What should an Information Systems Auditor eat?
Back to the quest: There had to be a faster approach to the overlapping mandates question, such as one single inventory of standards, frameworks and laws. Starting points included sources I use regularly, acclaimed web sites like K-NET[17], Security Benchmark[18], CERT/CC®[19], IIA[20], and the ISACA Member Downloads[21]. If you spend a portion of every day at these sites you will never be disappointed. On this particular day, I landed a substantial jewel, the newly released Aligning COBIT®, ITIL® and ISO 17799 for Business Benefit[22]. Nothing speaks louder to the cause of harmony among standards than the carefully planned marriage of giants: ISO/IEC 17799:2005 (developed by ISO[23] and the IEC[24]), COBIT® 3rd Edition[25] (under ISACA copyright[26]), and ITIL® (the flagship standard and product, produced by the United Kingdom’s Office of Government Commerce[27]). Barriers to effectively combining assessment frameworks are dismantled as each body revises its newest release, adapting vocabulary and control concepts wherever possible. The organizations worked together, leveraging the best each offers to business and supplying one definitive meaning: a single unified model which is useful to any person engaged in IT Governance.
I felt a new confidence (counted the pills again) and looked right into Must Read’s™ eyes, asking: “You still here? Take a hike! Beat it, scram. You’ve seen the list on K-Net. I don’t need you.”
This wasn’t even dignified by a response. Must Read™ smirked, the kind of smirk that mothers and high school teachers use to say “You can’t be serious,” which would have been bad enough, but then Mount Must Read’s™ reign of terror truly came down.
“Where do you get the a-u-d-a-c-i-t-y to claim competence using the exclusive direction of Everett C. Johnson[28] (ITGI's International President), Tom Lamm[29] (ISACA's Director of Research, Standards, and Academics), and a handful among thousands of standards from ISO? Can you even spell G-A-A-P?[30] It’s the perfect word to describe the span of your pathetic attempts at thinking. Can you tell me one thing about David Richards[31] (President of IIA)?”
This is when he threw the killer blow, tossing the Global Technology Audit Guide (GTAG[32]), Information Technology Controls[33] right in my face.
I live on a quiet street. No one will care if I scream.
Cliff Notes[34] were too risky. I might miss a critical detail, never having time to get off a second shot.
This would end in a single bullet. I picked up the Global Technology Audit Guide (GTAG) and without stopping, read every word to the last reference and copyright on the report cover’s back page.
In addition to appeasing Must Read™, the learning experience was tremendous. Like the great documents produced by ITGI and contributors to ISACA, this IIA Global Technology Audit Guide provided a comprehensive overview of approach and standards for IT Control Audit, including COBIT® as a primary and foundational IT Control standard. The journey, however, went beyond familiar ground, displaying a scrumptious menu of dishes I did not even know an IT Auditor was allowed to eat.
Reviewing the resources and contributor background shows IIA’s coordinated efforts with the AICPA[35], CIS – Center for Internet Security[36], CMU/SEI (Carnegie-Mellon University - Software Engineering Institute)[37], ISSA (Information Systems Security Association)[38], NACD (National Association of Corporate Directors)[39], and SANS Institute[40]. Just getting a group this size to agree on one paragraph is notable, but this document amounted to agreement on the entire IT Control Map. I’m sure I’ll continue my heavy use of COBIT® Online[41] as a fundamental tool for my practice, but the list of additional resources found in the GTAG held a great deal of promise.
Triumphant: “I shaved 7/10 cm off your peak without downloading Cliff Notes, summary, or random surfing. Bet you weren’t expecting that?”
Mount Must Read™ is still laughing. “Did you catch those footnotes, hyperlinks, appendixes, and references? You’ll be downloading all night!” He was right. They were new titles.
Touchdown! Mount Must Read™ 7, Hometown 0
I knew the “newly fallen Must Read’s” might accumulate a light dusting. November nights are like that. This single night’s accumulated information fall dumped the equivalent of two years of collected readings. I tried to relax, telling myself the titles would melt off by halftime. Nine years of paper grazing, web surfing, earned degrees, and professional collaboration built a library more than 2000 files high. Timestamps alone attested my entire 21st century digital whereabouts. How many titles could I miss? Halftime came and went with little to no melting. 900+ substantial regulations, frameworks, events and organizations remained firmly fallen, adding only height to the perilously high Mount Must Read™[42]. I need a better defense, or at least to get within punting range.
Blame someone
I wish I’d been raised by wolves. The cubs next door had it made: eating off the floor, playing in dirt, chasing mice for school credit and earning advanced degrees with nothing more than their instinct. Their Dad has a seat in the Senate. I’m the grown-up child of Mr. and Mrs. Quality Management. Mom’s name is ISO. Her life is a standard. Dad’s a complete perfectionist. His name is TQM[43]. What would they say if they could see me? Ivy League obedience school, private barking lessons and constant lectures: “there’s more to life than digging holes, chasing cars, HIPAA[44], SOX and GLBA[45]!”
