Acronyms dictionary
Some of the following acronyms are unique to UW–Madison, while others are industry standards. If you would like to add an acronym to this list, please reach out to the Office of Cybersecurity.
| Acronym | Description |
|---|---|
| aaS | as a Service - suffix used in SaaS, PaaS, and IaaS (Software, Platform, and Infrastructure as a Service) |
| BAA | Business Associate Agreement - generally attached to a contract with a vendor; it permits HIPAA data in the vendor's tool and sets the requirements for securing it (for non-HIPAA data see DUA - Data Use Agreement) |
| CAIQ | Consensus Assessments Initiative Questionnaire - a survey provided by the Cloud Security Alliance (CSA) for cloud consumers and auditors to assess the security capabilities of a cloud service provider. |
| CCR | Cybersecurity Consultative Review - a high-level risk report produced by the Office of Cybersecurity at a specific stage of a project to understand its security risks. |
| CIS | Center for Internet Security - mission is to make the connected world a safer place by developing, validating, and promoting timely best practice solutions that help people, businesses, and governments protect themselves against pervasive cyber threats. |
| CISO | Chief Information Security Officer - a senior-level executive within an organization responsible for establishing and maintaining the enterprise vision, strategy, and program to ensure information assets and technologies are adequately protected. |
| CMMC | Cybersecurity Maturity Model Certification - by building cybersecurity standards into acquisition programs, CMMC provides the Department of Defense assurance that contractors and subcontractors are meeting DoD's cybersecurity requirements. |
| CSA | Cloud Security Alliance - promotes the use of best practices for providing security assurance within cloud computing, and provides education on the uses of cloud computing to help secure all other forms of computing. |
| CSOC | Cyber Security Operations Center - a centralized department that monitors for data anomalies on campus using specific tools. |
| CUI | Controlled Unclassified Information - government created or owned information that requires safeguarding or dissemination controls consistent with applicable laws, regulations and government wide policies. |
| DUA | Data Use Agreement - collaborative contract to share in the responsibility with the UW to secure and manage sensitive/restricted data. |
| DFARS | Defense Federal Acquisition Regulation Supplement - defines specific cybersecurity protocols that became a requirement when working with Department of Defense data. |
| DLP | Data Loss Prevention - practice of detecting and preventing data breaches, exfiltration, or unwanted destruction of sensitive data. |
| DoIT | Division of Information Technology - collaborative information and technology community working to enable innovation, support scholarship, and equip the university with high-quality, sustainable technologies and services. |
| FERPA | Family Educational Rights and Privacy Act - a federal law that affords parents the right to have access to their children’s education records, the right to seek to have the records amended, and the right to have some control over the disclosure of personally identifiable information from the education records. |
| FIPS | Federal Information Processing Standards - publicly announced standards developed by the National Institute of Standards and Technology for use in computer systems by non-military American government agencies and government contractors. |
| FISMA | Federal Information Security Modernization Act - codifies the Department of Homeland Security's role in administering the implementation of information security policies for federal Executive Branch civilian agencies, overseeing agencies' compliance with those policies, and assisting OMB in developing those policies. |
| GDPR | General Data Protection Regulation - a regulation in EU law on data protection and privacy in the European Union and the European Economic Area. |
| GRC | Governance, Risk and Compliance |
| HECVAT | Higher Education Community Vendor Assessment Toolkit - a questionnaire framework designed to help institutions of higher education measure their vendor risk. This is a self-attestation rather than a third-party confirmation (see SOC 2). |
| HIPAA | Health Insurance Portability and Accountability Act of 1996 (see hhs.gov for more details) - a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient's consent or knowledge. |
| HITECH | Health Information Technology for Economic and Clinical Health - used to promote the adoption and meaningful use of health information technology. |
| ISO | International Organization for Standardization - a worldwide federation of national standards bodies. ISO is a nongovernmental organization that comprises standards bodies from more than 160 countries, with one standards body representing each member country. |
| JSPR | Joint Security & Privacy Review - a high-level risk report produced by the Office of Cybersecurity prior to the purchase of software or use of a vendor specifically intended for HIPAA data. |
| MFA | Multi-Factor Authentication - a way to verify the identity of a person attempting to access data using more than one factor. |
| NIST | National Institute of Standards and Technology - NIST is the basis for the Risk Management Framework utilized on the UW-Madison campus. (https://www.nist.gov) |
| OneTrust | The risk management tool used by UW-Madison RMC team to assess risk and record remediations. |
| PBSS | Program & Business Systems Security |
| PCI-DSS | Payment Card Industry Data Security Standard - the specific security controls required to secure the use of credit cards. |
| PHI | Protected Health Information - health information held by covered entities; HIPAA gives patients an array of rights with respect to that information. |
