A
|
| Accessible | Refers to a site, work environment, service, or program that is easy to approach, enter, operate, participate in, and/or use safely and with dignity by a person with a disability. | ITP-ACC001 |
| Access Point | A wireless local access network (WLAN) transmitter/receiver that acts as a connection between wireless clients and wired networks. | ITP-NET001 |
| Account | The online credential being presented as representing a person. | ITP-SEC037
|
Agency/Delivery Center Personnel
| Employees responsible for the management of agency electronic media data cleansing.
| ITP-SEC015
|
Agile Model
| A highly iterative software application development model that involves an interactive, cross-functional, and focused team approach to build software solutions in a time boxed (sprints) development methodology. The Agile model uses feedback and checklists, tightly integrated cross functional teams, and multi-faceted iterations or sprints to quickly build custom software applications. The feedback is driven by regular tests and releases of the evolving software.
| ITP-SFT000
|
| Algorithm | A series of discrete, conditional instructions. In computing, algorithms enumerate a list of operations to carry out. An algorithm informs a computer of the steps it must take to deliver a desired result. | ITP-BUS012 |
| American National Standards Institute (ANSI) | ANSI serves as a quasi-national standards organization. It provides area charters for groups that establish standards in specific fields. ANSI is unique among the world’s standards groups as a nongovernmental body granted the sole vote for the United States in the International Standards Organization (ISO). | ITP-INF001
|
| Anonymous logon (login) | Access to a system which does not require any information on the person accessing the system. | ITP-SEC037
|
Application Inventory
| A centrally managed repository used to capture data and assess risk profiles for all enterprise and agency-level applications that support the business needs of the commonwealth.
| ITP-SFT000
|
Application Lifecycle Management (ALM)
| A tool or set of tools that aids the development teams in the entire application development and product lifecycle management (e.g., governance, development, and maintenance). It encompasses requirements management, software architecture, programming, software testing, software maintenance, change management, continuous integration, project management, defect management, versioning and release management.
| ITP-SFT000
|
| Application Programming Interface (API) | API or Web API as used in the context of Keystone Login, is an interface containing multiple web-exposed endpoints to a defined request-response data transfer system and/or messaging system | ITP-SEC039 |
Application Software
| Often called productivity programs or end-user programs because they enable the user to complete tasks, such as creating documents, spreadsheets, databases, and publications, doing online research, sending email, designing graphics, and running businesses.
| ITP-SFT000
|
| Artificial Intelligence (AI) | A technology used to emulate human performance typically by learning, coming to its own conclusions, appearing to understand complex content, engaging in natural dialog with people, enhancing human cognitive performance (also known as cognitive computing), or conducting the execution of nonroutine tasks. | ITP-BUS012 |
| Authentication | The process of establishing confidence in the validity of a person’s logon account, usually as a prerequisite for granting access to resources in an information system. | ITP-SEC037 |
| Authentication Method | The type of authentication being used to validate a person’s logon account. There are three categories: 1. Something you know (e.g. PIN, password, shared information) 2. Something you possess (e.g. token, smart card, digital certificate) 3. Something you are (biometrics – e.g. fingerprint, voice, iris, face) | ITP-SEC037 |
| Authorization | The process of verifying that an authenticated account is permitted to have access to a system based on the person’s business responsibilities. | ITP-SEC037 |
| Authorized Users | Commonwealth of Pennsylvania employees, contractors, consultants, volunteers, or any other user who utilizes or has access to IT Resources. | MD 205.34
MD 205.42
MD 240.11
|
| Availability | Ensuring timely and reliable access to and use of information. A loss of availability is the disruption of access to or use of information or an information system. | 44 U.S.C. Section 3542, Federal Information Processing Standards (FIPS) 199 |
| Availability (SLA-defined) | A service level metric that measures the percentage of time the application is available during the applicable Measurement Window. This measurement is by application, not by server instance. Calculation: A = (T-M-D) / (T-M) x 100%. A = Availability, T = Total Monthly Minutes, M = Approved Maintenance Time, D = Downtime | RFD-SER001A (pending) |
B |
| Business Partner | Any entity identified by statute, regulation, or contract as being an agent of the Commonwealth of Pennsylvania. A business partner connection is an interface for connecting business partners to the Commonwealth of Pennsylvania (COPA) network. | ITP-NET008 |
| Business Process Management (BPM) | A management practice that emphasizes the control, management, and continuous improvement of business processes. Business Process Management Suites (BPMS) are an integrated collection of software technologies that support the BPM practice. | N/A |
| Business Rules Engine (BRE) | A software system that executes one or more business rules in a runtime production environment. The rules might come from company policy, (“All customers that spend more than $100 at one time will receive a 10% discount”), legal rules, or other sources. | N/A |
| C |
| Capital Planning | The management and decision-making process associated with the planning, selection, control, and evaluation of investments in resources. | N/A
|
Chain of Custody
| The chronological documentation or paper trail, showing the seizure, custody, control, transfer, analysis, and disposition of physical or electronic evidence.
| ITP-SEC015
|
Chain of Custody Tracking Form
| The document utilized by agencies to track all electronic media transfers throughout the process involving the sanitization and/or destruction of commonwealth electronic media.
| ITP-SEC015
|
| Change Management | The process of setting expectations and involving stakeholders in how a process or activity will be changed. | N/A |
| Chatbot | An artificial intelligence (AI) program that simulates interactive human conversation by using key pre-calculated user phrases and auditory or text-based signals. A chatbot is known as an artificial conversational entity (ACE), chat robot, talk bot, chatterbot or chatterbox. | ITP-BUS012 |
| CIA Triad | Three fundamental tenets of information security: Confidentiality, Integrity, Availability | Cybersecurity and Cyberwar (Singer & Friedman)
|
Cloud Computing Service
| A model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction that is provided from a cloud service provider.
