APPENDIX H


References and Sources of Information


From its inception, the book has been designed so that each chapter is self-contained. For your convenience, all recommended readings and resources have been collected in this single location.

      • (ISC)2. www.isc2.org.

      • “Top-Down Approach for Security.” Network Magazine. Indian Express Newspapers, June 2003. www.networkmagazineindia.com/20030h6/is15.shtml.

      • ACM Computing Curricula: Information Technology Volume, Model Curriculum. ACM, Dec. 12, 2008. http://campus.acm.org/public/comments/it-curriculum-draft-may-2008.pdf.

      • AICPA. GAAP Codification. www.aicpa.org/InterestAreas/BusinessIndustryAndGovernment/Resources/FinancialAccountingReportingTax/DownloadableDocuments/FASB%20%20accounting%20means%20to%20CFOpdf.pdf.

      • Aiello, B. “How to Implement CM and Traceability in a Practical Way.” September 2013. www.cmcrossroads.com/article/how-implement-cm-and-traceability-practical-way.

      • Alles, E. J., Z.J. Geradts, and C.J. Veenman. “Source Camera Identification for Heavily JPEG Compressed Low Resolution Still Images.” Journal of Forensic Sciences, 2009. 54(3): 628–638.

      • American Recovery and Reinvestment Act of 2009 (ARRA). Title XIII, “Health Information Technology for Economic and Clinical Health Act (HITECH),” § 13600, 2009. www.gpo.gov/fdsys/pkg/BILLS-111hr1enr/pdf/BILLS-111hr1enr.pdf.

      • Information Security Handbook: A Guide for Managers (Special Publication 800-100). NIST, 2006, p. 16.

      • An Introduction to Computer Security: The NIST Handbook (Special Publication 800-12). NIST, 1996.

      • Armistead, E.L. Information Warfare Separating Hype from Reality. Potomac Books, 2007.

      • Assante, M.J. Testimony on Securing Critical Infrastructure in the Age of Stuxnet. National Board of Information Security Examiners, November 17, 2010.

      • Baker, Dixie B. Assessing Controlled Access Protection. The National Computer Security Center, Dec. 1, 2006. www.fas.org/irp/nsa/rainbow/tg028.htm.

      • BCI. www.thebci.org/about.htm.

      • Bejtlich, R. Extrusion Detection: Security Monitoring for Internal Intrusion. Addison-Wesley, 2005.

      • Bejtlich, R. The Tao of Network Security Monitoring: Beyond Intrusion Detection. Addison-Wesley, 2004.

      • Bem, Derek, and E. Huebner. “Computer Forensic Analysis in a Virtual Environment.” International Journal of Digital Evidence, 2007. 6, no. 2: 1–13.

      • Böhme, Rainer, et al. “Multimedia Forensics Is Not Computer Forensics.” Computational Forensics, 2009. pp. 90–103.

      • Bottom-up Investing in Investopedia.com. Investopedia ULC, 2007. www.investopedia.com/terms/b/bottomupinvesting.asp.

      • Bowen, P., et al. Information security: A Guide for Managers (Special Publication 800-100). NIST, 2006.

      • Braid, M. “Collecting Electronic Evidence After a System Compromise.” AUSCERT, 2001. www.auscert.org.au/render.html?it=2247.

      • Brehmer, B. “The Dynamic OODA Loop: Amalgamating Boyd’s OODA Loop and the Cybernetic Approach to Command and Control.” 10th International Command and Control Research and Technology Symposium, 2005. pp. 1–15.

      • Brooks, Frederick P. The Mythical Man-Month. Addison-Wesley, 1975.

      • Casey, E., and G.J. Stellatos. “The Impact of Full Disk Encryption on Digital Forensics.” ACM SIGOPS Operating Systems Review, 2008. 42(3): 93–98.

      • Catalogue of Threats, IT-Grundschutz Manual 2004. BSI (Bundesamt für Sicherheit in der Informationstechnik), Federal Office for Information Security, Germany, 2004. www.bsi.de/english/gshb/manual/download/threat-catalogue.pdf.

      • Center for Democracy and Technology. Health Privacy (web page), 2013. https://www.cdt.org/issue/health-privacy.

      • CERT-SA, Computer Emergency Response Team: Saudi Arabia, 2008. www.cert.gov.sa/.

      • Cheddad, A., et al. “Digital Image Steganography: Survey and Analysis of Current Methods.” Signal Processing, 2010. 90(3): 727–752.

