The ability to use, modify, or affect an IT system or to gain entry to a physical area or location.
A computer program or set of programs that meet a defined set of business needs. A program or group of programs designed for end users. These programs are divided into two classes: system software and application software. While system software consists of low-level programs that interact with computers at a basic level, application software resides above system software and includes applications such as database programs, word processors and spreadsheets. Application software may be grouped along with system software or published alone. For the purposes of integration, applications consume an integration service such as a web service or API.
An interconnected set of IT resources under the same direct management control that meets a defined set of business needs.
An attempt to bypass security controls on an IT system in order to compromise the data.
The process of ensuring the identity of a connected user or participants exchanging electronic data.
An application or system which has a direct impact on the delivery of services to department/agency employees, clients or consumers.
The activities performed by the agency to ensure critical functions are available to entities needing access to those functions. Business continuity is related to restoring normal day-to-day functions in the event of service disruptions. Business continuity planning is different from disaster recovery planning.
The effort to ensure that mission-essential functions continue to be performed during a wide range of emergencies which could be localized or widespread.
All public-facing content, including websites, applications, documents and media, blog posts, and social media content. Certain non-public-facing content must also comply. Examples include all electronic content used for official business to communicate: emergency notifications, initial or final decisions adjudicating administrative claims or proceedings, internal or external program or policy announcements, notices of benefits, program eligibility, employment opportunities or personnel actions, formal acknowledgements or receipts, questionnaires or surveys, templates or forms, educational or training materials, and web-based intranets.
A known system defect or enhancement request that, if left unresolved, could significantly impact business operations, compliance with statute or policy, or the integrity of the system or data, or otherwise create a public health, safety or other significant risk.
Data Centers are facilities that house and protect critical IT equipment supporting delivery of government services including the space, power, environment controls, racks, cabling and external labor.
We distinguish between Agency Data Centers, and the State Data Centers because by statute we are directed to migrate TO the State Data Center and away from Agency Data Centers.
State Data Centers include:
NOTE: This definition is used in the TBM program and also resides in Standard 113.30: TBM Taxonomy.
The latest date a manufacturer will provide security patches. Some manufacturers have an end of mainstream support date and an extended end-of support date. In these cases, after the end of mainstream support, no additional software feature/function enhancements or fixes are issued but security patches are until the end of extended support. The recommended best practice is to migrate before end of mainstream support.
Enterprise Architecture is an established process for describing the current state and defining the target state and transition strategy for an organization's people, processes, and technology.
RCW 43.105.20 (5): "Enterprise architecture" means an ongoing activity for translating business vision and strategy into effective enterprise change. It is a continuous activity. Enterprise architecture creates, communicates, and improves the key principles and models that describe the enterprise's future state and enable its evolution.
Physical protection against damage from fire, flood, wind, earthquake, explosion, civil unrest and other forms of natural and man-made risk.
Network-level access originating from outside the network. Examples include SSL, IPSec, “terminal service” or Citrix-like connections.
A combination of hardware and software designed to control the types of network connections allowed to a system or combination of systems, or that enforces a boundary between two or more networks.
Per RCW 43.105.020, "Information technology" includes, but is not limited to, all electronic technology systems and services, automated information handling, system design and analysis, conversion of data, computer programming, information storage and retrieval, telecommunications, requisite system controls, simulation, electronic commerce, radio technologies, and all related interactions between people and machines.
The processes, procedures, systems, IT infrastructure, data, and communication capabilities that allow each agency to manage, store, and share information in pursuit of its business mission, including but not limited to:
IT infrastructure consists of the equipment, systems, software, and services used in common across an organization, regardless of mission/program/project. IT Infrastructure also serves as the foundation upon which mission/program/project-specific systems and capabilities are built. Approaches to provisioning of IT infrastructure vary across organizations, but commonly include capabilities such as Domain Name Server (DNS), Wide Area Network (WAN), and employee locator systems. Additional common capabilities examples include IT security systems, servers, routers, workstations, networked Supervisory Control and Data Acquisition (SCADA) systems, and networked printers (multifunction devices).
Risk assessment is a process by which to determine what IT Assets exist that require protection, and to understand and document potential risks from IT security failures that may cause loss of information confidentiality, integrity, or availability. The purpose of a risk assessment is to help management create appropriate strategies and controls for stewardship of information assets.
An IT system or network designed and intended for use only by state of Washington employees, contractors, and business partners.
Software and/or hardware designed to detect an attack on a network or computer system. A Network IDS (NIDS) is designed to support multiple hosts, whereas a Host IDS (HIDS) is set up to detect illegal actions within the host. Most IDS programs typically use signatures of known cracker attempts to signal an alert. Others look for deviations from the normal routine as indications of an attack.