| ITP-BUS011
|
Cloud Service Provider (CSP)
| An entity (private or public) that provides cloud-based platforms, infrastructure, applications, security, and/or storage services for another entity/organization.
| ITP-BUS011
|
Cloud Storage
| Infrastructure as a Services (IaaS) deployment model that provides block, file and/or object storage services delivered through various protocols. The service can be stand-alone with no requirement for additional managed services or be bundled with additional managed services.
| ITP-BUS011
|
Commercial-off-the-Shelf (COTS)
| A term used to describe the purchase of products that are standard manufactured products rather than custom, or bespoke, products. COTS application software are built and delivered usually from a third party vendor and can be purchased, leased or even licensed.
| ITP-SFT000
|
| Commonwealth Application Certification and Accreditation (CA)2 | A security assessment for Commonwealth IT systems involved in the transmission or storage of electronic transactions such as electronic records and electronic signatures. | MD 210.12
ITP-SEC005
|
Commonwealth Data
| Consists of, but is not limited to, data is that intellectual property of the Commonwealth, data that is protected by law, order, regulation, directive or policy and any other sensitive or confidential data that requires security controls and compliance standards.
| ITP-BUS011
|
| Commonwealth of PA Procurement and Architectural Review (COPPAR) | The review mechanism the Office for Information Technology uses to review agency requests for policy waivers and large IT-related procurements. | ITP-BUS000
ITP-BUS004
ITP-SEC000 |
| Confidentiality | Preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information. A loss of confidentiality is the unauthorized disclosure of information. | 44 U.S.C. Section 3542, Federal Information Processing Standards (FIPS) 199 |
| Connection | Includes remote access system (RAS), a tool used to connect remotely to the commonwealth network. Authorized Users may need to connect to the network from home or another remote location, to perform their job functions. Remote access is coordinated by the Office of Administration, Office for Information Technology (OA/OIT), and users must have the Cisco virtual private network (VPN) client on their computer and a valid digital certificate. Connection does not include connecting with Authorized User devices to Office Outlook Web Access.
| MD 240.11 |
Contract Change Request (CCR)
| Contractual document utilized to modify, change, or delete a service and/or product within a contract.
| ITP-NET003
|
Custom Built Application Software
| The designing of software applications for a specific user or group of users within an organization. Such application software is designed to address specific user needs precisely as opposed to the more traditional and widespread off-the-shelf application software. Custom built application software meets unique business requirements.
| ITP-SFT000
|
| D |
| Data | A value or set of values representing a specific concept or concepts. Data become “information” when analyzed and possibly combined with other data in order to extract meaning, and to provide context. | ITP-INF013
project-open-data.cio.gov
|
| Data Architecture | Describes the data structures used by a business and its applications. The architecture sets the data standards for all information systems in the organization and communicates a model of the interactions of data in those systems. | ITP-INF013 (pending) |
| Data Element Encryption | A technique that encrypts individual data elements instead of encrypting an entire file or database. Common examples of data element encryption include column level database encryption and encryption of a Social Security Number (SSN) before writing it to a file. Data element encryption is used to selectively apply encryption, and may be used to reduce encryption/decryption overhead, to protect different elements with different keys, or to simplify adding encryption to applications. | ITP-SEC020 |
| Database Management System (DBMS) | Software to manage a database that provides a common and controlled approach maintaining data integrity and accessibility in storing data, adding new data, and in modifying and retrieving existing data within a database. Security and backups are key components. | ITP-INF001
|
Degauss
| Procedure that reduces the magnetic flux to virtual zero by applying a reverse magnetizing field. Degaussing any electronic media will render the media permanently unusable.
| ITP-SEC015
|
Development Application Software
| Known as computer programming tools, are used to translate and combine computer program source code and libraries.
| ITP-SFT000
|
Disk Wipe
| Procedure that uses a single character to overwrite all addressable locations on a magnetic drive.
| ITP-SEC015
|
DoD 5220.22-M
| Known as the National Industrial Security Program, that stipulates the requirement of three passes where the entire magnetic drive is overwritten.
| ITP-SEC015
|
DoD Rated Degausser
| Department of Defense-type degaussers that meet or exceed DoD Type I or Type II media sanitization standards.
Type I: Equipment rated to degauss magnetic media having a maximum coercivity of 350 oersteds.
Type II: Equipment rated to degauss magnetic media having a maximum coercivity of 750 oersteds.
| ITP-SEC015
|
E
|
| eDiscovery | Electronic discovery (also called e-discovery or eDiscovery) refers to any process in which electronically stored information is sought, located, secured, and searched with the intent of using it as evidence in a civil or criminal legal case. Electronically stored information, for the purpose of the Federal Rules of Civil Procedure, is information created, manipulated, communicated, stored, and best utilized in digital form, requiring the use of computer hardware and software. | OA Legal |
| e-Discovery | Any process in which electronically stored information (ESI) is identified, collected, searched, and analyzed for production in the discovery phase of litigation. | ITP-INF009 |
| Electronic | Relating to technology having electrical, digital, magnetic, wireless, optical, electromagnetic, or similar capabilities. | MD 210.12
|
Electronic Device
| Devices that contain electronic media which include, but are not limited to, PCs, printers, multifunction systems, scanners, fax machines, and handheld devices such as cellular phones, smartphones and tablets.
| ITP-SEC015
|
Electronic Media
| Material on which data are or may be recorded via an electrically based process, such as, but are not limited to, magnetic tape, magnetic disks (hard drives), solid state devices/SSD (flash drives, SD cards, SIM cards), optical discs (CDs, DVDs).
