Glossary

NYS Information Technology Policies, Standards, and Best Practice Guidelines

Term Definition
Account Promotion The process of changing the Security Level of an account from a lower level to a higher level using applicable Identification Methods.
Action(s)  Actions triggering this advance notice requirement include the following:

  1. Commencement of negotiations with any private sector entity to grant a lease, license or permit for use of Infrastructure;
  2. Preparation of a competitive procurement document or commencement of negotiations to acquire Infrastructure, backbone or Subscriber Equipment; or
  3. Commencement of negotiations for a lease of Infrastructure, backbone or Subscriber Equipment from a third party provider.
Alphanumeric  Describes the combined set of all letters in the alphabet and the numbers 0 through 9. It is useful to group letters and numbers together because many programs treat them identically and differently from punctuation characters. For example, most operating systems allow you to use any letters or numbers in filenames but prohibit many punctuation characters. Your computer manual would express this rule by stating: "Filenames may be composed of alphanumeric characters."
Alt Attribute  Will mean an attribute used in the <img> tag to describe the image.
Application Owner  The point of contact for an NYSDS Application.
Assistive Technology Devices  Will mean any item, piece of equipment, or product system, whether acquired commercially, modified, or customized, that is used to increase, maintain, or improve functional capabilities of individuals with disabilities.
Asymmetric or public key cryptography or crypto-system  A system of cryptography that employs two computationally related alphanumerics usually known as a key pair. A private key, known only to the holder, is used to create an e-signature or decrypt, and the other or public key known to others is used to verify the e-signature or encrypt. Public key cryptography is often employed within the context of a public key infrastructure (PKI).
Authentication  Confirming a user's claim of identity. Dual factor (or strong authentication): an authentication scheme using two independent factors, e.g. something you know and something you have. Examples include the following:

