NIH Office of Management Assessment

Glossary

Access: The ability to make use of any information system (IS) resource. (Defined in NIST SP 800-32, Section 9).

Access Control: Enables authorized use of a resource while preventing unauthorized use or use in an unauthorized manner. (Defined in NIST SP 800-27, Appendix B).

Accreditation: The official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operation (including mission, function, image, or reputation), agency assets, or individuals based on the implementation of an agreed-upon set of security controls. (Defined in NIST SP 800-37, Appendix B).

Administrative Controls: Safeguards to ensure proper management and control of information and information systems. These safeguards include policy, the completion of Privacy Impact Assessments (PIAs), certification and accreditation programs, etc. (Defined in NIST SP 800-12).

Agency: Any executive department, military department, Government corporation, Government controlled corporation, or other establishment in the executive branch of the Government (including the Executive Office of the President), or any independent regulatory agency. (Defined in the Freedom of Information Act (FOIA) Public Law No. 104-231).

Alien: Any person not a citizen or national of the United States. (Defined by U.S. Citizenship and Immigration Services).

Awareness, Training, and Education: Includes (1) awareness programs that set the stage for training by changing organizational attitudes towards realization of the importance of security and the adverse consequences of its failure; (2) training, which teaches people the skills that will enable them to perform their jobs more effectively; and (3) education, which is more in-depth than training and is targeted at security professionals and those whose jobs require expertise in IT security. (Defined in NIST SP 800-26, Appendix C).

Breach: The loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar term referring to situations where persons other than authorized users and for an other than authorized purpose have access or potential access to personally identifiable information, whether physical or electronic. (Defined in OMB Memorandum M-07-16, "Safeguarding Against and Responding to the Breach of Personally Identifiable Information").

Certificates of Confidentiality: Section 301(d) of the Public Health Service Act, 42 U.S.C. 241(d), provides that the Secretary of HHS may authorize persons engaged in biomedical, behavioral, clinical, or other research (including research on mental health or the use of drugs or alcohol) to protect the privacy of research subjects by withholding from persons not connected with the research the names or other identifying characteristics of such individuals, including from compelled legal disclosure processes such as subpoenas for documents or testimony or court orders. Confidentiality certificates do not protect information from voluntary disclosure or when release is requested by the subject individual. Certificates of Confidentiality are issued by the National Institutes of Health.

Certification: A comprehensive assessment of the management, operational and technical security controls in an information system made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operated as intended, and producing the desired outcome with respect to meeting the security requirements for the system. (Defined in NIST SP 800-37, Appendix B).

Child and Children: Unless the context otherwise provides, it means individuals under the age of 18. (Defined in Manual 2805, "NIH Web Page Privacy Policy").

Children’s Online Privacy Protection Act (COPPA) of 1998: Applies to private sector websites that collect personal information online from children under the age of 13. OMB Memorandum M-00-13, Privacy Policies and Data Collection on Federal Web Sites extended the provisions of COPPA to federal websites. COPPA identifies the content that a website operator must include in a privacy policy, outlines when and how to seek verifiable consent from a parent, and specifies the responsibilities an operator has for protecting children’s privacy and safety online. (Defined in Secure One HHS Information Security Program Privacy Impact Assessment (PIA) Guide).

Clinger-Cohen Act of 1996: Includes both the Information Technology Management Reform Act and the Federal Acquisition Reform Act and is intended to improve the productivity, efficiency, and effectiveness of federal programs through the improved acquisition, use, and disposal of IT resources. Among other effects, it makes agencies responsible for IT resource acquisition and management, under the guidance of the Chief Information Officer (CIO), and emphasizes that value must be maximized and risk must be minimized in capital planning and budget processes. In effect, the Clinger-Cohen Act places the burden of incorporating privacy controls into IT investments at the agency and CIO levels. (Defined in Secure One HHS Information Security Program Privacy Impact Assessment (PIA) Guide).

