COMPLETE GUIDE TO SECURITY AND PRIVACY METRICS: Measuring Regulatory Compliance, Operational Resilience, and ROI

Complete Guide to Security and Privacy Metrics: Measuring Regulatory Compliance, Operational Resilience, and Roi

Volumn , Issue , 2007, Pages 1-825

  Herrmann, Debra S ^a  

^a FEDERAL AVIATION ADMINISTRATION   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

EID: 85179193377     PISSN: None     EISSN: None     Source Type: Book    
DOI: 10.1201/9781420013283     Document Type: Book

References (337)

1. IEC 61508-1(1998-12), Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems — Part 1: General Requirements.
2. IEC 61508-2(2000-5), Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems — Part 2: Requirements for Electrical/Electronic/ Programmable Electronic Safety-Related Systems.
3. IEC 61508-3(1998-12), Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems — Part 3: Software Requirements.
4. IEC 61508-4(1998-12), Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems — Part 4: Definitions and Abbreviations of Terms.
5. IEC 61508-5(1998-12), Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems — Part 5: Examples of Methods for the Determination of Safety Integrity Levels.
6. IEC 61508-6(2000-4), Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems — Part 6: Guidelines on the Application of Parts 2 and 3.
7. IEC 61508-7(2000-3), Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems — Part 7: Overview of Techniques and Measures.
8. IEEE Std. 982.1-1988, Standard Dictionary of Measures to Produce Reliable Software.
9. IEEE Std. 982.2-1988, Guide for the Use of the Standard Dictionary of Measures to Produce Reliable Software.
10. IEEE Std. 1028-1997, Standard for Reviews and Audits.
11. IEEE Std. 1045-1992, Standard for Software Productivity Metrics.
12. IEEE Std. 1061-1998, Software Quality Metrics Methodology.
13. ISO 9000 Compendium — International Standards for Quality Management, 10th edition, 2000.
14. ISO/IEC TR 13335-1(1996-12-15) — Information Technology — Guidelines for the Management of IT Security — Part 1: Concepts and Models for IT Security.
15. ISO/IEC TR 13335-2(1997-12-15) — Information Technology — Guidelines for the Management of IT Security — Part 2: Managing and Planning IT Security.
16. ISO/IEC TR 13335-3(1998-06-15) — Information Technology — Guidelines for the Management of IT Security — Part 3: Techniques for the Management of IT security.
17. ISO/IEC TR 13335-4(2000-03-01) — Information Technology — Guidelines for the Management of IT Security — Part 4: Selection of Safeguards.
18. ISO/IEC TR 13335-5(2001-11-01) — Information Technology — Guidelines for the Management of IT Security — Part 5: Management Guidance on Network Security.
19. ISO/IEC 15408-1(1999-12-01), Information Technology — Security Techniques — Evaluation Criteria for IT Security — Part 1: Introduction and General Model.
20. ISO/IEC 15408-2(1999-12-01), Information Technology — Security Techniques — Evaluation Criteria for IT Security — Part 2: Security Functional Requirements.
21. ISO/IEC 15408-3(1999-12-01), Information Technology — Security Techniques — Evaluation Criteria for IT Security — Part 3: Security Assurance Requirements.
22. ISO/IEC PDTR 15446(2001-04), Information Technology — Security Techniques — Guide for the Production of Protection Profiles and Security Targets.
23. ISO/IEC 15504-1(2004) — Information Technology — Process Assessment — Part 1: Concepts and Vocabulary.
24. ISO/IEC 15504-2(2004) — Information Technology — Process Assessment — Part 2: Performing an Assessment.
25. ISO/IEC 15504-3(2004) — Information Technology — Process Assessment — Part 3: Guidance on Performing an Assessment.
26. ISO/IEC 15504-4(2004) — Information Technology — Process Assessment — Part 4: Guidance on Use for Process Improvement and Process Capability Determination.
27. ISO/IEC 15504-5(2005) — Information Technology — Process Assessment — Part 5: An Exemplar Process Assessment Model.
28. ISO/IEC 17799(2000-12-01) — Information Technology — Code of Practice for Information Security Management.
29. ISO/IEC 21827(2002-10-17), Information Technology — Systems Security Engineering — Capability Maturity Model (SSE-CMM ®).
30. NERC Reliability Functional Model: Function Definitions and Responsible Entities, North America Electric Reliability Council, version 2, 10 February 2004.
31. Standard CIP-002-1 — Cyber Security — Critical Cyber Assets, North America Electric Reliability Council (NERC), April 2006.
32. Standard CIP-003-1 — Cyber Security — Security Management Controls, North America Electric Reliability Council (NERC), April 2006.
33. Standard CIP-004-1 — Cyber Security — Personnel and Training, North America Electric Reliability Council (NERC), April 2006.
34. Standard CIP-005-1 — Cyber Security — Electronic Security, North America Electric Reliability Council (NERC), April 2006.
35. Standard CIP-006-1 — Cyber Security — Physical Security, North America Electric Reliability Council (NERC), April 2006.
36. Standard CIP-007-1 — Cyber Security — System Security Management, North America Electric Reliability Council (NERC), April 2006.
37. Standard CIP-008-1 — Cyber Security — Incident Reporting and Response Planning, North America Electric Reliability Council (NERC), April 2006.
38. Standard CIP-009-1 — Cyber Security — Recovery Plans, North America Electric Reliability Council (NERC), April 2006.
39. Implementation Plan for Cyber Security Standards CIP-002-1 through CIP-009-1, North America Electric Reliability Council (NERC), April 2006.
