ITP-SEC035
​Mobile Device​(MD version) A device easily removable and stores data that can be connected to the Commonwealth network, workstation or other computing device via cable, Universal Serial Bus (USB), Firewire (IEEE 1394), I-LINK, infrared, radio frequency, personal computer memory card international association (PCMCIA), or any other external connection that would allow data to be transferred and removed.
(ITP version). Mobile devices include, but are not limited to smart phones, laptops, tablets, zip drives, floppy diskettes, recording and re-writeable compact disks (CD), recordable and re-writeable digital video disks (DVD), USB flash digital media devices (thumb drives), memory sticks/cards, PC card storage devices of all types and external hard drives.		​MD 240.12
ITP-PLT011
​Mobile Device Management (MDM)​Software technologies that secure, monitor, manage and support mobile devices deployed across the enterprise. By controlling and protecting the data and configuration settings for all mobile devices in the network, MDM can reduce support costs, security, and business risks. The intent of MDM is to optimize the functionality and security of a mobile communications network while minimizing cost and downtime.​ITP-SEC035
​Mobile Device Service Plan
​Any service agreement established with a cellular service provider to grant mobile device access to cellular networks for the transmission of voice and data traffic.
​ITP-NET016
​Mobile Email Management (MEM)​Mobile Email Management (MEM) controls which mobile devices that can access email, prevents data loss, encrypts sensitive data and enforces compliance policies.​ITP-SEC035
​Modernization
​The transition or transformation of existing IT assets to enhance performance, functionality, reliability, scalability, security, quality of service, and/or revitalized applications or extend the useful life of computing platforms and infrastructure used to support business operations.
​ITP-BUS001
​Modified off-the-Shelf (MOTS) 
​A commercial-off-the-shelf (COTS) product whose source code can be modified. The product may be customized by the purchaser, vendor, or another party to meet business requirements. MOTS is a software delivery concept that enables source code or programmatic customization of a standard prepackaged, market-available software.
​ITP-SFT000
​Multi-Factor AuthenticationA security system that verifies a user's identity by requiring the user to provide multiple types of credentials which can include simple authentication credentials, One-time passcodes, automated phone calls and/or biometrics.​ITP-SEC039
​Multi-Function Device (MFD)
​A device the consolidates the functionality of a printer, copier, scanner, and/or fax into one machine.
​ITP-PLT002
​Multi-Homed/Split Tunneling​Simultaneously using two different networks or connections, such as USB, wireless, cellular, or Bluetooth, or near-field communications (NFC).​ITP-SEC035

​N

Return to top of page
Term
 ​Definition
 ​Point of Reference
​NASCIO
​National Association of State Chief Information Officers
​National Institute of Standards and Technology (NIST)​A division of the federal Department of Commerce tasked with research and, including establishment of federal IT standards.​ITP-SEC000

​National Strategy for Trusted Identity in Cyberspace (NSTIC)​A federal initiative for secure, privacy enhancing identities in cyberspace.​N/A
​Network Device
​A hardware component of the network infrastructure such as, routers, switches, wireless access points, etc.
​ITP-SEC041
​Network Management Teams
​Internal or external agencies or Commonwealth-contracted vendors tasked with management of Commonwealth IT networks. 
ITP-​SYM008
​Network Timing Protocol (NTP)
​A networking protocol designed to synchronize the clocks of computers over a network. Typical NTP configurations utilize multiple redundant servers and diverse network paths to achieve high accuracy and reliability.
​ITP-NET017
​New Software
​Applies to the acquisition of Software when one or more of the following conditions exist, regardless of dollar threshold:

• The product does not currently exist on a contract.
• There is no existing license agreement that has been approved by appropriate legal entities.
​ITP-BUS002