  • Something you know: user-id, passcode, memorized personal identification number (PIN) or password;
  • Something you have: something you own, e.g., an RSA secure authentication token, smart card, etc.; and
  • Something you are: biometrics, e.g., fingerprint, retina scan.
Authentication Method  The authentication mechanism used at the time of user account login.
Automated Attendance & Leave System  shall mean a computer-based application that facilitates the preparation, review, auditing and reporting of employees' records of attendance and accrual balances, and the processing of appropriate payroll transactions.
Availability  "Ensuring timely and reliable access to and use of information…" [44 U.S.C., Sec. 3542] A loss of availability is the disruption of access to or use of information or an information system.
Best Practice Guideline  shall mean a case study and/or analysis which provides a benchmark for good business and IT practices in achieving a desired result. The analysis or case study highlights one or several proposed products, technology fields, analytical methodologies or IT solutions which constitute a good approach for other entities pursuing similar solutions. While not mandatory, best practices guidelines are intended:
  • To be informational,
  • To facilitate knowledge transfer, and
  • To shorten the learning curve for other entities addressing common technology issues.
Biometrics  In computer security, biometrics refers to authentication techniques that rely on measurable physical characteristics that can be automatically checked. Examples include computer analysis of fingerprints or speech.
Bitrate  In digital multimedia, bitrate is the number of bits used per unit of time to represent a continuous medium such as audio or video after source coding (data compression). In this sense it corresponds to the term digital bandwidth consumption. While often referred to as "speed," bitrate does not measure distance/time but quantity/time.
Bulk Load Registration  An account creation process used for the initial loading of a large number of user accounts.
Business analysis and risk assessment  Defined by the ESRA regulation as "identifying and evaluating various factors relevant to the selection of an electronic signature for use or acceptance in an electronic transaction. Such factors include, but are not limited to, relationships between parties to an electronic transaction, value of the transaction, risk of intrusion, risk of repudiation of an electronic signature, risk of fraud, functionality and convenience, business necessity and the cost of employing a particular electronic signature process."
Business owner  Person who authorized the project, or a designated employee.
Certified copy  A duplicate of an original official document, certified as an exact reproduction by the officer responsible for issuing or keeping the original.
Checksum  A simple error-detection scheme in which each transmitted message is accompanied by a numerical value based on the number of set bits in the message. The receiving station then applies the same formula to the message and checks to make sure the accompanying numerical value is the same. If not, the receiver can assume that the message has been garbled.
Clear gif  shall mean a graphic with a unique identifier, similar to a cookie, used to track the online movements of users. Clear gifs are also known as pixel tags, web beacons, or web bugs.
Clear text  Any message or text that is not rendered unintelligible through an encryption or hashing algorithm.
Click-through  shall mean a message on a user's computer screen, requiring that the user respond to a question and, as a result, provide information by clicking on an icon.
Client-side image map  Will mean HTML code delivered to the browser that provides coordinates to "hot spots" users may click on inside a given image.
Confidentiality  "Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information…" [44 U.S.C., Sec. 3542] A loss of confidentiality is the unauthorized disclosure of information.
Control  An action taken to enhance the likelihood that established goals or objectives will be achieved (in the context of this policy, generally an action taken to reduce risk.)
Cookie  shall mean a unique text file stored on a user's computer by an Internet browser. These text files are used as a means of distinguishing among users of a website and as a means of customizing the website according to the user's preferences and interests. A cookie will not include personal information unless the user has volunteered that information.
Collect  shall have the same meaning as defined in State Technology Law §202. This shall mean to store information, including via cookie technology, for purposes of retrieval at a later time to initiate communication with or make determinations about the person who is the subject of such information.
Credential  An object that is verified when presented to the verifier in an authentication transaction. A common credential is a user-id and associated password.
Cryptographic  Related to cryptography, which is (i) the mathematical science used to secure the confidentiality and authentication of data by replacing it with a transformed version that can be reconverted to reveal the original data only by someone holding the proper cryptographic algorithm and key; or (ii) a discipline that embodies the principles, means, and methods for transforming data in order to hide its information content, prevent its undetected modification, and/or prevent its unauthorized uses.
Cryptographic keys  Data used to encrypt or decrypt a message or information.
Delegated Administrator  An administrator account, either a PO Delegated Administrator or an Entitlement Administrator.
Deprecated  Will mean an element or attribute that is being phased out and will no longer be supported, or any elements or attributes that are currently not supported. A list of deprecated terms is provided by the World Wide Web Consortium at http://www.w3.org/TR/REC-html40/index/elements.html.
Deprovision  The act of retiring a user’s identity and terminating his or her access to IT systems and services.
Descriptive link  Will mean a link to a page that provides a description of the image, commonly referred to as a D link.
Device-independent event handler  Will mean that an array of input (e.g., mouse, keyboard, microphones, pointing devices) or output (e.g., monitors, speech synthesizers, Braille devices) devices are able to interface with the content.
Device-specific event handler  Will mean that a specific input or output device is required to interface with the content.
Digital object  Any discrete set of digital data that can be individually selected and manipulated. This can include shapes, pictures, strings of numbers, or characters that appear on a display screen, as well as less tangible software entities.
Digital signatures  Produced by two mathematically linked cryptographic keys, a private key used to sign, and a public key used to validate the signature. A digital signature is created when a person uses his or her private key to create a unique mark (called a "signed hash") on an electronic document. The recipient of the document employs the person's public key to validate the authenticity of the digital signature and to verify that the document was not altered subsequent to signing. Digital signatures are often used within the context of a Public Key Infrastructure (PKI) in which a trusted third party known as a Certification Authority (CA) binds individuals to private keys.
Directory Services Administrator (DSA)  The primary contact for each Participating Organization.
Disclose  shall have the same meaning as defined in State Technology Law §202. This shall mean to reveal, release, transfer, disseminate or otherwise communicate information orally, in writing or by electronic or other means, other than to the person who is the subject of such information.
Discretionary Access Controls  Access Controls which are enforced by Entitlements, based on the need-to-know defined by the Entitlement Delegated Administrator.
Document type definition  Will mean an HTML directive which provides information to the browser about the syntax used to mark up the content.
Electronic record (E-record)  Shall have the same meaning as defined in State Technology Law §102. This shall mean "information, evidencing any act, transaction, occurrence, event, or other activity, produced or stored by electronic means and capable of being accurately reproduced in forms perceptible by human sensory capabilities." This definition is consistent with the definition of "records" in the laws that govern the admissibility of records in legal proceedings (Civil Practice Law and Rules sec. 4518), the retention and disposition of government records (Arts and Cultural Affairs Law Art. sections 57.05 and 57.17), and the Freedom of Information Law (Public Officers Law Art. 6, sec. 86).
Electronic Signature (E-signature)  Shall have the same meaning as defined in State Technology Law §102. This shall mean "an electronic sound, symbol, or process, attached to or logically associated with an electronic record and executed or adopted by a person with the intent to sign the record." This definition conforms to the definition found in the Federal E-Sign Law.
Elements  Will mean HTML tags.
Embedded Base  shall mean the collective existing systems of state government entities.
Encoder  A device used to change a signal (such as a bitstream) or data into a code. The code may serve any of a number of purposes such as compressing information for transmission or storage, encrypting or adding redundancies to the input code, or translating from one code to another. This is usually done by means of a programmed algorithm, especially if any part of the code is digital.