      • Christensen, Sharon, et al. “An Achilles Heel: Denial of Service Attacks on Australian Critical Information Infrastructures.” Information & Communications Technology Law. 19, no. 1 (2010): 61–85.

      • Cloud Computing Synopsis and Recommendations. U.S. National Institute of Standards and Technology, 2012. http://csrc.nist.gov/publications/nistpubs/800-146/sp800-146.pdf.

      • Cloud Security Alliance. Cloud Controls Matrix Version 3, 2014. https://cloudsecurityalliance.org/download/cloud-controls-matrix-v3-0-1/.

      • CNSSI-4012, National Information Assurance Training Standard for Senior Systems Managers. June 2004. Supersedes NSTISSI No. 4012, August 1997.

      • CNSSI-4013, National Information Assurance Training Standard for System Administrators (SA). March 2004.

      • CNSSI-4014, Information Assurance Training Standard for Information Systems Security Officers. April 2004. Supersedes NSTISSI No. 4014, August 1997.

      • CNSSI-4016, National Information Assurance Training Standard for Risk Analysts. November 2005.

      • Code of Federal Regulations, Title 5, Administrative Personnel, Part 930, Subpart C—Employees Responsible for the Management or Use of Federal Computer Systems, Sections 930.301 through 930.305 (5 C.F.R. 930.301–305).

      • Conklin, Wm. Arthur, et al. Introduction to Principles of Computer Security: Security+ and Beyond. McGraw-Hill Education, March 2004.

      • Data classification. HDM Clariza Initiatives, June 16, 2007. www.trehb101.com/index.php?/archives/71-data-classifation.html.

      • Data Protection Act 1998, Chapter 29. 1998. www.legislation.gov.uk/ukpga/1998/29/data.pdf.

      • DeCew, JW. In Pursuit of Privacy: Law, Ethics, and the Rise of Technology. Cornell University Press, 1997.

      • Directive Administrative Controls. China Education and Research Network Computer Emergency Response Team (CCERT). https://www.cccure.org/Documents/HISM/015-019.html (Citing (ISC)2).

      • Dittrich, David, and S. Dietrich. “P2P As Botnet Command and Control: A Deeper Insight.” Proceedings of the 2008 3rd International Conference on Malicious and Unwanted Software (Malware), October 2008. http://staff.washington.edu/dittrich/misc/malware08-dd-final.pdf.

      • Do’s and Don’ts for Effective Configuration Management, TechTarget. http://blogs.pinkelephant.com/images/uploads/pinklink/Dos_Donts_For_Effective_Configuration_Management.pdf.

      • Dove, R. “Embedding Agile Security in System Architecture.” Insight 12, no. 2 (2009): 14–17.

      • DRI International. Generally Accepted Practices for Business Continuity Practitioners. Disaster Recovery Journal and DRI International, 2005. DRII. www.drii.org.

      • Drucker, Peter F. The Age of Discontinuity: Guidelines to Our Changing Society. William Heinemann Ltd., 1969.

      • Drucker, Peter F. Management: Tasks, Responsibilities, Practices. Harper & Row, 1973.

      • Electronic Privacy Information Center. http://epic.org/.

      • Encyclopedia of Applied Ethics. Academic Press, 1998.

      • Fabro, M., and V. Maio. Using Operational Security (OpSec) to Support a Cyber Security Culture in Control System Environment, 2007. http://csrp.inl.gov/Documents/OpSec%20Rec%20Practice.pdf.

      • Falliere, N., L.O. Murchu, and E. Chien. W32.Stuxnet Dossier. Symantec, February 2011. www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf.

      • Federal Information Security Management Act of 2002 (Public Law 107-347, Title III). December, 2002. http://csrc.nist.gov/drivers/documents/FISMA-final.pdf.

      • Federal Reserve Bank of Atlanta. Into the Breach: Protecting the Integrity of the Payment System, February 10, 2014. http://portalsandrails.frbatlanta.org/emv/.

      • Financial Accounting Standards Board. GAAP Report. www.fasb.org.

      • Financial Fraud Action UK. Fraud the Facts, 2013. www.financialfraudaction.org.uk/download.asp?file=2772.

      • FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems. National Institute of Standards and Technology, February 2004. http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf.

      • First Data. EMV and Encryption + Tokenization: A Layered Approach to Security. 2012. www.firstdata.com/downloads/thought-leadership/EMV-Encrypt-Tokenization-WP.PDF.

      • Friedlob, GT, and FJ Plewa. “An Auditor’s Primer on Encryption.” CPA Journal, 67.11 (1997): 40–46.

