Acceptable Level of RiskA judicious, carefully considered, and fully documented assessment by the appropriate Designated Approving Authority (AA) that an information subsystem meets the minimum requirements of applicable security directives. The assessment should take into account and carefully document the sensitivity and criticality of information, threats, vulnerabilities and countermeasures and their effectiveness in compensating for vulnerabilities, and operational requirements (ref. State of Maryland Information Technology Security Manual v1.2).Acceptable RiskA concern that is deemed acceptable to responsible management, due to the cost and magnitude of implementing countermeasures to mitigate the risk (ref. State of Maryland Information Technology Security Manual v1.2).Access ControlA security technique that regulates who or what can view or use resources.AccountabilityAccountability is (1) The quality or state that enables violations or attempted violations of IT Security to be traced to individuals who may then be held responsible. (2) The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity. This supports non repudiation, deterrence, fault isolation, intrusion detection and prevention, after-action recovery and legal action (ref. State of Maryland Information Technology Security Manual v1.2).Adequate SecuritySecurity commensurate with the risk and the magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information (ref. State of Maryland Information Technology Security Manual v1.2).Agency Data OfficerAn individual designated by a State unit to implement measure for the secure, efficient, and effective use of data; provide administrative support to the State Chief Data Officer on behalf of the the unit; receive and promptly address inquiries, requests, or concerns about access to the unit’s data; comply with direction from the State Chief Data Officer as to the use and management of the unit’s data in accordance with Executive Order "01.01.2021.09 State Chief Data Officer" (ref. Executive Order "01.01.2021.09 State Chief Data Officer").Agency Privacy OfficerAn individual designated by a State unit to manage its implementation of reasonable security practices and procedures in compliance with Executive Order "01.01.2021.10 Data Privacy" (ref. Executive Order "01.01.2021.10 Data Privacy").ApplicationThe use of information resources (information and information technology) to satisfy a specific set of users requirements (See Major Application) (ref. State of Maryland Information Technology Security Manual v1.2).Application Program Interface (API)A formal interface that a system provides to other systems in order to expose its data or functionality in a well-defined, well-managed way. An API provides one official way to access materials and provides an appropriate level of security and structure in order to assure that anything coming to the system gets good fidelity and dependable results in a well-structured format.Artificial Intelligence (AI)the ability of a machine to mimic the capabilities of the human mind, such as learning from examples and sample sets, recognizing objects, understanding and responding to language, making decisions, and solving problems.AssessmentSee Security Control Assessment (ref. State of Maryland Information Technology Security Manual v1.2).AssuranceGrounds for confidence that the other four security goals (integrity, availability, confidentiality, and accountability) have been adequately met by a specific implementation. Adequately met includes (1) functionality that performs correctly, (2) sufficient protection against unintentional errors (by users or software, and (3) sufficient resistance to intentional penetration or bypass (ref. State of Maryland Information Technology Security Manual v1.2).Audit LogA chronological record of system activities which enables the reconstruction and examination of the sequence of events and activities surrounding or leading to an operation, a procedure or an event in a transaction from its inception to final results. The audit log also serves as the chain of custody for the history of use of a record. This term is synonymous with Audit Records and Audit Trails (ref. State of Maryland Information Technology Security Manual v1.2).Authentication [FIPS 199]The process of verifying the identity of a user, process or device, often as a prerequisite to allowing access to resources in an information system (ref. State of Maryland Information Technology Security Manual v1.2).Big Datalarge, hard-to-manage volumes of data – both structured and unstructuredBusiness Intelligence (BI)analyzing and transforming data to extract valuable business insights to enable data driven decision-makingChildren's Online Privacy Protection Act (COPPA)Governs the connection of information obtained through online/website services relating to children aged 13 and under.Cloudservers that are accessed over the Internet, and the software and databases that run on those serversConfidential Data (Classification)Access to confidential data requires specific authorization and/or clearance. Types of confidential data might