| ITP-SEC015
|
| Electronic Record | A record created, generated, sent, communicated, received, or stored by electronic means. This term includes permits, licenses, applications, and other documents required or issued by an executive agency. | MD 210.12 |
| Electronic Signature | An electronic sound, symbol, or process attached to or logically associated with a record and executed or adopted by a person with the intent to sign the record. | MD 210.12 |
| Electronic Storage System | A system to prepare, record, transfer, index, store, preserve, retrieve, and reproduce books and records by either electronically imaging hardcopy (paper) documents to an electronic storage media or transferring computerized books and records to an electronic storage media. | MD 210.12
IRS Rev. Procedure 97-22 |
| Electronic Transaction | The electronic sharing of information including: Electronic posting of data on a network. The exchange of an electronic record or electronic signature by an executive agency with a person or automated system to: facilitate access to restricted information; purchase, sell, or lease goods, services, or construction; transfer funds; facilitate the submission of an electronic record or electronic signature required or accepted by the commonwealth; or create a record upon which the commonwealth or another person will reasonably rely. | MD 210.12 |
| Electronically Stored Information (ESI) | Any data or information produced or received on commonwealth IT Resources that resides on commonwealth-managed storage solutions, either on premise or off premise (i.e. cloud storage, backup tapes). | ITP-INF009 |
| Emergency Maintenance (Enterprise Services) | Maintenance necessary when a problem exists on any Enterprise infrastructure component or Enterprise Service that is causing major disruptions to one or more agencies. | ITP-SYM010 |
| Enterprise Architecture | The analysis and documentation of an enterprise in its current and future states from an integrated strategy, business, and technology perspective. | N/A |
| Enterprise Architecture Artifact | A documentation product such as a text document, diagram, spreadsheet, briefing slides, or video clip that document EA components in a consistent way across the entire architecture. | N/A |
| Enterprise Architecture Component | Changeable resources that provide capabilities at each level of a framework. Examples include strategic goals and initiatives, business services, web services, software applications, voice/data/mobile networks, buildings. | N/A |
| Enterprise Information Security Office (EISO) | Office within the Office of Administration, Office for Information Technology tasked with managing the enterprise IT security posture for the commonwealth as it pertains to governance, risk, and compliance. | ITP-SEC000 |
| Enterprise IT Service Offering | An Enterprise IT Service Offering is made up from a combination of people, processes and technology that supports a customer's business. An Enterprise IT Service Offering is a means of delivering value to customers by facilitating the outcomes customers want to achieve without the ownership of costs and risks. | ITP-BUS007 |
| Enterprise IT Service Offering | A combination of people, processes, and technology that supports a customer's business. An Enterprise IT service offering is a means of delivering value to customers by facilitating the outcomes customers want to achieve without the ownership of costs and risks. | ITP-BUS007 |
| Enterprise Maintenance (Enterprise Services) | Maintenance is considered Enterprise if:
- It affects any Enterprise infrastructure component or Enterprise service
-
It affects two or more agencies at one site
- It affects
two or more agencies at multiple sites
- It affects one agency at multiple sites
| ITP-SYM010 |
| Enterprise Service Bus (ESB) | Refers to a software architecture construct. This construct is typically implemented by technologies found in a category of middleware infrastructure products, based on recognized standards, which provide fundamental services for more complex architectures via an event-driven and standards-based messaging engine (the bus). | N/A |
| Event (Security) | An observable occurrence in a system or network. Events include, but are not limited to, a user connecting to a file share, a server receiving a request for a Web page, a user sending electronic mail (e-mail), and a firewall blocking a connection attempt. | ITP-SEC021 |
| Event Correlation (Security) | The process of monitoring events in order to identify patterns that may signify attacks, intrusions, misuse or failure. | ITP-SEC021 |
| Executive Agency | A department, board, commission, council, authority, officer, or agency subject to the policy, supervision, and control of the Governor. | MD 210.12 |
F |
| Federal Information Processing Standards (FIPS) | A federal IT standard established by the National Institute of Standards and Technology | ITP-SEC000
ITP-SEC037 |
| File Encryption | A technique that encrypts files on a file system, without encrypting the file system itself or the entire disk. A file encrypting application may include functionality to: archive multiple files into a single file before or after encrypting; produce self-decrypting files; or automatically encrypt files or folders based on policies or locations. File encryption is often used to protect files being sent through email or written to removable media. | ITP-SEC020 |
| Full Disk Encryption | A computer security technique that encrypts data stored on a mass storage or removable device, and automatically decrypts the information when an authorized user requests it. Full disk encryption is often used to signify that everything on a disk or removable device, including the operating system and other executable, is encrypted. Full disk encryption includes hardware encryption, such as configuring a tape drive to encrypt all backup data before write. | ITP-SEC020 |
| Functional Testing | Validating an application correctly performs functions identified in requirements documents. This includes testing for normal and erroneous input. Functional testing can be performed manually or automated. | ITP-SFT000
|
G
|
Gateway
| Network hardware that enables data and resources to be shared easily and securely over the internet.
| ITP-SEC010
|
| General Maintenance (Enterprise Services) | Maintenance performed by a service provider. This type of maintenance is performed on the service offering which affects multiple customers, and is vital to the integrity of the services provided. | ITP-SYM010
|
| Guideline | A recommended best practice or course of action usually with some latitude in its use and implementation. | ITP-BUS004 |
H
|
| High-level Data Model (HDM) | Used to communicate core data concepts, rules, and definitions to a business user as part of an application development initiative. | S. Hobermen. Data Modeling for Business
|
Host
| A computer connected to the internet.