40. SAE JA 1006: Software Support Concept, Society for Aerospace Engineering (SAE), June 1999.
41. SAE JA 1004: Software Supportability Program Standard, Society for Aerospace Engineering (SAE), July 1998.
42. SAE JA 1005, Software Supportability Program Implementation Guide, Society for Aerospace Engineering (SAE), (draft) March 2000.
43. FAA Order 1370.89, Information Operation Conditions, 25 August 2003.
44. FAA Order 1600.1E, FAA Personnel Security Program, 25 July 2005.
45. FEMA 452, Risk Assessment: A How-To Guide to Mitigate Potential Terrorist Attacks against Buildings, January 2005.
46. FIPS PUB 199 — Standards for Security Categorization of Federal Information and Information Systems, National Institute of Standards and Technology, December 2003.
47. FIPS PUB 200 — Security Controls for Federal Information Systems, National Institute of Standards and Technology, scheduled for December 2005; replaces SP 800-53, including Annexes 1 through 3.
48. FIPS PUB 201 — Personal Identity Verification (PIV) of Federal Employees and Contractors, National Institute of Standards and Technology, 25 February 2005. 48a
49. SP 800-79 — Guidelines for the Certification and Accreditation of PIV Card Issuing Organizations, draft 1.1, National Institute of Standards and Technology, June 2005. 48b
50. Federal Identity Management Handbook, public draft, U.S. General Services Administration, March 2005. 48c
51. SP 800-76 — Biometric Data Specification for Personal Identity Verification (draft), National Institute of Standards and Technology, 24 January 2005. 48d
52. SP 800-73 — Interfaces for Personal Identity Verification, National Institute of Standards and Technology, April 2005.
53. SP 800-18 — Guide for Developing Security Plans for Information Technology Systems, National Institute of Standards and Technology, December 1998.
54. SP 800-30 — Risk Management Guide for Information Technology Systems, National Institute of Standards and Technology, July 2002.
55. SP 800-37 — Guide for the Security Certification and Accreditation of Federal Information Systems, National Institute of Standards and Technology, May 2004.
56. SP 800-53 — Recommended Security Controls for Federal Information Systems, February 2005.
57. Annex 1 to SP 800-53 — Recommended Security Controls for Federal Information Systems: Minimum Security Controls, Low Baseline, February 2005.
58. Annex 2 to SP 800-53 — Recommended Security Controls for Federal Information Systems: Minimum Security Controls, Moderate Baseline, February 2005.
59. Annex 3 to SP 800-53 — Recommended Security Controls for Federal Information Systems: Minimum Security Controls, High Baseline, February 2005.
60. SP 800-53A — Guide for Assessing the Security Controls in Federal Information Systems, National Institute of Standards and Technology, Spring 2005.
61. SP 800-55 — Security Metrics Guide for Information Technology Systems, National Institute of Standards and Technology, July 2003. 57a.
62. SP 800-80 — Guide for Developing Performance Metrics for Information Security (draft), National Institute of Standards and Technology, May 2006.
63. SP 800-60 — Volume I: Guide for Mapping Types of Information and Information Systems to Security Categories, National Institute of Standards and Technology, July 2004.
64. SP 800-60 — Volume II: Appendices to Guide for Mapping Types of Information and Information Systems to Security Categories, National Institute of Standards and Technology, July 2004.
65. SP 800-66 — An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, National Institute of Standards and Technology (draft), May 2004.
66. The Personal Health Information Act, Statutes of Canada, 28 June 1997
67. Bill C-6: Personal Information Protection and Electronic Documents Act (PIPEDA), Statutes of Canada, 13 April 2000.
68. Basel II: The International Convergence of Capital Measurement and Capital Management: A Revised Framework, Basel Committee on Banking Supervision, June 2004.
69. Data Protection Act, 1998, Chapter 29, United Kingdom.
70. Directive 95/46/EC, The Data Protection Directive, European Parliament and of the Council, 24 October 1995.
71. High-Level Principles for the Cross-Border Implementation of the New Accord, Basel Committee on Banking Supervision, August 2003 66a.
72. Principles for the Home-Host Recognition of AMA Operational Risk Capital, Basel Committee on Banking Supervision, January 2004.
73. Implementation of Basel II: Practical Considerations, Basel Committee on Banking Supervision, July 2004.
74. OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security, Organization for Economic Co-operation and Development, 25 July 2002. 68a.
75. Implementation Plan for the OECD Guidelines for the Security of Infor mation Systems and Networks: Towards a Culture of Security, Organization for Economic Co-operation and Development, 2 July 2003. 68b.
76. Summary of Responses to the Survey on the Implementation of the OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security, Organization for Economic Co-operation and Development, 24 September 2004.
77. OECD Guidelines on the Protection of Privacy and Trans-Border Flows of Personal Data, 23 September 1980. 69a.
78. Ministerial Declaration on the Protection of Privacy on Global Networks, Organization of Economic Co-operation and Development, Ottawa, 7–9 October 1998.
79. Background Material on Biometrics and Enhanced Network Systems for the Security of International Travel, Organization for Economic Co-operation and Development, 23 December 2004.
80. OECD Guidelines for Cryptography Policy, Organization for Economic Co-operation and Development, 1997. 71a.
81. OECD Cryptography Guidelines: Recommendation of the Council, Organization for Economic Co-operation and Development, 27 March 1997. 71b.
82. Report on Background and Issues of Cryptography Policy, Organization for Economic Co-operation and Development, 1997.
83. E-Government Act, Public Law 107-347 — Title III — Federal Information Security Management Act, U.S. Congress, 17 December 2002. 72a.
84. OMB Memo M-04-25, FY2004 Reporting Instructions for the Federal Information Security Management Act, 23 August 2004. 72b.