Encoding  The process of preparing content for sending to viewers. Audio and video is converted to a format that matches the chosen distribution technique and attributes, and is also compressed.
Encryption  A technique to protect the confidentiality of information. The method transforms ("encrypts") readable information into unintelligible text through an algorithm and associated cryptographic key(s).
Enterprise  For the purposes of this document, enterprise is defined as all state government entities in New York. In some instances, enterprise expands beyond the State to include federal and local government partners in an effort to leverage resources across jurisdictions and expand information sharing capabilities.
Enterprise Architecture (EA)  Enterprise Architecture is a top-down, business strategic-driven process that coordinates the parallel, internally consistent development of enterprise business, information, and technology architectures, as well as the enterprise application portfolio. It represents the encompassing expression of the enterprise's key program, information, application, and technology strategies and their impact on program functions and processes. Conducted within an appropriate, collaborative organization/governance context, EA artifacts consist of a common requirements vision (CRV) and conceptual architecture (CA), as well as current- and future-state models of four key components:
  • Enterprise Business Architecture (EBA), a business vision-driven, disciplined process that decomposes the enterprise's program strategies, the assets and processes required to execute them, as well as their impact on program functions.
  • Enterprise Information Architecture (EIA), a business driven process that details the enterprise's information strategies, its extended information value chain, and the impact on technical architecture.
  • Enterprise Technical Architecture (ETA), an Enterprise Business Architecture (EBA), and/or Enterprise Information Architecture (EIA)-driven, structured process that details the enterprise's technology strategies, its extended technology linkages, and their impact on program/project initiatives.
  • Enterprise Application Portfolio (EAP), a collection of integrated application systems required to satisfy program information needs, including the existing and planned inventory of applications and components, complete with relationships to supported information and business processes, and engineered linkages to the enterprise technical architecture and infrastructure services.
* NYS uses a federated architecture model (see Federated Architecture definition).
Enterprise Application Portfolio (EAP)  The Enterprise Application Portfolio is a collection of integrated application systems required to satisfy program information needs, including the existing and planned inventory of applications and components, complete with relationships to supported information and business processes, and engineered linkages to the enterprise technical architecture and infrastructure services.
Enterprise Business Architecture (EBA)  The Enterprise Business Architecture is a business vision-driven, disciplined process that decomposes the enterprise's program strategies, the assets and processes required to execute them, as well as their impact on program functions.
Enterprise Information Architecture (EIA)  The Enterprise Information Architecture is a business driven process that details the enterprise's information strategies, its extended information value chain, and the impact on technical architecture. The EIA delineates the key information artifacts of business events, models, and information flows, provides logically consistent information management principles, and enables rapid business decision making and information sharing.
Enterprise Technical Architecture (ETA)  An Enterprise Business Architecture (EBA), and/or Enterprise Information Architecture (EIA)-driven, structured process that details the enterprise's technology strategies, its extended technology linkages, and their impact on program/project initiatives.
Entitlement Administrator  An administrator account which is able to grant and remove NYSDS Application entitlements to User Accounts, potentially across POs.
Event Handler  Will mean triggers which are fired when certain keyboard or mouse activity is detected, such as click, focus, etc.
Entropy  A measure of the amount of uncertainty that an attacker faces to determine the value of a secret such as a password. Entropy is usually stated in bits. See NIST 800-63 Recommendation for Electronic Authentication, Appendix A.
Existing System  shall mean a commercial or homegrown system which is deployed prior to the effective date of a standard, and includes, without limitation, hardware, software, development tools, applications and protocols.
Extranet  An intranet that is available to an authorized user outside the formal boundaries of the organization.
Federated Architecture  A cornerstone of informed and consistent technology investments requires the implementation of a federated architecture. A federated model allows individual agency decision-making while leveraging shared services where appropriate. This ensures interoperability and provides shared services which will maximize the use of agencies' resources. Smaller agencies with limited resources are provided an IT infrastructure which ensures the integrity of the entire system and delivery of consistent high-quality services to all constituents. Federated Architecture is the structured expression of the State’s key business, information, application, and technology strategies and their resulting impact on business functions and processes. To be successful in the development of a Technical Architecture, an organization must understand and account for the larger Federated Architecture context. Federated Architecture typically consists of current and future State models of four key components: Enterprise Business Architecture (EBA), Enterprise Information Architecture (EIA), Enterprise Application Portfolio (EAP), and Enterprise Technical Architecture (ETA). The technical architecture was developed in 2003. Shared domains, which are supported and maintained by OFT or a lead agency, provide functionality for agencies without the overhead of maintaining the requisite infrastructure for the ongoing operation, support, and maintenance of these applications. Using a federated architecture approach enables agencies to maintain diversity and uniqueness, while enabling process integration and information sharing, providing interoperability and driving down costs.
Frames  Will mean a Web browser feature that enables a Web Page to be displayed in an individual, independently scrollable window on a screen.
Functional text  Will mean text that when read conveys an accurate message as to what is being displayed by the script.
Fundamental Alteration  A major change or modification of the critical function or nature of a program or service.
Governmental Entity  Shall have the same meaning as defined in State Technology Law §102. This shall mean "any state department, board, bureau, division, commission, committee, public authority, public benefit corporation, council, office, or other governmental entity or officer of the state having statewide authority, except the state legislature, and any political subdivision of the state."
Gramm-Leach-Bliley  Gramm-Leach-Bliley was passed in 1999, and included provisions that limit the ability of financial institutions to disclose "non-public personal information" about consumers to non-affiliated third parties. It also requires financial institutions to provide customers with their privacy policies and practices with respect to non-public personal information.
Hashing  Producing hash values for accessing data or for security. A hash value (or simply hash) is a number generated from a string of text. The hash is substantially smaller than the text itself, and is generated by a formula in such a way that it is extremely unlikely that some other text will produce the same hash value. Hashes play a role in security systems where they are used to ensure that transmitted messages have not been tampered with. The sender generates a hash of the message, encrypts it, and sends it with the message itself. The recipient then decrypts both the message and the hash, produces another hash from the received message, and compares the two hashes. If they are the same, there is a very high probability that the message was transmitted intact.
HIPAA (Health Insurance Portability and Accountability Act)  HIPAA is a federal act helping to set a national standard for protecting the security and integrity of medical records when they are kept in electronic form.
Homegrown System  shall mean an automated system which a state government entity develops or has developed for its own, or another state government entity's use.
Identification Method  The technique used to obtain information regarding the user’s identity; typically done as part of user account creation or promotion.
Independently verified  Information provided by a user is verified to a source that is independent of the user (most often a trusted database) that the claimed identity exists and is consistent with the identity and address information provided. An independently verified destination is where credentials and tokens are issued or renewed in a manner that binds the verified user with an independently verified
  • postal address of record of the user (for example, by mailing an authenticator to the address of record);
  • telephone number of the user (for example, by requiring a call from or to the applicant’s telephone number of record).
Information  Any information created, stored in temporary or permanent form, filed, produced or reproduced by, regardless of the form or media. Information shall include, but not be limited to:

