Digital Policy Glossary
Acceptable Use - Refers to the appropriate and permitted use of the University's digital technologies and digital technology assets, as outlined in the guiding principles of the Digital Technologies Acceptable Use Policy (Section 1).
Authentication Credentials - Refers to a unique identifier paired with a secret, such as a user identification and password, or a username and passcode, used to verify a user's identity before access to the University's Digital Technologies, Digital Technology Assets, Digital Resources, and Data and Information Assets is authorised. These credentials play a critical role in maintaining the security of these assets by ensuring that only authorised individuals or entities gain access, which is why the secret component must never be shared.
Authorised Users - These are individuals or entities that have been granted permission by the University, in the form of Authentication Credentials, to access and use its Digital Technology Assets, Digital Resources, Data and Information Assets, and Digital Communications Systems within the University's Digital Environments. This includes members of the University Community (members of the Council, students, staff, affiliates) as well as adjuncts, visitors, volunteers, and Third-Party Service Providers (contractors, suppliers, consultants, partners, vendors). Authorised Users are expected to comply with the University's policies and guidelines while accessing and using these assets and systems. They play a crucial role in maintaining the security of these assets by using them responsibly and reporting any security issues they encounter.
Availability - Ensuring that data and information assets and digital technology assets are reliably accessible and usable when needed by authorised entities.
Backup - Refers to the process of making copies of data that can be used to restore the original after a data loss event. Backups serve two distinct purposes: the primary purpose is to recover data after it is lost, whether through deletion or corruption; the secondary purpose is to recover data as it existed at an earlier point in time.
Breach(es) - Any action that contravenes the University's Digital Technologies Acceptable Use Policy, Information Privacy Policy or any relevant policy or procedure whether intentional or unintentional. This includes but is not limited to Unauthorised access to or use of Digital Technologies, Digital Technology Assets, or Data and Information Assets, misuse of resources or information, inappropriate behaviour, and other actions or omissions that breach Information Security policies and their supporting documentation.
Business Continuity Planning (BCP) - Has the same meaning as the Business Continuity Policy.
Business Owner - Is the primary stakeholder for a digital technology asset, and the role responsible for defining business objectives and making high–level decisions about the asset. They ensure the asset aligns with organisational strategy and complies with relevant policies and regulations.
CIA Triad - This is a foundational concept in Information Security that aims to ensure the confidentiality, integrity, and availability of both data and information assets and digital technology assets. Refer to Confidentiality, Integrity, and Availability for the definition of each property.
Confidential Information - refers to any information that requires protection from unauthorised access, disclosure, alteration, or destruction due to its sensitive nature, proprietary value, or regulatory requirements. This information is critical to an organisation's operations and competitive position, and its compromise could result in significant business, financial, or legal impact.
Confidentiality - Ensuring that data and information assets and digital technology assets are accessible only to authorised individuals or entities.
Consultant - These are individuals or organisations with specialised knowledge or expertise, including independent consultants, that are engaged by the University to provide professional advice or services. Consultants operate under a contractual agreement and are not considered employees of the University. They are expected to comply with the University's policies and guidelines in the course of their consultancy work. Complements and expands on the definition under the FM711 Procurement Procedure.
Contractor - These are individuals or organisations, including sub-contractors, that are engaged under a contract to perform specific tasks or services for the University. Contractors operate under the terms of a contract agreement and are not considered employees of the University. They are expected to comply with the University's policies and guidelines while performing their contracted services. Complements and expands on the definition under the FM711 Procurement Procedure.
Corporate Data - Has the same meaning as the Data Governance Policy.
Corrupt Conduct - Has the same meaning as the Public Interest Disclosure Procedure.
Cybersecurity - The preservation of the confidentiality, integrity, and availability of information in cyberspace (computer systems, networks, and the data they hold) against cyber threats and attacks.
This definition aligns closely with the definition of information security but specifically emphasises the context of cyberspace, which encompasses the interconnected digital environment where electronic communication and transactions occur.