85. OMB Memo from M. Forman, Certification and Accreditation — What an Agency Can Do Now, 3 July 2003. 72c.
86. OMB Memo M-05-15, FY2005 Reporting Instructions for the Federal Information Security Management Act and Privacy Officer, 13 June 2005. 72d.
87. OMB Memo M-06-20, FY2006 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, 17 July 2006. 72e.
88. OMB Memo M-06-16, Protection of Sensitive Agency Information, 23 June 2006. 72f.
89. OMB Memo M-06-19. Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost of Security in Agency Information Technology Investments, 12 July 2006.
90. GAO-04-354, Critical Infrastructure Protection: Challenges and Efforts to Secure Control Systems, Report to Congress, U.S. General Accounting Office, March 2004.
91. GAO-05-551, Information Security: Radio Frequency Identification Technology in the Federal Government, May 2005.
92. Gramm-Leach-Bliley Act, Public Law 106-102, Title V — Privacy, U.S. Congress, 12 November 1999. 75a.
93. Gramm-Leach-Bliley Act, Department of the Treasury — Privacy of Consumer Financial Information; Final Rule, 12 CFR Parts 40, 216, 332, and 573, 1 June 2000. 75b.
94. Gramm-Leach-Bliley Act, Federal Trade Commission — Privacy of Consumer Financial Information; Final Rule, 16 CFR Part 313, 24 May 2000. 75c.
95. Gramm-Leach-Bliley Act, Securities and Exchange Commission — Privacy of Consumer Financial Information (Regulation S-P); Rules, 17 CFR Part 248, 29 July 2000. 75d.
96. Gramm-Leach-Bliley Act, National Credit Union Administration — Privacy of Consumer Financial Information; Requirements for Insurance; Final Rule, 12 CFR Parts 716 and 741, 18 May 2000. 75e.
97. Gramm-Leach-Bliley Act, Federal Trade Commission — Standards for Safeguarding Customer Information; Final Rule, 16 CFR Part 314, 23 May 2002. 75f.
98. How to Comply with the Privacy of Consumer Information Rule of the Gramm-Leach-Bliley Act: A Guide for Small Business, Federal Trade Commission, July 2002.
99. Right to Financial Privacy Act of 1978, Public Law 95-630, as codified at 12 U.S.C. Chapter 35.
100. Privacy Protection Act of 1980, Public Law 96-440, as codified at 42 U.S.C. § 2000aa.
101. Electronic Communication Privacy Act of 1986, Public Law 99-508, as codified at 18 U.S.C. Chapter 121.
102. Computer Matching and Privacy Act of 1988, Public Law 100-503, as codified at 5 U.S.C. § 552a.
103. Health Insurance Portability and Accountability Act of 1996, Public Law 104-91, U.S. Congress, 21 August 1996.
104. Health Insurance Reform: Part II — Department of Health and Human Services — Security Standards; Final Rule, 45 CFR Parts 160, 162, 164, 20 February 2003.
105. Health Insurance Reform: Part V — Department of Health and Human Services — Standards for Privacy of Individually Identifiable Health Information; Final Rule, 45 CFR Parts 160 and 164, 14 August 2002.
106. Homeland Security Presidential Directive/HSPD-1: Organization and Operation of the Homeland Security Council, 29 October 2001.
107. Homeland Security Presidential Directive/HSPD-2: Combating Terrorism through Immigration Policies, 29 October 2001.
108. Homeland Security Presidential Directive/HSPD-3: Homeland Security Advisory System, March 2002.
109. Homeland Security Presidential Directive/HSPD-4: [unclassified version] National Strategy to Combat Weapons of Mass Destruction, December 2002.
110. Homeland Security Presidential Directive/HSPD-5: Management of Domestic Incidents, 28 February 2003.
111. Homeland Security Presidential Directive/HSPD-6: Integration and Use of Screening Information, 16 September 2003.
112. Homeland Security Presidential Directive/HSPD-7: Critical Infrastructure Identification, Prioritization, and Protection, 17 December 2003.
113. Homeland Security Presidential Directive/HSPD-8: National Preparedness, 17 December 2003.
114. Homeland Security Presidential Directive/HSPD-9: Defense of United States Agriculture and Food, 30 January 2004.
115. Homeland Security Presidential Directive/HSPD-10: Bio-defense for the 21st Century, 28 April 2004.
116. Homeland Security Presidential Directive/HSPD-11: Comprehensive Terrorist-Related Screening Procedures, 27 August 2004.
117. Homeland Security Presidential Directive/HSPD-12: Policy for a Common Identification Standard for Federal Employees and Contractors, 27 August 2004. 94a.
118. OMB Memo M-06-18, Acquisition of Products and Services for Implementation of HSPD-12, 30 June 2006.
119. Video Privacy Protection Act of 1988, Public Law 100-618, as codified at 18 U.S.C. § 2710.
120. Corporate and Auditing Accountability, Responsibility, and Transparency Act, known as the Sarbanes-Oxley Act of 2002.
121. In Brief: The Financial Privacy Requirements of the Gramm-Leach-Bliley Act, Federal Trade Commission, February 2005.
122. Real ID Act of 2005, Public Law 109-13, as codified at 49 USC § 30301.
123. Interim National Infrastructure Protection Plan, Department of Homeland Security, February 2005.
124. National Information Assurance (IA) Glossary, Committee on National Security Systems (CNSS) Instruction 4009, May 2003.
125. OMB Circular No. A-130, Appendix III, Security of Federal Automated Information Resources, 26 March 2003.
126. Telemarketer Protection Act of 1991, Public Law 102-243, as codified at 47 U.S.C. § 227.
127. Letter from Representative Carolyn Maloney to Jo Anne Barnhart, Commissioner of the Social Security Administration, 27 May 2005.
