Governing for Enterprise Security - References

[Acuff 00] Acuff, Jr., A. Marshall. "Information Security Impacting Securities Valuations: Information Technology and the Internet Changing the Face of Business," Institute of Internal Auditors, 2000.
http://www.theiia.org/ITAudit/index.cfm?act=itaudit.archive&fid=143.

[AESRM 05] The Alliance for Enterprise Security Risk Management. "Convergence of Enterprise Security Organizations." Booz Allen Hamilton, November 8, 2005.

[Allen 05] Allen, Julia. "Governing for Enterprise Security." (CMU/SEI-2005-TN-023). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, June 2005.
http://www.sei.cmu.edu/library/abstracts/reports/05tn023.cfm.

[Allen 06a] Allen, Julia. "Why Leaders Should Care About Security." CERT Podcast Series: Security for Business Leaders, 2006-2007.
http://www.cert.org/podcast/.

[Allen 06b] Allen, Julia. "Security Is Not Just a Technical Issue." Build Security In web site, Department of Homeland Security, October 2006. https://buildsecurityin.us-cert.gov/daisy/bsi/articles/best-practices/management/563.html.

[Allen 06c] Allen, Julia. "Framing Security as a Governance and Management Concern: Risks and Opportunities." Department of Homeland Security, Build Security In web site, October 2006. https://buildsecurityin.us-cert.gov/daisy/bsi/articles/best-practices/management/565.html.

[Allen 06d] Allen, Julia. "Navigating the Security Practice Landscape." Department of Homeland Security, Build Security In web site, October 2006. https://buildsecurityin.us-cert.gov/daisy/bsi/articles/best-practices/deployment/582.html.

[Allen 06e] Allen, Julia. "Plan, Do, Check, Act." Department of Homeland Security, Build Security In web site, November 2006. https://buildsecurityin.us-cert.gov/daisy/bsi/articles/best-practices/deployment/574.html.

[APEC 05] APEC Privacy Framework. Asia-Pacific Economic Cooperation, 2005.
http://www.apec.org/apec/news___media/2004_media_releases/201104_apecminsendorseprivacyfrmwk.html.

[Baker 06] Global Privacy Handbook, Baker & McKenzie, 2006.

[Barker 04a] Barker, William C. Volume I: Guide for Mapping Types of Information and Information Systems to Security Categories, (NIST Special Publication 800-60, Version 2). Gaithersburg, MD: Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology, June 2004.
http://csrc.nist.gov/publications/nistpubs/index.html.

[Barker 04b] Barker, William C., et al. Volume II: Appendixes to Guide for Mapping Types of Information and Information Systems to Security Categories, (NIST Special Publication 800-60, Version 2). Gaithersburg, MD: Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology, June 2004.
http://csrc.nist.gov/publications/nistpubs/index.html.

[Bolton 03] Bolton, Joshua B. "OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002," September 26, 2003.
http://www.whitehouse.gov/omb/memoranda/m03-22.html#a.

[Bowen 06] Bowen, Pauline, et al. Information Security Handbook: A Guide for Managers (NIST Special Publication 800-100). Gaithersburg, MD: Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology, October 2006.
http://csrc.nist.gov/publications/nistpubs/index.html.

[Braithwaite 02] Braithwaite, Timothy. Securing E-Business Systems: A Guide for Managers and Executives. John Wiley & Sons, Inc., 2002.

[BRT 05] Business Roundtable. Principles of Corporate Governance 2005, Business Roundtable, November 2005.
http://www.businessroundtable.org/sites/default/files/CorporateGovPrinciples.pdf (pdf).

[BSA 03] Business Software Alliance. "Information Security Governance: Toward a Framework for Action." October 2003.
http://www.bsa.org/country/Research%20and%20Statistics/~/media/BD05BC8FF0F04CBD9D76460B4BED0E67.ashx.

[BSI 06] Business continuity management - Part 1: Code of Practice, (BS 25999-1:2006). London, United Kingdom: British Standards Institution, November 2006. Ordering information available at
http://shop.bsigroup.com/ProductDetail/?pid=000000000030157563.

[Caralli 04] Caralli, Richard. "Managing for Enterprise Security" (CMU/SEI-2004-TN-046). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, December 2004.
http://www.sei.cmu.edu/library/abstracts/reports/04tn046.cfm.