include Social Security numbers, cardholder data, etc. This data is usually protected by laws like Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS).COTS ProductCommercial Off The Shelf software that is available for business processing.Criminal Justice Information System (CJIS)Governs data collected and protected by the Federal Bureau of Investigations (FBI) but is accessible to local and state law enforcement organizations. Local and state organizations who have access to CJIS data must comply with the CJIS security requirements to protect it.DaaS - Data as a Servicea term used to describe cloud-based software tools used for working with data, such as managing data in a data warehouse or analyzing data with business intelligenceDashboardA graphical representation of the analyses performed by the algorithmsDataStatistics or facts about something that can be used in calculating, reasoning, or planning.Data accessThe act or method of viewing or retrieving stored data.Data ArchitectIndividual responsible for designing all structures of data within an organization.Data ArchitectureThe organizational and classification structure of data and metadata, and standardized terms and definitions for data that facilitate system interoperability.Data Asset ValuationA method for estimating the value of data assets by quantifying the impact on cash flows if the data assets needed to be replaced.Data ClassificationAn indicator and categorization for aiding in the proper management and security of data in use, transit, and at rest. Public/Open |This type of data is freely accessible to the public and can be freely used, reused, and redistributed without repercussions. Protected/Internal Only | This type of data is strictly accessible to internal Agency personnel or internal employees who are granted access. Confidential | Access to confidential data requires specific authorization and/or clearance. Types of confidential data might include Social Security numbers, cardholder data, etc. This data is usually protected by laws like HIPAA and the PCI DSS. Restricted | Data that, if compromised or accessed without authorization, which could lead to criminal charges and massive legal fines or cause irreparable damage to the company.Data CleansingData CustodianAn individual that is responsible for maintaining quality assurance, quality control, security and storage associated with the data as it relates to the standards set by the data owner.Data DictionaryA complete set of definitions for all tables and data fields in a data system.Data ElementA fundamental unit of information that has a unique meaning.Data FabricAn end-to-end data integration and management solution, consisting of architecture, data management and integration software, and shared data that helps organizations manage their data. A data fabric provides a unified, consistent user experience and access to data for any member of an organization worldwide and in real-time.Data FidelityA set of quality standards, defined at various levels, that specify what level of quality is deemed minimally required for a data set in aggregate, e.g., "99.5% of all zip codes in the Address table with be filled and correct at all times."Data GovernanceThe exercise of authority and control (planning, monitoring, and enforcement) over the management of data assets with the purpose of ensuring that data is managed properly, according to policies and best practices.Data Governance FrameworkA set of rules, processes, and specific duties as it relates to the compliance of the organization's data management expectationsData IntegrationThe process of bringing data together from different sources to provide unified or consolidated view.Data InteroperabilityThe ability of data to be utilized seamlessly across multiple systems.Data InventoryA catalog of data assets within an organization. It provides information related to the type of data collected, who can access it, where it is stored and how it is used.Data LakeA centralized repository that stores both structured and unstructured data.Data LakehouseA data architecture platform that combines the structured data management features of a data warehouse, with the flexible storage and optimized performance features of a data lake, supporting structured, semi-structured, and unstructured data.Data LineageA description of data as it relates to time. It includes information such as the origin of the data, where it has traveled, and the transformations it underwent.Data Literacyability to read, write and communicate data in context. It includes an understanding of data sources, analytical techniques, business applications, and value of dataData MaintenanceData maintenance is the process of auditing, organizing and correcting data in management systems and databases to ensure accuracy and accessibility.Data ManagementThe development, execution, and supervision of plans, policies, programs, and practices, that deliver, control, protect, and enhance the value of data and information assets throughout their lifecycle.Data MartA subset of a data warehouse that focuses on a specific set of data to be used by an