Accountable Administrator

Dean or Department head of the highest level unit.

Affiliate ID

A unique 10-digit number assigned by the PeopleSoft System and also displayed on the user’s ASU Sun Card.

Application Program Interface (API)

An API is a set of subroutine definitions, protocols, and tools for building software and applications. It is a way for an application to interact with other systems/applications/libraries. ASU has enterprise tools that serve as primary interfaces between different ASU data stores.

Application Server

Communicates with a web server and a database server, preventing the web server from directly accessing the database server, and ensuring that all queries and updates conform to a white list of authorized transactions, programs, and authentication credentials. This term may refer to a dedicated hardware appliance, or to a software server running on generic hardware.

ASU’s Technology Network

Consists of network hosts that are owned or operated by the university and connected either to ASU’s campus networks or to ASU’s cloud infrastructure.


Typically a combination of the user’s first initial, last name, and numbers if the ID has already been used. This combination is used for the user’s ASU Single Sign On.


Authentication is verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system.


Authorization determines what an authenticated digital identity has access to, or what actions the identity is allowed to perform. Authorization can also be granted for physical access to buildings or areas, based on possession of a physical key card that is imprinted with a digital identity and tied to an individual.


Auditing is a practice that ensures the authentication and authorization processes can be tracked and measured as required by ASU policies and standards.

Availability Rating

A business-based classification, a rating that is based entirely on ASU’s assessment of the importance of the site’s availability for ASU’s business continuity.

Tier 1 - core web sites that are vital to all of ASU. This set of applications will be defined by the CIO and CISO in conjunction with ASU’s executive leadership. Circumstances that could indicate a Tier 1 rating include:

    • ASU cannot do business if this web site is down.
    • Many other ASU systems rely on this web site being available.

Examples of Tier 1 systems include enterprise student learning management systems, payroll systems, student administration systems, the ASU home page, email, and authentication systems to support these systems.

Tier 2 - enterprise-wide systems relied upon by most students or employees such as MyASU, and other online learning systems used in for-credit classes.

Tier 3 - sites including department-specific applications and all other applications.

Black List

Specifically identifies items that are known to be undesirable, and allows all others. See "white list". Because it is difficult to specify every possible variation of an undesirable pattern, black lists are generally considered insufficient.

Centralized Web Application

A centralized Web application is a Web application that is developed, hosted, and managed within the University Technology Office (UTO). These applications may have been developed at the request of an external source.


Any modification involving the configuration of IT hardware, firmware or software, to include version upgrades, patches or file updates. All Changes will be categorized as either Routine, Normal, or Emergency. Refer to Types of Changes in the Enterprise System Change Management Standard for details on each Change type and how it should be handled.

Change Advisory Board (CAB)

The group of individuals with the authority and responsibility of reviewing, denying or approving change requests on a risk basis.

Change Blackout Period

Specified days, such as the start and end of semesters, on which Changes will not be allowed without additional scrutiny and justification.

Change Window

Approved maintenance period during which normal and routine changes are applied.


Typically refers to a web browser and the associated machine and human user, however in some cases a client may be a search engine or other automated source of web requests.

Component Units

ASU’s component units are separate legal entities controlled and governed by independent boards of directors whose goals are to support the University or have a close affiliation with the University.  Component units can be defined as legally separate entities for which the University is considered to be financially accountable. For additional information see Note: B of the ASU 2018 Financial statements.

Configuration Baseline

The current, approved combination of versions and technical configuration settings for the hardware, firmware and software that comprise an IT asset.

Consent of a Data Subject means any freely given, specific, informed, and unambiguous indication of the Data Subject’s wishes by which they, by a statement or by a clear affirmative action, signify agreement to the Processing of Personal Data relating to them.

Core Application Security Review Team

This team is organized by the Information Security Office and is convened to review application criticality ratings. The team typically includes members of the Information Security Office, UTO application development, UTO operations and members of the University’s decentralized development community as appropriate.

Criticality Rating

The criticality rating is the overall web site rating which combines both the data rating and the availability rating to determine an overall rating. See the table on page 4 of the Vulnerability Management Security Standard.

Data Controller (GDPR)

Responsible for Processing purpose (in other words, determines why the EU Data is Processed). The Data Controller is responsible for how the EU Data is Processed and controls what EU Data is Processed.

Data Database

A structured electronic repository that resides in a computer's Random Access Memory (RAM) or on physical storage media, such as a file system, and that is intended to store Data related data and metadata, where such information is organized for the purpose of computer driven storage, search, retrieval, manipulation and calculation.

Data Processor (GDPR)

Receives EU Data from the Controller or collects EU Data for the Controller. The Data Processor uses the EU Data only as instructed by the Controller and may enter into Sub Processor agreements for EU Data only when authorized by the Controller.