[Cashell 04] Cashell, Brian, et al. "The Economic Impact of Cyber-Attacks." Congressional Research Service, April 2004.
http://www.cisco.com/warp/public/779/govtaffairs/images/CRS_Cyber_Attacks.pdf (pdf).

[CGTF 04] Information Security Governance: A Call to Action, Corporate Governance Task Force Report, National Cyber Security Summit Task Force, April 2004.
http://www.cyberpartnership.org/InfoSecGov4_04.pdf (pdf).

[Chew 06] Chew, Elizabeth, et al. Guide for Developing Performance Metrics for Information Security, Initial Public Draft (NIST Special Publication 800-80). Gaithersburg, MD: Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology, May 2006.
http://csrc.nist.gov/publications/nistpubs/index.html.

[CISWG 04] Corporate Information Security Working Group. Adam H. Putnam, Chairman; Subcommittee on Technology, Information Policy, Intergovernmental Relations & the Census, Government Reform Committee, U.S. House of Representatives. "Report of the Best Practices and Metrics Teams." November 17, 2004; updated January 10, 2005.
http://www.educause.edu/LibraryDetailPage/666&ID=CSD3661.

[CNSS 01] Committee on National Security Systems. National Information Assurance Glossary, CNSS Instruction No. 4009, National Security Agency, June 2006.
http://www.cnss.gov/Assets/pdf/cnssi_4009.pdf (pdf).

[COC 06a] Achieving Competitiveness and Security: Financial Services Sector Study, Council on Competitiveness, 2006.

[COC 06b] "The Value of Resilience." Council on Competitiveness, Oct. 13, 2006.

[DHS 06] Privacy Impact Assessments: Official Guidance. U.S. Department of Homeland Security, The Privacy Office, March 2006.
http://www.dhs.gov/xlibrary/assets/privacy/privacy_pia_guidance_march_v5.pdf (pdf).

[EPIC 06] Privacy & Human Rights: An International Survey of Privacy Laws and Developments. Electronic Privacy Information Center and Privacy International, 2006. Ordering information available at
http://www.powells.com/biblio/1893044254?&PID=24075.

[FIPS 04] Standards for Security Categorization of Federal Information and Information Systems, Federal Information Processing Standards Publication (FIPS PUB 199). Gaithersburg, MD: Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology, February 2004.
http://csrc.nist.gov/publications/fips/.

[FISMA 02] Federal Information Security Management Act, Title III of the E-Government Act of 2002, Public Law 107-347.
http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=107_cong_public_laws&docid=f:publ347.107.pdf (pdf).

[FTC 02a] In re Eli Lilly and Co., File No. 012 3214, Docket No. C-4047.
http://www.ftc.gov/os/2002/01/lillycmp.pdf (pdf).

[FTC 02b] In re Eli Lilly and Co., Agreement Containing Consent Order, FTC No. 0123214, Jan 18, 2002.
http://www.ftc.gov/os/2002/01/lillyagree.pdf (consent order accorded final approval on May 10, 2002).

[Friedman 06] Friedman, Thomas. The World Is Flat [Updated and Expanded]: A Brief History of the Twenty-first Century, Farrar, Straus and Giroux, 2006.

[GAO 99] U.S. General Accounting Office. Federal Information System Controls Audit Manual. U.S. General Accounting Office, Accounting and Information Management Division, GAO/AIMD-12.19.6, January 1999. http://www.gao.gov/special.pubs/ai12.19.6.pdf (pdf).

[Gerdes 05] Gerdes, Michael. Review comments to [Allen 05], May 2005.

[Gordon 06] Gordon, Lawrence, and Martin Loeb. Managing Cybersecurity Resources: A Cost-Benefit Analysis, McGraw-Hill, 2006.

[Grance 04a] Grance, Tim, et al. Computer Security Incident Handling Guide (NIST Special Publication 800-61). Gaithersburg, MD: Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology, January 2004.
http://csrc.nist.gov/publications/nistpubs/index.html.

[Grance 04b] Grance, Tim, et al. Security Considerations in the Information System Development Life Cycle (NIST Special Publication 800-64 Rev. 1). Gaithersburg, MD: Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology, June 2004.
http://csrc.nist.gov/publications/nistpubs/index.html.