​Non-Degradation of Service Availability (SLA-defined)
​A service level metric that measures the percentage of time the application is non-degraded during the applicable Measurement Window. This measurement is by application, not by server instance. Degradation shall mean a Service that tests as fully operational but is degraded below the baselines established during acceptance testing. This includes, but is not limited to slow performance and/or intermittent system errors. Calculation: N = (T - M - D) / (T - M) x 100%. N = Non-Degradation, T = Total Monthly Minutes, M = Approved Maintenance Time, D = Time Service is Degraded.​N/A
​Non-Enterprise Directories
All other Commonwealth user directory stores that are not Enterprise Directories.​​ITP-SEC007
​Normal Change
​Supports maintenance performed by a service provider. This type of maintenance is performed on the service offering that affects multiple customers and is vital to the integrity of the services provided.
​ITP-SYM010
​NoSQL
​A non-relational database architecture (sometimes referred to as “non-SQL” or “not only SQL”). NoSQL databases do not follow the strict table/row structure of Relational Databases. The non-relational nature of these databases allows them to be more flexible and scalable than traditional Relational Databases. NoSQL databases are increasingly used in big data and real-time web applications. The data structures used by NoSQL databases (e.g. key–value pair, wide column, graph, or document) are different from those used by default in Relational Databases, making some operations faster in NoSQL.
​ITP-INF001
​Notice of Forth Coming Procurement (NFP)​ Public notice posted to the eMarketplace website notifying vendors of an upcoming procurement. This is required for all procurements in the amount of $250,000.00 or greater.​ITP-BUS002

​O

Return to top of page
​Term
 ​Definition
 ​Point of Reference
​Oersted
​Unit of the magnetic field H in the centimeter–gram–second system of units (CGS)
​ITP-SEC015
​Office Class Print Device
​An advanced printer with specifications suitable to the office environment including network card availability, print speed and volume, memory, with features such as integrated card readers, multi-purpose trays, and two-sided printing.
​ITP-PLT002
​Office of Administration, Office for Information Technology (OA/OIT)​Consists of the offices managed by the Commonwealth Chief Information Officer (CIO), Chief Technology Officer (CTO), Chief Information Security Officer (CISO), Director of Office of Strategy and Management, and Director of Enterprise Services and their respective program areas.
​ITP-BUS000
​Office Productivity Software
​Application software dedicated to producing information, such as documents, presentations, worksheets, databases, charts, graphs, and digital video.
​ITP-SFT007
​Open Data​Data that can be freely used, re-used, and distributed by any entity, subject only, to the requirements to attribute.
​ITP-INF013
​Offshore
​Any country or territory outside the continental United States or Hawaii.
​ITP-SEC000
​Open Database Connectivity (ODBC)​Vendor-neutral interface, based on the SQL Access Group (SAG) specifications, that permits maximum interoperability among diverse Database Management Systems. The ODBC interface defines: function calls that allow an application to connect to a DBMS, execute SQL statements, and retrieve results; a standard way to connect and log on to a DBMS; and a standardized representation for data types. Database drivers link the application to their choice of DBMS.​ITP-INF001
​Outsourced Services
​Activities, functions, and/or solutions delivered through third party entities (e.g., hosted services over the internet or some other mechanism, contracting, or other outsourced service delivery model).​ITP-BUS001

​P

Return to top of page
​Term
 ​Definition
 ​Point of Reference
​PDF/UA (PDF/Universal Accessibility)
​PDF/UA is a technical specification intended for developers implementing PDF writing and processing software.  PDF/UA provides definitive terms and requirements for accessibility in PDF documents and applications. For those equipped with appropriate software, conformance with PDF/UA ensures accessibility for people with Disabilities who use assistive technologies such as screen readers, screen magnifiers, joysticks, and other technologies to navigate and read electronic content. PDF/UA is included within the revised Section 508 Standards.
​ITP-ACC001
​Penetration Testing/Ethical Hacking
​A review of information technology controls where an authorized analyst will actively attack a host or application using similar methods as threat actors to verify if a vulnerability is present. Penetration Testing can go beyond vulnerability validation in order to determine what a threat actor could do with access to a specific application, host or service, potentially gaining access to more assets and data deeper into a network.
​ITP-SEC023
​Pennsylvania Computer Security Incident Response Team (PA-CSIRT)
​A group of Commonwealth subject matter experts that handle computer security incidents.
​ITP-SEC024
​Pennsylvania Information Sharing and Analysis Center (PA-ISAC)
​A centralized Commonwealth resource for gathering information on Cyber Security Incidents.
​ITP-SEC024
​Performance Testing​Identifies bottlenecks during high volume simulation.
​ITP-SFT000
​Peripheral Device
​An auxiliary device that connects to and works with a computer and is typically used to input information into it or get information out of it.
​ITP-SEC041
​Personal Identification Number (PIN)
​A secret number that an individual memorizes and uses to authenticate his or her identity.  PINs are generally only decimal digits.
​ITP-SEC006
​Personally Identifiable Information (PII)​Any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual‘s identity, such as name, social security number, date and place of birth, mother‘s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.​ITP-INF000
ITP-SEC025
NIST SP 800-122
​Pilot 
​A project that consists of a scaled down, but fully functional environment with the exact same capabilities that would be enabled if the environment were to be promoted to production.
​ITP-SEC040
​Platform-as-a-Service (PaaS)
 A Cloud Computing Service through which agencies provision, instantiate, run, and manage agency-created or acquired applications.  The agency does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment.
​ITP-SEC040
ITP-SFT000
​Policy Driven Adoption for Accessibility (PDAA)
​PDAA is the integration of digital content and services accessibility governance into Commonwealth policies.  The PDAA methodology was created by a work group of the National Association of State CIOs (NASCIO)
​ITP-ACC001
​Printed Media 
The physical copy made of a digital item either mechanically or electronically.
​ITP-SEC019
​Privately Owned​A non-Commonwealth owned device used by an Authorized user in which the Commonwealth has no responsibility for the procurement or maintenance of the asset and it is solely the responsibility of the Authorized User.
​ITP-PLT012
​Privileged Account​(MD version) An account that have virtually unlimited access to all programs, files, and  resources on a computer system. Users shall not be given access to privileged accounts without the specific approval of the agency chief security officer. Privileged accounts must be used only for the purposes for which they were authorized and only for conducting CoPA business.
​MD 245.18





