Commonwealth-Specific Glossary of Terms

November 18, 2010

Acceptable Use Policy

The policy for employees and contractors ("users") of all agencies under the Executive Office for Administration and Finance on the use of information technology resources; ("Agency ITRs"), including computers, printers and other peripherals, programs, data, local and wide area networks, and the Internet.

Agency

A department, bureau, commission, board, office, council, or other entity in the executive department of government, which was created by the constitution or statutes of the Commonwealth of Massachusetts.

Agency Security Officer

The person appointed by an Agency Head in conformance with the policies of the Office of the Comptroller, who is authorized to manage security controls for a particular agency.

Assurance Mechanisms

A system of internal controls including monitoring, evaluation, feedback, and correction activities with respect to the proper design, implementation, and operation of the system of internal controls.

Attack Intrusion

An Attack Intrusion is a propagation of a malicious event through a virus, worm, Trojan horses, botnet, OS vulnerability exploit, etc. that pose a risk to Commonwealth resources.

Authentication

The process of verifying the identity of a user attempting to access the information or attempting to use the Information Technology assets of the Commonwealth.

Best Value

The Commonwealth's procurement philosophy, embodied in regulations issued by the Operational Services Division, that it is in the best interest of the Commonwealth for solicitation evaluation criteria to measure factors beyond cost. Please see the Procurement Information Center (PIC) for a more complete definition of Best Value. For IT investments, a best value evaluation should, at a minimum, consider total cost of ownership over the entire period the IT solution is required, fit with identified business requirements, reliability, performance, scalability, security, maintenance requirements, legal risks, ease of customization, and ease of migration.

Branding

Establishment of an identity to represent key attributes of a site or enterprise, such as the Mass.Gov portal.

Business Partner

A generic term referring to both contracted business partners and statutory business partners as those terms are defined in this glossary.

See also Contracted Business Partner and Statutory Business Partner.

Chief Information Officer (CIO)

A person in the agency, department, secretariat, branch of government, authority, or other entity who has received the delegated authority for all information technology resources within the entity. In some entities, the CIO has the day-to-day responsibilities for planning, budgeting, deploying, maintaining, and controlling the information technology resources of the entity. The CIO and the CSO may or may not be the same person.

Chief Security Officer (CSO)

A person in the agency, department, secretariat, branch of government, authority or other entity who has received the delegated authority for ensuring that the information and IT systems of an entity have adequate security controls in place and functioning so that the entity is in conformance with its security policies and is in conformance with good practice. The CIO and the CSO may or may not be the same person.

CommonHelp

The technical help desk for the Information Technology Division of the Commonwealth, available at 866-888-2808, CommonHelpServiceDesk@MassMail.state.ma.us, CommonHelp ServiceDesk.

Contracted Business Partner

An entity under contract with the Commonwealth with which the Commonwealth has an agreement to share data or engage in secure communications for a limited purpose. Contracted business partners do not include individuals who are under contract with and paid directly by the Commonwealth.

Contracted Vendor

An entity under contract with the Commonwealth to provide goods and services to Commonwealth entities.

Controlled Network

A network physically or operationally controlled and security-managed by a specific Commonwealth entity. Controls include physical, operating system, application and patch security.

See also Uncontrolled Network.

Custodian

The person who has actual custody of the information and IT systems of an entity (e.g., Agency, Department, Secretariat, Branch of Government, college or authority), and may provide services to the entity. For example, ITD may have custody of an agency's information and IT system's application since the processing and storage of the information and application resides on the computers at ITD.

Data User

A Data User is any individual who is eligible and authorized to access and use the data.

Demilitarized Zone (DMZ)

A combination of computers, routers, and software that separates Controlled networks from Uncontrolled networks. Specific policies or rules govern the types of traffic allowed between DMZs and Controlled/Uncontrolled networks, and, likewise, traffic originating from or terminating in DMZ networks. Located at the edge of a controlled network, these zones are tightly restricted, all systems are security hardened, and trust relationships between systems and services always originate or terminate in these zones. Port/Protocol communications between DMZs may be controlled through the use of a TCP/IP firewall that meets Common Criteria EAL4 certification at the discretion of the agency network security administrator.

