Terms and definitions

The following terminology is used throughout the Recommended Data Practices:

Asset • Anything that has value to the organization, including but not limited to data (information) and data system assets (information processing facilities).  (ISO 13335:2004)

Authority • Any organizational, statutory, regulatory or certificatory requirement or standard for organizational policies and procedures.

Capability • The capacity of an entity.  Usually used to refer to the capacity of a threat to exploit a vulnerability.

Control • Any means of promoting positive outcomes, reducing negative outcomes, managing risk or otherwise achieving some other organizational objective, including policies, procedures, guidelines, practices, organizational structures, and software/hardware functionality.  (ISO 27002:2005)

Countermeasure • Any means of reducing negative outcomes or mitigating risk.  Partial synonym for control.

Data controller • The natural or legal person, department or other administrative unit of a private organization, public authority or public agency, or any other body which alone or jointly with others determines the purposes and means of the processing of a particular collection of data.  (EU, ISO)

Data owner • Synonym for data controller.

Data subject • The object or “referent” of personal data.

Data system • An information processing system, service or infrastructure, or the physical location housing them.  Synonym for information processing facility.  (ISO 27002:2005)

Guideline • A recommended, non-mandatory control.  Cf. standard.

Identified/identifiable data • Data which is, or reasonably could be, linked to a person.  See personal data.

Incident • Any event which is not part of the standard operation of a service and which causes, or may cause, an interruption to, or a reduction in, the quality of that service.  (ITIL)

Include(s) • Includes, but is not limited to.  That is, a not-necessarily-exhaustive listing.

Information processing facilities • Any information processing system, service or infrastructure.  Synonym for data system. (ISO 27002:2005)

Information security • Preservation of the confidentiality, integrity and availability of information.

Information security event • See information security incident.

Information security incident • An incident with actual or potential information security consequences.  An identified occurrence of a system, service or network state indicating an actual or possible breach of information security policy or failure of safeguards.  Used herein as a synonym for information security event, though in standard usage the term incident is reserved for possible events and the term event for confirmed events.  (ISO 27002:2005)

Mobile computing • Work from a non-fixed location using portable computing/communications devices such as laptops, notebooks, palmtops, smart cell phones and PDAs.  Contrast with tele-working.

Personal data • Any information relating to an identified or identifiable natural person (data subject).  An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.  (EU)

Policy • A high-level overall plan embracing the general goals and acceptable procedures especially of an organization.  Can include specification of defined processes or methods in light of defined conditions, to guide or determine decision-making, but cf. procedure.

Procedure • Specification of defined processes or methods in light of defined conditions, to guide or determine decision-making.  Usually based on a policy.

Risk • Combination of the probability of an event and its consequences.  (ISO 73:2002)

Risk analysis • Systematic use of information to identify sources and probabilities of risk.  See also threats and vulnerabilities.  (ISO 73:2002)

Risk assessment • Overall process that includes risk analysis and risk evaluation.  (ISO 73:2002)

Risk evaluation • Process of comparing estimated risks against given risk criteria to determine the significance of a risk.  (ISO 73:2002)

Risk management • Coordinated activities to direct and control an organization with respect to risk based on risk assessment.  (ISO 73:2002)

Risk treatment • Process of selection and implementation of measures to modify risk.  Synonym for risk management.  (ISO 73:2002)

Safeguard • Synonym for control.

Standard • A mandatory control.  Cf. guideline.

Tele-working • Work at a fixed location outside of the normal organizational environment.  Synonym for tele-commuting.  Contrast with mobile computing.  (ISO 27002:2005)

Third party • A natural or legal person, department or other administrative unit of a private organization, public authority or public agency, that is independent of the parties involved, as concerns a particular issue.  (EU, ISO)

Threat • A potential cause of an unwanted incident or event.  The capacity of a threat to damage organizational resources is sometimes referenced as its capability.  Includes computer-assisted fraud, espionage, sabotage, vandalism, fire or flood.  (ISO 13335:2004, ISO 27002:2005)

Vulnerability • A weakness in an asset or group of assets that can be exploited by one or more threats.  (ISO 13335:2004)