Data Subject

A natural person whose Personal Data is Processed by a Controller or Processor.


Includes any technique for storing and/or retrieving bytes that are incorporated into, collected from, or modified by a web page. However the term does not include the normal web logs that are produced by a web server, or the files that comprise a static web page.

Database Server

A software package that responds to data query and update requests.

Data Rating

The rating of a web site based on the data included on the site in accordance with ASU’s Data Handling Standard. Web site data rating is determined by the data classification as follows:

    • If a web site has access to Highly Sensitive data, the data rating is High.
    • If a web site can modify Sensitive data within a Tier 1 mission-critical system, the site’s data rating is High.
    • All other websites with sensitive data are rated Medium.
    • If a web site has access to Internal data, but not Sensitive or Highly Sensitive data, the site’s data rating is Low. The expectation is that this rating (or higher) applies to all sites that are protected by passwords or other forms of authentication.
    • If a web site has no access to data other than Public data, the site’s data rating is Low. These sites do not prompt for a password or use other types of authentication.

Decentralized Web Application

A Web application that is owned, developed, hosted, or managed through individual departments or units at ASU and is not centrally coordinated by UTO.


For ASU Data to be considered deidentified, all direct and indirect personal identifiers must be removed, including names, ID numbers, dates of birth, demographic information, location information, and school information.


Any object used to store, process, and/or transfer data.

Dictionary Attack

A method of attack against a password-protected authentication mechanism, whereby the attacker leverages a list of words as password guesses and systematically attempts to log in using each one until the login system has granted access.

Digital Identity

Digital Identity is the unique representation of a subject engaged in an online activity for business or academic purposes.

Emergency Change Advisory Board (ECAB)

A reduced membership of the CAB, with only 3 members to provide expedited review and approval of Emergency changes. Only 2 of 3 designated ECAB members are required to approve an Emergency Change.

European Union (GDPR)

Countries in the EU include Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden and (for now) the UK. Switzerland is not a member of the EU, but the GDPR applies. 

Financial Systems

The ASU Workday and specific modules within the Oracle/PeopleSoft Student Administration System and HR/Payroll System as defined and reviewed in the 2008 Auditor General Financial Audit.


A paper or electronically structured Document or Artifact that is used to allow human Resources to enter, capture, submit and visualize Data and Information in a contextual and organized manner, often for the purpose of transmitting data to another Resource or System for storage and/or processing.


The General Data Protection Regulation (GDPR) is a privacy law that is interpreted and enforced by all countries in the EU (and Switzerland). The GDPR became effective in May 2018. It is based on the premise that each person has the fundamental right to control their personal data and how it is used.

Identifiable Natural Person

An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Identity and Access Management (IAM)

Identity and Access Management is the policies, standards, and procedures for controlling access to the ASU environment.

Legitimate Purpose

A web site on ASU’s network should further some aspect of the University’s mission, such as providing education or services to students, supporting funded research projects, or enabling University business administrative functions.

Managed By

Primary technical contact for maintenance and support of the application or product. The application manager is required to maintain the CMDB application record including reporting criticality and GDPR status changes and providing required security related documentation (SOC2 and Vulnerability Scans). Managed by users will be required to verify the application record for medium and high criticality applications.

Mobile Application

A type of application software designed to run on a mobile device, such as a phone, tablet or other device running iOS or Android.

Network Device

Any device that is either permanently or periodically attached to the ASU network. Devices connecting remotely to the ASU network, for example through a Virtual Private Network, can be considered as attaching to the ASU network. This includes computers, routers, printers, cell phones, copiers, and PDAs such as Blackberries, Android devices, iPhones, etc.

Official Scan

A scan that has been performed by an approved third-party provider, ISO, or a member of the ASU Web Scanning Team. The Web Scanning Team is housed in the UTO within the Chief Operating Officer’s team and provides the service of conducting official scans on Centralized Web Applications, Decentralized Web Applications and Hosted Web Applications in the production and QA environments. Decentralized departments may be approved to conduct their own official scans provided that the tool that will be utilized is comparable to the current, University-designated scanning tool and the request is approved by the Information Security Office.

Operating System (OS)

The set of programs used to provide the basic functions of a computer.

Owned By

Product Owner responsible for the strategy, roadmap, and feature definition of a product or product line. The role involves working with cross-functional teams and may include marketing, forecasting, budget, and community outreach/collaboration. Traditionally responsible for work/verifications related to UTO, ISO, Procurement, audit, and application security compliance activities.

Penetration Testing

Conducting an automated or manual evaluation of a web site that attempts to identify and exploit vulnerabilities.

Personal Data

Any information relating to an identified or identifiable natural person.

Processing (or Process)

Any operation or set of operations that is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

Production Instance

Instance of a web site that is intended to be available for business use.