128. USA Patriot Act of 2001, Public Law 107-56, U.S. Congress, 26 October 2001.
129. Report of the Best Practices and Metrics Teams, Corporate Information Security Working Group, Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, Government Reform Committee, U.S. House of Representatives, 10 January 2005.
130. The National Plan for Research and Development in Support of Critical Infrastructure Protection, The Executive Office of the President, Office of Science and Technology Policy and The Department of Homeland Security, Science and Technology Directorate, 2005.
131. The National Strategy to Secure Cyberspace, Department of Homeland Security, February 2003.
132. The Privacy Act of 1974, Public Law 93-579, as codified at 5 U.S.C. § 552a (as Amended).
133. OMB Memo M-05-08, Designation of Senior Agency Officials for Privacy, 11 February 2005.
134. @stake Labs, “Defined Security Creates Efficiencies,” Secure Business Quarterly, Fourth Quarter 2001.
135. A Status Report of the Auditor General of Canada to the House of Commons, Office of the Auditor General of Canada, February 2005.
136. Akhir, T., Return on Security Investment, EI7010-Keamanan Sisten Lanjut, Semester III, Department Teknik Elektro — Institut Teknologi Bandung, 2004.
137. Ammann, P., Barnes, B., Jajodia, S., and Sibley, E. (Eds.), Proceedings, Computer Security, Dependability, and Assurance: From Needs to Solutions, IEEE Computer Society Press, 1998.
138. Armstrong, I., “Budgeting for Infosecurity: Are Funds Growing?” SC Magazine, April 2002.
139. Armstrong, I., “Failure Must Be Part of the Plan,” SC Magazine, pp. 24–28, May 2005. 115.
140. Assessment Guide for U.S. Legislative, Regulatory, and Listing Exchange Requirements Affecting Internal Auditing, The Institute of Internal Auditors (IIA) Research Foundation, 10 November 2004. 116.
141. Asset Protection and Security Management Handbook, POA Publishing LLC, Auerbach Publications, 2003.
142. Bayuk, J.L., “Security Metrics,” Computer Security Journal, Computer Security Institute, January 2001.
143. Beaver, K. and Herold, R., The Practical Guide to HPAA Privacy and Security Compliance, Auerbach Publications, 2003.
144. Beaver, K., Healthcare Information Systems, 2nd edition, Auerbach Publications, 2002.
145. Bieda, J., Practical Product Assurance Management, ASQ Quality Press, 1997.
146. Blakely, B., “An Imprecise but Necessary Calculation,” Secure Business Quarterly, Fourth Quarter 2001.
147. Bolz, F., Dodonis, K.J., and Schultz, D.P., The Counterterrorism Handbook: Tactics, Procedures, and Techniques, 2nd edition, CRC Press, 2002.
148. Briney, A., “Doom or Boom? Fearing the Worst, Companies Are Diversifying Their Security Spending,” Information Security, April 2004.
149. Brenner, B., “HIPAA Security Compliance Not Just an IT Problem,” Search Security. com, 30 September 2004.
150. Buskin, A. and Schaen, S., The Privacy Act of 1974: A Reference Manual for Compliance, System Development Corporation, McLean, VA, 1975.
151. Caralli, R., Managing for Enterprise Security, Software Engineering Institute, Carnegie Mellon University, December 2004.
152. Chaula, J.A., Security Metrics and Public Key Infrastructure Interoperability Testing, Licentiate thesis, Department Computer and Systems Sciences, Stockholm University and Royal Institute of Technology, 12 December 2003.
153. Clafin, B., “Information Risk Management at 3Com,” Security Business Quarterly, Fourth Quarter 2001.
154. “Compliance: Changing Our Approach to Data,” Connected, Hewlett-Packard e-newsletter, July 2004.
155. DeBrino, R., “HIPAA Compliance: One Organization’s Tale,” CIO Decisions, p. 29, May 2005.
156. Dunn, L., Explicit Routing: The Fish at 4+yrs, Cisco, 2002.
157. Earthlink: Security from the Inside: A Dialogue with Lisa Ekman and Lisa Hoyt, Secure Business Quarterly, Fourth Quarter 2001.
158. Emam, K., Drouin, J., and Melo, W., SPICE: The Theory and Practice of Software Process Improvement and Capability Determination, IEEE Computer Society Press, 1998. 134.
159. Energy Security, Breakwater Security Associates, February 2005 135.
160. Energy and Utility Security Standards, Breakwater Security Associates, February 2005
161. Evans, N., High Risk, High Rewards, Optimize, TechWeb Business Technology Network, March 2002, Issue 5.
162. Fenton, N. and Pfleeger, S., Software Metrics: A Rigorous and Practical Approach, International Thomson Computer Press, 2nd edition, 1997.
163. Fenton, N., Whitty, R., and Iizuka, Y. (Eds .), Software Quality Assurance and Measurement: A Worldwide Perspective, International Thomson Computer Press, 1995.
164. Feudo, C., “Beyond A Security Metrics Paradigm,” Interactive Technologies 2004 Conference, Society for Applied Learning Technology.
165. “FTC Enforces Gramm-Leach-Bliley Act’s Safeguards Rule against Mortgage Companies,” Federal Trade Commission Press Release, 16 November 2004.
166. Fuldner, G., Sensitive Information in Financial Services, for CS 457a course, Yale, 14 November 2003.
167. Foundstone Quantifies ROI of Proactive and Automated Vulnerability Management, foundstone.com, 6 February 2004.
168. Garigue, R. and Stefaniu, M., “Information Security Governance Reporting,” EDP Audit, 76-15-11, Auerbach Publications, October 2003.
169. Geer, D.E., “Making Choices to Show ROI,” Secure Business Quarterly, Fourth Quarter 2001.
170. Geer, D.E., Soo Hoo, K., and Jaquith, A., “Why the Future Belongs to the Quants,” Security and Privacy Magazine, IEEE, July 2003, pp. 24–32.