​Privileged Identity Management Solution​Software or tool that provides IT administrators a method of managing privileged user accounts and access rights to IT resources.​ITP-SEC038
​Privileged User​A user who, by virtue of function, has been allocated powers within a computer system, which are greater than those available to the majority of users of said computer system.

(ITP version) Authorized Users who have elevated access, with the ability to create, modify, and delete electronic resources, data, and/or system configurations.
​SANS.org
ITP-SEC038
​Procedure​Operational document that outlines predefined step-by-step sequence of instructions, activities, or course of action that must be followed in order to correctly accomplish a particular task.​ITP-BUS004
​Process Analyst
​Process Analysts define processes and how tools for automation will support that process. This involves documenting existing processes, determining the root cause of process deficiencies, identifying opportunities to improve processes, and evaluating changes to processes and their effectiveness. 
​ITP-BUS010
​Process Manager
The individual responsible for overseeing the execution of the process. Process Managers monitor the daily operations to ensure the process is executed properly and operating efficiently. They are also responsible for handling issues or exceptions that arise during the execution of the process​​ITP-BUS010
​Process Owner
​The person with the authority to determine how a process should operate and the responsibility to ensure that the process meets ongoing operational needs.
​ITP-BUS010
​Process Practitioners
​The individual(s) who execute one or more of the activities of a process.
​ITP-BUS010
​Project Level
​IT Project categorization based on complexity, visibility, duration, and cost. A Project Level score determines the Level of a Project, with a higher-level project representing a more rigorous project management process
Level One: 75-100 score
Level Two: 50-74 score
Level Three: < 50 score
​ITP-BUS001
​Project Request Process (PRP)
​The investment review process for agency requests of IT Project approvals
​ITP-BUS001
​Project Revision Request (PRR)
​A formal request to be submitted to support new programs or major changes in existing programs.
​ITP-BUS001
​Project Scaling Process
​The process used to assist in the evaluation process and determining the Project Level of status reporting required.
​ITP-BUS001
​Promiscuous Mode​A mode for a network controller that causes the controller to pass all traffic it receives to the device rather than passing only the frames that the controller is intended to receive. This mode is normally used for packet sniffing.​ITP-SEC035
​Proof of Concept 
​A project that is evaluated exclusively on pass or fail success criteria. Failed success criteria can still be considered a successful proof of concept as the results gave definitive proof that the concept was not viable.
​ITP-SEC040
​Public Computer
​Various computers available in public areas (i.e., libraries, schools, coffee shops) that many different individual users can access throughout the course of a day.
​ITP-PLT012
​Public Record​A record of a Commonwealth agency that is: Not exempt under Section 708 of the Right-to-Know-Law;  Not exempt from being disclosed under any other Federal or State law or regulation or judicial order or degree; Bot protected by privilege.N/A