Computer Security Incident: An event that may result in, or has resulted in, the unauthorized access to, or disclosure of, sensitive or classified information; unauthorized modification or destruction of systems data; reduced, interrupted, or terminated processing capability; malicious logic or virus activity; or the loss, theft, damage, or destruction of any IT resource. Examples of incidents include: unauthorized use of another user account, unauthorized scans or probes, successful and unsuccessful intrusions, unauthorized use of system privileges, and execution of malicious code (e.g., viruses, Trojan horses, or back doors). Events such as natural disasters and power-related disruptions are not generally within the scope of Incident Response Teams (IRTs) and should be addressed in an agency business continuity and contingency plan. (Defined in HHS Incident Response Management (IRM) Policy for Establishing an Incident Response Capability).

Computer Matching and Privacy Protection Act of 1988: Added several new provisions to the Privacy Act of 1974. "Computer matching" occurs when federal and/or state agencies share information in identifiable form (IIF). Agencies use computer matching to conduct many government functions, including establishing or verifying eligibility for federal benefit programs, or identifying payments/debts owed to government agencies. The Act requires agencies engaged in computer matching activities to:

  • Provide notice to individuals if their IIF is being computer matched;
  • Allow individuals the opportunity to refute adverse information before having a benefit denied or terminated; and
  • Establish data integrity boards to oversee computer-matching activities.

(Defined in Secure One HHS Information Security Program Privacy Impact Assessment (PIA) Guide).

Computer Security Act of 1987: Provides a computer standards program within the National Institute of Standards and Technology to provide for Government-wide computer security, and to provide for the training in security matters of persons who are involved in the management, operation, and use of Federal computer systems, and for other purposes.

Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. (Defined in 44 U.S.C., Section 3542).

Cookies: A text file, saved in a browser’s directory or folder, which is stored in the computer’s memory while the browser is running. The cookie usually goes unnoticed by the user and expires at some point. Using the cookie, the site can collect user preferences. The server generates a cookie, and then the cookie is sent to the user’s computer. The browser records the cookie onto a "cookie list." The cookie was developed as a timesaving device to prevent the user from having to manually dispense personal information upon each site visit. It was also developed to allow users to customize their Web service, or to allow Web site creators to gauge the effectiveness of their sites.

Basically there are two types of cookies used on Web pages:

  • "Persistent cookies": Collect and maintain information for later use. They can track the activities of users over time and across different Web sites. These are capable of capturing personal information that can be retrieved by individual identifiers (e.g., name, SSN, etc.) and may therefore be covered by the Privacy Act. Use of persistent cookies requires pre-approval in accordance with Section 5 below.
  • "Session cookies": Collect information and use it for a single session. These generally would not save information for later retrieval and would not be covered by the Privacy Act.

(Defined in NIH Manual 2805, "NIH Web Page Privacy Policy").

Data: Programs, files or other information stored in, or processed by, a computer system. (Defined in HHS IRM Information Security Program Policy).

Data Integrity: Assurance of reliability and accuracy of information. The property that data has not been altered in an unauthorized manner. Data integrity covers data in storage, during processing, and while in transit. (Defined in NIST SP 800-27, Appendix B).

Data (Business) Owner: The authority, individual, or organization that has original responsibility for the data by statute, executive order, or directive. (Defined in the HHS Information Security Program Policy).

Database: A set of related files that is created and managed by a database management system. (Defined in HHS Information Security Program Policy).

Disclaimer: A Web site statement that states that NIH is not responsible for the information or material included on (1) the NIH Web site that was derived from other non-NIH sources and (2) external Web pages. A disclaimer is also used to avoid giving a user the impression that NIH is endorsing information, or a commercial product described on an NIH page or at an external site linked to an NIH page. Disclaimers on copyright, endorsement (general and external links), liability, and medical information may be used, as appropriate, for individual IC Web sites. See Appendix for sample disclaimers. In determining appropriate statements, careful consideration should be given to the nature of the specific site and its potential liability. (Defined in NIH Manual 2805, "NIH Web Page Privacy Policy").