Software and/or hardware designed to prevent an attack on a network or computer system. An IPS is a significant step beyond an IDS because it stops the attack from damaging or retrieving data. Whereas an IDS passively monitors traffic by sniffing packets off of a switch port, an IPS resides inline like a firewall, intercepting and forwarding packets. It can thus block attacks in real time.
Inventory costs represent a substantial portion of the total cost of ownership for many organizations. Proper inventory management requires an investment of time and resources. Carrying insufficient inventory may have adverse mission impacts or consequences. Carrying too much inventory ties up capital, is usually inefficient, requires extra storage space, and for items with a limited shelf life may lead to costly disposal actions.
Defines the set of capabilities to receive and track user-reported issues and problems in using IT systems, including help desk calls.
IT Infrastructure Maintenance involves the planning, design, and maintenance of an IT Infrastructure to effectively support automated needs (i.e. platforms, networks, servers, printers, etc.).
IT Strategy and Innovation includes all activities outside of normal Strategic Planning that focus on trying new approaches, new systems and thinking about/planning IT investments in different ways.
IT System Development / Integration Support includes the software services enabling elements of distributed business applications to interoperate and the software development necessary to facilitate such integration. These elements can share function, content, and communications across heterogeneous computing environments.
A lightweight data-interchange format. It is a language independent text format that is easy for humans to read and write. It is easy for machines to parse and generate.
A form submitted to a potential employer by a potential employee to collect basic information about the applicant such as employment history, education, training, and contact information.
A method of identifying and defining job duties and responsibilities.
Defines the set of capabilities to facilitate collection of data and information.
Defines the set of capabilities to support the transfer of knowledge to the end customer.
Software (such as a Trojan horse) that appears to perform a useful or desirable function, but actually gains unauthorized access to system resources or tricks a user into executing other malicious logic.
A general term coined for all forms of malicious software, including but not limited to computer viruses, worms, Trojan horses, most rootkits, spyware, dishonest adware, crimeware and other malicious and unwanted software.
The process of preparing management reports and accounts that provide accurate and timely financial and statistical information required by managers to make day-to-day and short-term decisions. Unlike financial accounting, which produces annual reports mainly for external stakeholders, management accounting generates monthly or weekly reports for an organization's internal audiences such as department managers and the chief executive officer. These reports typically show the amount of available cash, sales revenue generated, amount of orders in hand, state of accounts payable and accounts receivable, outstanding debts, raw material and inventory, and may also include trend charts, variance analysis, and other statistics.
Provide for the representation of mapping and geospatial information through the use of attributes such as zip code, country code, elevation, natural features and other spatial measures.
Support the maintenance and administration of data that describes data.
Any hand-portable device capable of text, voice, email, instant messaging (“IM”), photo messaging or other types of data communication. This policy is not meant to apply to: cars, boats, airplanes, laptop computers, desktop computers, unpiloted aerial vehicles (drones), GPS receivers, radios.
Modularity refers to the extent to which a software/Web application may be divided into smaller modules. Software modularity indicates the number of application modules that are capable of serving a specified business domain. It allows typical applications to be divided into modules, as well as integration with similar modules, which helps developers use prewritten code. Modules are divided based on functionality, and programmers are not involved with the functionalities of other modules. Thus, new functionalities may be easily programmed in separate modules. It is a practical application of the principle of "Separation of Concerns": dividing a complex system into simpler and more manageable modules that will work together. Modularization can take place in two ways. The composition or bottom-up approach takes modules and puts them together to form a larger system. The alternative approach is to take a complete system and decompose it into its modules; this is known as the decomposition or top-down approach. Modules are technically connected to one another. The measure of inter-module relation is known as coupling. Design goals require modules to have low coupling and high cohesion. Cohesion is a measure of the inter-relatedness of elements (statements, procedures, declarations) within a module. A module is said to have high cohesion if all the elements in the module are strongly connected with one another. Tight coupling of modules makes analysis, understanding, modification and testing of modules difficult. Reuse of modules is also hindered. Modularity enhances the understandability of software systems and of the change process. Developers need not understand the entire system for changes to be made, as details are localized into components; modularity separates concerns down to the modules and is thus a direct realization of the principle of "Separation of Concerns".
A security system or mechanism in which more than one form of authentication is implemented to verify the legitimacy of a transaction. In contrast, single factor authentication involves only a UserID/password.
In 2-factor authentication, the user provides dual means of identification, one of which is typically a physical token, such as a card, and the other of which is typically something memorized, such as a security code.
Additional authentication methods that can be used in MFA include biometric verification such as keyboard cadence, finger scanning, iris recognition, facial recognition and voice ID. In addition to these methods, device identification software, smart cards, and other electronic devices can be used along with the traditional UserID and password.