​R

Return to top of page
​Term
 ​Definition
 ​Point of Reference
​Record​Information, regardless of physical form or characteristics, that document a transaction or activity of an agency and that is created, received or retained pursuant to law or in connection with a transaction, business or activity of the agency.  The term includes a document, paper, letter, map, book, tape, photograph, film or sound recording, information stored or maintained electronically, and a data-processed or image-processed document.​MD 205.42
MD 210.12
​Records System
​An information technology resource used to generate either an electronic or physical record that is based on business rules and processes. 
​ITP-INF000
​Regression Testing​Allows a consistent and repeatable validation of each new release of an application. This ensures no new defects have been introduced with the latest maintenance.​ITP-SFT000
​Relational Database
​A type of database that stores and provides access to data points that are related to one another. Relational Databases are based on the relational model, an intuitive, straightforward way of representing data in tables. In a Relational Database, each row in the table is a record with a unique ID called the key. The columns of the table hold attributes of the data, and each record usually has a value for each attribute, making it easy to establish the relationships among data points
​ITP-INF001
​Remote Access
​Ability for an organization's users to access its non-public computing resources from external locations other than the organization's facilities.​NIST SP 800-46
​Renewal
​Keeping an existing agreement (purchase order or contract) effective for an additional specified period as permitted through the renewal clause within the agreement.
​ITP-BUS002
​Request for Proposal (RFP)​An RFP is a competitive sealed method of procurement where proposals are solicited and the award is made to the responsible offeror whose proposal is determined, in writing, to be the most advantageous to the purchasing agency. Refer to Part I, Chapter 02, “Definitions” and Section A of Part I Chapter 06 “Method of Awarding Contracts” ITP-BUS002 IT Investment Review Process Page 3 of 8 of the Procurement Handbook.​ITP-BUS002
​Request for Quote (RFQ) An RFQ is a competitive sealed method of procurement where quotes are solicited and the award is made to the responsible contractor whose quote is determined, in writing, to be the most advantageous to the purchasing agency. Refer to Part I, Chapter 02, “Definitions” and Section A of Part I Chapter 06 “Method of Awarding Contracts” of the Procurement Handbook.​ITP-BUS002
​Resolution Time (SLA-defined)​Also referred to as Problem Circumvention, a service level metric that details the time required for circumvention or solution after reporting a problem.N/A
​Reverse-Proxy Server
​A type of proxy server that typically sits behind the firewall and directs client requests to the appropriate backend server.
​ITP-SEC002