  • Personally identifying information;
  • Reports, files, folders, memoranda;
  • Statements, examinations, transcripts;
  • Images; and
  • Communications.
If information is already legally in the public domain (e.g. under FOIL), it can be considered 'public' information. As such, security controls are not required to maintain its confidentiality.
Information Classification  See Table 1 of Guideline G07-001.
Information Maturity  Information Maturity is defined as the relative ability or inability of an organization to ensure data is of high-quality, accurate, available and utilized by the jurisdiction to make informed program decisions.
Information Owner  An individual or organizational unit responsible for making classification and control decisions regarding use of information.
Integrity  "Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity…" [44 U.S.C., Sec. 3542] A loss of integrity is the unauthorized modification or destruction of information.

  • Authenticity - A third party must be able to verify that the content of a message has not been changed in transit.
  • Non-repudiation - The origin or the receipt of a specific message must be verifiable by a third party.
  • Accountability - A security goal that generates the requirement for actions of an entity to be traced uniquely to that entity.
Internet  shall have the same meaning as defined in State Technology Law §202. This shall mean a system of linked computer networks, international in scope, that facilitate data transmission and exchange.
Internet Protocol Address or IP address  shall mean a numerical identifier assigned either to a user's Internet service provider or directly to a user's computer.
Intranet  A network belonging to an organization, available only to the organization's members, employees or others with authorization.
Longdesc attribute  Will mean an attribute which references a text file containing a longer version of the alt attribute contents.
Management authority  The entity authorized by the NYS Chief Information Officer (CIO) to implement, manage, and interpret this Trust Model.
Major Upgrade  shall include, but not be limited to, such things as:

  i. substantial redesign of an existing system for the purpose of providing new application functionality;
  ii. upgrades to a new major version or release of a proprietary software product; or
  iii. application modifications which would involve substantial administrative or fiscal resources to implement.
Mandatory Access Controls  Access Controls which are enforced by the NYSDS, based on the Security Level and allowable Authentication Methods of the NYSDS Application.
Mandatory Standard  shall mean a standard which must be complied with by state government. Exemptions are not granted or considered from mandatory standards.
Network Owner  An individual or organizational unit responsible for operating and maintaining the physical and virtual infrastructure which comprises the network, including responsibility for establishing the procedures to be used for maintenance and upgrades.
Noframes  Will mean a web page displayed without frames.
Nonce  A value used in security protocols that is never repeated with the same key. For example, challenges used in challenge-response authentication protocols generally must not be repeated until authentication keys are changed, or there is a possibility of a replay attack. Using a nonce as a challenge is a different requirement than a random challenge, because a nonce is not necessarily unpredictable.
NYS Directory Services (NYSDS)  The infrastructure run by NYSOFT which enables the centralization of authentication and access control for applications on the NYeNet, and which provides single sign-on functionality for applications on the NYeNet.
NYSDS Application  An NYSDS Application is an application whose authentication and authorization is controlled by the NYSDS.
NYSDS User  Any person authorized to access the NYSDS.
NYSDS User Account  An account in the NYSDS as identified by a User ID. An NYSDS User Account may be authorized to perform specific functions within the NYSDS.
Participating Organization  The State Government entity, political subdivision of the State, corporation, trust, estate, incorporated or unincorporated association or other legal entity that either establishes and maintains user accounts on the NYSDS, and/or provides applications which use the NYSDS.
Persistent Cookie  shall mean a cookie that remains on the user's computer.
Personal information  shall have the same meaning as defined in State Technology Law §202. This shall mean any information concerning a natural person which, because of name, number, symbol, mark or other identifier, can be used to identify that natural person.
Persons with Disabilities  Will have the same meaning as defined in State Executive Law §292. This will mean (a) a physical, mental or medical impairment resulting from anatomical, physiological, genetic or neurological conditions which prevents the exercise of a normal bodily function or is demonstrable by medically accepted clinical or laboratory diagnostic techniques, or (b) a record of such an impairment, or (c) a condition regarded by others as such an impairment.
Physical and Environmental Security  Measures taken to protect systems and physical infrastructure against threats associated with their physical environment. Physical and environmental security controls include the following broad areas:

  • The facility's general geographic operating location determines the characteristics of natural threats, such as earthquakes and flooding; man-made threats, such as burglary, civil disorders, or interception of transmissions and emanations; and damaging nearby activities, including toxic chemical spills, explosions, fires, and electromagnetic interference from emitters such as radars.
  • Supporting facilities are those services, both technical and human, that underpin the operation of the system. The system's operation usually depends on supporting facilities such as electric power, heating and air conditioning, and telecommunications. The failure or substandard performance of these facilities may interrupt operation of the system and may cause physical damage to system hardware or stored data.
Physical Infrastructure  A generic description of any area containing non end-user IT equipment and subsidiary hardware, e.g.:

  • Mainframes;
  • Servers;
  • Communications equipment;
  • Printing facilities;
  • Media libraries; and
  • Wiring closets.
Physically secured area  An area that is secured by an access control system (ACS) meeting the following requirements. The ACS will:
  • Require dual factor authentication to access;
  • Be designed to prevent abuse of the system, for example 'tailgating' and rendering the system inoperable (by wedging doors open);
  • Hold a record of those allowed access;
  • Print a list of those allowed entry to the room;
  • Print a log of all those who enter the secure area;
  • If the device relies on physical tokens (such as magnetic cards), make it possible at any time to account for the location of all such tokens; and
  • 'Fail-safe' in the event of failure.
Plaintext  In cryptography, plaintext refers to any message that is not encrypted and therefore easily read and understood.
PO Delegated Administrator  An administrator account which is able to manage user accounts owned by a PO.
Policy  shall mean a prescribed or proscribed course of action or behavior which is to be followed with respect to the acquisition, deployment, implementation or use of information technology resources.
Portal  The classic intranet portal site functions as an informational hub (i.e., topical tree listing of sites combined with a search engine), aggregating links that connect the portal's constituency of visitors to related information sources. Portals are typically positioned as starting points for users. Private sector examples include AOL and Yahoo.
Portfolio Management  Portfolio Management is a structured approach to categorize, evaluate, prioritize, purchase, and manage an organization's technology assets in projects based on current and future economic drivers and on the accessible balance of value/risk desired by the organization.
Preferred Technology Standard  shall mean a standard which must be complied with by state government, unless the state government entity obtains an exemption from the standard because of technical or other operational deficiencies. (See New York Statewide Technology Policy No. P02-001, Process for Establishing Statewide Policies & Standards, Part 8, for exemption criteria.)
Pretty Good Privacy (PGP)  A technique for encrypting messages developed by Philip Zimmermann. PGP is one of the most common ways to protect messages on the Internet because it is effective, easy to use, and free. PGP is based on the public-key method, which uses two keys: a public key that you disseminate to anyone from whom you want to receive a message, and a private key that you use to decrypt messages that you receive. To encrypt a message using PGP, you need the PGP encryption package, which is available for free from a number of sources. The official repository is at the Massachusetts Institute of Technology.
Privacy  The right of individuals to determine for themselves when, how and to what extent information about them is communicated to others.
Private key  A cryptographic key kept secret or known only by the holder. Private keys can be used to create e-signatures or decrypt messages or files. The same private key used to sign should not be used to decrypt.
Procedure  shall mean a set of administrative instructions for implementation of a policy or standard.
Public Key Infrastructure (PKI)  The architecture, organization, techniques, practices, and procedures that collectively support the implementation and operation of a certificate-based asymmetric or public key cryptographic system. The PKI consists of systems that collaborate to provide and implement e-signatures, encryption, and authentication services.
Remote access  Any access coming into the NYS government’s network from outside the NYS private, trusted network. Any and all wireless networks are considered remote access.
Revalidate  Re-confirming the validation process for a previously validated electronic signature.
Risk  A risk exists where the controls in place are inadequate to mitigate a threat or vulnerability effectively. Two elements determine the significance of a risk:

  • Impact - health and safety, reputational, legal and regulatory, financial, etc.;
  • Likelihood - likely to occur daily, weekly, etc.
Risk Assessment  Review of an NYSDS Application to determine the potential for loss of reputation, productivity, or financial assets, given an exposure to vulnerabilities.
Screen reader  Will mean a software application installed on the client machine which scans all textual data and reads it back aloud to the user through a synthesized voice.
Secure Sockets Layer (SSL)  This is a protocol developed by Netscape for transmitting private documents via the Internet. SSL works by using a private key to encrypt data transferred over the SSL connection. Both Netscape Navigator and Internet Explorer support SSL, and many Web sites use the protocol to obtain confidential user information, such as credit card numbers. By convention, Web pages that require an SSL connection start with https: instead of http:. SSL has been approved by the Internet Engineering Task Force (IETF) as a standard.
Security Level  The degree of trust that is associated with a user account, based upon Identification Method; one of the attributes of a user account.
Self Registration  The degree of trust that is associated with a user account, based upon Identification Method; one of the attributes of a user account.
Server side image map  Will mean a file, read directly from the server by the browser, which contains HTML code that provides coordinates to "hot spots" users may click on inside a given image.
Session cookie  shall mean a cookie that is erased during browser operation or when the browser is closed.
Shared secret  In the context of this Trust Model a “shared secret” refers to secret information shared by a user for the purpose of confirming that user’s identity. Shared secrets are often used to authenticate a user for the purposes of conveying a credential or resetting a credential such as a password.
Smart card  A hardware token that incorporates one or more integrated circuit (IC) chips to implement cryptographic functions and possesses some inherent resistance to tampering.
Sound Mixer  A device which takes two or more audio signals, mixes them together and provides one or more output signals.
Standard 

shall mean a prescribed or proscribed specific technical approach, solution, methodology, product or protocol which must be adhered to in the design, development, implementation or upgrade of systems architecture (e.g., hardware/software/services).

Standards are intended to establish uniformity in common technology infrastructures, applications, processes or data. Standards may be developed as a subset of, and within the context of, a broader technology policy.