E-Government Act of 2002: Title II of the E-Government Act of 2002 requires federal agencies to conduct PIAs before developing or procuring IT systems that collect, maintain, or disseminate IIF. Once completed, the agency’s Chief Information Officer (CIO), or an equivalent official, must review the Privacy Impact Assessments (PIAs). Additional requirements include making PIAs publicly accessible and posting a machine-readable privacy notice on publicly facing websites. (Defined in HHS Information Security Program Privacy Impact Assessment (PIA) Guide).

Excepted: Records compiled in reasonable anticipation of a civil action or proceeding for which access under the Privacy Act is not granted. (Defined in the Privacy Act of 1974, 5 U.S.C. Section 552a(d)(5)).

Exempted: Systems of records for which general and specific exemptions can be claimed to prevent release under some requirements of the Privacy Act. (Defined in the Privacy Act of 1974, 5 U.S.C. Section 552a(j)(k)).

Exit Page: An intermediary page the user sees before proceeding to external Web pages not located on NIH servers, and which notifies the user that they are leaving NIH-managed Web pages. (Defined in NIH Manual 2805, "Web Page Privacy Policy").

Fair Information Practices: A general term for a set of standards that govern the collection, maintenance, use, and dissemination of personal information by Federal agencies and addresses issues of privacy.

Federal Information Security Management Act (FISMA) of 2002 (Title III of E-Gov): Provides a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support federal operations and assets. This act defines terms such as information security and information technology and the responsibilities of federal agencies regarding information security. This act also outlines the requirements for annual independent evaluations, which evaluate the effectiveness of an agency’s security program and practice. (Defined in HHS Information Security Program Privacy Policy).

Freedom of Information Act (FOIA) of 1966: Requires all agencies of the executive branch to disclose federal agency records or information upon receiving a written request from any individual, except for those records (or portions of them) that are protected from disclosure by certain exemptions and exclusions. (Defined in HHS Information Security Program Privacy Impact Assessment (PIA) Guide).

General Support System: An interconnected set of information resources under the same direct management control, which shares common functionality. A GSS normally includes hardware, software, information, data, applications, communications, and people. A GSS can be, for example, a local area network (LAN), including smart terminals that support a branch office, an agency-wide backbone, a communications network, a departmental data processing center and its operating system and utilities, a tactical radio network, or a shared information processing service organization (IPSO). (Defined in Office of Management and Budget (OMB) Circular A-130, (A)(2)(c)).

Health Insurance Portability and Accountability Act (HIPAA) of 1996: Affects the health insurance industry and contains provisions under the heading of "Administrative Simplification" that govern how government and private senior health care institutions handle protected health information (PHI), a subset of "individually identifiable health information." Pursuant to these provisions, regulations published in 2000 established standards for providing notice on how to use and disclose health information collected from users under a covered entity’s services. These regulations also grant certain rights to individuals, including the right to see one’s health records and to request corrections or other amendments to those records. These regulations apply to both written and oral PHI. (Defined in HHS Information Security Program Privacy Impact Assessment (PIA) Guide).

HHS Breach Response Team: Reviews and evaluates initial breach information that has been reported by an OPDIV. Upon receiving the initial notification, the HHS BRT evaluates the suspected or confirmed breach and conducts an initial breach assessment to determine whether the breach response should be led at the OPDIV level or if HHS BRT leadership is required to adequately manage the risk of the suspected or confirmed breach. The HHS BRT also evaluates an OPDIV’s risk assessment and response plan for addressing a breach. The HHS BRT may provide further guidance to the OPDIV and re-evaluate whether the HHS BRT should lead response activities. (Defined in Secure One HHS "Personally Identifiable Information Breach Response Team Standard Operating Procedures").

Homeland Security Presidential Directive 12 (HSPD-12): Requires the establishment of common and achievable standards for Personal Identity Verification (PIV) of Federal employees and contractors.

Incident: A violation or imminent threat of violation of computer security policies, acceptable use policies, or standard computer security. (Defined in NIST SP 800-61, Appendix D).

Individual: An American citizen or an alien lawfully admitted for permanent residence. (Defined in the Privacy Act of 1974, 5 U.S.C. § 552a).

Information: Any communication or representation of knowledge such as facts, data, or opinions in any medium or form; including textual, numerical, graphic, cartographic, narrative, or audiovisual forms. (Defined in OMB Circular A-130, 6(a)).