171. Gerard, P., Risk Based E-Business Testing, Artech House, 2002.
172. Gilb, T., “Quantifying Security,” Proceedings of International Conference on Practical Software Quality and Testing, May 2–6, 2005.
173. Gilb, T. and Graham, D., Software Inspection, Addison-Wesley, 1993.
174. Gilliam, D., Wolfe, T., Sherif, J., and Bishop, M., “Software Security Checklist for the Software Life Cycle,” Proceedings 12th IEEE International Workshop on Enabling Technologies: Infrastructure for Collaborative Enterprises, 2003.
175. Gossels, J. and Noll, L.C., “HIPAA Compliance,” System Experts Corporation, 2004.
176. Gray, G.L., Changing Internal Audit Practices in the New Paradigm: The Sarbanes-Oxley Environment, The Institute of Internal Auditors Research Foundation, 2004.
177. Hale, R., The Chief Security Officer: A Guide to Protecting People, Facilities, and Information, Auerbach Publications, 2004.
178. Hecht, H., Systems Reliability and Failure Prevention, Artech House, 2004.
179. Herrmann, D., “Common Criteria Cleared for Take Off at the U.S. Federal Aviation Administration,” Information Security Bulletin, December 2004, pp. 379–388.
180. Herrmann, D., Using the Common Criteria for IT Security Evaluation, Auerbach Publications, 2003.
181. Herrmann, D., A Practical Guide to Security Engineering and Information Assurance, Auerbach Publications, 2002.
182. Herrmann, D. and Keith, S., “Application of Common Criteria to Telecom Services,” Computer Security Journal, 17(2), 21–28, 2001.
183. Herrmann, D., Software Safety and Reliability: Techniques, Approaches, and Standards of Key Industrial Sectors, IEEE Computer Society Press, 1999.
184. Herrmann, D., “Sample Implementation of the Littlewood Holistic Model for Analyzing Software Safety and Reliability,” Proceedings of the Annual Reliability and Maintainability Symposium (RAMS’98), IEEE, 1998.
185. Hollingworth, D, Towards Threat, Attack, and Vulnerability Taxonomies, Network Associates Laboratories, 2002.
186. INEEL/EXT-04-02428, rev., “A Comparison of Electrical Sector Cyber Security Standards and Guidelines,” Idaho National Engineering and Environmental Lab, 2 November 2004.
187. Information Security and Cyber Crime Update, Cooley Godward LLP e-newsletter, 3 October 2003.
188. Information Security Governance: A Call to Action, Corporate Governance Task Force Report, National Cyber Security Summit Task Force, April 2004.
189. Information Security under the Basel II Accord, ContinuityCentral.com, 30 January 2004.
190. Information Technology for Counter-terrorism: Immediate Actions and Future Possibilities, Computer Science and Telecommunications Board (CSTB), National Academies of Science, National Academies Press, 2003.
191. Jackson, W., “New Federal ID Standard Approved,” Government Computer News, 25 February 2005.
192. Novak, R., Threat of the Auditors: The Sarbanes-Oxley Act Is a Danger to Growth, The Washington Post, p. A31, 7 April 2005.
193. Jaquith, A., The Security of Applications: Not All Are Created Equal, Research Report, @stake.com, February 2002.
194. Jelen, G., “SSE-CMM® Security Metrics,” Profiles, Assurance and Metrics Committee, International Systems Security Engineering Association, presented at NIST Workshop, Washington, D.C., June 2000.
195. Johnson, A., “Cyber Security for the Bulk Electric System,” NERC Cyber Security Workshops, January and March 2005.
196. Johnson, M., Passing the Audit, CIO Decisions, pp. 48–51, April 2005.
197. June, D.L ., Protection, Security, and Safeguards: Practical Approaches and Perspectives, Auerbach Publications, 2000.
198. Kalvar, S.T., Focusing Measurements and Metrics on Security, CNET Networks, Inc., 2003.
199. Kan, S.H., Metrics and Models in Software Quality Engineering, Addison-Wesley, 1995.
200. Karofsky, E., “Executive Summary: Insight into Return on Security Investment,” Security Business Quarterly, Fourth Quarter 2001.
201. Knight, M., Compliance Tops IT Priority List, AccountancyAge.com/news, 10 November 2004.
202. Krist, M.A., Standard for Auditing Computer Applications, Auerbach Publications, 1998.
203. Leo, R., The HIPAA Program Reference Handbook, Auerbach Publications, 2004.
204. Levandowki, T., Gramm-Leach-Bliley Act Privacy Requirements, Vice President and Assistant General Counsel, First Union Corporation/Educaid, 2002.
205. Levi, S.T. and Agrawala, A.K., Fault Tolerant System Design, McGraw-Hill, Inc., 1994.
206. Lindstrom, P. “Security: Measuring Up,” Information Security, February 2005, pp. 48–55.
207. Lovejoy, K., “Know Your Customers Inside & Out: The Best Way to Work with the Patriot Act,” SC Magazine, p. 78, May 2005.
208. Lineman, D.J., A Brief History of Regulatory Time, InformationShield.com, 2004.
209. Lyu, M. (Ed.), Handbook of Software Reliability Engineering, IEEE Computer Society Press, 1996.
210. MacKay, R. and Smith M., “Bill C-13: An Act to Amend the Criminal Code, Capital Markets Fraud and Evidence Gathering,” LS-469E, Legislative Summaries, Library of Parliament, Parliamentary Information and Research Service, 2004. 186.
211. Making the Nation Safer: The Role of Science and Technology in Countering Terrorism, National Academies of Science, National Academies Press, 2002.