      • Friedlob, GT, FJ Plewa, T. Schleifer, and C.D. Schou. “An Auditor’s Introduction to Encryption.” Institute of Internal Auditors, 1998.

      • Frost, J.C., J.M. Springer, and C.D. Schou. Instructor Guide and Materials to Accompany Introduction to Principles of Computer Security: Security+ and Beyond. McGraw-Hill Education, 2004.

      • Frost, James, and C.D. Schou. “Looking Inward for Competitive Strength in the International Arena.” Presented at the Mountain Plains Management Association Meetings. October 1993.

      • G Data Development. G Data TechPaper #0271: Patch Management Best Practices. G Data, Germany, 2013.

      • Garfinkel, Simson. “Anti-forensics: Techniques, Detection, and Countermeasures.” The 2nd International Conference on i-Warfare and Security (ICIW), 2007. pp. 77–84.

      • Good Practice Guide Patch Management. NISCC National Infrastructure Security Co-ordination Center, 2006. www.docstoc.com/docs/7277421/Good-Practice-Guide-Patch-Management.

      • Good Practice Guidelines: A Framework for Business Continuity Management. Business Continuity Institute (BCI), 2005.

      • Gross, I., and P. Greaves. Risk Management: A Guide to Good Practice for Higher Education Institutions. HEFCE, 2001. www.hefce.ac.uk/pubs/hefce/2001/01_28/01_28.pdf.

      • Guide to CISSP. Information Security Certification, 2007. www.guidetocissp.com.

      • Gurgul, P. “Access Control Principles and Objective.” securitydocs.com, 2004. www.securitydocs.com/library/2770.

      • Hellman, Martin E. “The Mathematics of Public-Key Cryptography.” Scientific American, August 1979, pp.146–157.

      • Hernandez, Steven G. The Official (ISC)2 Guide to the HCISPP CBK. (ISC)2 Press, 2014.

      • Herold, R. Multi-dimensional Enterprise-wide Security: Corporate Reputation and The Definitive Guide to Security Inside the Perimeter. Realtime Publishers. http://searchsecurity.techtarget.com/generic/0,295582,sid14_gci1156151,00.html.

      • Hill, K. “How Target Figured Out A Teen Girl Was Pregnant Before Her Father Did.” Forbes, February 16, 2012. www.forbes.com/sites/kashmirhill/2012/02/16/how-target-figured-out-a-teen-girl-was-pregnant-before-her-father-did/.

      • U.S. Department of Health and Human Services. HIPAA Case Examples and Resolution Agreements. www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html.

      • Holtzman, DH. Privacy Lost: How Technology Is Endangering Your Privacy. Jossey-Bass, 2006.

      • Homeland Security Presidential Directive 12. Policy for a Common Identification Standard for Federal Employees and Contractors. August 2004.

      • Honeypot Background. honeyd.org, 2002. www.honeyd.org/background.php.

      • Howard, M., and S. Lipner. The Security Development Lifecycle, Microsoft Press, 2006.

      • Hu, Vincent, and K. Scarfone. Interagency Report 7874, “Guidelines for Access Control System Evaluation Metrics.” U.S. National Institute of Standards and Technology, September 2012. http://csrc.nist.gov/publications/nistir/ir7874/nistir7874.pdf.

      • Hu, Vincent, D.F. Ferraiolo, and D.R. Kuhn. Interagency Report 7316, “Assessment of Access Control Systems.” NIST, September 2006. http://csrc.nist.gov/publications/nistir/7316/NISTIR-7316.pdf.

      • IBM Internet Security Systems. A Strategic Approach to Protecting SCADA and Process Control Systems. www.iss.net/documents/whitepapers/SCADA.pdf.

      • Information Governance Toolkit. Information Security Assurance – Social Care Guidance. National Health Service (NHS), United Kingdom, June 16, 2007. https://www.igt.connectingforhealth.nhs.uk/guidance/IS_Sc_310_V5%2007-04-27.doc.

      • Information Security Media Group. “NIST Issues Access-Control Guidance.” Bank Info Security, Sept. 23, 2012. www.bankinfosecurity.com/nist-issues-access-control-guidance-a-5134.

      • Intelligence Community Directive Number 704. “Personnel Security Standards and Procedures Governing Eligibility for Access to Sensitive Compartmented Information and Other Controlled Access Program Information.” October 2008.

      • Interim Report to the Department of Homeland Security. Development of a Baseline Set of Technical Metrics, January 2007.