Information in Identifiable Form (IIF): Any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means. (Defined in the E-Government Act of 2002, Public Law 107-347, Title II, Section 208(d)).

Information in an information system or online collection:

  • That directly identifies an individual (e.g., name, address, social security number or other identifying number or code, telephone number, email address, etc.); or
  • By which an agency intends to identify specific individuals in conjunction with other data elements, i.e., indirect identification. (These data elements may include a combination of gender, race, birth date, geographic identifier, and other descriptors).

(Defined in OMB Memorandum M-03-22, "Guidance for Implementing Privacy Provisions of the E-Government Act of 2002").

Note: The acronyms IIF and PII are often used interchangeably.

Information Technology: Any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by an executive agency. Equipment is considered used by an executive agency if used directly or is used by a contractor under a contract with the executive agency, which: (i) requires the use of such equipment, or (ii) requires the use, to a significant extent, of such equipment in the performance of a service or the furnishing of a product. The term information technology includes computers, ancillary equipment, software, firmware and similar procedures, services (including support services), and related resources. (Defined in 40 U.S.C., SEC 1401).

Integrity: Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity. (Defined in 44 U.S.C., SEC 3542).

Kid’s Pages: NIH Web sites directed to children under the age of 13. (Defined in NIH Manual 2805, "NIH Web Page Privacy Policy").

Machine-Readable Privacy Policy (P3P): Agencies must adopt machine readable technology that alerts users automatically about whether site privacy practices match their personal privacy preferences. Such technology enables users to make an informed choice about whether to conduct business with that site. (Defined in OMB Memorandum M-03-22 (4)(a)).

Maintain: To maintain, collect, use or disseminate. (Defined in the Privacy Act of 1974, 5 U.S.C. § 552a).

Major Application: An application that requires special attention to security because of the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to, or modification of, the information in the application. A breach in a major application might comprise many individual application programs and hardware, software, and telecommunication components. MAs can be either a major software application or a combination of hardware and software in which the only purpose of the system is to support a specific mission-related function. (Defined in NIST Special Publication 800-18).

Note: All federal applications require some level of protection. Certain applications, because of the information in them, however, require special management oversight and should be treated as a "Major Application." Adequate security for other applications should be provided by security of the systems in which they operate. (Defined in OMB Circular A-130, (A)(2)(d)).

Major Change: Any change that is made to the system environment or operation of the system. According to OMB Memorandum M-03-22, Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002, PIAs should be conducted following any major changes, including, but not limited to:

  • Conversions: A conversion from paper-based methods to electronic systems;
  • Anonymous to Non-Anonymous: When the system’s function, as applied to an existing information collection, changes anonymous information into IIF;
  • Significant System Management Changes: In the case that new uses of an existing IT system, including application of new technologies, significantly change the process of managing IIF in the system;
  • Significant Merging: When agencies adopt or alter business processes so that government databases holding IIF are merged, centralized, matched with other databases, or otherwise significantly manipulated;
  • New Public Access: When user-authenticating technology (e.g., password, digital certificate, biometric) is newly applied to an electronic information system, which can be accessed by the public;
  • Commercial Sources: When IIF is obtained from commercial or public sources and is systematically integrated into the existing information systems databases;
  • New Interagency Uses: When agencies work together on shared functions involving significant new uses or exchanges of IIF;
  • Internal Flow or Collection: When alteration of a business process results in significant new uses or disclosures of information or incorporation into the system of additional IIF; and
  • Alteration in Character of Data: When new IIF added to a collection raises the risk to personal privacy, such as the addition of health or privacy information.

(Defined in Secure One HHS Information Security Program Privacy Impact Assessment (PIA) Guide).

Need to Know: The necessity for access to or knowledge of or possession of specific information required to carry out official duties.

Non-Exempt System: A Privacy Act system of record for which no exemption is claimed for the system. It typically means the record in the system is releasable to the subject of the file. Naturally, there are some exceptions to the rule.