212. McCollum, T., “U.S. Working Group Reports on Security Metrics,” IT Audit, Institute of Internal Auditors, Vol. 8, 1 February 2005.
213. McCollum, T., U.S. Working Group Issues Security Proposals, IT Audit, Institute of Internal Auditors, Vol. 7, 1 June 2004.
214. McConnel, P.,A ‘Standards-Based’ Approach to Operational Risk Management under Basel II, ContinuityCentral.com, 14 January 2005.
215. McCracken, A. Practical Guide to Business Continuity Assurance, Artech House, 2004.
216. Hard Problem List, Infosec Research Council (IRC), November 2005.
217. Mimoso, M., Keeping the Data and Oil Flowing, Information Security, pp. 44–48, May 2005.
218. Miller, J., “Whose in Charge of Privacy Issues? Agencies Have until March 11 to Figure It Out,” Government Computer News, GCN.com, 17 February 2005. 193a.
219. Miller, J., “Is Your Agency Required to Have a Privacy Officer?,” Government Computer News, GCN.com, 13 December 2004.
220. Mizzi, A., Return on Information Security Investment: Are You Spending Enough? Are You Spending Too Much?, Geocities.com/amz, January 2005.
221. Musa, J., Iannino, A., and Okumoto, K., Software Reliability: Measurement, Prediction, Application, McGraw-Hill, Inc., 1987.
222. Oblivion, B., “Secure Hardware Design,” Black Hat Briefings, 26–27 July 2000.
223. O’Connor, P., Practical Reliability Engineering, 3rd edition, John Wiley & Sons, Ltd., 1991. 198. Out-Think Shrink — What Every Retailer Should Know about Loss Prevention, IntelliQ Ltd., 2004.
224. Peltier, T., Information Security Risk Analysis, Auerbach Publications, 2001.
225. Perin, M., “Utilities Face Deadline from NERC to Meet FERC Security Mandate,” Energy Beat, Houston Business Journal, 10 January 2005.
226. Petco Settles FTC Charges, Federal Trade Commission Press Release, 17 November 2004.
227. Peterson, J.K ., Understanding Surveillance Technologies: Spy Devices, Their Origins, and Applications, CRC Press, 2001.
228. Pullum, L., Software Fault Tolerance: Techniques and Implementation, Artech House, 2001.
229. Pyzdek, T. and Berger, R. (Eds.), Quality Engineering Handbook, Marcel Dekker, Inc. and ASQC Press, 1992.
230. Quainton, D., “We Must Learn to Love Compliance,” SC Magazine, February 2005, pp. 28–31.
231. Radding, A., “Meeting the Challenges of Security Mandates,” CIO Decisions, pp. 26–28, May 2005.
232. Rothke, B., “Sticking Plaster that Won’t Stick: Why HIPAA Has Failed to Achieve the Same Level of Success as SOX,” SC Magazine, pp. 45–46, May 2005.
233. Savage, M., “Will HIPAA Bite?,” SC Magazine, pp. 40–42, May 2005.
234. Schulmeyer, G. and McManus, J. (Eds.), Handbook of Software Quality Assurance, 2nd edition, International Thomson Computer Press, 1996.
235. Schulmeyer, G. and McManus, J. (Eds.), Total Quality Management for Software, International Thomson Computer Press, 1996.
236. Sherwood, J., “SABSA® Security Architecture,” Netigy Corporation, 2000
237. “Side-by-Side Comparison of Major Privacy Regulations and Laws Affecting Health Insurers,” Health Insurance Association of America (HIAA), Department of Policy and Information, 23 October 2000.
238. Silverman, K., Lightning Man: The Accursed Life of Samuel F.B. Morse, Alfred A. Knopf, 2003.
239. Soo Hoo, K., Metrics of Network Integrity, Sygate Technologies, Inc., July 2004.
240. Soo Hoo, K., Sudbury, A., and Jaquith, A., “Tangible ROI through Secure Software Engineering,” Secure Business Quarterly, Fourth Quarter 2001.
241. Stephenson, P., “STRAIS: A Method for Security Requirements Engineering Using a Standards-Based Network Security Reference Model,” Netigy Corporation, 2001.
242. Sterneckert, A.B., Critical Incident Management, Auerbach Publications, 2003.
243. Summary of Sarbanes-Oxley Act of 2002, American Institute of Certified Public Accountants (AICPA), 2005.
244. Summers, C. and Weers, K., Security Metrics Consortium Founded by Top CSOs/ CISOs, Shift Communications, 24 February 2004.
245. Thieme, R., “What Insurance Can — and Can’t — Do for Security Risks,” Secure Business Quarterly, Fourth Quarter 2001.
246. Thomas, D., Security Must Be Key Part of Outsourcing, AccountancyAge.com/ features, 18 November 2004.
247. Tipton, H.F. and Krause, M., Information Security Management Handbook, 4th edition, Auerbach Publications, 2003.
248. Vaugn, R., Henning, R., and Siraj, A., “Information Assurance Measures and Metrics — State of Practice and Proposed Taxonomy,” Proceedings of the 36th Hawaii International Conference on System Sciences (HICSS-03), IEEE Computer Society, 2003.
249. Utilities Face Deadline for Security Mandate, GreatRiverEnergy.com, February 2005.
250. Walsh, L. and Taylor, D., “Big Brother’s Watchful Eyes,” Information Security, pp. 34–42, May 2005.
251. Weinstock, C. and Rushby, J., Dependable Computing for Critical Applications — 7, IEEE Computer Society Press, 1999.