      • International Organization for Standardization and the International Electrotechnical Commission. Information Technology – Security Techniques – Code of Practice for Information Security Management (ISO/IEC 17799). ISO/IEC, 2005.

      • International Organization for Standardization and the International Electrotechnical Commission. Information Technology – Security Techniques – Code of Practice for Information Security Controls (ISO/IEC 27002). ISO/IEC, 2013. www.iso.org/iso/home/store/catalogue_ics/catalogue_detail_ics.htm?csnumber=54533.

      • International Organization for Standardization and the International Electrotechnical Commission. Information Technology – Security Techniques – Information Security Management Systems – Requirements (ISO/IEC 27001). ISO/IEC, 2005.

      • ISACA. www.isaca.org/.

      • ISO 9000:2000 Frequently Asked Questions. International Organization for Standardization (ISO), 2004. www.iso.org/iso/en/iso9000-14000/explore/transition/faqs.html?printable=true.

      • ISO TR 13569. Banking and Related Financial Services – Information Security Guidelines.

      • ISO/IEC 13335. Information Technology – Security Techniques – Management of Information and Communications Technology Security.

      • ISO/IEC 27001:2005. Information Technology – Security Techniques – Information Security Management Systems – Requirements.

      • ISO/IEC 27002:2005. Information Technology – Security Techniques – Code of Practice for Information Security Management.

      • ISO/IEC 27003:2010. Information Technology – Security Techniques – Information Security Management System Implementation Guidance.

      • ISO/IEC 27004:2009. Information Technology – Security Techniques – Information Security Management – Measurement.

      • ISO/IEC 27005:2011. Information Technology – Security Techniques – Information Security Risk Management.

      • ISO/IEC 27006:2011. Information Technology – Security Techniques – Requirements for Bodies Providing Audit and Certification of Information Security Management Systems.

      • ISO/IEC 27007:2011. Information Technology – Security Techniques – Guidelines for Information Security Management Systems Auditing.

      • ISO/IEC 27010:2012. Information Technology – Security Techniques – Information Security Management Guidelines for Inter-sector and Inter-organizational Communications.

      • ISO/IEC 27011:2008. Information Technology – Security Techniques – Information Security Management Guidelines for Telecommunications Organizations Based on ISO/IEC 27002.

      • ISO/IEC TR 27008:2011. Information Technology – Security Techniques – Guidelines for Auditors on Information Security Controls.

      • ISSA. www.issa.org/.

      • Jansen, W. Directions in Security Metrics Research (NIST Interagency Report 7564). NIST, April 2009.

      • Jelen, G. SSE-CMM Security Metrics. The National Institute of Standards and Technology (NIST) and Computer System Security and Privacy Advisory Board (CSSPAB) Workshop. Washington, D.C., June 13–14, 2000.

      • Jones, K.J., R. Bejtlich, and C.W. Rose. Real Digital Forensics: Computer Security and Incident Response. Addison-Wesley, 2005.

      • Karen, R. We’ve Had an Incident, Who Do We Get to Investigate. SANS Institute, 2002. www.sans.org/rr/whitepapers/incident/652.php.

      • Kent, K., and M. Souppaya. Guide to Computer Security Log Management (SP 800-92). NIST, 2006.

      • Kessler, Gary C. “Anti-forensics and the Digital Investigator.” Australian Digital Forensics Conference, 2007. p. 1.

      • Kirk, P. Crime Investigation: Physical Evidence and the Police Laboratory. Interscience Publishers, 1953.

      • Korea Internet Security Agency (KISA). www.kisa.or.kr/eng/main.jsp.

      • Kruse II, W.G., and J.G. Heiser. Computer Forensics: Incident Response Essentials. Addison-Wesley, 2001.

      • Kurosawa, K., K. Kuroki, and N. Akiba. “Individual Camera Identification Using Correlation of Fixed Pattern Noise in Image Sensors.” Journal of Forensic Sciences, 54(3), 2009. 639–641.

      • Linden, E.V. Focus on Terrorism, Volume 9. Nova Science Publishing, 2007.

      • “Little Inefficiencies Could Lead to Large Operational Losses/Risks.” Hi-Tech Security Solutions, Technews Publishing Ltd, 2006. www.securitysa.com/news.aspx?pklNewsId=144&pklIssueId=60&pklCategoryID=106.

      • Little, D.B., and D.A. Chapa. Implementing Backup and Recovery: The Readiness Guide for the Enterprise. Wiley, 2003.

