Accountable Administrator

Dean or Department head of the highest level unit.

Affiliate ID

A 10 digit unique number assigned by the PeopleSoft System and also displayed on the users ASU Sun Card.

Application Program Interface (API)

An API is a set of subroutine definitions, protocols, and tools for building software and applications. It is a way for an application to interact with other systems/applications/libraries. ASU has enterprise tools that serve as primary interfaces between different ASU data stores.

 Application Server

Communicates with a web server and a database server, preventing the web server from directly accessing the database server, and ensuring that all queries and updates conform to a white list of authorized transactions, programs, and authentication credentials. This term may refer to a dedicated hardware appliance, or to a software server running on generic hardware.

 ASU’s Technology Network

consists of: network hosts that are owned or operated by the university and connected either to ASU’s campus networks or to ASU’s cloud infrastructure.


Typically a combination of the users first initial, last name, and numbers if the ID has already been used.  This combination is used for users ASU Single Sign On. 


Authentication is verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system.

 Availability Rating 

A business-based classification, a rating that is based entirely on ASU’s assessment of the importance of the site’s availability for ASU’s business continuity.

Tier 1 - core web sites that are vital to all of ASU. This set of applications will be defined by the CIO and CISO in conjunction with ASU’s executive leadership. Circumstances that could indicate a Tier 1 rating include:

    • ASU cannot do business if this web site is down.
    • Many other ASU systems rely on this web site being available.

Examples of Tier 1 systems include enterprise student learning management systems, payroll systems, student administration systems, the ASU home page, email, and authentication systems to support these systems.

Tier 2 - enterprise-wide systems relied upon by most students or employees such as MyASU, and other online learning systems used in for-credit classes.

Tier 3 – sites including department-specific applications and all other applications.

 Black List

Specifically identifies items that are known to be undesirable, and allows all others. See (computing) and "white list". Because it is difficult to specify every possible variation of an undesirable pattern, black lists are generally considered insufficient.

 Centralized Web Application 

A centralized Web application is a Web application that is developed, hosted, and managed within the University Technology Office (UTO). These applications may have been developed at the request of an external source.


Any modification involving the configuration of IT hardware, firmware or software, to include version upgrades, patches or file updates. All Changes will be categorized as either Routine, Normal, or Emergency. Refer to Types of Changes in the Enterprise System Change Management Standard for details on each Change type and how should be handled.

 Change Advisory Board (CAB)

The group of individuals with the authority and responsibility of reviewing, denying or approving change requests on a risk basis.

 Change Blackout Period

Specified days, such as Start and End of Semesters on which Changes will not be allowed without additional scrutiny and justification.

Change Window

Approved maintenance period during which normal and routine changes are applied.


Typically refers to a web browser and the associated machine and human user, however in some cases a client may be a search engine or other automated source of web requests.

 Component Units

ASU’s component units are separate legal entities controlled and governed by independent boards of directors whose goals are to support the University or have a close affiliation with the University.  Component units can be defined as legally separate entities for which the University is considered to be financially accountable. For additional information see Note: B of the ASU 2018 Financial statements.


 Configuration Baseline

The current, approved combination of versions and technical configuration settings for the hardware, firmware and software that comprise an IT asset.

 Core Application Security Review Team

This team is organized by the Information Security Office and is convened to review criticality application ratings. The team typically includes members of the Information Security Office, UTO application development, UTO operations and members of the University’s decentralized development community as appropriate.

 Criticality Rating

The criticality rating is the overall web site rating which combines both the data rating and the availability rating to determine an overall rating. See the table on page 4 of the Vulnerability Management Security Standard.

 Data Database

A structured electronic repository that resides in a computer's Random Access Memory (RAM) or on physical storage media, such as a file system, and that is intended to store Data related data and metadata, where such information is organized for the purpose of computer driven storage, search, retrieval, manipulation and calculation.


Includes any technique for storing and/or retrieving bytes that are incorporated into, collected from, or modified by a web page. However the term does not include the normal web logs that are produced by a web server, or the files that comprise a static web page.