​S

Return to top of page
​Term
 ​Definition
 ​Point of Reference
​Sanitization​A process to render access to target data (the data subject to the sanitization technique) on the media infeasible for a given level of recovery effort. Three categories: Clear, Purge, and Destroy.​NIST SP 800-88 Rev. 1
​Scope (IT Policy)​This ITP applies to all offices, departments, boards, commissions, and councils under the Governor’s jurisdiction (hereinafter referred to as "agencies). Agencies not under the Governor’s jurisdiction are strongly encouraged to follow this ITP.​All ITPs
​Section 508 Standards (Revised)
​A final rule, published in January of 2017, updating accessibility requirements for information and communication technology (ICT) covered by Section 508 of the Rehabilitation Act of 1973, 29 U.S.C. § 701 et seq.
​ITP-ACC001
​Secure email
​Involves encrypting, or disguising, the content of email messages to protect potentially sensitive information from being read by anyone other than the intended recipients.
​ITP-SEC008
​Secure Wireless
​A wireless implementation utilizing the centralized Controller for access to the internal Commonwealth network as well as the Internet.
​ITP-NET001
​Security Assessment​A process conducted by the Office of Administration, Office for Information Technology’s Enterprise Information Security Office that defines, identifies, and classifies security vulnerabilities of IT Resources.​MD 310.24
​Security Information and Event Managers (SIEM)​A set of tools used by IT professionals and system administrators to manage multiple security applications and devices, and to respond automatically to resolve security incidents and provides real-time monitoring and historical reporting of information security events from networks, servers, systems, applications and more.​ITP-SEC021
​Server and Desktop Systems​Applies to all Commonwealth-associated platforms and infrastructure utilized to run and access IT Resources.  This includes software (e.g., operating systems) and the hardware (e.g., routers, switches, etc.).
​ITP-SYM006
​Service
A Service provided by an IT service provider which is made up of a combination of information technology, people, and processes. Examples include: ASP, DaaS, Hosted COTS, IaaS, PaaS, SaaS and OA/OIT services as defined in the service catalog.
​ITP-BUS002
Services​
​A collection of Enterprise processes and procedures to deliver something of value to a Citizen.
​ITP-INF003
​Service Design Coordinator
​Role responsible for providing oversight of all design activities and associated processes of service design and evaluation for new or changes to existing services. Coordinates with Business Relationship Managers, technical staff, product vendors, procurement, project managers, transition teams, and other key stakeholders to ensure the completeness and successful implementation of the Service Design Package for enabling and sustainment of the IT services.
​ITP-SFT000
​Service Design Package (SDP)
​Documentation defining all aspects of an IT service and its requirements through each stage of its lifecycle. SDP defines the service model, requirements (utility & warranty), tools, architecture, metrics, and blueprints needed by the service transition team to build, test/validate, and deliver the service and their underpinning components. A service design package is developed for new, major changes, and retirement of an IT service.
​ITP-SFT000
​Service Engagement Review Process (SERP)​Commonwealth review process to ensure new services being introduced into IT environments to mitigate potential risks and disruptions of Commonwealth business.​ITP-NET008
​Service Organization
​Third-party vendors, licensors, contractors, suppliers, or other contracted entities that provide business or technology solutions and services procured by the Commonwealth
​ITP-INF000
ITP-SEC040
​Service Owner
​Accountable for the availability, performance, quality, and cost of one or more services. Deals directly with the Service Customer or proxy, usually in the context of a Service Level Agreement or Operating Level Agreement. Service Owner is responsible for day-to-day operation of the service.​N/A
​Service Set Identifier (SSID)​Identifies and specifies which 802.11 network is being joined.​ITP-NET001
​Session Inactivity
​The length of time a system or device is accessed (i.e., the account ID is logged in) without any interaction with the user.
​ITP-SEC007
​Shared Resource
​A device, such as a printer, set up on the network to be used by more than one user.
​ITP-PLT002
​Signature
​A signature, whether electronic or on paper, is first and foremost a symbol that signifies intent.  Thus, the definition of "signed" in the Uniform Commercial Code includes "any symbol" so long as it is "executed or adopted by a party with present intention to authenticate the writing." A Signature may, for example, signify an intent to be bound to the terms of a contract, the approval of a subordinate's request for funding of a project, confirmation that a signer has read and reviewed the contents of a memo, an indication that the signer was the author of a document, or merely that the contents of a document have been shown to the signer and that he or she has had the opportunity to review them.
​ITP-SEC006
​Single Sign-On (SSO)​A property of identity and access management that enables users to securely authenticate with multiple applications and websites by logging in only once - with just one set of credentials (username and password).​ITP-SEC039
​Smartphone​A mobile communication device with voice, messaging, scheduling, email and Internet capabilities. Smartphones also permit access to application stores, where additional software can be obtained for installation on the mobile device.​ITP-SEC035
​Social Media​Web-based and mobile technologies used to turn communication into interactive dialogue. The term includes, but is not limited to, blogs, RSS, discussion boards, wikis, video sharing sites, mash-ups and folksonomies.​MD 205.42
​Software
​A collection of instructions and data that tell a computer how to work or what to do.
​ITP-BUS002
​Software Application Development Methodology (SADM)
​A software application development methodology is a structured framework of procedures and processes used to develop custom software applications.  Software application development methodologies are essentially derivatives from the system development life cycle model but are unique in their respective processes and execution. 
​ITP-SFT000
​Software-as-a-Service (SaaS)
A Cloud Computing Service through which agencies use third-party vendors, licensors, contractors, or suppliers to provision applications running on a cloud infrastructure.  The applications are accessible from various client devices through either a thin client interface, such as a web browser or a program interface. The agency does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, apart from limited user-specific application configuration settings.
ITP-SEC040
ITP-SFT000
​Software Development Life Cycle (SDLC)
​A conceptual model used in software engineering as well as project management that describes the phases involved in an information system solution development and delivery. An SDLC framework consists of multiple phases to assure high quality systems are delivered, provide strong management controls over IT projects, and ensure that the information system can, and will, work as required and is effectively maintained to support agency’s missions. SDLC can be applied to Commercial-off-the-Shelf (COTS), Software-as-a-Service, (SaaS), or custom-built applications. SDLC frameworks should be intently integrated into key service life cycle phases (e.g., strategy, design, transition, operations) and affiliated processes. 
​ITP-SFT000
Sole Source
​The process by which an agency requests a sole/single vendor to procure materials or Services.
​ITP-BUS002
​Solicitation
 A procurement process for inviting vendors to bid on opportunities to provide goods and Services.
​ITP-BUS002
​Spiral Model
​An incremental software development process model that incorporates requirements, design, build/construct, test/simulations, and deploy prototype phases separated by planning and risk assessment. A prototype is created with each iteration and evaluated until a final production ready (i.e., fully functional and validated) prototype model has been created. This method can be used to create temporary prototype solutions that are later discarded or for large, expensive, and complicated projects using each iterative prototype build as a phase gate and/or milestone. Documentation in this process is dynamic and incrementally refined. Documentation is finalized with the implementation of the final production ready prototype.
​ITP-SFT000
Sponsoring Agency
​Commonwealth agency in contract with external Network Management Team.
​ITP-SYM008
​Stakeholder
​Everyone who is or will be affected by a policy, program, project, activity, or resource.​N/A
​Standard
​Universally or widely accepted, agreed upon written definition, limit, or rule, approved and monitored for compliance by an authoritative agency, professional organization, or recognized body as a minimum acceptable benchmark.​ITP-BUS004
​Standard Maintenance (Enterprise Services)​OA-approved, risk-assessed, routine administrative maintenance on an Enterprise infrastructure component or Enterprise service.​ITP-SYM010
​Standards for Attestation Engagements No. 18 (SSAE18)
​An attestation standard whereby a Service Organization's auditor (i.e., CPA firm conducting the engagement) issues an opinion concerning a Service Organization's controls. 
​ITP-SEC040
​Stress Testing
​Used to determine the load under which the application ceases to perform acceptably.​ITP-SFT000
​Structured Query Language (SQL)​A relational data language that provides a consistent, English keyword-oriented set of facilities for query, data definition, data manipulation and data control. It is a programmed interface to relational database management systems.​ITP-INF001
​Subservice Organization
​An entity that is used by a Service Organization to perform some or all of the services on behalf of the Service Organization.  Service Organizations may use Subservice Organizations to perform specific processes and controls.