Quality Assurance (QA) Instance

Instance of a web site that is intended for final testing before a new web site or significant change is released to the production instance. It is expected that the QA site will be as identical to the current or proposed production site as possible, with the exception that the QA site uses test data. Also, a QA site is expected to deliver test communications, including email, to test users.


An HTTP message from a client to a web server.


Consists of HTTP headers and optional content from a web server to a client in reply to the client's request.


The likelihood of an event occurring and the impact that event would have on an information technology asset.

System events with potential malicious implication. Examples include but are not limited to:

    • Failed login attempts
    • Multiple login attempts
    • Resetting passwords
    • Superhuman events, such as logging in from different geographical locations within seconds or minutes
    • IP address of login
    • Logging in during non-business hours (anomalies to normal login schedule or pattern)

Security Reviews

Process designed to guide each project team to implement technology solutions efficiently while minimizing security risks.

Security Testing

Seeks to uncover any vulnerabilities that were previously unseen and confirm that mitigation plans and strategies have been successful.


A server is any physical computer, virtual computer, or system that accepts incoming connections from client systems and provides services, data, and/or other resources over a network connection. A desktop computer may be considered a server if it provides services to other computing systems.

Server Program

Any software, other than a web server, that runs on the server side and generates a real-time response to a request. This term applies regardless of the programming language (for example Java or Perl) or page suffix (for example .asp .cgi or .pl).

Significant Change

Any change, including a code fix, that creates or alters executable code, whether the code runs on a server, a Web browser, or elsewhere. A cosmetic change, including changes in text, formatting, or color is typically not considered significant for the purposes of this definition.


Software is a collection of data or computer instructions that tell the computer how to work. The three types of computer software are systems software (or operating system, often referred to as OS), programming software, and applications software.

Special Categories of Personal Data (GDPR)

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union memberships
  • Genetic data (e.g., gender at birth)
  • Biometric data for uniquely identifying a natural person (e.g., an ID card photo)
  • Data concerning health
  • Data concerning an individual’s sex life or sexual orientation

Static Page

A web page that is not generated at the time of the request. It does not contain or invoke any web server-side code beyond the code of the web server itself. It only changes when an author manually modifies it. It is not a server program. It does not receive form input via POST requests or by query parameters. A page that includes, for example, a client-side script to display the current date or time is still a static page because the script executes on the browser, not the web server, and the text of the script changes only when an author modifies it.


An ASU employee who is responsible for a web site on ASU’s network from a business perspective, and who ensures that the site exists for a legitimate purpose and meets ASU’s security requirements.

Senior TAG (SrTAG)

Senior Technical Representatives (Senior TAG) is a position that is responsible (as defined by their job duties) for their unit’s computing environment and its interaction with the University’s shared technology infrastructure. Traditionally accountable for UTO, ISO, Procurement, audit, and SOC2 coordination where needed. For more details see the Technical Advisory Charter.


Systems, web applications and application source code developed, maintained or operated by, or on behalf of, ASU.

Technical Administrator

An ASU employee or contracted third party with the skill and availability to maintain a system or web application, including timely and effective response to security issues. The technical administrator is responsible for the overall implementation and maintenance of their system or application.

Testing Cycle

A method of testing that allows for the evaluation of critical patches in a test environment before pushing them into production on enterprise systems.

Threat Modeling

A process to identify potential risks in an application and potential steps to mitigate those risks.

URL Path

The portion of the URL before the ‘?’ and query string, or before the ‘#’ and fragment identifier. If neither the ‘?’ nor the ‘#’ is present, the URL Path is the entire URL.


Users of ASU’s computing, the internet, and communications resources, including all faculty, staff (including student employees), contractors, vendors, consultants, temporary and other workers for ASU and its Component Units.


A design flaw or misconfiguration which makes a server susceptible to malicious attacks from local or remote users.

Web Application

Any Web site that uses server-side logic to determine what information is sent to the user’s Internet browser based on data from a database or a Web service. A site with a URL that receives data from a form typically includes server-side logic to process that data, and is presumed to be a web application.

Web Host

A physical or virtual machine that hosts one or more web sites.

Web Page

The combination of HTTP headers, HTML, CSS, images, scripts, frames etc. that are sent to a browser in response to an initial URL request and the subsequent URLs recursively embedded within the first response.

Web Server

A software package that responds to web requests. Popular web servers include Apache and IIS.


A collection of one or more URLs that respond to requests using the HTTP protocol. A typical web site will have a starting URL that provides links allowing authorized users to navigate, directly or indirectly, to the other URLs available on the site. Many web sites reside entirely on a single web server, or even within and below a single subdirectory on a web server, but other combinations are possible.

White List

Specifically identifies items that are known to be acceptable, and denies all others. See "black list". Generally speaking, white lists are preferred over black lists, because they reject by default anything the list maker did not anticipate.