UTS Standard — IT Terminology

Summary

An explanation of UTS Standard IT Terminology.

Body

Last Modified: 12/11/2025
Authority: Approved by University Technology Services (UTS) Chief Information Officer
Category: Security Standards
Status: Approved

Overview

In the dynamic landscape of information technology, security, risk, and compliance, terminology continues to evolve in response to emerging threats, regulatory requirements, and technological advancements. This section defines key terms used throughout the Oakland University Technology Services Policies and Standards to ensure clarity, consistency, and shared understanding. Recognizing the rapidly changing nature of technology, these definitions will be reviewed and updated on an annual basis to ensure continued relevance and alignment with industry best practices and institutional needs.

Scope

This standard is campus-wide and is the authoritative source for terms used in:

  • Information Security Policies
  • Charters
  • Standards
  • Guidelines
  • Other IT governance and security-related documents

If a term is defined here, this definition prevails for OU Information Security and UTS documentation.

Standard

Oakland University recognizes and adopts the following definitions:

Application

A software program, platform, or system used to perform specific tasks or functions. In the context of information security, applications must be managed and secured to ensure the confidentiality, integrity, and availability of the data they process or access.

Approved University Electronic Communication Method

Electronic collaboration tools such as email, chat, forums, text, and social networking that are formally approved by UTS for University business. Approved electronic communication services also include OU-managed websites and platforms vetted for institutional use.

Artificial Intelligence (AI)

An engineered or machine-based system or functionality designed, for a given set of objectives, to generate outputs such as text, images, predictions, or to make recommendations or decisions influencing human action or real/virtual environments. The term AI includes Generative AI (GenAI), Predictive AI, and associated Language Models.

Cardholder Data Environment (CDE)

The devices, Payment Card Systems, applications, and networks identified as in scope for Payment Card Industry (PCI) compliance.

Cardholder Data

Cardholder’s name, contact information, Payment Card number, Primary Account Number, card expiration date, Payment Card Validation Code, Payment Card transaction information, or any other information that can personally identify a Payment Card account or holder.

Certified IT Group

A group of IT personnel certified by the Information Security Office to be part of its Information Security Program and responsible for providing secure infrastructure in support of University Data in their areas of responsibility.

Compliance Endpoint

Endpoints that process, transmit, or store any of the following data types: Protected Health Information (PHI), Payment Card Information (PCI), International Traffic in Arms Regulations (ITAR) data, Gramm-Leach-Bliley Act (GLBA) data, or similar regulated information. UTS may require supplemental inventories as appropriate.

Confidential Data

Any information that is contractually protected as confidential and any other information that the University considers appropriate for confidential treatment. See the Data Classification Standard for examples of Confidential Data.

Covered Entity

A (1) health plan, (2) health care clearinghouse, or (3) Covered Health Care Provider, as defined in the HIPAA Rules at 45 CFR 160.103.

Covered Health Care Provider

A health care provider that transmits any health information in electronic form in connection with a Covered Transaction.

Covered Transaction

An electronic financial or administrative transaction for which HHS has developed standards under the HIPAA Transactions and Code Sets Regulations, as described in the HIPAA Rules at 45 CFR 162.

Data Classification

Oakland University classifies data into three types: Confidential, Internal, and Public (formerly Confidential, Operational Critical, and Unrestricted).

Data Custodian

Creates data products and ensures data access and quality standards are met.

Data Owner

University officials (e.g., Directors, Officers of Instruction, Research, and Administration) responsible for:

  • Determining University Data classifications
  • Working with the Information Security Office on risk assessments
  • Developing procedures to implement Information Security Policies in their areas

Data Steward

Works with relevant committees and business units to align data entry practices with quality standards. Data Stewards are documented in the Data Stewards Approval Table (login required).

Data User

Uses appropriate data to accomplish daily tasks and understands applicable data entry standards.

DHCP (Dynamic Host Configuration Protocol)

A network protocol that enables a server to automatically assign an IP address to a network-capable device from a defined pool of addresses.

DNS (Domain Name System)

A protocol that translates human-readable domain names (e.g., oakland.edu) into IP addresses (e.g., 141.210.5.108) for use on the internet or a private network.

Domain Name

A human-readable address (e.g., oakland.edu) used to identify internet resources.

Domain Owner

The individual or department responsible for the content and operation of a domain or subdomain.

Email System

A system that transmits, stores, and/or receives email messages.

Endpoint

Any desktop or laptop computer, Mobile Device, tablet, or other portable device used to:

  • Connect to the University wireless or wired Network
  • Access Oakland email
  • Access institutional Systems either owned by the University or personally owned but used for University purposes

End User Device(s)

A physical or virtual device equipped with an operating system that a User can use to establish a local or network connection to Oakland Information Resources.

EPHI (Electronic Protected Health Information)

Protected Health Information that is created, stored, transmitted, or received in electronic form.

FERPA (Family Educational Rights and Privacy Act)

Federal law that protects the privacy of student education records.