Some examples of a Subservice Organizations include but are not limited to:
a. Data Centers that host Service Organization software or systems.
b. A Subservice Organization that manages data backup and recovery for the Service Organization's system.

​ITP-SEC040
​System Administrator Accounts
​Privileged or Administrator Accounts generally have elevated or full access rights to Systems, devices, and applications. Thisallows them to change system or device configurations and access data with full read-write privileges. They can create, delete, or modify user accounts and install software. The level of security protecting such accounts needs to be higher than a normal user account.
​ITP-SEC007
System and Organization Controls (SOC​1 Type 2 Report
​A report on a Service Organization or Subservice Organization relevant to internal controls over financial transactions and reporting. The report focuses on the suitability of the design and operating effectiveness of the controls to achieve objectives throughout a specific reporting period.
​ITP-SEC040
System and Organization Controls (SOC) ​2 Type 2 Report
​A report on a Service Organization or Subservice Organization that focuses specifically on IT controls of a system as they relate to relevant Trust Service Principles. The report, based upon and inclusive of auditors’ opinions, indicates whether controls placed in operation were suitably designed to meet or exceed the criteria of each relevant Trust Service Principle and whether those controls operated effectively for the reporting period.
ITP-SEC040
System and Organization Controls (SOCfor Cybersecurity 
​A report on a Service Organization or Subservice Organization that focuses on controls within the Service Organization’s Cybersecurity Risk Management Program and the suitability of the design of controls to meet cybersecurity objectives.
​ITP-SEC040
​System and Organization Controls (SOC) Reports
​A suite of reports produced during a third-party audit (CPA certified) as defined by the American Institute of Certified Public Accountants (AICPA). It is intended for use by Service Organizations, Subservice Organizations, or other entities to issue certified reports.
​ITP-SEC040
System and Organization Controls (SOC) Report Repository
​A repository that hosts relevant artifacts to be utilized by authorized Commonwealth employees tasked with managing SOC reports and official correspondence relating to the SOC reports.
​ITP-SEC040
System and Organization Controls (SOC) ​Resource Account (SOC RA)
​The resource account allows OA/OIT to view incoming SOC report emails to monitor for IT elements and verify the Contract Manager is forwarding on to the appropriate IT group for review.
​ITP-SEC040
System Software
​The programs that are dedicated to managing the computer itself, such as the operating system. The operating system manages the computer hardware resources in addition to applications and data. Without systems software installed in our computers we would have to type the instructions for everything we wanted the computer to do.  
​ITP-SFT000
​System Testing​Testing conducted on a complete integrated system to evaluate the system's compliance with its specified requirements.​ITP-SFT000
​System Unavailability Notification (SLA-defined)​A service level metric that details the time from discovering or receiving notice of system unavailability until notification is sent to the Commonwealth.N/A