entity within an organization.Data MaturityIdentification and improvement of the quality of data within Participating Organization’s systems.Data MeshA data platform architecture where an organization's data remains decentralized and managed by domain, but can be accessed, analyzed, queried, and operationalized through a interoperable layer with standards applied.Data migrationThe process of moving data between different storage types or formats, or between different computer systems.Data Mininga process of extracting and discovering patterns in large data setsData ModelData model refers to the logical inter-relationships and data flow between different data elements involved in the information system.Data OwnerAn individual or entity that is responsible for data within a specific domain. The Data Owner typically dictate and establish standards and goals associated with the data, and can authorize or deny access to the data and is responsible for its accuracy, integrity, and timeliness.Data PrivacyFocuses on the protection of personally identifiable information by government agencies.Data ProfilingThe process of examining, analyzing, reviewing and summarizing data sets to gain insight into the quality of data.Data QualityThe state of the data as it relates to accuracy, reliability, consistency, timeliness, validity, and uniqueness.Data SecurityProtecting digital data, such as those in a database, throughout its lifecycle from destructive forces and from the unwanted actions of unauthorized users, such as a cyberattack or data breach.Data SeriesA single measure, usually plotted over time, usually represented as a single column.Data StewardThe person with day-to-day management responsibility of individual databases, datasets, or information systems. In general, a data steward has business knowledge of the data and can answer questions about the data itself.Data TrustA scalable alternative to multiple “point-to-point” sharing agreements established through common rules for data security and data privacy.Data UserAn employee, contractor, or other individual affiliated with the State who is eligible and authorized to collect, access and/or use the data. A dataset may have more than one user group.Data VisualizationA visual abstraction of data designed for the purpose of deriving meaning or communicating information more effectively.Data WarehouseA collection of structured data that is populated and filtered from internal and external systems for a specific purpose.DatabaseAn electronic system that enables the storage, management, and querying of data.DatasetA collection of data organized or formatted in a specific or prescribed way. Typically, a dataset consists of one or more tables and is stored in a database or spreadsheet. Files of the following types are not datasets: text documents, emails, messages, videos, recordings, image files such as designs, diagrams, drawings, photographs, and scans, and hard-copy records.DeduplicationThe process of combining information from two or more data sets, identifying all entries that represent the same thing, and combining their information into a single result via a formalized set of rules that define which systems or values are more trusted than others.Demographic dataData relating to the characteristics of a human population.Descriptive AnalyticsThe process of using current and historical data to identify trends, relationships, and patterns to understand what has happened.Designated Approving Authority (AA)Encryptionthe method by which information is converted into secret code that hides the information's true meaningEnterprise Service Bus (ESB)A general-use toolset for the movement of data between different systems, event-driven or on-demand.European Union (EU) General Data Protection Regulation (GDPR)This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data. This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data. The free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.External dataData that exists outside of a system/organizationExtract, Load, Transform (ELT)A three-step process to, 1) Extract data from a source, 2) Load the data to the destination, and 3) perform transformation to meet the storage requirements and organizational needsExtract, Transform, Load (ETL)A three-step process to, 1) Extract data from a source, 2) Transform the data so that the format can be read by the destination, and 3) Load the data to the destination.Family Educational Rights and Privacy Act (FERPA)Governs the privacy of student education records and applies to all schools that receive funds under an applicable program of the U.S. Department of Education.Flat FileA set of data that is linear in nature, typically in the form of a unicode or ascii file. Flat files may be structured by the location of data in specific places in a line of text, or via delimiters such as commas or tabs.Geographic Information System (GIS)a computer system that analyzes and displays geographically referenced informationHealth Insurance Portability and Accountability Act (HIPAA)Governs health data created, received, stored, or transmitted by HIPAA