Nonresident Alien: An individual who is not a citizen or national of the United States and who is in this country on a visa or temporary basis and does not have the right to remain indefinitely.

Paperwork Reduction Act (PRA) of 1995: Focuses on increasing the efficiency of the federal government’s information collection practices. The PRA specifies that Chief Information Officers (CIOs) shall improve protection for the privacy and security of information under their agency’s control. The PRA also created the Office of Information and Regulatory Affairs (OIRA) within OMB to provide central oversight of information management activities across the federal government. Furthermore, the PRA requires agencies to receive an OMB information collection approval number (also known as an "OMB control number") for an information system, prior to using that system to collect information from any person. (Defined in Secure One HHS Information Security Program Privacy Impact Assessment (PIA) Guide).

Personal Digital Assistant: A multi-purpose, handheld device that serves as a personal computer. Personal digital assistants have the capability to access the worldwide web (internet, intranet, or extranets) and can store large amounts of information (e.g., text files, contact information, emails, spreadsheets, music, survey responses). Such devices often employ phone technologies as well.

Personal Identifier: Any piece of information specific to a person, such as name, date of birth, medical records, social security number, photographic identifiers, etc., used on an IT system to identify a person. (Defined in NIH Manual 2805, "Web Page Privacy Policy").

Personal Identity Verification (PIV) Card: A government-issued identification card used to authenticate individuals for physical access to Federally-controlled facilities and logical access to Federally-controlled information systems. The card contains a microchip, the holder's facial image, and other identifying information and security features. The microchip will store a user's access (Public Key Infrastructure (PKI)) certificate, the card holder's unique identifier, and fingerprint biometric.

Personally Identifiable Information (PII): Any information about an individual maintained by an agency, including, but not limited to, education, financial transactions, medical history, and criminal or employment history and information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, date and place of birth, mother’s maiden name, biometric records, etc., including any other personal information which is linked or linkable to an individual. (Defined in OMB Memorandum M-06-19, "Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments").

Note: The acronyms PII and IIF are often used interchangeably.

Physical Security Controls: Measures taken to protect systems, buildings, and related supporting infrastructure against threats associated with their physical environment. These safeguards might include protections against fire, structural collapse, plumbing leaks, physical access controls, and controls against the intercept of data. (Defined in NIST SP 800-12).

Plan of Action and Milestones (POA&M): A POA&M is a management process that outlines weaknesses and delineates the tasks necessary to mitigate them. The HHS Information Security Program POA&M process is used to facilitate the remediation of information security program- and system-level weaknesses, and provides a means for:

  • Planning and monitoring corrective actions;
  • Defining roles and responsibilities for weakness resolution;
  • Assisting in identifying the security funding requirements necessary to mitigate weaknesses;
  • Tracking and prioritizing resources; and
  • Informing decision makers.

(Defined in the HHS POA&M Guide).

Privacy: Freedom from unauthorized and unwarranted intrusion. Under the Privacy Act, it is a set of fair information practices to ensure that an individual’s personal information is accurate, secure, and current, and that individuals know about the uses of their data.

The Privacy Act of 1974, as amended: Protects the privacy of individuals by establishing "Fair Information Practices" for the collection, maintenance, use, and dissemination of information by federal agencies. The Privacy Act, along with its accompanying case law, is the most significant milestone in the history of the protection of the privacy of personal information held by the federal government. Many subsequent laws, regulations, and guidance build upon the principles first articulated in the Privacy Act. (Defined in HHS Information Security Program Privacy Impact Assessment (PIA) Guide).

Privacy Act Information: Any type of IIF/PII collected and maintained on an individual that is in a records system designated to be retrieved by the individual's name or some unique identifier assigned to the individual.

Privacy Act Record: Any item, collection, or group of information about an individual that is maintained by an agency, including, but not limited to, his education, financial transactions, medical history, and criminal or employment history and that contains his name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a finger or voice print or a photograph. (Defined in the Privacy Act of 1974, 5 U.S.C. § 552a).