See also Extended Demilitarized Zone.

Employee

(1) The agency's employees or (2) individuals under contract with the agency to provide services and who are paid directly by the agency and whose work is controlled and directed by the agency.

Enterprise

The term Enterprise encompasses the IT environment of the Commonwealth of Massachusetts' Executive Department.

Enterprise Security Board

A voluntary board that represents the Executive, Legislative, and Judicial branches of Massachusetts' government. The mission of the Enterprise Security Board is to develop and recommend policies and guidelines, consistent with best practices and state and federal law and regulation, designed to ensure adequate levels of security, integrity, and availability of electronic data captured, stored, and produced by the Commonwealth's IT resources. Because it lacks its own statutory authority, the Board's recommendations cannot become policy unless adopted by the Executive Department's CIO (in which case they become policy for the Executive Department) or by CIO's or agency heads of other departments or branches of state government. The Board's mission, as conceived by ITD and the Board's members, includes promoting the education and communication of generally accepted IT management and control practices and encouraging compliance with established standards and procedures.

Enterprise Technical Reference Model (ETRM)

An enterprise architecture document that includes reference specifications for systems and technologies. These specifications include technical standards that are most often open standards but may also be proprietary de facto standards where there is no consensus on an open standard. The specifications may also include Enterprise Technology Solutions which include Commonwealth shared business or technical services that agencies are required or encouraged to use when there is a business need, or products or tools on which the Commonwealth has standardized.

Enterprise Technology Solutions

Shared services that agencies are required or encouraged to use when there is a business need, or products or tools on which the Commonwealth has standardized.

Entity

An agency, department, secretariat, authority, college or other unit of government of the Commonwealth of Massachusetts.

Executive Department

The agencies that comprise the Executive Branch of state government with the exception of the Constitutional Offices - the State Auditor, State Treasurer and Receiver General, the Attorney General, and the Secretary of the Commonwealth.

Extended Demilitarized Zone (XDMZ)

An extended Demilitarized Zone is a DMZ that has been deployed either within the internal network, managed by ITD, or local agency environment.

See also Demilitarized Zone.

FID

A Federal employer identification number.

Fusion Center

The Fusion Center provides 24 hours a day statewide information sharing among local, state and federal public safety agencies and private sector organizations in order to facilitate the collection, analysis and dissemination of intelligence relevant to terrorism and public safety. The Commonwealth Fusion Center collects and analyzes information from all available sources to produce and disseminate actionable intelligence to stakeholders for strategic and tactical decision-making in order to disrupt domestic and international terrorism.

Guideline

A collection of system-specific or procedure-specific suggestions for best practices that guide the implementation of policies and standards. Guidelines are advisory in nature and are strongly recommended.

Incident Response

Incident response is the set of actions taken once an adverse event has occurred to minimize the damage.

Information Security Officer (ISO)

The person designated by the agency head to administer the agency's information security program. The ISO is the agency's internal and external point of contact for all information security matters. The ISO and CIO may be the same individual.

IT Asset

An IT asset can be a physical IT asset (hardware, network devices, etc.) or a logical IT asset (data, software, licensing, and applications).

Information Technology Resources (IT Resources)

The Commonwealth's computers, printers, and other peripherals, programs, data, local and wide area networks, access to the Internet when provided by the Commonwealth, and remote access methods, including VPN.

ITD

The Information Technology Division of the Executive Office for Administration and Finance.

Least Privilege

The principle of least privilege means to give a user only those powers/privileges which are absolutely essential to perform his/her job responsibilities.

MAGNet

Massachusetts Access to Government Network, the state government's internal network also known as the Commonwealth's Wide Area Network.

Mass.Gov

The enterprise portal developed for use by all citizens, businesses, visitors, and government agencies to facilitate interaction between the Commonwealth of Massachusetts and the various customers of its services as well as business partners.