 Database Server 

A software package that responds to data query and update requests.

 Data Rating

The rating of a web site based on the data included on the site in accordance with ASU’s Data Handling Standard. Web site data rating is determined by the data classification as follows:

    • If a web site has access to Highly Sensitive data the data rating is High
    • If a website can modify Sensitive data within a Tier 1 Mission critical system, the site’s data rating is High.
    • All other websites with sensitive data are rated Medium.
    • If a web site has access to Internal data, but not Sensitive or Highly Sensitive data, the site’s data rating is Low. The expectation is that this rating (or higher) applies to all sites that are protected by passwords or other forms of authentication.
    • If a web site has no access to data other than Public data, the site’s data rating is Low. These sites do not prompt for a password or use other types of authentication.

 Decentralized Web Application

A Web application that is owned, developed, hosted, or managed through individual departments or units at ASU and is not centrally coordinated by UTO.


Any object used to store, process, and/or transfer data.

 Emergency Change Advisory Board (ECAB)

A reduced membership of the CAB, with only 3 members to provide expedited review and approval of Emergency changes. Only 2 of 3 designated ECAB members are required to approve an Emergency Change.

 Financial Systems

The ASU Workday and specific modules within the Oracle/PeopleSoft Student Administration System and HR/Payroll System as defined and reviewed in the 2008 Auditor General Financial Audit.


A paper or electronically structured Document or Artifact that is used to allow human Resources to enter, capture, submit and visualize Data and Information in a contextual and organized manner, often for the purpose of transmitting data to another Resource or System for storage and/or processing.

 Legitimate Purpose

A web site on ASU’s network should further some aspect of the University’s mission, such as providing education or services to students, supporting funded research projects, or enabling University business administrative functions.

  Managed By 

Primary technical contact for maintenance and support of the application or product. The application manager is required to maintain the CMDB application record including reporting criticality and GDPR status changes and providing required security related documentation (SOC2 and Vulnerability Scans). Managed by users will be required to verify the application record for medium and high criticality applications.


 Mobile Application

A type of application software designed to run on a mobile device, such as a phone, tablet or other device running iOS or Android.

 Network Device

Any device that is either permanently or periodically attached to the ASU network. Devices connecting remotely to the ASU network, for example through a Virtual Private Network, can be considered as attaching to the ASU network. This includes computers, routers, printers, cell phones, copiers, and PDAs such as Blackberries, Android devices, iPhones, etc.

 Official Scan

A scan that has been performed by an approved third-party provider, ISO, or a member of the ASU Web Scanning Team. The Web Scanning Team is housed in the UTO within the Chief Operating Officer’s team and provide the service of conducting official scans on Centralized Web Applications, Decentralized Web Applications and Hosted Web Applications in the production and QA environments. Decentralized departments may be approved to conduct their own official scans provided that the tool that will be utilized is comparable to the current, University-designated scanning tool and the request is approved by the Information Security Office.

 Operating System (OS)

The set of programs used to provide the basic functions of a computer.


 Owned By

Product Owner responsible for the strategy, roadmap, and feature definition of a product or product line. The role involves working with cross-functional teams and may include marketing, forecasting, budget, and community outreach/collaboration. Traditionally responsible for work/verifications related to UTO, ISO, Procurement, audit, and application security compliance activities.

 Penetration Testing

Conducting an automated or manual evaluation of a web site that attempts to identify and exploit vulnerabilities.

 Production Instance

Instance of a web site that is intended to be available for business use.

 Quality Assurance (QA) Instance

Instance of a web site that is intended for final testing before a new web site or significant change is released to the production instance. It is expected that the QA site will be as identical to the current or proposed production site as possible, with the exception that the QA site uses test data. Also, a QA site is expected to deliver test communications, including email, to test users.


An HTTP message from a client to a web server.


Consists of HTTP headers and optional content from a web server to a client in reply to the client's request.


The likelihood of an event occurring and the impact that event would have on an information technology asset.