There are diverse perspectives on the definitions of 'information security' and 'cybersecurity', as well as in determining which concept is broader. At JCU, we currently interpret these terms interchangeably. However, it's important to acknowledge that 'information security' is generally considered the broader term, encompassing various aspects including 'cybersecurity' which focuses on protecting digital assets.
Cybersecurity event - An occurrence of a system, service or network state indicating a possible breach of security policy, a failure of safeguards, or a previously unknown situation that may be relevant to security. An event is an observation; it becomes an incident only once it is assessed as having compromised, or being likely to compromise, business operations.
Cybersecurity incident - An unwanted or unexpected cybersecurity event, or a series of such events, which has either compromised business operations or has a significant probability of compromising business operations.
Cybersecurity resilience - The ability to adapt to disruptions caused by cybersecurity incidents while maintaining continuous business operations. This includes the ability to detect, manage and recover from cybersecurity incidents.
Data and Information Assets - These assets encompass both physical and digital data and information owned or managed by the University. This includes but is not limited to Institutional Data (Corporate Data and Research Data). While digital data and information can technically be classified as a subset of digital technology assets, we distinguish them as a separate category. This is because the management of data and information assets does not primarily involve the operation and use of digital technologies. Instead, these assets are stored, processed, and managed using digital resources, and are subject to specific rules and guidelines to ensure their integrity, confidentiality, and availability.
Data Protection - This pertains to the measures and safeguards implemented to prevent unauthorised access to, or manipulation of, the University's Data and Information Assets and Digital Technology Assets. It involves maintaining data integrity by preventing corruption and loss, and ensuring that, in the event of a data breach or loss, the data can be restored. Data protection strategies often include encryption, backup and recovery procedures, data masking, and other security techniques. The goal of data protection is to deliver a comprehensive approach to securing sensitive data and digital technology assets from a variety of threats, including data breaches, data corruption, and data loss, within the University's Digital Environment.
Digital Communications System - These are the digital platforms and technologies that enable the exchange, transmission, and reception of information between individuals or groups. This includes, but is not limited to, email systems, messaging platforms, voice and video systems and collaborative workspaces. While these systems do handle information as part of their function, they are primarily designed to facilitate communication and collaboration in a digital environment.
Digital Environment - This term refers to the specific settings or contexts where digital technologies are deployed for the University. This includes devices, software, services, network architecture, as well as physical and virtual environments where digital technology assets are used and managed. It represents the overall landscape of digital technology use for the University.
Digital Infrastructure - This term refers to the foundational infrastructure of digital and network systems that support the entire digital technology environment. This includes hardware (like servers and networks), software, and services that are critical for the functioning and operation of all other digital technology assets. This infrastructure forms the backbone of the University’s digital operations, enabling the use and management of digital technologies.
Digital Operations - Refers to the activities that involve the use and management of digital technologies at the University. This includes but is not limited to everything from deploying new software, managing databases, maintaining network infrastructure, to ensuring the security of digital assets. It encompasses the operational aspects of managing and utilising digital technologies to support the University's functions and objectives.
Digital Resources - Refers to the resources that are consumed or utilised when using digital technologies. This includes network bandwidth, internet access, storage space on servers or in the cloud, processing power of computers and servers, access to software applications and services, and more. These resources are what enable the operation and use of digital technologies for the University.
Digital Technologies - Is a broad term that encompasses both IT (Information Technology) and ICT (Information and Communication Technology) and includes Operational Technology and Internet of Things (IoT). It refers to electronic tools, systems, devices, and resources that generate, store, or process data. This includes a wide range of devices and systems such as computers, software, networks, and the Internet.
The term Digital Technologies is more modern and comprehensive than previously used terms, as it not only refers to infrastructure (like IT and ICT) but also includes a broader array of technologies that the University interacts with, including cloud services, mobile devices, artificial intelligence and more.
Digital Technology Assets - Is a broad term that encompasses all the different types of digital assets whether physical or virtual and are used to support digital operations. This includes but is not limited to computers, servers, data centres, software, and network services. These assets are specifically related to technology and are used to enable the operation and use of digital technologies for the University.
Note:
- Digital Technology Assets exclude Data and Information Assets.