      • Maconachy, V.C., et al. “A Model for Information Assurance: An Integrated Approach.” Proceedings of the 2nd Annual IEEE Systems, Man, and Cybernetics Information Assurance Workshop, West Point, New York. June 5–6, 2001. pp. 306–310.

      • Malaysian Public Sector Information Security Risk Assessment Methodology (MyRAM), 2006, Malaysian Administrative Modernisation and Management Planning Unit (MAMPU), Malaysia.

      • Manadhata, P.K., et al. An Approach to Measuring a System’s Attack Surface, CMU-CS-07-146. Carnegie Mellon University, August 2007. http://reports-archive.adm.cs.cmu.edu/anon/2007/CMU-CS-07-146.pdf.

      • Manson, Dan, et al. “Is the Open Way a Better Way? Digital Forensics Using Open Source Tools.” System Sciences, 2007. HICSS 2007. 40th Annual Hawaii International Conference, pp. 266b–266b. IEEE, 2007.

      • Marlin, S. “Customer Data Losses Blamed on Merchants and Software.” Information Week, 2005. www.informationweek.com/showArticle.jhtml?articleID=161601930.

      • McConnell, P. A Perfect Storm: Why Are Some Operational Losses Larger Than Others? Portal Publishing Ltd. www.continuitycentral.com/Perfect_Basel.pdf.

      • McKemmish, Rodney. “What Is Forensic Computing?” Australian Institute of Criminology, 1999.

      • Mitropoulos, S., et al. “On Incident Handling and Response: A State-of-the-Art Approach.” Computers & Security, 25, no. 5 (2006): 351–370.

      • Mohay, George M., et al. Computer and Intrusion Forensics. Artech House, 2003.

      • Morris, Thomas H., et al. “Engineering Future Cyber-physical Energy Systems: Challenges, Research Needs, and Roadmap.” North American Power Symposium (NAPS). pp. 1–6. IEEE, 2009.

      • Morris, Thomas, R. Vaughn, and Y.S. Dandass. “A Testbed for SCADA Control System Cybersecurity Research and Pedagogy.” Proceedings of the Seventh Annual Workshop on Cyber Security and Information Intelligence Research. p. 27. ACM, 2011.

      • MyCERT, Malaysia Computer Emergency Response Team. 2013. www.mycert.org.my/en/index.html.

      • NASA IT Security Handbook: Access Control. U.S. National Aeronautics and Space Administration, Dec. 21, 2011. www.nasa.gov/pdf/613762main_ITS-HBK-2810.15-01_%5BAC%5D.pdf.

      • Nash, A., et al. PKI: Implementing and Managing E-security. McGraw-Hill Education, 2001.

      • National Cyber Security Research and Development Challenges Related to Economics, Physical Infrastructure and Human Behavior: An Industry, Academic and Government Perspective. The Institute for Information Infrastructure Protection (I3P), 2009.

      • National Institute of Standards and Technology Federal Information Processing Standards Publication 201-1, Personal Identity Verification (PIV) of Federal Employees and Contractors. March 2006.

      • National Institute of Standards and Technology. Special Publication 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories. NIST, June 2004.

      • National Institute of Standards and Technology. Special Publication 800-18, Revision 1, Guide for Developing Security Plans for Federal Information Systems. February 2006.

      • National Institute of Standards and Technology. Special Publication 800-30, Revision 1, Guide for Conducting Risk Assessments. September 2012.

      • National Institute of Standards and Technology. Special Publication 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach. February 2010.

      • National Institute of Standards and Technology. Special Publication 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations. August 2009.

      • National Institute of Standards and Technology. Special Publication 800-53A, Revision 1, Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans. June 2010.

      • National Institute of Standards and Technology. Special Publication 800-137, Initial Public Draft, Information Security Continuous Monitoring for Federal Information Systems and Organizations. December 2010.

      • National Institute of Standards and Technology. Special Publication 800-39, Managing Information Security Risk: Organization, Mission, and Information System View. March 2011.

      • National Institute of Standards and Technology. Special Publication 800-16, A Role-Based Model for Federal Information Technology/Cyber Security Training. NIST. http://csrc.nist.gov/publications/drafts/800-16-rev1/draft_sp800_16_rev1_2nd-draft.pdf.

      • National Institute of Standards and Technology. Special Publication 800-100, Information Security Handbook: A Guide for Managers. October 2006.

      • National Institute of Standards and Technology. Special Publication 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations. April 2013.