System events with potential malicious implication. Examples include but are not limited to:

    • Failed login attempts
    • Multiple login attempts
    • Resetting passwords
    • Superhuman events, logging in from different geographical locations within seconds or minutes
    • IP address of login
    • Logging in during non-business hours (anomalies to normal login schedule or pattern)

 Security Reviews

Process designed to guide each project team to implement technology solutions efficiently while minimizing security risks.

 Security Testing

Seeks to uncover any vulnerabilities that were previously unseen and confirm that mitigation plans and strategies have been successful.


Any computer that accepts incoming connections. A desktop computer may be a server if it provides services to other computers. Servers typically, but not necessarily, have static IP addresses so that other systems may readily locate them and connect to them.

 Server Program

Any software, other than a web server, that runs on the server side and generates a real-time response to a request. This term applies regardless of the programming language (for example Java or Perl) or page suffix (for example .asp .cgi or .pl).

 Significant Change

Any change, including a code fix, that creates or alters executable code, whether the code runs on a server, a Web browser, or elsewhere. A cosmetic change, including changes in text, formatting, or color is typically not considered significant for the purposes of this definition.


Software, is a collection of data or computer instructions that tell the computer how to work. The three types of computer software's are systems software, or operating system often referred to by OS, programming software, and applications software.

 Static Page

A web page that is not generated at the time of the request. It does not contain or invoke any web server- side code beyond the code of the web server itself. It only changes when an author manually modifies it. It is not a server program. It does not receive form input via POST requests nor by query parameters. A page that includes, for example, a client-side script to display the current date or time is still a static page because the script executes on the browser, not the web server, and the text of the script changes only when an author modifies it.


An ASU employee who is responsible for a web site on ASU’s network from a business perspective, and who ensures that the site exists for a legitimate purpose and meets ASU’s security requirements.

 Senior TAG 

Senior Technical Representatives (Senior TAG) is a position that is responsible (as defined by their job duties) for their unit’s computing environment and its interaction with the University’s shared technology infrastructure. Traditionally accountable for UTO, ISO, Procurement, audit, and SOC2 coordination where needed. For more details see the Technical Advisory Charter.



Systems, web applications and application source code developed, maintained or operated by, or on behalf of, ASU.

 Technical Administrator

An ASU employee or contracted third party with the skill and availability to maintain a system or web application, including timely and effective response to security issues. The technical administrator is responsible for the overall implementation and maintenance of their system or application.

 Testing Cycle

A method of testing that allows for the evaluation of critical patches in a test environment before pushing them into production on enterprise systems.

 Threat Modeling

A process to identify potential risks in an application and potential steps to mitigate those risks.

 URL Path

The portion of the URL before the ‘?’ and query string, or before the ‘#’ and fragment identifier. If neither the ‘?’ or ‘#’ are present, the URL Path is the entire URL.


Users of ASU’s computing, the internet, and communications resources, including all, faculty, staff (including student employees), contractors, vendors, consultants, temporary and other workers for ASU and its Component Units.


A design flaw or misconfiguration which makes a server susceptible to malicious attacks from local or remote users.

 Web Application

Any Web site that uses server-side logic to determine what information is sent to the user’s Internet browser based on data from a database or a Web service. A site with a URL that receives data from a form typically includes server-side logic to process that data, and is presumed to be a web application.

 Web Host 

A physical or virtual machine that hosts one or more web sites.

 Web Page

The combination of HTTP headers, HTML, CSS, images, scripts, frames etc. that are sent to a browser in response to an initial URL request and the subsequent URLs recursively embedded within the first response.

 Web Server

A software package that responds to web requests. Popular web servers include Apache and IIS.


A collection of one or more URLs that respond to requests using the HTTP protocol. A typical web site will have a starting URL that provides links allowing authorized users to navigate, directly or indirectly, to the other URLs available on the site. Many web sites reside entirely on a single web server, or even within and below a single subdirectory on a web server, but other combinations are possible.

 White List

Specifically identifies items that are known to be acceptable, and denies all others. See and "black list". Generally speaking, white lists are preferred over black lists, because they reject by default anything the list maker did not anticipate.