| ITP-SEC010
|
I
|
| Identify and Access Management (IAM) | The security discipline that enables the right individuals to access the right resources at the right times for the right reasons. | ITP-SEC038 |
| Identity Proofing | The process of verifying the real life identity being claimed by a person. | ITP-SEC037 |
| Identity Verification | A service is used to ensure that users provide information that is associated with the identity of a real person. It can involve the verification of identity information (fields) against independent and authoritative sources, such as credit bureau or commonwealth data. | ITP-SEC039 |
| IEEE | The Institute of Electrical and Electronics Engineers, a non-profit, technical professional association and leading authority in technical areas ranging from computer engineering, biomedical technology and telecommunications, to electric power, aerospace and consumer electronics, among others. | ITP-NET001 |
| Illegal Use | Use which violates local, state, or federal law as well as CoPA or agency IT policy. | MD 245.18 |
| Imaged Document | A copy of an original hardcopy (paper) record that has been electronically imaged to an electronic storage system. An imaged document contains all the recorded information that appears on the original document and be able to serves the purpose(s) for which the original was created or retained. | MD 210.12
IRS Rev. Procedure 97-22 |
| Immediate Maintenance (Enterprise Services) | Maintenance necessary when a problem exists on any Enterprise infrastructure component or Enterprise Service that has the potential to cause major disruptions to one or more agencies. | ITP-SYM010 |
| Inappropriate Use | A violation of the goals, purpose and intended use of the network.
| MD 245.18 |
| Incident (Security) | A violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices. Examples of an incident are denial of service, malicious code, unauthorized access and inappropriate usage. | ITP-SEC021 |
| Incident Response (Security) | The manual and automated procedures used to respond to reported incidents (real or suspected), system failures and errors, and other undesirable events. | ITP-SEC021 |
| Information | Data, text, images, sounds, codes, computer programs, software, data bases, or the like. | MD 210.12 |
| Information Resources | Information and related resources, such as personnel, equipment, funds, and information technology | 44 U.S.C. Section 3502 |
| Information Security | Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide: Integrity, Confidentiality, Availability. | 44 U.S.C. Section 3542 |
| Information System | A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. | NIST 800-39
ITP-BUS008 |
| Information Technology | The resources applied in an enterprise for the purpose of storing, retrieving, transmitting, and manipulating data through use of software and hardware infrastructure. | ITP-BUS000 |
| Information Technology Policy (IT Policy, ITP) | A document published by OA/OIT that defines the expectations, requirements, standards, technical specifications, procedures, and guidelines to agencies that use and manage IT resources and services. Defined general areas (domains) in which IT policies encompass and are categorized. The policy domains and their abbreviations are: Accessibility (ACC), Application (APP), Business (BUS), Information (INF, INFG, INFRM), Integration (INT), IT Procurement (PRO), Network (NET), Platform (PLT), Privacy (PRV), Project Management (EPM), Security (SEC), Services (SER), Software (SFT), Systems Management (SYM) | ITP-BUS000
ITP-BUS004 |
| Information Type | A specific category of information (e.g. privacy, medical, proprietary, financial, investigative, contractor sensitive, security management) defined by an organization, specific law, executive order, directive, policy, or regulation. | Federal Information Processing Standards (FIPS) 199
|
Infrastructure as a Service (IaaS)
| The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer can deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components.
| ITP-BUS011
ITP-SFT000
|
Integrated Development Environments (IDE)
| Provides frameworks used in modern programming languages and provide components with similar-user interfaces, minimizing the amount of mode switching compared to discrete collections of disparate development programs. IDEs offer robust capabilities to create service-oriented architecture (SOA) components and applications.. IDEs increase productivity by providing customizable interfaces, integrated debugging, testing and deployment tools, and integration with existing technology through SOA.
| ITP-SFT009
|
| Integration Testing | The phase of software testing in which individual software modules are combined and tested as a group. It follows unit testing and precedes system testing. | ITP-SFT000
|
| Integrity | Guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity. A loss of integrity is the unauthorized modification or destruction of information. | 44 U.S.C. Section 3542
Federal Information Processing Standards (FIPS) 199
|
| Intergovernmental Agreement (IGA) | A binding contractual agreement executed by the Commonwealth with the federal government or its agencies, another state or its agencies, or with instrumentalities of the Commonwealth (boroughs, cities, counties, state-related institutions, etc.). These agreements should be processed in accordance with the requirements of the Commonwealth Attorneys Act, 71 P.S. §§ 732-101. | ITP-BUS002
|
Internet Security Protocol (IPsec)
| Consists of a set of open standards to provide security equivalence to a private network in the shared public infrastructure (internet). IPsec provides security at the network layer and encrypts data within application communications.
| ITP-SEC010
|
| Invitation For Bids (IFB) | All documents, including those either attached or incorporated by reference, used for soliciting bids. | ITP-PRO001 |
| Invitation To Qualify (ITQ) | The name given to certain multiple-award contracts issued by the Commonwealth pursuant to Section 517 of the Procurement Code. ITQ contracts are issued to pre-qualified suppliers that will compete in the request for quote (RFQ) process. | ITP-PRO001 |
| ISO | Information Security Office/Officer
| MD 240.12 |
| Issuing Office | The sole point of contact for the offerors to contact the purchasing agency with any questions in regard to a request for proposals. | ITP-PRO001
|
IT Governance
| The processes that ensure the effective and efficient use of IT in enabling an organization to achieve its goals. It requires specification of the decision rights and accountability framework to encourage desirable behavior in the use of information technology.
| ITP-BUS011
|
| IT Policy Business Owner | OA/OIT personnel or program area responsible for ensuring assigned IT policy aligns with the enterprise's current IT environment. | ITP-BUS000 |
| IT Policy Coordinator | OA/OIT personnel responsible for the management of the IT policy life cycle and facilitating the IT policy governance process. | ITP-BUS000 |
| IT Policy Domain Owner | OA/OIT personnel responsible for the management of a specific domain of IT policies. | ITP-BUS000 |
| IT Policy Waiver | A temporary exemption granted to commonwealth agencies for non-compliance with a specific OA/OIT IT Policy. | ITP-BUS004 |
| IT Resources | (MD version): Include, but are not limited to, the following: the commonwealth’s computer systems, together with any electronic resource used for communications, which includes, but is not limited to laptops, individual desktop computers, wired or wireless telephones, cellular phones, pagers, beepers, personal data assistants and handheld devices, and, further, includes use of the internet, electronic mail (email), instant messaging, texting, voice mail, facsimile, copiers, printers or other electronic messaging through commonwealth facilities, equipment or networks (collectively "IT Resources").