252. Wolstenholme, L.C., Reliability Modeling: A Statistical Approach, Chapman & Hall/ CRC Press, 1999.
253. Wylder, J., Strategic Information Security, Auerbach Publications, 2003.
254. Kehaulani-Goo, S., “House Endorses Altering Security Alerts,” The Washington Post, pp. A9, 19 May 2005.
255. Associated Press, “Expanded Patriot Act to Be Proposed,” The Washington Post, pp. A8, 19 May 2005.
256. Mark, R., “Swindle: Somebody Has to Pay,” Information Security News, internetnews. com, 17 May 2005.
257. USA Patriot Act Sunset, Electronic Privacy Information Center, epic.org, 19 May 2005.
258. Spotlight on Surveillance: Homeland Security ID Card Is Not So Secure, Electronic Privacy Information Center, epic.org, April 2005.
259. Letter to Senate Select Committee on Intelligence, American Booksellers Association, et al. (24 co-signers), 23 May 2005.
260. Letter to Senate Select Committee on Intelligence, Electronic Privacy Information Center, epic.org, 23 May 2005.
261. Spotlight on Surveillance: Transportation Agency’s Plan to X-ray Travelers Should Be Stripped of Funding, Electronic Privacy Information Center, epic.org, June 2005.
262. “Backscatter” X-Ray Screening Technology, Electronic Privacy Information Center, epic.org, June 2005.
263. Rapiscan Secure 1000, Rapiscan Systems Product Brochure #9150068-1, undated.
264. Just Say “9/11” to Obtain Social Security Information, EPIC FOIA Notes #4, 26 April 2005, Electronic Privacy Information Center, epic.org.
265. Zeraga, M., The Right Way to Get SOX Compliant, CIO Decisions, June 2005, p. 60.
266. “Extreme Availability: NYSE’s New IT Infrastructure Puts Hand-Held Wireless Terminals in Brokers’ Hands,” Communications News, June 2005, pp. 12–17.
267. Allard, Pierre-Paul, “Ensure Data Center Resiliency: Intelligent networks can lower costs and improve security and business continuity,” Communications News, June 2005, pp. 40–43.
268. Patriot Second Act,” The Washington Post, 13 June 2005, pp. A18.
269. Silverman, E., Reining in Risk Turns into Big Business: Sarbanes-Oxley Creates Winners, The Washington Post, 13 June 2005, pp. D1 and D9.
270. “Senate Panel Approves New FBI Powers for Patriot Act,” The Washington Post Express, 8 June 2005, p. 3.
271. Miller, J., “OMB Releases FIMSA Guidance with Focus on Privacy,” Government Computer News, gcn.com, 15 June 2005.
272. Krim, J. and Barbaro, M., “40 Million Credit Card Numbers Hacked: Data Breached at Processing Center,” The Washington Post, 18 June 2005, pp. A1 and A10.
273. Lipowicz, A., “California to Revisit RFID Restrictions,” Government Computer News, gcn.com, 24 June 2005.
274. Mosquera, M., “State Tells Lawmakers Biometrics Will Ensure Identity,” Government Computer News, gcn.com, 23 June 2005.
275. Lancaster, J., “Outsourcing in India in Crisis over Scam: British Paper Alleges Security Breach,” The Washington Post, 25 June 2005, p. A18.
276. Olsen, F., “OMB Modifies Security Reporting,” Federal Computer Week, fcw.com, 20 June 2005.
277. Jackson, W., “Draft Guidelines Released for Certifying PIV Card Issuers,” Government Computer News, gcn.com, 20 June 2005.
278. Dizard III, W.P., “GAO Study of RFID Technology, Policy Seen Flawed,” Government Computer News, gcn.com, 31 May 2005
279. Lerner, E., “Biometric Identification,” The Industrial Physicist, 6(1), 20–23, 2000.
280. Rendell, A., “Security, Privacy, and Fraud Research,” Safety Systems, 9(2), 13–15, 2000.
281. Jones, B. and Deane, D., “Between Friends: Don’t Extend Trust Too Far,” SC Magazine, February 2005, pp. 39–40.
282. Sterlicchi, J., “Stop That Fraud: Fingerprints Will Secure Texas Systems,” SC Magazine, February 2005, p. 42.
283. Armstrong, I., “Would You Show This Card to Mom,” SC Magazine, March 2005, p. 15.
284. www.soxonline.com.
285. Rasch, M., “Sarbanes-Oxley for IT Security,” securityfocus.com, 3 May 2005.
286. IT Control Objectives for Sarbanes-Oxley, IT Governance Institute, April 2004.
287. Jackson, W., “New FISMA Standard Advances toward Finalization,” Government Computer News, gcn.com, 19 July 2005.
288. Starkman, D., “Enron Fraud Pacts Set Records: CIBC Deal Brings Total to $7 Billion,” The Washington Post, 3 August 2005, pp. D1–D2.
289. Cullinane, D., “Law is Nothing without Enforcement,” SC Magazine, August 2005, p. 20.
290. Mix, S., Securing the Electric Grid — NERC CIP Standards, Infragard 2005 National Conference, 8–11 August 2005, Washington, D.C.
291. Payment Card Industry Data Security Standard, Visa U.S.A., Inc., December 2004.
292. Mont, M.C., Bramhall, P., and Chan, K.N., “Management and Enforcement of Privacy Obligations in Enterprises,” Information Security Bulletin, September 2005, pp. 245–258.
293. Monchuk, J., Alberta Privacy Office: Hi-Tech Fax Machines a Security Risk, cnews.canoe.ca., 20 March 2005.
294. Lotem, A. and Moiseles, M., Using Attack Simulation and Risk Models for Automated Vulnerability Management, Information Security Bulletin, March 2005, pp. 45–54.