      • National Institute of Standards and Technology. Special Publication 800-60, Volume I Revision 1, Guide for Mapping Types of Information and Information Systems to Security Categories. NIST, 2008. http://csrc.nist.gov/publications/nistpubs/800-60-rev1/SP800-60_Vol1-Rev1.pdf.

      • Nestler, Vincent J. Computer Security Lab Manual (Information Assurance and Security). McGraw-Hill Education, 2005.

      • Nestler, Vincent J., et al. Principles of Computer Security CompTIA Security+ and Beyond Lab Manual. McGraw-Hill Education, 2011.

      • Ng, T.T., et al. “Passive-Blind Image Forensics.” Multimedia Security Technologies for Digital Rights. Academic Press, 2006. pp. 383–412.

      • NIATEC training materials web site. http://niatec.info/pdf.aspx?id=169.

      • Nichols, R. Defending Your Digital Assets Against Hackers, Crackers, Spies, and Thieves. McGraw-Hill Education, 2000.

      • NIST FIPS 140 Series. http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm.

      • NIST FIPS 140-1. http://csrc.nist.gov/publications/fips/fips1401.htm.

      • NIST FIPS 140-2. http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf.

      • NIST FIPS 200, Minimum Security Requirements for Federal Information and Information Systems. March 2006.

      • NIST. Process or Product Monitoring and Control. www.itl.nist.gov/div898/handbook/toolaids/pff/pmc.pdf.

      • NIST. What Are Process Control Techniques? www.itl.nist.gov/div898/handbook/pmc/section1/pmc12.htm.

      • NSTISSI-4011, National Training Standard for Information Systems Security (INFOSEC) Professionals. NSTISSC, June 1994. https://www.cnss.gov/CNSS/issuances/Instructions.cfm.

      • NSTISSI-4015, National Training Standard for Systems Certifiers. November 2000.

      • Office of Management and Budget Memorandum M-01-05, Guidance on Inter-Agency Sharing of Personal Data—Protecting Personal Privacy. December 2000.

      • Office of Management and Budget Memorandum M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002. September 2003.

      • Office of Management and Budget Memorandum M-04-26, Personal Use Policies and File Sharing Technology. September 2004.

      • Office of Management and Budget. Circular A-130, “Appendix III, Transmittal Memorandum #4, Management of Federal Information Resources.” November 2000.

      • Official Journal of the European Communities. Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications). www.spamlaws.com/f/docs/00-5-ec.pdf.

      • Organization for Economic Co-operation and Development. OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, 1980. www.oecd.org/internet/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm.

      • Pauna, Adrian, and K. Moulinos. “Window of Exposure…A Real Problem for SCADA Systems?” ENISA, December 2013. www.enisa.europa.eu/activities/Resilience-and-CIIP/critical-infrastructure-and-services/scada-industrial-control-systems/window-of-exposure-a-real-problem-for-scada-systems.

      • Payment Card Industry (PCI) Data Security Standard, November 2013. https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf.

      • Payment Card Industry (PCI). PCI Point-to-Point Encryption: Solution Requirements and Testing Procedures, July 2013. https://www.pcisecuritystandards.org/documents/P2PE_Hybrid_v1.1.1.pdf.

      • Payment Card Industry Data Security Standard. PCI DSS Applicability in an EMV Environment, Version 1, October 2010. https://www.pcisecuritystandards.org/documents/pci_dss_emv.pdf.

      • Payne, S.C. A Guide to Security Metrics. SANS Security Essentials GSEC Practical Assignment, Version 1.2e. June 19, 2006. www.sans.org/reading_room/whitepapers/auditing/55.php.

      • PCI Security Standards Council. PCI for Small Merchants. https://www.pcisecuritystandards.org/smb/index.html.

      • Physical and Environmental Security Guideline. Information Technology at Emory University, Atlanta. http://it.emory.edu/showdoc.cfm?docid=1860.

      • Pipkin, D. Information Security: Protecting the global enterprise. Hewlett-Packard, 2000.

      • Ponemon Institute. Third Annual Survey on Medical Identity Theft. June 2012. www.ponemon.org/local/upload/file/Third_Annual_Survey_on_Medical_Identity_Theft_FINAL.pdf.

      • Porter, M.E. Competitive Advantage. Free Press, 2004. www.12manage.com/methods_porter_competitive_advantage.html.

      • Prahalad, C.K., and G. Hamel. “The Core Competence of the Corporation.” Harvard Business Review, May–June 1990.

      • Preston, W.C. Backup & Recovery. O’Reilly Media, 2007.

      • Privacy Act of 1974 (P.L. 93-579).