Privacy Act System of Records Notice (SORN): All systems with Privacy Act information contained within them are required to publish a "Records Notice" in the Federal Register that informs the public what information is contained in the system, how it is issued, how individuals may gain access to information about themselves, and other specific aspects of the system. (Defined in Secure One HHS Information Security Program Privacy Impact Assessment (PIA) Guide).

Privacy Impact Assessment (PIA): A methodology that provides information technology (IT) security professionals with a process for assessing whether appropriate privacy policies, procedures, and business practices—as well as applicable administrative, technical and physical security controls—have been implemented to ensure compliance with federal privacy regulations. (Defined in Secure One HHS Information Security Program Privacy Impact Assessment (PIA) Guide).

Record: Any item, collection, or grouping of information about individuals that is maintained by an agency, including, but not limited to, their education, financial transactions, and/or medical, criminal, or employment history and that contains their name; or it contains the identifying number, symbol, or other identifying information assigned to the individual, such as a finger or voice print or a photograph. (Defined in the Privacy Act of 1974, 5 U.S.C., Section 552a(a)(4), as amended).

Risk: The net mission impact considering (1) the probability that a particular threat-source will exercise (accidentally trigger or intentionally exploit) a particular information system vulnerability and (2) the resulting impact if this should occur. IT-related risks arise from legal liability or mission loss due to:

  • Unauthorized (malicious or accidental) disclosure, modification, or destruction of information;
  • Unintentional errors and omissions;
  • IT disruptions due to natural or man-made disasters;
  • Failure to exercise due care and diligence in the implementation and operation of the information system.

(Defined in NIST SP 800-30, Appendix E).

Risk Assessment: The process of identifying risks to agency operations (including mission, functions, image, or reputation), agency assets, or individuals by determining the probability of occurrence, the resulting impact, and additional security controls that would mitigate this impact. Part of risk management, synonymous with risk analysis, and incorporates threat and vulnerability analyses. (Defined in NIST SP 800-30, Appendix E).

Risk Management: The process of managing risks to agency operations (including mission, functions, image, or reputation), agency assets, or individuals resulting from the operation of an information system. It includes risk assessment; cost-benefit analysis; the selection, implementation, and assessment of security controls; and the formal approval to operate the system. The process considers effectiveness, efficiency, and constraints due to laws, directives, policies, or regulations. (Defined in NIST SP 800-30, Rev A).

Routine Use: Under the Privacy Act, regarding the disclosure of a record, the use of such record for a purpose that is compatible with the purpose for which it was collected. (Defined in the Privacy Act of 1974, 5 U.S.C., Section 552a(a)(7), as amended).

Security: The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability. (Defined in 44 U.S.C., Section 3542).

Senior Agency Official for Privacy: An individual selected by the Department to have agency-wide oversight in implementing and ensuring compliance with privacy legislation. (Defined in OMB Memorandum M-05-08, "Designation of Senior Agency Officials for Privacy").

Sensitive Information: Information is considered sensitive if the loss of confidentiality, integrity, or availability could be expected to have a serious, severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. Further, the loss of sensitive information confidentiality, integrity, or availability might: (i) cause a significant or severe degradation in mission capability to an extent and duration that the organization is unable to perform its primary functions; (ii) result in significant or major damage to organizational assets; (iii) result in significant or major financial loss; or (iv) result in significant, severe or catastrophic harm to individuals that may involve loss of life or serious life threatening injuries. (Defined in HHS Memorandum ISP-2007-005, "Departmental Standard for the Definition of Sensitive Information").

Standard: Refers to the commonality characterized by all HSPD-12 cards, meaning that every card will be equipped with the same set of security features to validate an individual's identity.

Standardized Machine-Readable Format: Format that enables users to make an informed choice about whether to conduct business with the site.

Substance Abuse Records: Section 543 of the Public Health Service Act, 42 U.S.C. 290dd-2 provides that records of the identity, diagnosis, prognosis or treatment of any patient maintained in connection with a substance abuse education, treatment, prevention, rehabilitation, training or research program are protected and may only be disclosed under limited circumstances, e.g., to medical personnel with a bona fide need, qualified personnel with a research or management need, or if authorized by a court order upon the showing of substantial risk of death or bodily injury. The statute specifically precludes use of the records to initiate or substantiate a criminal charge or to conduct an investigation.