Generative Artificial Intelligence (GenAI)

A class of AI models designed to create new content (text, images, music, code, etc.) by learning patterns from existing data. GenAI can generate original outputs based on prompts, examples, or instructions and is used for content creation, simulations, and research.

Health Care

The care, services, or supplies relating to an individual’s health, including:

  1. Preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care; counseling, services, assessments, or procedures related to physical or mental conditions or functional status; and
  2. The sale or dispensing of drugs, devices, or equipment in accordance with a prescription.

HIPAA (Health Insurance Portability and Accountability Act)

U.S. law governing the privacy and security of health information.

HIPAA Rules

The HIPAA Privacy, Security, Breach Notification, and Enforcement Rules (45 CFR Parts 160 and 164).

HITECH (Health Information Technology for Economic and Clinical Health Act)

Federal law that promotes the adoption and meaningful use of health information technology and strengthens HIPAA enforcement.

Hosted Solution/Service

Any computing environment (e.g., physical server, virtual machine, or cloud-based infrastructure) providing processing, storage, or networking capabilities for applications and data. Hosted solutions must be configured, monitored, and secured per institutional information security standards.

Impersonation

Using the name or persona of someone else without their consent and with the intent to harm, intimidate, defraud, or threaten another individual.

IIHI (Individually Identifiable Health Information)

Information (including demographic and genetic data) created or received by the Oakland Health Care Component that relates to:

  1. The past, present, or future physical or mental health or condition of an individual
  2. The provision of Health Care to an individual
  3. Payment for Health Care

and that either identifies the individual or can reasonably be used to identify the individual, as defined in HIPAA at 45 CFR 160.103.

Information Resources

Includes:

  • All University Data regardless of medium (paper, electronic, cloud, etc.) or form (text, graphic, video, audio, etc.)
  • Computing hardware and software Systems that process, transmit, or store University Data
  • Networks that transport University Data

Information Security Policies

University-wide policies that apply to all individuals who access, use, or control Information Resources at the University.

Information Security Program

The coordinated set of policies, processes, and controls designed to protect the confidentiality, integrity, and availability of University Data, Systems, and Networks.

Infrastructure as a Service (IaaS)

Virtualized computing infrastructure (e.g., compute, storage, networking) managed by a third-party provider.

Internal Data

Information that is proprietary or produced for use only by members of the University community with a legitimate need to access it.

IP (Internet Protocol)

A standard for addressing and routing packets of data across networks.

IRB (Institutional Review Board)

A committee that reviews and approves research involving human subjects to ensure ethical and regulatory compliance.

IT (Information Technology)

The use of systems, networks, software, and hardware to manage and process information.

IT Custodian

University personnel responsible for providing secure infrastructure in support of University Data, including:

  • Physical security
  • Backup and recovery
  • Granting access privileges as authorized
  • Implementing and administering controls over University Data

IT Group

Two or more IT Custodians whose responsibilities involve the same Information Resource.

Key Business System

A system critical to the operations of a University business unit.

Large Language Model (LLM)

A type of Generative AI designed to understand, process, and generate human language based on large text datasets. LLMs support translation, summarization, content generation, and question answering.

Learning Management System (LMS)

A software application that helps Oakland University manage and deliver educational content and training programs.

MAC (Media Access Control)

A unique identifier assigned to a network interface for communications on the physical network segment.

MFA (Multi-Factor Authentication)

An authentication method requiring two or more verification factors (e.g., password + token + biometrics).

Mobile Device

A smartphone, cell phone, tablet, wearable device, or USB/removable drive capable of storing or transmitting data.

Monitoring

The continuous observation and analysis of systems, networks, and user activity to detect anomalies, security events, or policy violations in real time.

Network

Electronic Information Resources that transport University Data between interconnected Endpoints. Network components may include routers, switches, hubs, cabling, telecommunications, VPNs, and wireless access points.

NIST (National Institute of Standards and Technology)

A non-regulatory U.S. agency that promotes innovation and security through standards and technology, including cybersecurity frameworks.

Oakland University

Also referred to as “Oakland,” “OU,” or “the University.”

OHCA (Organized Health Care Arrangement)

An arrangement recognized under HIPAA that allows two or more Covered Entities that present themselves as a joint arrangement to share PHI for joint health care operations.

OU Information Security Office

The unit responsible for managing the Information Security Program at Oakland University.

OU IT (Oakland University Information Technology)

The collective IT organization at Oakland University.

OU Network

The Network owned and operated by Oakland University.

Payment Card

A credit, debit, prepaid, or similar card issued by a financial institution used to initiate a payment transaction.

Payment Card Industry (PCI) Compliance

Compliance with the standards established by the PCI Security Standards Council (PCI-SSC).

Payment Card System

Any device, system, application, hosted service, or technology used to process, transmit, or store Cardholder Information.

Payment Card Validation Code

Also known as CVV, CV2, or CVV2; the three- or four-digit security code printed on a payment card.