      • Privacy Rights Clearinghouse. Chronology of Data Breaches 2005 – Present. https://www.privacyrights.org/data-breach.

      • Prosise, C., K. Mandia, and M. Pepe. Incident Response and Computer Forensics. McGraw-Hill Education, 2003.

      • Rasmussen, GT. Implementing Information Security: Risks vs. Cost. 2005. www.gideonrasmussen.com/article-07.html.

      • Report to the Department of Homeland Security. INL/EXT-06-12016, Cyber Security Metrics, December 2006.

      • Risk Management, AS/NZS 4360:1999. Standards Association of Australia, 1999.

      • Rosenbush, Steve. “Target Warning Shows Limits of Cyber Intelligence.” The Wall Street Journal, CIO Journal, February 14, 2014. http://blogs.wsj.com/cio/2014/02/14/target-warning-shows-limits-of-cyber-intelligence/.

      • Russell, C. “Security Awareness – Implementing an Effective Strategy.” SANS Institute, 2002. www.sans.org/reading_room/whitepapers/awareness/416.php.

      • Ryan, D., J.C.H. Julie, and C.D. Schou. On Security Education, Training, and Certifications. Information Systems Audit and Control Association, 2004.

      • Sademies, S. Process Approach to Information Security Metrics in Finnish Industry and States Institutions. VTT Technical Research Center of Finland, 2004. www.vtt.fi/inf/pdf/publications/2004/p544.pdf.

      • Sadowsky, G., et al. Information Technology Security Handbook. The International Bank for Reconstruction and Development. www.infodev-security.net/book/.

      • SAI Global. Practitioners Guide to Business Continuity Management (HB 292-2006). SAI, 2006.

      • Skoudis, Ed, and SANS Institute. Incident Handling Guidelines. SANS, 2004.

      • SANS Institute. www.sans.org/.

      • Savola, Reijo M. Towards a Taxonomy for Information Security Metrics. International Conference on Software Engineering Advances (ICSEA 2007). Cap Esterel, France, August 2007.

      • Scarfone, K., and P. Mell. Guide to Intrusion Detection and Prevention Systems (SP800-94). NIST, 2007.

      • Schmidt, Howard A. Larstan’s The Black Book on Government Security. Transition Vendor, 2006.

      • Schmidt, Howard A. Patrolling Cyberspace: Lessons Learned from a Lifetime in Data Security. Larstan Publishing, 2006.

      • Schou, Corey D., and D.P. Shoemaker. Information Assurance for the Enterprise: A Roadmap to Information Security. McGraw-Hill Education, 2008.

      • Schou, Corey D., et al. “Defining Information Security Education, Training, and Awareness Needs Using Electronic Meeting Space.” In Enabling Technologies for Law Enforcement and Security (pp. 356–367). International Society for Optics and Photonics, January 1999.

      • Schou, Corey D., et al. “Business Process Reengineering: Increasing Empowerment And Enablement.” Proceedings Federal Software Technology Conference. Salt Lake, Utah. April 1995.

      • Schou, Corey D., and K. J. Trimmer. “Information Assurance and Security,” Journal of Organizational and End User Computing, vol. 16, no. 3, July–September 2004.

      • Schou, Corey D., W.V. Maconachy, and J. Frost. “Developing Awareness, Training and Education: A Cost Effective Tool for Maintaining System Integrity.” SEC 1993, pp. 53–63.

      • PCI Security Standards Council. PCI SSC Data Security Standards Overview. https://www.pcisecuritystandards.org/security_standards/.

      • Security Tools to Administer Windows Server 2012. Microsoft, October 2012. http://technet.microsoft.com/en-us/library/jj730960.aspx.

      • Slay, J., and M. Miller. The Maroochy Water SCADA Breach: Implications of Lessons Learned for Research in Advances for Critical Infrastructure Protection. Springer, 2007.

      • Slay, J., et al. “Process Control System Security and Forensics: A Risk Management Simulation.” Proceedings of SIMTECT 09. Adelaide, June 15–19, 2009.

      • Stamp, M. Information Security Principles and Practice. Wiley-Interscience, 2005.

      • Standard for Federal Employees and Contractors. August 2004.

      • Sullivan, D. Balancing the Cost and Benefits of Countermeasures. RealTime Publishers, 2007. http://searchsecurity.techtarget.com/general/0,295582,sid14_gci1237327,00.html.

      • Swanson, M., and B. Guttman. Generally Accepted Principles and Practices for Securing Information Technology Systems. NIST, 1996.