(ITP version): Include, but are not limited to, the staff, software, hardware, systems, services, tools, plans, data, and related training materials and documentation that in combination support business activities. Examples of IT Resources include, but not limited to, desktop computers, mobile devices, email. telephones, servers, and network switches/routers.
| MD 205.34
MD 205.42
MD 240.11
ITP-SEC012 |
J
|
| Jailbreaking/Rooting | The process used to modify the operating system on a mobile device. The act of “jailbreaking” or “rooting” a mobile device allows the user control over the device including removing any vendor imposed restrictions on the products. | ITP-SEC035 |
| Java Database Connectivity (JDBC) | A set of programming Application Programming Interfaces (APIs) that allow easy connection to a wide range of databases through Java programs. | ITP-INF001 |
K
|
| Keystone Key | The online account established for a person and stored in the enterprise citizen directory SRPROD | ITP-SEC037 |
| Keystone Login Multi-Factor Authentication (MFA) | A security system that verifies a user's identity by requiring the user to provide multiple types of credentials which can include simple authentication credentials, One-time passcodes, automated phone calls and/or biometrics. | ITP-SEC039 |
| Knowledge Based Authentication (KBA) | An identity verification method where the person is asked a selection of questions gathered from information on that person from a variety of public and commercial data systems with the assumption that the real person would know the correct answers whereas an imposter would not. | ITP-SEC037 |
|
Level of Assurance (LOA) | The measurement of the degree or level of confidence that the person is who they are claiming to be. The Commonwealth recognizes two levels of assurance: LOA1 - little or no confidence in the user's identity beyond what the user claims. LOA2 - information provided by the user has been verified by a third party via the processes provided per ITP-SEC037 Identity Proofing of Online Users. | ITP-SEC037 ITP-SEC039 |
| Load Testing | Covers both performance testing and stress testing. | ITP-SFT000
|
| Local Area Network (LAN) | A network that connects computers, printers and perhaps other devices within a department, building or house. | ITP-NET001 |
| Log (Security) | A file that lists actions that have occurred. | ITP-SEC021 |
| Logon Banner | A display that provides a definitive warning about access, authorization, and monitoring activity requirements and allows a user to acknowledge this display prior to logging into an IT Resource. | ITP-SEC012 |
M
|
| Machine Learning (ML) | A technique involving the use of a computer to train and improve an algorithm or model with minimal human participation to generating useful predictions and conclusions. | ITP-BUS012 |
| Mbps | Millions of bits per second, or Megabits per Second, is the measurement of bandwidth on a telecommunication medium. Bandwidth is also sometimes measured in Kbps (kilobits per second), or Gbps (billions of bits per second). | ITP-NET001 |
| Memorandum of Understanding (MOU) | A cooperative arrangement between executive agencies or, if concurred with both parties, an arrangement between an executive agency and an independent agency, as defined in the Commonwealth Attorneys Act, 71 P.S. §§ 732-101, which does not create any contractual rights or obligations between the signatory agencies. This document does not require approval by the Office of Attorney General. | ITP-PRO001 |
| Mobile Application Management (MAM) | The process of developing, procuring, deploying and managing the configuration, distribution and access of in-house and commercially developed mobile apps through an enterprise app virtual marketplace or a consumer app store. | ITP-SEC035 |
| Mobile Communication Device (Mobile Devices) | Any mobile phone, smartphone, laptop, or media tablet that transmits, stores, and receives data, text, and/or voice with a connection to a wireless LAN and/or cellular network. | ITP-SEC035 |
| Mobile Device | (MD version) A device easily removable and stores data that can be connected to the Commonwealth network, workstation or other computing device via cable, Universal Serial Bus (USB), Firewire (IEEE 1394), I-LINK, infrared, radio frequency, personal computer memory card international association (PCMCIA), or any other external connection that would allow data to be transferred and removed.
(ITP version). Mobile devices include, but are not limited to smart phones, laptops, tablets, zip drives, floppy diskettes, recording and re-writeable compact disks (CD), recordable and re-writeable digital video disks (DVD), USB flash digital media devices (thumb drives), memory sticks/cards, PC card storage devices of all types and external hard drives. | MD 240.12
ITP-PLT011 |
| Mobile Device Management (MDM) | Software technologies that secure, monitor, manage and support mobile devices deployed across the enterprise. By controlling and protecting the data and configuration settings for all mobile devices in the network, MDM can reduce support costs, security, and business risks. The intent of MDM is to optimize the functionality and security of a mobile communications network while minimizing cost and downtime. | ITP-SEC035 |
| Mobile Email Management (MEM) | Mobile Email Management (MEM) controls which mobile devices that can access email, prevents data loss, encrypts sensitive data and enforces compliance policies. | ITP-SEC035
|
Modified off-the-Shelf (MOTS)
| A commercial-off-the-shelf (COTS) product whose source code can be modified. The product may be customized by the purchaser, vendor, or another party to meet business requirements. MOTS is a software delivery concept that enables source code or programmatic customization of a standard prepackaged, market-available software.
| ITP-SFT000
|
| Multi-Factor Authentication | The use of two or more of the Authentication Methods. Two-factor would employ one each of two of the methods; three-factor would employ one each of all three methods. | ITP-SEC037
|
Multi-Function Device (MFD)
| A device the consolidates the functionality of a printer, copier, scanner, and/or fax into one machine.