covered entities and their business associates in relation to the provision of healthcare, healthcare operations and payment for healthcare servicesHigh Value DataAny data that the department head determines (A) is critical to the operation of an executive branch agency; (B) can increase executive branch agency accountability and responsiveness; (C) can improve public knowledge of the executive branch agency and its operations; (D) can further the core mission of the executive branch agency; (E) can create economic opportunity; (F) is frequently requested by the public; (G) responds to a need and demand as identified by the agency through public consultation; or (H) is used to satisfy any legislative or other reporting requirements.IRS-1075Governs Federal Tax Information (e.g., tax return information) received directly from the IRS or obtained through an authorized secondary source, such as Social Security Administration (SSA), Federal Office of Child Support Enforcement (OCSE), Bureau of the Fiscal Service (BFS), or Centers for Medicare and Medicaid Services (CMS), or another entity acting on behalf of the IRS pursuant to an IRC 6103(p)(2)(B) Agreement.Machine Learning (ML)the artificial intelligence (AI) discipline that provides systems the ability to automatically learn and improve from experience without being explicitly programmedMajor Application?referenced above in application however not definedMetadataData about data. Contains information about the dataset, such as name, publication date, attribution URL, update schedule, and contact information.Open DataOpen Data is any data collected by the state which can be provided to the public. According to the Open Data Act, Open Data is data that - consistent with any applicable laws, rules, regulations, ordinances, resolutions, policies, or other restrictions including requirements or rights associated with the data - has been collected and is permitted, required, or able to make available to the public. Open data includes contractual or other legal orders, restrictions, or requirements. Open data does not include data that if made public would: ● violate another law or regulation that prohibits the data from being made public; ● endanger the public health, safety, or welfare; ● hinder the operation of government, including criminal and civil investigations; ● impose an undue financial, operational, or administrative burden on a state entity; or ● disclose proprietary or confidential information.Open Data PortalOpen Data Portal and Portal refer exclusively to Maryland’s statewide Open Data Portal, http://opendata.maryland.gov. More broadly, the Open Data Portal is a product (Software as a Service, or SaaS), provided by the site’s vendor, Socrata. In other contexts “Portal” can be a shorthand for MD iMAP, http://imap.maryland.gov, Maryland’s mapping Portal.Participating OrganizationsAll departments, boards, commissions, agencies, or subunits in the Executive Branch of State Government.Payment Card Industry Data Security Standard (PCI DSS)Governs personal data associated to an individual (cardholder) that uses credit, debit and/or cash cards for monetary transactions. Any state organization that collects and/or processes credit card information must abide by PCI-DSS.Personally Identifiable Information (PII)Any data about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.PoliciesFormal statements that help meet an organizational objective that are supported by leadership. This answers the question “Why are we doing this?”Predictive AnalyticsThe process of using current and historical data to identify the likelihood of future outcomes, trends, and performance.Prescriptive AnalyticsThe process of using current and historical data to identify options for responding to likhow the likelihood of future outcomes, trends, and performance.Privacy Impact Assessment (PIA)An analysis of how data is collected, used, shared, and maintained within an organization to reduce risks related to processing personal data.ProceduresDetailed processes, approaches, and methods to meet the Policies and Standards. This answers the question “How are we doing this?”Protected Data (Classification)Any data the public disclosure of which would (A) violate federal or state laws or regulations; (B) endanger the public health, safety or welfare; (C) hinder the operation of the federal, state or municipal government, including criminal and civil investigations; or (D) impose an undue financial, operational or administrative burden on the executive branch agency. "Protected data" includes any records not required to be disclosed pursuant to subsection (b) of section 1-210 of the general statutes.Protected Health Information (PHI)PHI includes health records, health histories, lab test results, Health plan beneficiary numbers, medical record numbers, and medical bills, etc. Essentially, all health information is considered PHI when it includes individual identifiers. Demographic information is also considered PHI under HIPAA Rules, as are many common identifiers such as patient names.Protection of Information by Government Agencies (MD PIGA)MD State Govt