Owner

The head of an entity. The owner may be Commissioner, Department head, Chief Justice, Governor, etc., of the agency, department, secretariat, branch of government, authority, or other entity. The owner is ultimately responsible for the information and IT systems within his/her purview. The owner must ensure that the entity for which they are responsible has the security policies and procedures in place to safeguard the information and IT assets of the entity.

Perimeter Network

See Demilitarized Zone.

Policy

A document that outlines specific requirements and rules that must be met. These mandatory and enforceable directives are often supported by Standards, Procedures and architecture documents that provide more detail on implementation and compliance.

Procedures

Implementation requirements or detailed steps that must be taken to comply with a particular policy.

Public Sector Code Sharing

Software code that is owned by a public entity or licensed to a public entity under terms that permit relicensing and is made available to other public entities for use and modification without royalties.

Remote Access

All means of access by an individual or entity located outside the Commonwealth's computer systems to those systems.

Remote Access Contracted Business Partner Agreement

The agreement that Commonwealth contracted business partners must sign as a condition of using remote access.

Remote Access Employee Agreement

The agreement that employees must sign as a condition of using remote access.

Remote Access VPN

An approved method used by authorized end users initiating an encrypted communication session from a remote location to an agency system.

Residual Risk

Risk that is not mitigated by controls and security measures. Residual risk remains even after the proper design, implementation, and exercise of a system of internal controls that provide, at least, a reasonable level of assurance that control objectives will be met. Residual risk should be identified, documented, and formally accepted. The residual risk should be offset with adequate insurance coverage, contractually negotiated liabilities, and self-insurance.

Risk Assessment

Risk Assessment is the process of identifying, qualifying and prioritizing risks against operational and control objectives, and designing and implementing controls that provide reasonable assurance that objectives will be met and that risks will be managed to an acceptable level.

Risk Values

Risk values can be Qualitative (High, Medium, and Low) or Quantitative (dollar value or other metric).

Security Incident

An event, intentional or accidental, that threatens or exploits unauthorized and/or illegal access or use of Commonwealth electronic information systems and/or services inside of MAGNet. Additionally, any violations of Information Technology (IT) Resources security policies, standards or established security practices are considered security incidents.

Site-to-Site VPN

A secure telecommunications channel that establishes a persistent encrypted communication channel between a remote location and an agency system.

Split Tunneling

A configuration that would allow remote VPN users to access distributed computing resources in both a Local Area Network (LAN) and MAGNet simultaneously. Such concurrent links to a remote LAN and MAGNet can inadvertently cause Commonwealth resources to become susceptible to unpatched, unfiltered, improperly configured, and/or an otherwise vulnerable remote environment.

Standards

Collections of system-specific or procedural-specific requirements that must be met.

Statutory Business Partner

Individuals or entities that are not under contract with the Commonwealth and have a statutory right to access data held by the Commonwealth.

System Administrator

A person who has authority for the overall management and operation of a system or application. The administrator ensures that the operation and/or management of the system or application properly safeguard the data. The application administrator derives their authority from the owner/head of the agency.

Third Party

Private sector companies or individuals that conduct business with MAGNet members.

Uncontrolled Network

A network that is not physically or operationally controlled by a specific Commonwealth agency or entity.

See also Controlled Network.

Unique Access Identification Number (UAID)

The unique number assigned to users of Commonwealth IT systems such as the mainframe and remote access VPN users. The UAID is used in combination with a password for access control to systems.

Virtual Private Network (VPN)

A secure telecommunications channel that enables people located at a distance from the Commonwealth's computer systems to use the Internet to communicate with the Commonwealth's internal network. In the Remote Access and Virtual Private Network Policy, the term VPN is used exclusively to mean remote-access VPN.

See also Remote Access VPN and Site-to-Site VPN.

Visitor

An individual who has a business need for temporary access to systems and/or equipment residing in the facility or a need to meet on-site with an employee.
 

VPN Liaison

The person or persons identified by the Information Technology Division to provide information to VPN users and prospective users about VPN.

VPN Software

The software that enables remote users to connect their computer to the Commonwealth's systems via the Internet utilizing VPN services.

XDMZ

See Extended Demilitarized Zone.