295. Denning, D., Information Warfare and Security, Addison-Wesley, 1999.
296. Rozenblit, M., Security for Telecommunications Network Management, IEEE, 1999.
297. Gollmann, D., Computer Security, John Wiley & Sons, 1999.
298. Rubin, A. and Geer, Jr., D., “A Survey of Web Security,” Computer, 31(9), pp. 34–43, 1998.
299. Feghi, J., Feghi, J., and Williams, P., Digital Certificates: Applied Internet Security, Addison-Wesley, 1998.
300. Martin, J., Design and Strategy for Distributed Data Processing, Prentice-Hall, 1981.
301. Schneier, B., Applied Cryptography: Protocols, Algorithms, and Source Code in C, 2nd edition, John Wiley & Sons, 1995.
302. Tung, B., Kerberos: A Network Authentication System, Addison-Wesley, 1999.
303. Pankanti, S., Bolle, R., and Jain, A., “Biometrics: the Futur e of Identification,” Computer, 33(2), 46–49, 2000.
304. Chadwick, D., “Smart Cards Aren’t Always the Smart Choice,” Computer, 32(12), 142–143, 1999.
305. Garber, L., “News Briefs: Companies Join Forces for Smart Card Standard,” Computer, 31(11), 19–20, 1998.
306. Tilton, C., “An Emerging Biometric API Standard,” Computer, 33(2), 130–132, 2000.
307. Frischoltz, T. and Dickmann, U., “Bio ID: A Multimodal Biometric Identification System,” Computer, 33(2), 64–69, 2000.
308. Lerner, E., “Biometric Identification,” The Industrial Physicist, 6(1), 20–23, 2000.
309. Hankins, M., “Trusted Gate Closes on Thin-Client Computer Network Security Holes,” SIGNAL, December 1999, pp. 67–69.
310. Storey, N., Safety-Critical Computer Systems, Addison-Wesley, 1996.
311. Levenson, N., Safeware: System Safety and Computers, Addison-Wesley, 1995.
312. Jajoda, S., Ammann, P., and McCollum, C., “Surviving Information Warfare Attacks,” Computer, 32(4), pp. 57–63, 1999.
313. Sander, T. and Tschudin, C., Toward Mobile Cryptography, IEEE Symposium on Security and Privacy, 1998, pp. 215–224.
314. Lindquist, U. and Jonssen, E., “A Map of Security Risks Associated with using COTS,” Computer, 31(6), 60–66, 1998.
315. Ritter, T., “Cryptography: Is Staying with the Herd Really Best?,” Computer, 32(8), 94–95, 1999.
316. Cheswick, W. and Bellovin, S., Firewalls and Internet Security, Repelling the Wiley Hacker, Addison-Wesley, 1994.
317. Tarman, T., Hutchinson, R., Pierson, L., Sholander, P., and Witzke, E., “Algorithm-Agile Encryption in ATM Networks,” Computer, 31(9), 57–64, 1998.
318. Garber, L., “Melissa Virus Creates a New Type of Threat,” Computer, 32(6), 16–19, 1999.
319. Morris, D., Introduction to Communication Command and Control Systems, Pergamon Press, 1977.
320. Wang, H., Lee, M., and Wang, C., “Consumer Privacy Concerns about Internet Marketing,” Communications of the ACM, 41(3), 63–70, 1998.
321. Blackburn, N., “Can You Keep a Secret?,” The Jerusalem Post, September 10, 1999, pp. 28–29.
322. Rindfleisch, T., “Privacy, Information Technology and Health Care,” Communications of the ACM, 40(8), 92–100, 1997.
323. McDermid, J., Issues in the Development of Safety-Critical Systems, Safety Critical Systems, Chapman & Hall, 1993, pp. 16–42.
324. Deutertre, B. and Stavridou, V., A Model of Noninterference for Integrating Mixed Criticality Software Components, Weinstock, C. and Rushby, J. (Eds.), Dependable Computing for Critical Applications 7, IEEE, pp. 301–316, 1999.
325. Fraser, T., Badger, L., and Feldman, M., Hardening COTS Software with Generic Software Wrappers, IEEE Symposium on Security and Privacy, 1999.
326. Ybarra, M., “Resurging Business Challenges Hotel IT,” CIO Decisions, January 2006, pp. 26–28.
327. Arbaugh, W., Davin, J., Farber, D., and Smith, J., “Security for Virtual Private Intranets,” Computer, 31(9), 48–56, 1998.
328. Neumann, P., Computer Related Risks, Addison-Wesley, 1995.
329. Brewer, D., Applying Security Techniques to Achieving Safety, Directions in Safety-Critical Systems, Springer-Verlag, 1993, pp. 246–256.
330. Coe, E., “Maryland Unclear on New Driver’s License Law: Real ID Act Will Mean Extra Time when Trying to Renew, Obtain Card,” Cumberland Times-News, 5 December 2005, pp. 1A, 9A.
331. Powell, S.M., “Secret Court Modified Wiretap Requests: Intervention May Have Led Bush to Bypass Panel,” Seattle Post-Intelligencer, 24 December 2005.
332. System Safety Analysis Handbook, 2nd edition, System Safety Society, July 1997.
333. Billings, C.W., Grace Hopper: Navy Admiral and Computer Pioneer, Enslow Publishers, 1989.
334. Kellman, L., House Renews USA Patriot Act; Bush to Sign, ABCnews.go.com, 8 March 2006.
335. Babington, C., Congress Votes to Renew Patriot Act, With Changes, The Washington Post, pp. A3, 8 March 2006
336. DeGarmo, E.P., Sullivan, W.G., and Canada, J.R., Engineering Economy, 7th edition, Macmillan Publishing Company, 1984.
337. Herrmann, D., Security and Privacy Metrics, invited presentation to Federal Information Assurance Conference (FIAC), Washington, D.C., October 2005.