| PII | Personally Identifiable Information |
| RBAC | Role-based access control - a method of restricting network access based on the roles of individual users within an enterprise. |
| RMC | Risk Management and Compliance - a department within the Office of Cybersecurity which reviews the security of data and its use on the UW-Madison campus. |
| RTP | Request to Procure - a high-level risk report produced by the Office of Cybersecurity prior to the purchase of software or use of a vendor. |
| RO/RAO | Risk Assessment to Operate - A comprehensive risk report produced by the Office of Cybersecurity which offers a full review of a tool, service, or vendor for use within the campus environment. |
| SMPH | School of Medicine and Public Health |
| SOC | System and Organization Controls - a way to verify that an organization is following some specific best practices for securing data before you outsource a business function to that organization. |
| SSL | Secure Sockets Layer - an encryption security protocol for network connections. It has been replaced by Transport Layer Security (TLS). |
| SSO | Single Sign-On - a session and user authentication service that permits a user to use one set of login credentials across multiple applications. |
| TCD | Testing and Cyber Defense - the ability to detect and prevent cyber attacks from infecting a computer system or device. |
| TLS | Transport layer security - a cryptographic protocol designed to provide communications security over a computer network. |
| AC | Access Control: Security requirements for access control include account management, remote access logging, and system privileges to determine users’ ability to access data and reporting features. |
| AT | Awareness and Training: The AT control family’s control sets document your security training materials, procedures, and records. |
| AU | Audit and Accountability: Security controls related to an organization’s audit capabilities make up the AU control family. Audit rules and processes, audit recording, audit report creation, and audit information protection are all part of this. |
| CA | Assessment, Authorization and Monitoring: The CA control family is specific to the execution of security assessment and authorization, including continuous monitoring, action plan and milestones, and system interconnections. |
| CM | Configuration Management: CM controls relate to an organization’s configuration management policy and serve as the foundation for future information system builds or changes. It also includes inventories of information system components and a security impact analysis control. |
| CP | Contingency Planning: The CP control family includes controls particular to an organization’s cybersecurity contingency plan. Contingency plan testing, updating, training, backups, and system reconstitution are included. |
| IA | Identification and Authentication: IA controls are particular to an organization’s identification and authentication procedures to assure proper access for organizational and non-organizational users. |
| IR | Incident Response: Controls for incident response are customized to an organization’s rules and processes. This area may include incident response training, testing, monitoring, reporting, and a response strategy. |
| MA | Maintenance: Revision five of NIST 800-53 outlines standards for maintaining systems and tools. |
| MP | Media Protection: Access, marking, storage, transit policies, sanitization, and defined organizational media use are all covered by the media protection control family. |
| PE | Physical and Environmental Protection: Physical and environmental protection is a control family used to safeguard systems, buildings, and supporting infrastructure from physical dangers. Physical access authorizations, monitoring, visitor records, emergency shutoff, electricity, lighting, fire protection, and water damage prevention are all examples of these controls. |
| PL | Planning: Security planning policies address the goal, scope, roles, duties, management commitment, and coordination among entities for organizational compliance. |
| PM | Program Management: The PM control family applies to your cybersecurity program. It includes a critical infrastructure plan, information security program plan, a plan of action milestones and processes, a risk management strategy, and enterprise architecture. |
| PS | Personnel Security: Standards around personnel screening, termination, transfers, sanctions, and access agreements are all examples of PS controls to protect employees. |
| PT | PII Processing and Transparency: The PII Processing and Transparency family of controls helps to safeguard sensitive data, focusing on consent and privacy. |
| RA | Risk Assessment: The RA control family covers an organization’s risk assessment policies and vulnerability scanning capabilities. |
| SA | System and Services Acquisition: Controls that protect allocated resources and an organization’s system development life cycle are associated with the SA control family. It includes procedures for information system documentation, development configuration management, and developer security testing and evaluation. |
| SC | System and Communications Protection: System and communications protection protocols include boundary protection, information at rest protection, collaborative computing devices, cryptographic protection, and denial of service protection. |
| SI | System and Information Integrity: The SI control family includes flaw remediation, malicious code protection, information system monitoring, security warnings, software and firmware integrity, and spam prevention. |
| SR | Supply Chain Risk Management: Guidance to help organizations protect themselves as they acquire and use technology products and services. |