Standards may define or limit the tools, proprietary product offerings or technical solution which may be used, developed or deployed by state government entities.

Standards shall be designated as either "mandatory" or "preferred".

State  shall mean the State of New York.
State agency  shall mean any department, board, bureau, commission, division, office, council, committee, or officer of the state. Such term shall not include the legislature or the judiciary. (Executive Law Section 205(4))
State Government [Entity]  shall have the same meaning as defined in Executive Order No. 117, first referenced above; and shall include all state agencies, departments, offices, divisions, boards, bureaus, commissions and other entities over which the Governor has executive power and the State University of New York, City University of New York and all public benefit corporations the heads of which are appointed by the Governor; provided, however, that universities shall be included within this definition to the extent of business and administrative functions of such universities common to State government.
Subscriber Equipment  is defined as hand-held, vehicular mounted and table top (FRAT) wireless radio transmission equipment used to send or receive voice or data communications through a network, including but not limited to two-way vehicular repeaters, and personal pagers.
Succession Planning  Succession Planning is a strategic approach towards workforce development, ensuring resource continuity by taking proactive steps to train employees and fill resource gaps in anticipated workforce turnover.
Supervisor  An individual responsible for day-to-day management or supervision of a User.
SWN Project Office  shall be defined as the program operation within the New York State Office for Technology which manages and supervises the Statewide Wireless Network (SWN) project.
Synchronized text captioning  Text transcript that is synchronized or coordinated in time with the audio and video track (also referred to as synchronized text captions).
Synchronized text captions  Will mean a text transcript that is synchronized, or coordinated in time, with the audio and video track.
System  An interconnected set of information resources under the same direct management control that shares common functionality. A system normally includes hardware, software, applications, and communications.
S/MIME  Short for Secure/MIME, a new version of the MIME protocol that supports encryption of messages. S/MIME is based on RSA's public-key encryption technology. It is expected that S/MIME will be widely implemented, which will make it possible for people to send secure e-mail messages to one another, even if they are using different e-mail clients.
Technology  shall have the same meaning as defined in Executive Law, § 205(5), being a good, service, or good and service that results in a digital, electronic or similar technical method of achieving a practical purpose or in improvements in productivity, including but not limited to, information management, equipment, software, operating systems, interface systems, interconnected systems, telecommunications, data management, networks, and network management, consulting, supplies, facilities, maintenance and training. The term "Technology" shall be deemed to include all tasks and products encompassed within the term "services", as defined in New York State Finance Law, § 160 (7).
Third Parties (Non-Government workforce)  Anyone directly or indirectly providing goods and services to the SE who is not under the direct control of the government entity (see workforce below). Such personnel are typically not subject to the rigorous selection and screening processes that apply to the government workforce. In addition, by their very nature, services provided by non-government workforce are typically of a short-term nature, focusing on clearly defined and narrow roles and responsibilities. This means that without impacting their overall effectiveness, their ‘need-to-know’ Agency information assets can be similarly defined and restricted.
Third Parties (Non-OFT workforce)  Anyone directly, or indirectly providing goods and services to OFT who is not under the direct control of the Agency (see workforce below).
Threat  The potential for a person, object, or event to negatively impact the security of the physical infrastructure, systems or information. Threats can be malicious, such as the intentional modification of sensitive information, or they can be accidental, such as an error in a calculation or the accidental deletion of a file. Threats can also be acts of nature, e.g., flooding, wind or lightning.

Other threats include:

  • Hacking;
  • Inability to access the datacenter;
  • Denial of service;
  • Loss of key staff;
  • Virus;
  • Data corruption;
  • Destruction of assets.
Token  A small hardware device used for security purposes to store confidential user identification or authentication information such as a private key.
Transaction  A discrete event between user and systems that supports a business or programmatic purpose. Typical transaction types are: Read; Write; Execute (a program); Purge.
Trust 

Trust is defined as:

  • the degree of confidence in the vetting process used to establish the identity of the individual to whom the credential was issued,
  • the degree of confidence that the individual who uses the credential is the individual to whom the credential was issued.
Trusted organization  A State, local or Federal government entity with which the state entity has established a business relationship to issue credentials through a service level agreement, memorandum of understanding or other comparable mechanism, or, a private entity that has a similar contractual relationship with the government entity. The process for issuing credentials must be clearly documented and agreed by the Trust Model’s management authority.
Trustworthy system  Computer hardware, software, and procedures that are reasonably secure from intrusion and misuse; provide a reasonable level of availability, reliability, and correct operation; are reasonably suited to performing their intended functions; and enforce the applicable security policy. A trustworthy system is not necessarily a "trusted system" as recognized in classified government nomenclature.
Undue Financial or Administrative Burden  Will mean significant difficulty or expense. In determining whether an action would result in an undue burden, state government entities must consider all resources available for use in the funding and operation of the service, program, or activity.
USA Patriot Act  To extend existing anti-money-laundering legislation beyond drug trafficking to terrorism funding, the US Congress passed the USA PATRIOT Act (Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism) in October 2001.
User  shall have the same meaning as defined in State Technology Law §202. This shall mean any natural person who uses the internet to access a state agency website.
User ID  A unique alphanumeric identifier within the NYSDS.
Video Description  Video descriptions make videos, and other visual media, accessible to people who are blind or visually impaired by providing descriptive narration of key visual elements in programs.
Virtual Private Network (VPN)  A network that is constructed by using public wires to connect nodes. For example, there are a number of systems that enable you to create networks using the Internet as the medium for transporting data. These systems use encryption and other security mechanisms to ensure that only authorized users can access the network and that the data cannot be intercepted.
Vulnerabilities  Weaknesses in a system, application, or operating environment that can be exploited by a threat. For example, unauthorized access (the threat) to a system or application could occur by an outsider guessing an obvious password. The vulnerability exploited is an easily guessable password chosen by a user. Reducing or eliminating the vulnerabilities can reduce or eliminate the risk to the system, application, or data. For example, a tool that can help users choose robust passwords may reduce the chance that they will choose readily guessable passwords and thus reduce the threat of unauthorized access.
White balance  A setting in a camera that compensates for the differences in color temperature of the surrounding light. In both analog and digital electronic cameras that use CCD and CMOS sensors to capture the image, the white balance must be adjusted to ensure that all colors in the scene will be represented faithfully. It can be adjusted automatically by the camera, by selecting presets (tungsten, fluorescent, etc.) or by aiming the lens at a totally white surface (the white card) and selecting "lock white balance." Alternatively, a gray card with 18% gray is sometimes used.
Wireless Communications Infrastructure 

is defined to include:

a. land
b. wireless communications towers
c. buildings
d. rooftops
e. antenna support structures
f. equipment shelters and
g. other site infrastructures which could be used to support transmission or receiving equipment for wireless communications

where such Infrastructure:

a. is owned, leased or otherwise controlled by a State government entity; or where the grant of a lease, license or permit for use of such Infrastructure requires the approval of such entity; and
b. represents expenditures or revenue, in the aggregate, equal to or greater than seventy-five thousand ($75,000) dollars over the entire contract term.

Wireless Communications Initiatives 

The following wireless communications initiatives ("initiatives") are subject to this policy:

1. Grant or approval of a lease, license or permit by a State government entity for the use of wireless communication infrastructure.

“Wireless communication infrastructure” (hereinafter “Infrastructure”) is defined to include:

a. land
b. wireless communications towers
c. buildings
d. rooftops
e. antenna support structures
f. equipment shelters and
g. other site infrastructures which could be used to support transmission or receiving equipment for wireless communications

where such Infrastructure:

a. is owned, leased or otherwise controlled by a State government entity; or where the grant of a lease, license or permit for use of such Infrastructure requires the approval of such entity; and
b. represents expenditures or revenue, in the aggregate, equal to or greater than seventy-five thousand ($75,000) dollars over the entire contract term.

2. Procurement or acquisition of Infrastructure, backbone or Subscriber Equipment by a State government entity representing expenditures or revenue, in the aggregate, equal to or greater than seventy-five thousand ($75,000) dollars over the entire contract term.

"Subscriber Equipment" is defined as hand-held, vehicular mounted and table top (FRAT) wireless radio transmission equipment used to send or receive voice or data communications through a network, including but not limited to two-way vehicular repeaters, and personal pagers.

3. Lease of wireless infrastructure, backbone or Subscriber Equipment by State government entity from a third party provider.

Workforce  State employees, and other persons whose conduct, in the performance of work for OFT, is under the direct control of OFT, whether or not they are paid by the Agency.

In the policy, OFT personnel or OFT employees shall mean anyone in the OFT workforce.

Contact Information

Questions concerning this glossary may be directed to the New York State Office for Technology by e-mailing policy@cio.ny.gov or calling (518) 473-0234.