As used in this chapter, the following terms shall have the meanings indicated:
AUTHORIZATIONThe granting of rights which includes the granting of access based on an authenticated identity.
AVAILABILITYThe property of being operational, accessible, functional and usable upon demand by an authorized entity, e.g., a system or user.
CLASSIFICATIONThe designation given to information or a document from a defined category on the basis of its sensitivity.
COMPUTERAll physical, electronic and other components, types and uses of computers, including but not limited to hardware, software, central processing units, electronic communications and systems, databases, memory, Internet service, information systems, laptops, personal digital assistants and accompanying equipment used to support the use of computers, such as printers, fax machines and copiers, and any updates, revisions, upgrades or replacements thereto.
CONSUMER REPORTING AGENCYConsumer reporting agency shall mean any person which, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties, and which uses any means or facility of interstate commerce for the purpose of preparing or furnishing consumer reports. A list of consumer reporting agencies shall be compiled by the State Attorney General and furnished upon request to state entities required to make a notification under this policy.
CONFIDENTIALITYThe property that information is not made available or disclosed to unauthorized individuals, entities, or processes.
CONTROLSCountermeasures or safeguards that are the devices or mechanisms that are needed to meet the requirements of policy.
CRITICALA condition, vulnerability or threat that could cause danger to data, a system, network, or a component thereof.
CUSTODIAN OF INFORMATIONAn employee or organizational unit acting as a caretaker of an automated file or database on behalf of its owner.
DATAAny information created, stored (in temporary or permanent form), filed, produced or reproduced, regardless of the form or media. Data may include, but is not limited to personally identifying information, reports, files, folders, memoranda, statements, examinations, transcripts, images, communications, electronic or hard copy.
DATA SECURITYThe protection of information assets from accidental or intentional but unauthorized disclosure, modification, or destruction, or the inability to process that information.
DECRYPTIONThe reversal of a corresponding reversible encryption to render information intelligible using the appropriate algorithm and key.
ENCRYPTIONThe cryptographic transformation of data to render it unintelligible through an algorithmic process using a cryptographic key.
INCIDENTAny adverse event that threatens the confidentiality, integrity or accessibility of information resources.
INCIDENT RESPONSEThe manual and automated procedures used to respond to reported network intrusions (real or suspected); network failures and errors; and other undesirable events.
INFORMATIONInformation is defined as the representation of facts, concepts, or instructions in a formalized manner suitable for communication, interpretation, or processing by human or automated means.
INFORMATION ASSETSAll categories of automated information, including but not limited to: records, files, and databases; and information technology facilities, equipment (including microcomputer systems), and software owned or leased by the state.
INFORMATION OWNERAn individual or a group of individuals that has responsibility for making classification and control decisions regarding use of information.
INFORMATION SECURITYThe concepts, techniques and measures used to protect information from accidental or intentional unauthorized access, modification, destruction, disclosure or temporary or permanent loss (see "availability").
INTEGRITYThe property that data has not been altered or destroyed from its intended form or content in an unintentional or an unauthorized manner.
INTERNETA system of linked computer networks, international in scope, that facilitates data transmission and exchange, which all use the standard Internet protocol, TCP/IP, to communicate and share data with each other.
INTRUSION DETECTIONThe monitoring of network activities, primarily through automated measures, to detect, log and report upon actual or suspected authorized access and events for investigation and resolution.
NONPUBLIC INFORMATIONAny information that is covered by an exception to the Freedom of Information Law, Public Officer Law Article 6, or is otherwise protected from disclosure by law.
OWNER OF INFORMATIONAn individual or organizational unit having responsibility for making classification and control decisions regarding use of information.
PERSONAL INFORMATIONPersonal information means any information concerning a natural person which, because of name, number, personal mark or other identifier can be used to identify such natural person.
PRIVACYThe right of individuals and organizations to control the collection, storage, and dissemination of information about themselves.
PRIVATE INFORMATIONPrivate information means personal information in combination with any one or more of the following data elements, when either the personal information or the data element is not encrypted or encrypted with an encryption key that has also been acquired: social security number; or driver's license number or nondriver identification card number; or account number, credit or debit card number, in combination with any required security code, access code, or password which would permit access to an individual's financial account. Private information does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
PROCEDURESSpecific operational steps that individuals must take to achieve goals stated in this policy.
PUBLIC INFORMATIONInformation on Town programs and services, disseminated information through publications and through the news media.
RISKThe probability of suffering harm or loss. It refers to an action, event or a natural occurrence that could cause an undesirable outcome, resulting in a negative impact or consequence.
RISK ASSESSMENTThe process of identifying threats to information or information systems, determining the likelihood of occurrence of the threat, and identifying system vulnerabilities that could be exploited by the threat.
RISK MANAGEMENTThe process of taking actions to assess risks and avoid or reduce risk to acceptable levels.
SECURITY POLICYThe set of criteria for the provision of security services based on global rules imposed for all users. These rules usually rely on a comparison of the sensitivity of the resources being accessed and the possession of corresponding attributes of users, a group of users, or entities acting on behalf of users.
SENSITIVITYThe measurable, harmful impact resulting from disclosure, modification, or destruction of information.
STANDARDSets of rules for implementing policy. Standards make specific mention of technologies, methodologies, implementation procedures and other detail factors.
STATEThe State of New York.
SYSTEM(S)An interconnected set of information resources under the same direct management control that shares common functionality. A system may include hardware, software, information, data, applications or communications infrastructure.
THIRD PARTYAny non-Town employees such as a contractor, vendor, consultant, intern, another municipal agency, etc.
THREATA force, organization or person, which seeks to gain access to, or compromise, information. A threat can be assessed in terms of the probability of an attack. Looking at the nature of the threat, its capability and resources, one can assess it, and then determine the likelihood of occurrence, as in risk assessment.
USERAny Town entity(ies), state entity(ies), federal government entity(ies), political subdivisions(s), their employees or third-party contractor(s) or business associates, or any other individual(s) who are authorized by such entities to access a system for a legitimate government purpose.
USER OF INFORMATIONAn individual having specific limited authority from the owner of information to view, change, add to, disseminate or delete such information.