[Harris 06] Harris, Shon. "Introduction to Security Governance." SearchSecurity.com, August 22, 2006.
http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1210565,00.html?track=NL-431&ad=559554&asrc=EM_NLT_479998&uid=790142.

[Hash 05] Hash, Joan, et al. Integrating IT Security into the Capital Planning and Investment Control Process (NIST Special Publication 800-65). Gaithersburg, MD: Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology, January 2005.
http://csrc.nist.gov/publications/nistpubs/index.html.

[IFAC 04] International Federation of Accountants. Enterprise Governance: Getting the Balance Right, International Federation of Accountants, Professional Accountants in Business Committee, 2004.
http://www.ifac.org/Members/DownLoads/EnterpriseGovernance.pdf (pdf).

[IIA 01] Information Security Governance: What Directors Need to Know. Institute of Internal Auditors, Critical Infrastructure Assurance Project, 2001.
http://www.theiia.org/?doc_id=3061.

[ISACA 05a] Convergence of Enterprise Security Organizations. Information Systems Audit and Control Association, November 8, 2005.
http://www.isaca.org/ContentManagement/ContentDisplay.cfm?ContentID=22607.

[ISACA 05b] Segregation of Duties Within Information Systems. Information Systems Audit and Control Association, Certified Information Systems Auditor (CISA) Review Manual 2005 at 88-91.
http://www.isaca.org/Content/ContentGroups/Certification3/CRM_Segregation_of_Duties.pdf (pdf).

[ISO 05a] International Organization for Standardization. Information technology - Security techniques - Code of practice for information security management. ISO/IEC 17799:2005(E), Second edition, June 15, 2005.

[ISO 05b] International Organization for Standardization. Information technology - Security techniques - Information security management systems - Requirements. ISO/IEC 27001:2005(E), First edition, October 15, 2005.

[ITCI 06] IT Audit Checklist: Risk Management. IT Compliance Institute, 2006.
http://www.t2pa.com/analysis-a-advice/library/178-it-audit-checklist-risk-management.

[ITGI 03] IT Governance Institute. Board Briefing on IT Governance, IT Governance Institute, 2003.
http://www.itgi.org/Template_ITGIc9a4.html?Section=About_IT_Governance1&Template=/ContentManagement/ContentDisplay.cfm&ContentID=6658.

[ITGI 05a] Aligning CobiT, ITIL and ISO 17799 for Business Benefit: Management Summary. IT Governance Institute, Office of Government Commerce, and the IT Service Management Forum, 2005.
http://www.itgovernance.co.uk/files/ITIL-COBiT-ISO17799JointFramework.pdf#search=%22mapping%20cobit%20iso%2017799%22.

[ITGI 05b] IT Governance Institute. COBIT 4.0: Control Objectives for Information and related Technology. ITGI, 2005.
http://www.itgi.org and http://www.isaca.org.

[ITGI 06] IT Governance Institute. Information Security Governance: Guidance for Boards of Directors and Executive Management, 2nd Edition. ITGI, 2006.
http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Information-Security-Governance-Guidance-for-Information-Security-Managers.aspx.

[NIST 05] Revised NIST SP 800-26 System Questionnaire with NIST SP 800-53 References and Associated Security Control Mappings, (NIST SP 800-26Q). Gaithersburg, MD: Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology, April 2005.
http://csrc.nist.gov/publications/nistpubs/index.html.

[Ross 04] Ross, Ron, et al. Guide for the Security Certification and Accreditation of Federal Information Systems, (NIST Special Publication 800-37). Gaithersburg, MD: Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology, May 2004.
http://csrc.nist.gov/publications/nistpubs/index.html.

[Ross 05a] Ross, Ron, et al. Recommended Security Controls for Federal Information Systems, Draft (NIST Special Publication 800-53, Revision 1). Gaithersburg, MD: Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology, December 2006.
http://csrc.nist.gov/publications/nistpubs/index.html.

[Ross 05b] Ross, Ron, et al. Guide to Assessing the Security Controls in Federal Information Systems, 2nd Public Draft (NIST Special Publication 800-53A). Gaithersburg, MD: Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology, April 2006.
http://csrc.nist.gov/publications/PubsSPs.html.