- The definition of Digital Technology Assets aligns with the term 'information processing facilities' as used in ISO/IEC 27002.
Excessive Personal Use - Refers to the use of the University's Digital Technologies for personal activities to an extent that it significantly consumes Digital Resources, interferes with job duties or academic performance, or breaches University policies or legal requirements. This includes, but is not limited to, extensive web browsing, streaming media, gaming, or use of social media that goes beyond reasonable limits and impacts the availability of resources for University-related activities.
Incident (information security) - Any event violating JCU's information security policies or posing a risk to its Digital Technology Assets (physical or virtual) or Data and Information Assets. Examples range from Unauthorised Access to or use of systems or data, to theft of devices containing Confidential Information or Sensitive Information, malware infections, or denial-of-service attacks.
Information Privacy - The University must comply with the requirements of the Information Privacy Act 2009 (Qld) (IP Act), which provides for the fair collection, management and handling of personal information. Refer to JCU's Information Privacy Statement and Collection Notice for further details.
Information Management System - A system that enables the efficient and effective use, storage, and governance of information within an organisation. It encompasses the technologies, policies, and procedures that manage the lifecycle of information, from creation and storage to retrieval and disposal.
Information Security - The preservation of the confidentiality, integrity, and availability of information, in whatever form it is held, and of the assets that store and process it. The definition rests on the three core principles of information security: confidentiality (ensuring that information is only accessible to those authorised to access it), integrity (maintaining the accuracy and trustworthiness of information), and availability (ensuring that information is accessible when needed).
The note under Cybersecurity on the relationship between 'information security' and 'cybersecurity' applies here: JCU currently interprets the two terms interchangeably, while acknowledging that 'information security' is generally considered the broader term.
Information Security Controls - Measures and safeguards put in place to protect an organisation's Confidential Information, Sensitive Information, systems, and resources from unauthorised access, disclosure, alteration, or destruction. These controls can be categorised as people, physical, technological or organisational measures and are essential for managing and mitigating security risks.
Information Security Management System (ISMS) - A comprehensive framework comprising digital technology assets, policies, processes, and organisational practices that work together to protect Confidential Information, Sensitive Information and manage security risks. It is not a single system but a set of coordinated components designed to ensure the security of information assets.
Institutional Data - Has the same meaning as the Data Governance Policy.
Integrity - Guaranteeing that data and information assets and digital technology assets are accurate, consistent, and unaltered by unauthorised parties.
Internet of Things (IoT) - encompasses a network of interconnected devices and objects equipped with sensors, software, and connectivity to facilitate the exchange of data. These can include smart classroom technologies, research equipment, and University infrastructure like smart lighting and energy systems. IoT in a university setting enhances the educational and operational capabilities by providing advanced data analytics, improving campus safety, optimising energy use, and supporting innovative research and learning methods.
Limited Personal Use - Refers to the non-disruptive and minimal use of the University's Digital Technologies for personal activities. This use should not interfere with job duties, consume significant resources, or breach any University policies or legal requirements. The extent of permissible personal use is subject to the University's discretion.
Multi-Factor Authentication (MFA) - This is a security measure that requires Authorised Users to provide two or more types of evidence (or factors) to authenticate their identity when accessing the University's Digital Technology Assets, Data and Information Assets, and Digital Communications Systems. Factors can include something the user knows (like a password), something the user has (like a physical token or a smartphone), or something the user is (like a fingerprint or other biometric data).
Operational Technology - Refers to the hardware and software systems used to control and monitor the physical infrastructure and equipment of the University. This includes systems for managing heating and cooling (HVAC), security and access control, laboratory equipment, and any other technology that directly impacts the physical environment and operations of the University. Operational Technology is integral to maintaining a safe, efficient, and functional campus environment, often working in conjunction with IT systems to optimise resource use and enhance University operations.