​T

Return to top of page
Term
 ​Definition
 ​Point of Reference
​Tablet
​An open-face wireless device with touch screen display, primarily used in the consumption of media. These devices may also have messaging, scheduling, email, and Internet capabilities and a camera. Tablets may have open-source OSs (such as Android) or closed OSs under the control of OS vendors and/or device manufacturers (such as Apple and Microsoft). Media tablets may or may not support a mobile application store.​ITP-SEC035
​Technical Security Reviews
​A series of security tests, assessments, and audits conducted for discovering vulnerabilities in IT infrastructure and information systems, which may cause significant risk to an organization.
​ITP-SEC023
​Technical Specification​An explicit set of requirements outlining the specific characteristics, features, capabilities, of a product or technology (e.g., levels of quality, architectural, functions, performance, usability, compatibility, reliability, safety, scalability, interoperability, or other dimensions)​ITP-BUS004
​Technology Maturity Lifecycle (TML)​The technology maturity life cycle (TML) defines the varying life span stages in which a technology product development sustains its competitive and economic value over a particular timeframe. The TML has four distinct stages: Current: Technologies/standards that are supported by the commonwealth and meeting the requirements of the enterprise architecture. They are recommended for use. Contained: Technologies/standards that no longer meet the requirements of the current enterprise architecture.  They are not recommended for use. They are to be phased out over time.  No date has been set for their discontinuance. Retire: Technologies/standards are being phased out. Plans are to be developed for their replacement, especially if there is risk involved, such as lack of vendor support. A date for retirement has been set. Emerging: Technologies/standards that have the potential to become current technologies/standards. At the present time, they are to be used only in pilot or test environments where they can be evaluated. Use of these technologies is restricted to a limited production mode, and requires approval of a waiver request. Research technologies are less widely accepted and time will determine if they will become a standard.​ITP-BUS004
​Telecommunications Management Officer (TMO)​A commonwealth employee designated by OA/OIT or agency head to oversee the communications services of an agency and/or worksite.
​MD 240.11

ITP-NET016
​Threat Modeling​Identifying resources of interest and the feasible threats, vulnerabilities, and security controls related to these resources, quantifying the likelihood of successful attacks and their impacts, and analyzing the information to determine where security controls need to be improved or added.​NIST SP 800-46
​Technology Investment and Policy Review (TIPR)
​The review mechanism the Office for Information Technology uses to review agency requests for  IT Investments.
​ITP-BUS002
​Transaction Security Levels
​A value assigned to a transaction to determine the level of security that should be applied to the Electronic Signature of that transaction. The three levels are:

Low Risk / Low Impact Transactions (Level A) - Transactions in this category have little value to potential hackers and would have minimal consequences if compromised.

Low to Medium Risk / Medium to High Impact Transactions (Level B) - Transactions in this category have moderate to high value to potential hackers and/or have moderate to high consequences if compromised.

High Risk / High Impact Transactions (Level C) - Transactions are high risk, high consequence transactions that require high security measures.

​ITP-SEC006
​Transitory Record​Records that have little or no documentary or evidential value and that need not to be set aside for future use. N/A
​Transport Layer Security (TLS)
​A protocol created to provide authentication, confidentiality, and data integrity between two communicating applications. TLS is based on a precursor protocol, Secure Sockets Layer version 3.0 (SSL 3.0) which is deprecated.
​ITP-SEC010
​Trust Service Principles 
  • ​Security - Information and systems are protected against unauthorized access, OPD-SEC040B System & Organization Controls (SOC) Reporting Procedure unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information. 
  • Availability – Information and systems are available for operation and used as committed or agreed. • Processing Integrity – Systems processing is complete, valid, accurate, timely, and authorized. 
  • Confidentiality – Information designated as confidential is protected as committed or agreed. 
  • Privacy – Personal information is collected, used, retained, disclosed, and disposed in conformity with the commitments in the privacy notice.
​ITP-SEC040