[Ross 06] Ross, Ron. Managing Enterprise Risk in Today's World of Sophisticated Threats: A Framework for Developing Broad-Based, Cost-Effective Information Security Programs, National Institute of Standards & Technology, 2006. http://csrc.nist.gov/publications/nistpubs/index.html.

[Smedinghoff 06] Smedinghoff, Thomas J. "Where We're Headed-New Developments and Trends in the Law of Information Security." Wildman Harrold, Nov. 2006. http://www.wildmanharrold.com/index.cfm?fa=news.pubArticle&aid=5072F372-BDB9-4A10-554DF441B19981D7.

[Smedinghoff 07a] Smedinghoff, Thomas J. "The State of Information Security Law." November 2007. http://www.cert.org/archive/pdf/state_infosec_law0801.pdf (pdf).

[Smedinghoff 07b] Smedinghoff, Thomas J. "Trends in the Law of Information Security." Presentation to the Security Management Conference, ISACA Winnipeg chapter. November 2007. http://www.cert.org/archive/pdf/trends_law_infosec0801.pdf (pdf).

[Smedinghoff 07c] Smedinghoff, Thomas J. "Information Compliance Overload: Dealing with a Growing Corporate Legal Nightmare." Presentation to the Security Management Conference, ISACA Winnipeg chapter. November 2007. http://www.cert.org/archive/pdf/info_compliance0801.pdf (pdf).

[Steven 06] Steven, John. "Adopting an Enterprise Software Security Framework." IEEE Security & Privacy, IEEE Computer Society, March/April 2006. https://buildsecurityin.us-cert.gov/daisy/bsi/resources/published/series/bsi-ieee/568.html.

[Stoneburner 02] Stoneburner, Gary, et al. Risk Management Guide for Information Technology Systems (NIST Special Publication 800-30). Gaithersburg, MD: Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology, July 2002.
http://csrc.nist.gov/publications/nistpubs/index.html.

[Swanson 01] Swanson, Marianne. Security Self-Assessment Guide for Information Technology Systems (NIST Special Publication 800-26). Gaithersburg, MD: Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology, November 2001.
http://csrc.nist.gov/publications/nistpubs/index.html.

[Swanson 03] Swanson, Marianne, et al. Security Metrics Guide for Information Technology Systems (NIST Special Publication 800-55). Gaithersburg, MD: Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology, July 2003.
http://csrc.nist.gov/publications/nistpubs/index.html.

[Swanson 06] Swanson, Marianne, et al. Guide for Developing Security Plans for Federal Information Systems (NIST Special Publication 800-18 Rev. 1). Gaithersburg, MD: Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology, February 2006.
http://csrc.nist.gov/publications/nistpubs/index.html.

[Taylor 04] Taylor, Patrick. "A Wake Up Call to All Information Security and Audit Executives: Become Business-Relevant." Information Systems Control Journal 6, 2004.

[Westby 03] Westby, Jody R., editor. International Guide to Combating Cybercrime. American Bar Association, Privacy & Computer Crime Committee, Section of Science & Technology Law. American Bar Association, 2003. Ordering information available at
http://www.abanet.org/abastore/index.cfm?section=main&fm=Product.AddToCart&pid=5450030.

[Westby 04a] Westby, Jody R., editor. International Guide to Privacy. American Bar Association, Privacy & Computer Crime Committee, Section of Science & Technology Law. American Bar Association, 2004. Ordering information available at
http://www.abanet.org/abastore/index.cfm?section=main&fm=Product.AddToCart&pid=5450037.

[Westby 04b] Westby, Jody R., editor. International Guide to Cyber Security. American Bar Association, Privacy & Computer Crime Committee, Section of Science & Technology Law. American Bar Association, 2004. Ordering information available at
http://www.abanet.org/abastore/index.cfm?section=main&fm=Product.AddToCart&pid=5450036.

[Westby 05] Westby, Jody R., editor. Roadmap to an Enterprise Security Program. American Bar Association, Privacy & Computer Crime Committee, Section of Science & Technology Law. American Bar Association, 2005. Ordering information available at
http://www.abanet.org/abastore/index.cfm?section=main&fm=Product.AddToCart&pid=5450039.

[Wilcox 06] Wilcox, John C. "What's Next for Boards? Ten Landscape-Altering Trends," Directors & Boards, 2006.
http://directorsandboards.com/DBEBRIEFING/November2006/ColumnNovember2006.html.