Partner - These are individuals, institutions, or organisations that engage in a collaborative relationship with the University for the purpose of conducting research or other academic activities. Partnerships are often formalised through written agreements and can include other academic institutions, government agencies, non-profit organisations, or private sector entities. Partners are expected to comply with the University's policies and guidelines, including those related to research conduct, ethics, data management, and intellectual property. They play a crucial role in enhancing the University's research capacity and contributing to its academic mission.
Personal Information - Has the same meaning as the Information Privacy Policy.
Physical Security - Refers to the safeguards implemented to protect the University's hardware and facilities, such as servers, computers, data centres, and labs. These measures range from perimeter security to maintenance protocols, aiming to prevent unauthorised access, theft, and damage to these critical assets.
Privacy Protection - The process of safeguarding personal or sensitive information from unauthorised access or disclosure, ensuring that individual privacy rights are respected and complied with. This involves implementing measures to control and manage the collection, use, and sharing of personal data.
Product Owner - The role responsible for managing the technical aspects of a digital technology asset (product), ensuring its alignment with IT standards and architectures. The Product Owner oversees the asset's security, reliability, and efficiency throughout its lifecycle, working closely with the Business Owner to align technology solutions with business needs.
Public Interest Disclosure - Has the same meaning as the Public Interest Disclosure Procedure.
Public Officer - Has the same meaning as the Public Interest Disclosure Procedure.
Recovery - Is the process of restoring data and applications to a consistent state. This typically refers to the procedures and technologies in place to restore data, usually from a Backup, after it has been lost or corrupted.
Research Data - Has the same meaning as the Data Governance Policy.
Sensitive Information - Has the same meaning as the Information Privacy Policy.
ServiceNow - A cloud-based IT Service Management (ITSM) tool that is used for managing incidents, service requests, and changes in the University.
Suppliers - These are individuals or organisations, including vendors and distributors, that provide goods or services to the University, often in exchange for payment. Suppliers can provide a wide range of goods and services, from office supplies and equipment to software and professional services. They are expected to comply with the University's procurement policies and other relevant guidelines in their dealings with the University.
Third-Party Service Providers - These are individuals or organisations that are authorised under a written agreement to provide specific digital technologies-related services or functions to or on behalf of the University. This includes contractors, suppliers, consultants, partners and vendors who are engaged to conduct work, research, or studies. They are expected to comply with the University's policies and guidelines while delivering their services.
Three (3) Lines of Defence - Refers to a structured approach within an organisation designed for effective risk management and control. It delineates the roles and responsibilities across three distinct groups:
- First Line: Front-line operating management, responsible for owning and managing risk and control directly within the operational environment.
- Second Line: Risk, control, and compliance functions established by management to monitor and support risk management and control processes.
- Third Line: Internal audit, tasked with providing independent assurance to senior management on the effectiveness of risk management and control practices across the organisation.
Unacceptable Use - Refers to the prohibited use of the University's digital technologies and digital technology assets, as outlined in the guiding principles of the Digital Technologies Acceptable Use Policy (Section 2).
Unauthorised Access - Refers to actions or usage that have not been officially permitted or sanctioned by the University. This includes, but is not limited to, accessing or using Digital Technologies, Digital Technology Assets, or Data and Information Assets without explicit permission, or in a manner that exceeds granted permissions. Unauthorised actions are in breach of Information Security policies and Information Privacy Policies and may result in disciplinary action.
Unethical Activities - In the context of digital technology use, this includes, but is not limited to, deliberate misuse of Personal Information, inappropriate use of data not relevant to one's role or function, privacy breaches that result in Unauthorised Access to, or disclosure of, Personal Information, and Unauthorised Access to Digital Technology Assets and/or Data and Information Assets. These actions are considered unethical because they breach privacy rights, misuse resources, and can cause harm to individuals or to the system.
Vendor - These are individuals or business entities that sell goods or services. They can be manufacturers, retailers, wholesalers, or service providers. In the context of the University’s digital infrastructure, vendors could include companies providing software, hardware, cloud services, or other digital technology-related services. Vendors are expected to comply with the University's policies and guidelines while providing their services.
Visitors - A member of the public.
Volunteer - A person who is acting on a voluntary basis for the University, irrespective of whether the person receives out-of-pocket expenses.