| ITP-PLT002
|
| Multi-Homed/Split Tunneling | Simultaneously using two different networks or connections, such as USB, wireless, cellular, or Bluetooth, or near-field communications (NFC). | ITP-SEC035 |
N
|
| NASCIO | National Association of State Chief Information Officers | ITP-SEC037 |
| National Institute of Standards and Technology (NIST) | A division of the federal Department of Commerce tasked with research and, including establishment of federal IT standards. | ITP-SEC000
ITP-SEC037 |
| National Strategy for Trusted Identity in Cyberspace (NSTIC) | A federal initiative for secure, privacy enhancing identities in cyberspace. | ITP-SEC037 |
| Non-Degradation of Service Availability (SLA-defined) | A service level metric that measures the percentage of time the application is non-degraded during the applicable Measurement Window. This measurement is by application, not by server instance. Degradation shall mean a Service that tests as fully operational but is degraded below the baselines established during acceptance testing. This includes, but is not limited to slow performance and/or intermittent system errors. Calculation: N = (T - M - D) / (T - M) x 100%. N = Non-Degradation, T = Total Monthly Minutes, M = Approved Maintenance Time, D = Time Service is Degraded. | RFD-SER001A (pending) |
| Notice of Forth Coming Procurement (NFP) | Public notice posted to the Pennsylvania eMarketplace (http://www.emarketplace.state.pa.us/) website notifying vendors of an upcoming procurement. Required for all procurement in excess of $250,000. | ITP-PRO001 |
O
|
Oersted
| Unit of the magnetic field H in the centimeter–gram–second system of units (CGS)
| ITP-SEC015
|
Office Class Print Device
| An advanced printer with specifications suitable to the office environment including network card availability, print speed and volume, memory, with features such as integrated card readers, multi-purpose trays, and two-sided printing.
| ITP-PLT002
|
| Office of Administration, Office for Information Technology (OA/OIT) | Consists of the offices managed by the Commonwealth Chief Information Officer (CIO), Chief Technology Officer (CTO), Chief Information Security Officer (CISO), Director of Office of Strategy and Management, and Director of Enterprise Services and their respective program areas.
| ITP-BUS000
|
| Open Data | Data that can be freely used, re-used, and distributed by any entity, subject only, to the requirements to attribute.
| ITP-INF013 |
| Open Database Connectivity (ODBC) | Vendor-neutral interface, based on the SQL Access Group (SAG) specifications, that permits maximum interoperability among diverse Database Management Systems. The ODBC interface defines: function calls that allow an application to connect to a DBMS, execute SQL statements, and retrieve results; a standard way to connect and log on to a DBMS; and a standardized representation for data types. Database drivers link the application to their choice of DBMS. | ITP-INF001 |
P
|
| Performance Testing | Identifies bottlenecks during high volume simulation.
| ITP-SFT000
|
| Personally Identifiable Information (PII) | Any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual‘s identity, such as name, social security number, date and place of birth, mother‘s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information. | ITP-INF000
ITP-SEC025
NIST SP 800-122
|
Pilot
| A project that consists of a scaled down, but fully functional environment with the exact same capabilities that would be enabled if the environment were to be promoted to production.
| ITP-BUS011
|
Platform-as-a-Service (PaaS)
| The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the cloud service provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment.
| ITP-BUS011
ITP-SFT000
|
| Privately Owned | Employee or contractor owned or leased asset in which the Commonwealth has no responsibility for the procurement or maintenance of and is solely the responsibility of the employee or contractor. | ITP-PLT012 |
| Privileged Account | An account that have virtually unlimited access to all programs, files, and resources on a computer system. Users shall not be given access to privileged accounts without the specific approval of the agency chief security officer. Privileged accounts must be used only for the purposes for which they were authorized and only for conducting CoPA business. | MD 245.18 |
| Privileged Identity Management Solution | Software or tool that provides IT administrators a method of managing privileged user accounts and access rights to IT resources. | ITP-SEC038 |
| Privileged User | A user who, by virtue of function, has been allocated powers within a computer system, which are greater than those available to the majority of users of said computer system. | SANS.org
ITP-SEC038 |
| Procedure | Operational document that outlines predefined step-by-step sequence of instructions, activities, or course of action that must be followed in order to correctly accomplish a particular task. | ITP-BUS004 |
| Promiscuous Mode | A mode for a network controller that causes the controller to pass all traffic it receives to the device rather than passing only the frames that the controller is intended to receive. This mode is normally used for packet sniffing. | ITP-SEC035
|
Proof of Concept
| A project that is evaluated exclusively on pass or fail success criteria. Failed success criteria can still be considered a successful proof of concept as the results gave definitive proof that the concept was not viable.