      • Swanson, M., et al. Contingency Planning Guide for Information Technology Systems (SP 800-34). NIST, 2002.

      • Swanson, M., et al. Security Metrics Guide for Information Technology Systems (Special Publication 800-55). U.S. Government Printing Office, 2003.

      • The CIS Security Metrics Service. The Center for Internet Security (CIS), July 1, 2008. http://securitymetrics.org/content/attach/Metricon3.0/metricon3-kreitner%20handout.pdf.

      • The Common Criteria Evaluation and Validation Scheme. www.niap-ccevs.org/cc-scheme/.

      • The European Data Protection Directive, 2001. http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2001:008:0001:0022:en:PDF.

      • The First National Security Statement to the Australian Parliament. The Prime Minister of Australia the Hon. Kevin Rudd MP, December 4, 2008. http://pmrudd.archive.dpmc.gov.au/sites/default/files/file/documents/20081204_national_security_statement.pdf.

      • The Honeynet Project. www.honeynet.org/about.

      • The Patient Protection and Affordable Care Act of 2010. Pub. L. No. 111-148, § 124 Stat. 119, 2010. www.gpo.gov/fdsys/pkg/PLAW-111publ148/pdf/PLAW-111publ148.pdf.

      • Tipton, Harold F., and S. Hernandez. Official (ISC)2 Guide to the CISSP CBK, 3rd edition. (ISC)2 Press, 2012.

      • Tipton, Harold F., and M. Krause. Information Security Management Handbook, 5th edition. Auerbach, 2006.

      • Tipton, Harold F., and M. Krause. Information Security Management Handbook, 4th Edition. Auerbach, 2002.

      • Toigo, J.W. Holy Grail of Data Storage Management. Prentice Hall, 1999.

      • Tom, P. Data Protection and Information Lifecycle. Prentice Hall, 2006.

      • Trimmer, K.J., C.D. Schou, and K. Parker. “Enforcing Early Implementation Of Information Assurance Precepts Throughout The Design Phase.” Journal of Informatics Education Research, 2007.

      • U.S. CERT. United States Computer Emergency Readiness Team, 2013. www.us-cert.gov/.

      • U.S. General Accounting Office. “Report to the Ranking Minority Member, Subcommittee on 21st Century Competitiveness, Committee on Education and the Workforce, House of Representatives, EMPLOYEE PRIVACY – Computer-Use, Monitoring Practices, and Policies of Selected Companies.” GAO-02-717, 2002. www.gao.gov/new.items/d02717.pdf.

      • United States National Initiative for Cybersecurity Education (NICE). National Cybersecurity Workforce Framework. http://csrc.nist.gov/nice/framework/.

      • User’s Guide: How to Raise Information Security Awareness. European Network and Information Security Agency, Dec. 1, 2006. www.enisa.europa.eu/doc/pdf/deliverables/enisa_a_users_guide_how_to_raise_IS_awareness.pdf.

      • Vaughn, R. Jr., R. Henning, and A. Siraj. Information Assurance Measures and Metrics – State of Practice and Proposed Taxonomy. 30th Hawaii International Conference on System Sciences, Big Island, Hawaii, January 7–10, 2002.

      • Verizon. The 2013 Data Breach Investigations Report. www.verizonenterprise.com/resources/reports/rp_data-breach-investigations-report-2013_en_xg.pdf.

      • Von Lubitz, Dag KJE, et al. “All Hazards Approach to Disaster Management: The Role of Information and Knowledge Management, Boyd’s OODA Loop, and Network-Centricity.” Disasters. 32, no. 4 (2008): 561–585.

      • Wang, Abigail. Smart Chip Credit Cards Wouldn’t Have Saved Target. http://securitywatch.pcmag.com/internet-crime/320071-smart-chip-credit-cards-wouldn-t-have-saved-target.

      • Wen, J., D. Schwieger, and P. Gershuny. “Internet Usage Monitoring in the Workplace: Its Legal Challenges and Implementation Strategies.” Information Systems Management Archive, January 2007, Volume 24, Issue 2, pp. 185–196.

      • What Is a Honeynet? SearchSecurity.com, 2007. http://searchsecurity.techtarget.com/definition/honeynet.

      • Wood, CC. Information Security Roles & Responsibilities Made Easy. PentaSafe Security Technologies, 2002.

      • Yasinsac, Alec, and Y. Manzano. “Policies to Enhance Computer and Network Forensics.” Proceedings of the 2001 IEEE Workshop on Information Assurance and Security United States Military Academy. West Point, NY, June 5–6, 2001.