PCI-DSS (Payment Card Industry Data Security Standard)

A set of security standards designed to ensure all entities that process, store, or transmit cardholder data maintain a secure environment.

PCI-SSC (PCI Security Standards Council)

The global forum of payment brands (e.g., Visa, MasterCard, American Express) that develop and manage PCI-DSS.

Peer

A network participant that makes a portion of its resources (processing, storage, bandwidth) directly available to others without central coordination. Examples: KaZaa, BitTorrent, LimeWire, BearShare.

Personal Device(s)

An End User Device owned by an individual or third party (e.g., vendor) used for University-related purposes. This includes smartphones, tablets, laptops, and other mobile computing devices.

Personally Identifiable Information (PII)

Information about an individual that:

  1. Can be used to distinguish or trace identity (e.g., name, date/place of birth, mother’s maiden name, biometrics),
  2. Is linked or linkable to an individual (e.g., medical, educational, financial, employment information), and
  3. Is protected by federal, state, or local laws, regulations, or industry standards.

Loss or unauthorized disclosure of PII could result in harm to the individual.

Platform as a Service (PaaS)

Provider-hosted development platforms and tools used for building, testing, and deploying applications.

Primary Account Number (PAN)

The card identifier on payment cards (credit, debit, stored-value, gift cards, etc.).

Privileged Access

The ability for users or processes to perform security-relevant or administrative functions beyond those granted to standard users.

Protected Health Information (PHI)

IIHI that is transmitted or maintained by the Oakland Health Care Component in any form or medium, except as excluded by HIPAA (45 CFR 160.103) or considered RHI.

Public Data

Information that may or must be made available to the general public without legal restrictions on access or use.

Qualified Security Assessor (QSA)

A third-party security professional certified to evaluate an organization’s PCI-DSS compliance.

Recording

The systematic capturing and storage of system, network, and user activity data (e.g., log files) to support auditing, incident response, and compliance.

Removable Media

Media such as CDs, DVDs, USB flash drives, external hard drives, smart cards, medical instrumentation devices, and multi-function devices that can store data and be physically moved.

Research Health Information (RHI)

IIHI that:

  1. Is created or received in connection with research that does not involve a Covered Transaction, or
  2. Was previously PHI but is now used in research under a valid HIPAA authorization or IRB waiver.

Risk Analysis (Risk Assessment)

The process of identifying, estimating, and prioritizing risks to organizational operations, assets, and individuals.

Risk Management Program

The combined processes of Risk Analysis, Risk Remediation, and Risk Monitoring.

Risk Monitoring

Maintaining ongoing awareness of information security risks via periodic reviews, metrics, and risk tracking.

Risk Remediation (Risk Mitigation / Corrective Action Planning)

Prioritizing, evaluating, and implementing security controls or countermeasures to reduce risks identified during Risk Analysis.

Software as a Service (SaaS)

Cloud-hosted applications accessed via a web browser or API.

Software Development Life Cycle (SDLC)

The process for planning, creating, testing, and deploying an information system.

Sensitive Data

Any data classified as Confidential or Internal according to the Data Classification Standard.

Server

Any computing device that provides services (such as Systems and Applications) to Endpoints over a Network.

Service Account

A special User account used by a System or application to perform automated tasks or configuration changes.

SMTP (Simple Mail Transfer Protocol)

An internet protocol used for transmitting email messages between servers.

Student Education Records

Student data protected by FERPA.

Student Information System (SIS)

A system used to store and manage student information, including personal details, contact data, and academic records.

Subdomain

A domain that is part of a larger domain (e.g., webmail.oakland.edu is a subdomain of oakland.edu).

System

Server-based software that resides on one or more Servers and is used for University purposes. “Application” or “Information System” may be used synonymously.

System Administrator

A person responsible for the configuration, operation, and maintenance of a System.

System Owner

University officials (Directors, Officers of Instruction, Research, or Administration) who determine computing needs, system hardware/software, and ensure proper functionality and oversight of Systems in their areas.

TLS (Transport Layer Security)

A protocol that encrypts network communications to ensure confidentiality and integrity of data in transit.

Top-Level Domain (TLD)

The last segment of a domain name (e.g., .edu, .org, .com).

University Data

All information created, used, stored, or transmitted by the University community in support of teaching, research, clinical care, or business operations.

University Network

The Network owned and operated by the University.

UPS (Uninterruptible Power Supply)

A device providing backup power to systems in the event of a primary power failure.

User

Any person who uses Information Resources.

User ID (User Identifier)

A unique identifier assigned to a User for authentication and access control.

VPC (Virtual Private Cloud)

A logically isolated virtual network environment within a public cloud provider’s infrastructure.

VPN (Virtual Private Network)

A technology that creates a secure, encrypted connection (tunnel) over a public network to access private resources.

 

Details

Article ID: 904
Created: Thu 12/11/25 9:01 AM
Modified: Mon 1/26/26 3:36 PM