Code § 10-1301. PII is information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information, to a specific individual. Examples of PII are name, social security number (SSN), address, phone number, email address, biometric data (e.g., fingerprints)Public Data (Classification)Any data collected by an executive branch agency that is permitted to be made available to the public, consistent with any and all applicable laws, rules, regulations, ordinances, resolutions, policies or other restrictions, requirements or rights associated with the data, including, but not limited to, contractual or other legal restrictions, orders or requirements.Public InformationInformation that is a public record under the Maryland Public Information Act (ref. State of Maryland Information Technology Security Manual v1.2).Publicly Accessible SystemSystems such as Web and FTP applications that are exposed to the Internet and therefore, more vulnerable.Real-time dataData that is created, processed, stored, analyzed and visualized within millisecondsRecordFor data measured over time, the number of records is equal to the number of observations (e.g., the number of months with data available). The number of records is the sample size (N). A record is represented as a single row.Redactcensor or obscure (part of a text) for legal or security purposesRemote AccessAny access to DoIT ’s managed network through a non-DoIT managed network, device, or medium (ref. State of Maryland Information Technology Security Manual v1.2).Restricted Data (Classification)Data that, if compromised or accessed without authorization, which could lead to criminal charges and massive legal fines or cause irreparable damage to the state.SanitizationRefers to the general process of removing data from storage media, such that there is reasonable assurance that the data may not be easily retrieved and reconstructed (ref. State of Maryland Information Technology Security Manual v1.2).Secure Shell (SSH)Secure Shell is a network protocol that allows data to be exchanged using a secure channel between two computers (ref. State of Maryland Information Technology Security Manual v1.2).SecuritySemi-structured DataData that is structured but does not conform to a tabular structure such as those found in relational databases.SensitiveInformation that, if divulged, could compromise or endanger the citizens or assets of the State.Service Set Identifier (SSID)Service Set Identifier is a name used to identify the particular 802.11 wireless LAN to which a client wants to attach (ref. State of Maryland Information Technology Security Manual v1.2).Simple Network Management Protocol (SNMP)Simple Network Management Protocol is used in network management systems to monitor network attached devices for conditions that warrant administrative attention.Social MediaOnline technologies and practices that people use to share opinions, insights, experiences, and perspectives with each other (ref. State of Maryland Information Technology Security Manual v1.2).Software as a Service (SaaS)software licensing and delivery model in which software is licensed on a subscription basis and is centrally hostedStandardsFormal, actionable rules that direct, help enforce, and support policies. This answers the question “What are the requirements to do this?”State Chief Data OfficerIndividual appointed by the Governor to supervise and direct the use and management of data by units of State government under the supervision and direction of the Governor (“State Units”) (ref. Executive Order "01.01.2021.09 State Chief Data Officer").State Chief Information Security OfficerIndividual appointed by the Governor responsible for the direction, coordination, and implementation of the statewide cybersecurity strategy and policy for the Executive Branch of State Government.State Chief Privacy OfficerIndividual appointed by the Governor to supervise and direct efforts of State units to protect and secure personally identifiable information; develop and manage the implementation of State information privacy policies; establish privacy requirements to be incorporated into agreements to share data; and oversee the conduct of privacy impact assessments (ref. Executive Order "01.01.2021.10 Data Privacy").Structured DataData that adheres to a predefined schema. It is typically stored in relational databases and can be easily queried.Transactional dataData that changes unpredictably. Examples include accounts payable and receivable dataUnstructured DataData that does not conform to a predefined schema that includes many irregularities that make it difficult to understand without further normalization. It is typically stored in data lakes and consists of items such as images, videos, and audio files.Untrusted EntityAn entity that can or may be potentially harmful to a system (ref. State of Maryland Information Technology Security Manual v1.2).Wi-Fi CertifiedWi-Fi CERTIFIED is a program for testing products to the 802.11 industry standards for interoperability, security, easy installation, and reliability (ref. State of Maryland Information Technology Security Manual v1.2).