| ITP-BUS011
|
| Public Record | A record of a Commonwealth agency that is: Not exempt under Section 708 of the Right-to-Know-Law; Not exempt from being disclosed under any other Federal or State law or regulation or judicial order or degree; Bot protected by privilege. | ITP-BUS009 (pending) |
R
|
| Record | Information, regardless of physical form or characteristics, that document a transaction or activity of an agency and that is created, received or retained pursuant to law or in connection with a transaction, business or activity of the agency. The term includes a document, paper, letter, map, book, tape, photograph, film or sound recording, information stored or maintained electronically, and a data-processed or image-processed document. | MD 205.42
MD 210.12
|
| Regression Testing | Allows a consistent and repeatable validation of each new release of an application. This ensures no new defects have been introduced with the latest maintenance. | ITP-SFT000
|
| Remote Access | Ability for an organization's users to access its non-public computing resources from external locations other than the organization's facilities. | NIST SP 800-46 |
| Request for Proposal (RFP) | An RFP is a competitive sealed method of procurement where proposals are solicited and the award is made to the responsible offeror whose proposal is determined, in writing, to be the most advantageous to the purchasing Agency. An RFP is scored in three separate parts; (1) Technical Evaluation, (2) Cost Evaluation, and (3) Small Diverse Business (SBD) Participation. | ITP-BUS002
|
| Request for Quote (RFQ) | An RFQ is a competitive sealed method of procurement where quotes are solicited and the award is made to the responsible contractor whose quote is determined, in writing, to be the most advantageous to the purchasing Agency. An RFQ can be awarded via a best value determination or scored in three separate parts; (1) Technical Evaluation, (2) Cost Evaluation, and (3) Small Diverse Business (SBD) Participation. | ITP-PRO001 |
| Resolution Time (SLA-defined) | Also referred to as Problem Circumvention, a service level metric that details the time required for circumvention or solution after reporting a problem. | RFD-SER001A (pending) |
S
|
| Sanitization | A process to render access to target data (the data subject to the sanitization technique) on the media infeasible for a given level of recovery effort. Three categories: Clear, Purge, and Destroy. | NIST SP 800-88 Rev. 1 |
| Scope (IT Policy) | This ITP applies to all departments, boards, commissions and councils under the Governor’s jurisdiction. Agencies not under the Governor’s jurisdiction are strongly encouraged to follow this ITP. | All ITPs |
| Security Assessment | A process conducted by the Office of Administration, Office for Information Technology’s Enterprise Information Security Office that defines, identifies, and classifies security vulnerabilities of IT Resources. | MD 310.24 |
| Security Information and Event Managers (SIEM) | A set of tools used by IT professionals and system administrators to manage multiple security applications and devices, and to respond automatically to resolve security incidents and provides real-time monitoring and historical reporting of information security events from networks, servers, systems, applications and more. | ITP-SEC021 |
| Server and Desktop Systems | Applies to all Commonwealth-issued devices utilized to run and access IT resources. All smartphones and non-Microsoft mobile devices (i.e. tablets) are not in scope. | ITP-SYM006
|
Service Design Coordinator
| Role responsible for providing oversight of all design activities and associated processes of service design and evaluation for new or changes to existing services. Coordinates with Business Relationship Managers, technical staff, product vendors, procurement, project managers, transition teams, and other key stakeholders to ensure the completeness and successful implementation of the Service Design Package for enabling and sustainment of the IT services.
| ITP-SFT000
|
Service Design Package (SDP)
| Documentation defining all aspects of an IT service and its requirements through each stage of its lifecycle. SDP defines the service model, requirements (utility & warranty), tools, architecture, metrics, and blueprints needed by the service transition team to build, test/validate, and deliver the service and their underpinning components. A service design package is developed for new, major changes, and retirement of an IT service.
| ITP-SFT000
|
| Service Engagement Review Process (SERP) | Commonwealth review process to ensure new services being introduced into IT environments to mitigate potential risks and disruptions of Commonwealth business. | ITP-NET008 |
| Service Owner | Accountable for the availability, performance, quality, and cost of one or more services. Deals directly with the Service Customer or proxy, usually in the context of a Service Level Agreement or Operating Level Agreement. Service Owner is responsible for day-to-day operation of the service. | N/A |
| Service Set Identifier (SSID) | Identifies and specifies which 802.11 network is being joined. | ITP-NET001
|
Shared Resource
| A device, such as a printer, set up on the network to be used by more than one user.
| ITP-PLT002
|
| Single Sign-On (SSO) | A property of identity and access management that enables users to securely authenticate with multiple applications and websites by logging in only once - with just one set of credentials (username and password). | ITP-SEC039 |
| Smartphone | A mobile communication device with voice, messaging, scheduling, email and Internet capabilities. Smartphones also permit access to application stores, where additional software can be obtained for installation on the mobile device. | ITP-SEC035 |
| Social Media | Web-based and mobile technologies used to turn communication into interactive dialogue. The term includes, but is not limited to, blogs, RSS, discussion boards, wikis, video sharing sites, mash-ups and folksonomies. | MD 205.42
|
Software Application Development Methodology (SADM)
| A software application development methodology is a structured framework of procedures and processes used to develop custom software applications. Software application development methodologies are essentially derivatives from the system development life cycle model but are unique in their respective processes and execution.
| ITP-SFT000
|
Software-as-a-Service (SaaS)
| The capability provided to the consumer is to use the cloud service provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser or a program interface. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, apart from limited user-specific application configuration settings.
| ITP-BUS011
ITP-SFT000
|
Software Development Life Cycle (SDLC)
| A conceptual model used in software engineering as well as project management that describes the phases involved in an information system solution development and delivery. An SDLC framework consists of multiple phases to assure high quality systems are delivered, provide strong management controls over IT projects, and ensure that the information system can, and will, work as required and is effectively maintained to support agency’s missions. SDLC can be applied to Commercial-off-the-Shelf (COTS), Software-as-a-Service, (SaaS), or custom-built applications. SDLC frameworks should be intently integrated into key service life cycle phases (e.g., strategy, design, transition, operations) and affiliated processes.
| ITP-SFT000
|
| Sole Source | The process by which an agency requests a sole/single vendor to procure materials or services.
| ITP-BUS002
|
Spiral Model
| An incremental software development process model that incorporates requirements, design, build/construct, test/simulations, and deploy prototype phases separated by planning and risk assessment. A prototype is created with each iteration and evaluated until a final production ready (i.e., fully functional and validated) prototype model has been created. This method can be used to create temporary prototype solutions that are later discarded or for large, expensive, and complicated projects using each iterative prototype build as a phase gate and/or milestone. Documentation in this process is dynamic and incrementally refined. Documentation is finalized with the implementation of the final production ready prototype.