A device available to other computers on a network. Examples include servers, firewalls, routers, switches, workstations, networked Supervisory Control and Data Acquisition (SCADA) systems, and networked printers (multifunction devices).
An open source specification to define a standard, language-agnostic interface to REST APIs which allows both humans and computers to discover and understand the capabilities of the service without access to source code, documentation, or network traffic inspection. When properly defined, a consumer can understand and interact with the remote service with a minimal amount of implementation logic.
The administration of employee compensation and benefits on a scheduled basis through a centralized payment system.
A deliberate probe of a network or system to discover security weaknesses. The test attempts to leverage identified weaknesses to penetrate into the organization. The test exploits the vulnerabilities uncovered during a vulnerability assessment to avoid false positives often reported by automated assessment tools.
A systematic process of objectively obtaining and evaluating evidence regarding the performance of an organization, program, function, or activity. Evaluation is made in terms of its economy and efficiency of operations and effectiveness in achieving desired goals. The performance audit function provides an independent review of management's performance and the degree to which actual performance meets pre-stated goals.
The act of considering and making funding choices based on desired outcomes. Performance budgeting focuses on the results to be gained through investment decisions.
Physical security describes measures that prevent or deter attackers from accessing a facility, resource, or information stored on physical media in an IT facility.
Analysis and evaluation of the ways in which material requirements can be met using a life cycle management approach.
Defines the set of capabilities to support the administration of a group of investments held by an organization.
Defines the set of capabilities to manage business processes, including business process mapping, remapping, reengineering, and business process improvement efforts.
The process of obtaining or buying goods and services consistent with RCW 39.26 with the intent to purchase. Purchasing, renting, leasing, or otherwise acquiring any supplies or services; includes all functions that pertain to the acquisition, including description of requirements, selection and solicitation of sources, preparation and award of contract, and all phases of contract administration. The combined functions of purchasing, inventory control, traffic and transportation, receiving, inspection, storekeeping, salvage, and disposal operations.
Defines the set of capabilities to manage and control a particular effort of an organization. This includes intra-agency work.
The acquisition of goods or services, including the leasing or renting of goods.
The process of finding and hiring the best-qualified candidate (from within or outside of an organization) for a job opening in a timely and cost-effective manner. The recruitment process includes analyzing the requirements of a job, attracting employees to that job, screening and selecting applicants, hiring, and integrating the new employee into the organization. Recruitment measures include tracking time to hire/fill, candidate quality, and applicant satisfaction.
A distributed system framework that uses Web protocols and technology. The REST architecture involves client and server interactions built around the transfer of resources. Systems that conform to REST principles are referred to as RESTful.
The capability of remaining or returning to a normal situation after an event by having multiple ways of performing a function. This may include people, processes or technology. Generally speaking, this means there would be no single point of failure that could stop a process.
Separation of an employee who meets the age and service requirements to receive retirement benefits and has filed an application for retirement with the Department of Retirement Systems. Includes tracking and/or managing an employee's retirement eligibility status throughout the life cycle of an employee's career.
The days and hours an employee is scheduled to work.
A secure version of File Transfer Protocol (FTP), which facilitates data access and data transfer over a Secure Shell (SSH) data stream. It is part of the SSH Protocol. This term is also known as SSH File Transfer Protocol.
Secure segmentation is defined as implementing methods that allow for secure communication between various levels of segmented environments. These environments typically involve 4 basic segment groups:
The methods for securing these segments may include but are not limited to firewall and switch/router configurations and router/switch ACLs.
The security requirements and methods applied by agencies to manage IT security risk, including but not limited to those defined in the OCIO IT security standards.
An environment or context that is defined by security policy, a security model, or security architecture to include a set of system resources and the set of system entities that have the right to access the resources.
The voluntary or involuntary act of leaving Washington State service.
A requestor that consumes or uses an automated IT Service provided by a Service Provider. Entities (systems, people, and organizations) that need to make use of services offered by providers.
Computer application readable description of capabilities, requirements, general characteristics, abstract message operations, concrete network protocols, endpoint addresses, and structure and content of messages received by and sent by the service.
The coordination and arrangement of multiple services exposed as a single aggregate service. Developers utilize service orchestration to support the automation of business processes by loosely coupling services across different applications and enterprises and creating "second-generation," composite applications. In other words, service orchestration is the combination of service interactions to create higher-level business services.
Style of software design where services are provided to the other components by application components, through a communication protocol over a network. The basic principles of service-oriented architecture are independent of vendors, products and technologies. A service is a discrete unit of functionality that can be accessed remotely and acted upon and updated independently, such as retrieving a credit card statement online. According to TOGAF, under the terms of an SOA, a service has four properties: It logically represents a business activity with a specified outcome. It is self-contained. It is a black box for its consumers. It may consist of other underlying services.