System: A collection of computing and/or communications components and other resources that support one or more functional objectives of an organization. IT system resources include any IT component plus associated manual procedures and physical facilities that are used in the acquisition, storage, manipulation, display, and/or movement of data or to direct or monitor operating procedures. An IT system may consist of one or more computers and their related resources of any size. The resources that comprise a system do not have to be physically connected. (Defined in NIST SP 800-16, Appendix C).

An organized assembly of IT resources and procedures integrated and regulated by interaction or interdependence to accomplish a set of specified functions. (Defined in Secure One HHS Information Security Program Privacy Impact Assessment (PIA) Guide).

System Development Life Cycle (SDLC): A software development process that is used by a systems analyst to develop and maintain an information system. This process includes five system phases: Initiation, acquisition/development, implementation/assessment, operation/maintenance, and disposition. (Defined in NIST SP 800-34, Appendix E).

System of Records (SOR): A group of any records under the control of any agency where information is retrieved by the name of the individual, by some identifying number or symbol, or other identifiers assigned to the individual. The key to this definition is that the records must be "retrieved by", not "retrievable by" an individual’s name and/or personal identifier. (Defined in the Secure One HHS Information Assurance and Privacy: Privacy Impact Assessment (PIA) Guide).

Systems of Records Notice (SORN): A publication in the Federal Register of the record system that covers a particular information collection. SORNs can be internal, such as those which cover NIH records. Central agency SOR notices are those that belong to OPM. Government-wide SOR notices are those that belong to the EEOC, FEMA, GSA, DOL, OGE, etc. and which are also referred to as "umbrella" systems of record notices. Note: Before data can be collected, a SORN must be published and maintained in the Federal Register for 40 days.

All systems with Privacy Act information contained within them are required to publish a "Records Notice" in the Federal Register that informs the public what information is contained in the system, how it is used, how individuals may gain access to information about themselves, and other specific aspects of the system. (Defined in the Secure One HHS Information Assurance and Privacy: Privacy Impact Assessment (PIA) Guide).

Technical Controls: The security controls (i.e., safeguards and countermeasures) applied to an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, or firmware components of the system. Technical safeguards include mandatory passwords, encryption, and 30-minute time out protection, as well as firewalls, cryptography, etc. (Defined in NIST SP 800-53, Appendix B).

Threat: Any circumstance or event with the potential to adversely impact agency operations (including mission, functions, image, or reputation), agency assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service. (Defined in NIST SP 800-53, Appendix B).

Umbrella System: Agency Privacy Act systems of records that can be used by all or many agencies. Examples include: personnel, finance, time and attendance, pay, badge and I.D., and general correspondence file record systems, etc.

Unauthorized Disclosure: Exposure of information to individuals not authorized to receive it.

United States Computer Emergency Response Team (US-CERT): A partnership between the Department of Homeland Security and the public and private sectors. Established in 2003 to protect the nation's Internet infrastructure, US-CERT coordinates defense against and responses to cyber attacks across the nation.

Verifiable Parental Consent: Consent from the child’s parent or legal guardian, verified by reasonable efforts of Kids’ Pages IC Program/Content Manager in coordination with the IC Web Site Operation Staff (taking into consideration available technology), shall be obtained before collecting, using, or disclosing personal information from or about a child. Verifiable Parental Consent is used to ensure that before personal information is collected from a child, a parent or guardian of the child receives notice of the operator’s information practices and consents to those practices. (Defined in NIH Manual Chapter 2805).

Vulnerability: A flaw or weakness in the design or implementation of an information system (including the security procedures and security controls associated with the system) that could be intentionally or unintentionally exploited to adversely affect an organization’s operations or assets through a loss of confidentiality, integrity, or availability. (Defined in NIST SP 800-53, Appendix B).

Website: A collection of interlinked Web pages (on either Internet or intranet sites) with a related topic, usually under a single domain name, which includes an intended starting file called a "home page." From the home page, access is gained to all the other pages on the website.


Last updated on:
December 9, 2008