U

Return to top of page
Term
 ​Definition
 ​Point of Reference
​Unified Telecommunications Services (UTS)
​Enterprise telecommunications group responsible for policy and standards on platform, equipment, and all related telecommunication items.
​ITP-NET016
​Unit Testing​Functional testing on each module in an application. Used early in development process before all components are completed.​ITP-SFT000
​United States Jurisdiction 
​Consists of all fifty (50) States of the United States and the District of Columbia.
​ITP-SEC040
​Unqualified Opinion
​Is provided by auditors when the controls tested in the report are operating effectively.
​ITP-SEC040
​US-CERT
​United States Computer Emergency Readiness Team tasked with providing Cybersecurity resources and notifications for information security officers.​ITP-SYM006
​User Acceptance Testing (UAT)
Generally the last phase of the software testing process.  During UAT, actual software users test the software to make sure it can handle required tasks in real-world scenarios, per requirements.
​ITP-SFT000
​User Agency Accessibility Guidelines (UAAG)
​UAAG are an industry-recognized standard published by the Web Accessibility Initiative (WAI) of the World Wide Web Consortium (W3C) that addresses User Agents (User Agents include browsers, extensions, media players, readers and other applications that render web content). UAAG includes three levels of conformance: A, AA, and AAA.
​ITP-ACC001

V

Return to top of page
Term
 ​Definition
 ​Point of Reference
​Video Sharing Service
​An enterprise application or service where Authorized Users can create, upload, view, publish, and share videos.
​ITP-SFT007
​Virtual Desktop Infrastructure (VDI)​The practice of hosting a desktop operating system within a virtual machine (VM) running on a hosted, centralized or remote server.​ITP-NET019
​Virtual Machine​A software implementation of a computing environment in which an operating system or program can be installed or run.​ITP-NET019
​Virtual Private Network (VPN)
​A network technology that creates a secure network connection over a public network such as the internet or a private network owned by a service provider.
​ITP-SEC010
​Volume Level Encryption
​Protects a smaller subset of the drive, possibly down to the individual folders.  This can span a single disk or multiple disks.
​ITP-SEC031
Voluntary Product Accessibility Template® (VPAT)
​A VPAT is an industry accepted tool to measure a supplier's ability to demonstrated their product's (hardware, software {COTS, SaaS}, electronic content and support documentation and services) support for accessibility.
​ITP-ACC001
​Vulnerability Assessment
Is the process of identifying defects or weaknesses present in a system due to misconfigurations, or coding flaws in hardware or software, which could allow the unauthorized exploitation of that system as it relates to confidentiality, integrity, or availability.
ITP-SEC023

W

Return to top of page
Term
 ​Definition
 ​Point of Reference
​Waterfall Model
​A software development process model that involves distinct sequential phases (i.e., conception, requirements, design, build/construct, test, and implementation).  Solution progress is flowing steadily downwards (like a waterfall) through each of the phases.  This means that any phase in the development process may begin only if the previous phase is complete.  There can be some slight variations in the waterfall approach (i.e., modified water fall) that define the circumstances and processes to go back to the previous phase.  Documentation in this process is also sequential.  Documentation is typically created, delivered, and approved with each phase as a prerequisite for the next phase to begin.  Each phase in this model is a phase gate or key milestone.
​ITP-SFT000
​Web Application Firewall (WAF)
​Addresses the needs of limiting Internet attacks and monitoring of web applications located in the Commonwealth.  A WAF provides a number of key benefits to the Commonwealth's Enterprise Data Center (EDC) and agencies that house web applications there.  
​ITP-SEC004
​Web Content Accessibility Guidelines (WCAG)
​WCAG are an industry-recognized standard published by the Web Accessibility Initiative (WAI) of the World Wide Web Consortium (W3C) that addresses digital content. WCAG includes three levels of conformance: A, AA, and AAA. 
​ITP-ACC001
​Web Development Framework
​A software framework designed to support development of dynamic web sites, web applications, and web services. Using a framework eases tedious and repetitive programming tasks and alleviates the overhead associated with common activities such as setting up session management and database access and provides structure and services and is deployed along with the application.
​ITP-SFT009
​WiFi Protected Access version 2 (WPA2)
​ A security protocol, specified in the IEEE Wireless Fidelity (WiFi) standard, 802.11i, WPA2 uses AES (Advanced Encryption Standard), meaning it can now meet the government's Federal Information Processing Standard (FIPS) 140-2 security requirements.
​ITP-NET001
​Wireless Communication Devices ​A device that transmits and receives data, text, and/or voice with a wireless connection to a network. This definition includes; but is not limited to, such devices as satellite and cellular telephones, pagers, wireless internet services, wireless data devices, wireless laptops, and cellular telephone/two-way radio combination devices. This definition does not include the radio devices that interface with the 800 MHz Statewide Radio System.MD 240.11