Entities (systems, people, and organizations) that offer capabilities and act as service providers. An authoritative/trusted organization that offers an automated IT Service to a Service Consumer by means of one of its Provided Service Interfaces.
A service-oriented architecture design principle for creating services that can be used for business purposes beyond those initially specified in requirements. Reusable services are designed so their solution logic is independent of any particular business process or technology.
A protocol for implementing Web Services. SOAP features guidelines that allow communication via the Internet between two programs, even if they run on different platforms, use different technologies and are written in different programming languages.
Shared, common infrastructure for lifecycle management such as a services registry, policies, business analytics; routing/addressing, quality of service, communication; Development Tools for security, management, and adapters.
Modular, swappable functions, separate from, yet connected to an application via well-defined interfaces to provide agility. Often referred to as 'services', they: perform granular business functions such as "get customer address" or larger ones such as 'process payment'; are loosely coupled to a new or existing application; have the capability to perform the steps, tasks and activities of one or more business processes; and can be combined to perform a set of functions, referred to as 'orchestration'.
Strategic workforce planning looks at system-wide issues and strategies to: support the organization's strategic plan (e.g., reorganization and redeployment); address external workforce factors that affect the entire business (e.g., succession planning for retirement bubbles, or staff reduction planning for budget cuts); maintain organizational capacity (e.g., in-service training); and mitigate risk exposure (e.g., safety planning and Equal Employment Opportunity training).
The specific staffing strategies designed to develop an internal pool for anticipated vacancies.
For the purpose of go-live readiness, supporting organizations include the agency(s) and any vendor(s) who are involved in operations and support of the ongoing system/investment. Processes include any unique to the time immediately after go-live as well as those ongoing processes required to effectively operate and maintain the system/investment once it is implemented into production.
System and Network Monitoring supports all activities related to the real-time monitoring of systems and networks for optimal performance.
Support the balance and allocation of memory, usage, disk space and performance on computers and their applications.
Telework is the practice of working from home or other alternative locations closer to home through the use of technology which allows the employee to access normal work material (email, telephone, electronic documents, etc.). Telework may be scheduled or done on an ad hoc basis.
Threat and Vulnerability Management involves all functions pertaining to the protection of federal information and information systems from unauthorized access, use, disclosure, disruptions, modification, or destruction, as well as the creation and implementation of security policies, procedures and controls. It includes all risk and controls tracking for IT systems.
The process of submitting, approving, and adjusting an employee's work hours and planned/unplanned leave hours.
Training is activities designed to develop employees' job-related knowledge and skills for present job assignments as well as future career development goals. The enterprise level administrative function is the maintenance of training records for state employees.
Activities associated with planning, preparing, and monitoring of business-related travel for an organization's employees.
An IT system or network that is recognized automatically as reliable, truthful, and accurate without continual validation or testing.
Characterized by absence of trusted status. Assumed to be unreliable, untruthful, and inaccurate unless proven otherwise.
The management of an entity selling a good or service to the State. Vendors include, but are not limited to, retail businesses, consultants, contractors, manufacturers, and credit card companies. A vendor may be an individual, corporation, non-profit organization, federal government or federal agency, local government or local agency, another state or another state agency, a Washington state agency, or Indian nation. For travel reimbursement purposes, a vendor may include an employee, a board member, or volunteer.
Defines the set of capabilities to provide telephony or other voice communications.
Relates to risk of attack. In IT terms, vulnerability describes points of risk to penetration of security barriers. Awareness of potential vulnerability is very important to designing ever more effective defenses against attack by unauthorized parties.
A comprehensive analysis that attempts to define, identify, and classify the security holes (vulnerabilities) in a system, network, or communications infrastructure within the assessment scope.
Web Infrastructure includes equipment/services to support delivery of services over the Internet or similar networks. These include supporting: Network Services which consists of protocols defining the format and structure of data and information either accessed from a directory or exchanged through communications; Service Transport which consists of protocols defining the format and structure of data and information either accessed from a directory or exchanged through communications.
A software service used to communicate between two devices on a network. More specifically, a Web service is a software application with a standardized way of providing interoperability between disparate applications. It does so over HTTP using technologies such as XML, SOAP, WSDL, and UDDI.
An XML format for describing network services as a set of endpoints operating on messages containing either document-oriented or procedure-oriented information. The operations and messages are described abstractly, and then bound to a concrete network protocol and message format to define an endpoint.
An OASIS specification that defines mechanisms to allow different security realms to federate, such that authorized access to resources managed in one realm can be provided to security principals whose identities and attributes are managed in other realms. This includes mechanisms for brokering of identity, attribute, authentication and authorization assertions between realms, and privacy of federated claims.
An OASIS specification that proposes a standard set of SOAP extensions that can be used when building secure Web services to implement message content integrity and confidentiality.
Ensuring the safety and health of employees within the workplace.