| ITP-SFT000
|
| Stakeholder | Everyone who is or will be affected by a policy, program, project, activity, or resource. | N/A |
| Standalone Purchase Order | A purchase order processed not in reference to an existing contract or solicitation. Standalone purchase orders must be completed in accordance with Part I Chapter I “General Provisions” and Part I Chapter 7 “Threshold and Delegations.” | ITP-PRO001 |
| Standard | Universally or widely accepted, agreed upon written definition, limit, or rule, approved and monitored for compliance by an authoritative agency, professional organization, or recognized body as a minimum acceptable benchmark. | ITP-BUS004 |
| Standard Maintenance (Enterprise Services) | OA-approved, risk-assessed, routine administrative maintenance on an Enterprise infrastructure component or Enterprise service. | ITP-SYM010 |
| Stress Testing | Used to determine the load under which the application ceases to perform acceptably. | ITP-SFT000
|
| Structured Query Language (SQL) | A relational data language that provides a consistent, English keyword-oriented set of facilities for query, data definition, data manipulation and data control. It is a programmed interface to relational database management systems. | ITP-INF001
|
Systems Software
| The programs that are dedicated to managing the computer itself, such as the operating system. The operating system manages the computer hardware resources in addition to applications and data. Without systems software installed in our computers we would have to type the instructions for everything we wanted the computer to do.
| ITP-SFT000
|
| System Testing | Testing conducted on a complete integrated system to evaluate the system's compliance with its specified requirements. | ITP-SFT000
|
| System Unavailability Notification (SLA-defined) | A service level metric that details the time from discovering or receiving notice of system unavailability until notification is sent to the Commonwealth. | RFD-SER001A (pending) |
T
|
| Tablet | An open-face wireless device with touch screen display, primarily used in the consumption of media. These devices may also have messaging, scheduling, email, and Internet capabilities and a camera. Tablets may have open-source OSs (such as Android) or closed OSs under the control of OS vendors and/or device manufacturers (such as Apple and Microsoft). Media tablets may or may not support a mobile application store. | ITP-SEC035 |
| Technical Specification | An explicit set of requirements outlining the specific characteristics, features, capabilities, of a product or technology (e.g., levels of quality, architectural, functions, performance, usability, compatibility, reliability, safety, scalability, interoperability, or other dimensions) | ITP-BUS004 |
| Technology Maturity Lifecycle (TML) | The technology maturity life cycle (TML) defines the varying life span stages in which a technology product development sustains its competitive and economic value over a particular timeframe. The TML has four distinct stages: Current: Technologies/standards that are supported by the commonwealth and meeting the requirements of the enterprise architecture. They are recommended for use. Contained: Technologies/standards that no longer meet the requirements of the current enterprise architecture. They are not recommended for use. They are to be phased out over time. No date has been set for their discontinuance. Retire: Technologies/standards are being phased out. Plans are to be developed for their replacement, especially if there is risk involved, such as lack of vendor support. A date for retirement has been set. Emerging: Technologies/standards that have the potential to become current technologies/standards. At the present time, they are to be used only in pilot or test environments where they can be evaluated. Use of these technologies is restricted to a limited production mode, and requires approval of a waiver request. Research technologies are less widely accepted and time will determine if they will become a standard. | ITP-BUS004 |
| Telecommunications Management Officer (TMO) | A commonwealth employee designated by the agency head to oversee the communications services of the agency and/or worksite. | MD 240.11 |
| Threat Modeling | Identifying resources of interest and the feasible threats, vulnerabilities, and security controls related to these resources, quantifying the likelihood of successful attacks and their impacts, and analyzing the information to determine where security controls need to be improved or added. | NIST SP 800-46 |
| Transitory Record | Records that have little or no documentary or evidential value and that need not to be set aside for future use. | ITP-BUS009 (pending)
|
Transport Layer Security (TLS)
| A protocol created to provide authentication, confidentiality, and data integrity between two communicating applications. TLS is based on a precursor protocol, Secure Sockets Layer version 3.0 (SSL 3.0) which is deprecated.
| ITP-SEC010
|
U
|
| Unit Testing | Functional testing on each module in an application. Used early in development process before all components are completed. | ITP-SFT000
|
United States Jurisdiction
| Consists of all fifty (50) States of the United States and the District of Columbia.
| ITP-BUS011
|
| US-CERT | United States Computer Emergency Readiness Team tasked with providing Cybersecurity resources and notifications for information security officers. | ITP-SYM006
|
User Acceptance Testing (UAT)
| Generally the last phase of the software testing process. During UAT, actual software users test the software to make sure it can handle required tasks in real-world scenarios, per requirements.
| ITP-SFT000
|
V
|
| Virtual Desktop Infrastructure (VDI) | The practice of hosting a desktop operating system within a virtual machine (VM) running on a hosted, centralized or remote server. | ITP-NET019 |
| Virtual Machine | A software implementation of a computing environment in which an operating system or program can be installed or run. | ITP-NET019
|
Virtual Private Network (VPN)
| A network technology that creates a secure network connection over a public network such as the internet or a private network owned by a service provider.
| ITP-SEC010
|
W
|
Waterfall Model
| A software development process model that involves distinct sequential phases (i.e., conception, requirements, design, build/construct, test, and implementation). Solution progress is flowing steadily downwards (like a waterfall) through each of the phases. This means that any phase in the development process may begin only if the previous phase is complete. There can be some slight variations in the waterfall approach (i.e., modified water fall) that define the circumstances and processes to go back to the previous phase. Documentation in this process is also sequential. Documentation is typically created, delivered, and approved with each phase as a prerequisite for the next phase to begin. Each phase in this model is a phase gate or key milestone.
| ITP-SFT000
|
Web Development Framework
| A software framework designed to support development of dynamic web sites, web applications, and web services. Using a framework eases tedious and repetitive programming tasks and alleviates the overhead associated with common activities such as setting up session management and database access and provides structure and services and is deployed along with the application.
| ITP-SFT009
|