Legal G-A-P
I had to turn this around quickly. First order of clean-up was the legal G-A-P[46]. The investment in reading on the topics of the Sarbanes-Oxley Act (SOA or SOX) Public Law 107-204[47], Gramm-Leach Bliley Act of 1999 (GLBA) Public Law 106-102[48], and The Health Insurance Portability and Accountability Act of 1996 (“HIPAA,” not HIPA) Public Law 104-191[49] exposed me to the Securities Exchange Act of 1934[50], crimes involving computer abuse and fraud, and specific areas affecting records management in audit such as 17a-4 in the final rule by the SEC. Please don’t ask how I missed FISMA, FOIA[51], or that government regulated industries use NIST[52] and FIPS as mandated by law. The list of regulations affecting IT standards alone quickly jumped over one hundred. Realizing there had to be a strategy to get my arms around this task, I began rating laws based on immediate IT Audit requirement. This still left over sixty regulations. Relegating laws exclusive to Britain and Canada to the items with less immediate impact only lowered the list by two[53]. Even attempts to separate “critical” from “background” material did not change the outcome: when I asked “how can not knowing this hurt me?” the answers were fairly substantial and, at the least, not to be ignored. I settled on the following three dozen laws, spending time reviewing each and keeping the summary in a database. I eventually read all the laws, but there are still items from the recent blizzard that compel me as more threatening areas of my mental g-a-p.
What I don't know can't hurt me
| Title | Type | Regulation Primary Name | Date | Valid Copy in Public Domain: Web Reference |
|---|---|---|---|---|
| United States of America Patriot Act of 2001 | United States Federal Law | P.L. 107-56, 115 Stat. 272 | October 26, 2001 | Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (U.S. Patriot Act) Act of 2001 |
| United States Copyright Law, Title 17 | United States Code (U.S. Code) | 17 U.S.C. §§ 101 - 810 | October 19, 1976 | Circular 92: Copyright Law of the United States of America and Related Laws Contained in Title 17 of the United States Code |
| Uniform Accountancy Act | State Board | Uniform Accountancy Act | November, 2002 | Uniform Accountancy Act, Third Edition, Revised, November, 2002 |
| Title 21 Code of Federal Regulations (21 CFR Part 11) Electronic Records; Electronic Signatures | Code of Federal Regulation | 21 CFR Part 11 | August 2003 | 21 CFR Part 11: Electronic Records; Electronic Signatures |
| Securities Exchange Act of 1934 | United States Code (U.S. Code) | 15 U.S.C. §§ 78 | July 1934 | Securities Exchange Act of 1934 |
| Section 17a-4: Final Rule: Applicability of CFTC and SEC Customer Protection, Recordkeeping, Reporting, and Bankruptcy Rules and the Securities Investor Protection Act of 1970 to Accounts Holding Security Futures Products | United States Federal Law | 15 U.S.C. §§ 78 Rule 17a-4 | 1934 | Final Rule: Applicability of CFTC and SEC Customer Protection, Recordkeeping, Reporting, and Bankruptcy Rules and the Securities Investor Protection Act of 1970 to Accounts Holding Security Futures Products |
| Sarbanes-Oxley Act of 2002 | United States Federal Law | P.L. 107-204 | July 2002 | Public Law 107–204, July 30, 2002, 116 Stat. 745 |
| Safe Harbor Privacy Framework | United States Code (U.S. Code) | 15 U.S.C. §§ 44-58 Section 5 | July 21, 2000 | Introduction to the Safe Harbor |
| Ronald W. Reagan National Defense Authorization Act for Fiscal Year 2005 | United States Federal Law | P.L. 108-375 | October 2004 | Public Law 108–375, October 28, 2004, 118 Stat. 1811 |
| Paperwork Reduction Act of 1995 | United States Federal Law | P.L. 104–13 | May 1995 | Public Law 104–13 |
| OMB Circular A-130: Management of Federal Information Resources | United States Office of Management and Budget Circular/Bulletin/Memorandum | OMB Circular A-130 | September 29, 1995 | Circular A-130: Management of Federal Information Resources |
| OMB Circular A-119, Federal Participation in the Development and Use of Voluntary Consensus Standards and in Conformity Assessment Activities | United States Office of Management and Budget Circular/Bulletin/Memorandum | OMB Circular A-119 | Effective February 19, 1998 | Revised OMB Circular A-119 |
| National Technology Transfer and Advancement Act of 1995 | United States Federal Law | P.L. 104-113 | March 7, 1996 | Public Law 104-113 |
| National Archives and Records Administration | United States Code (U.S. Code) | 44 U.S.C. §§ 2101 to 2118 | Founded in 1934 | NARA |
| Homeland Security Act of 2002 | United States Federal Law | P.L. 107-296 | 2002 | Homeland Security Act of 2002 |
| Health Insurance Portability and Accountability Act of 1996 | United States Federal Law | P.L. 104-191 | April 2003 | Public Law 104-191 |
| Gramm-Leach Bliley Act of 1999 | United States Federal Law | P.L. 106-102 | November 12, 1999 | Gramm-Leach Bliley Act |
| Freedom of Information Act | United States Code (U.S. Code) | P.L. 104-231 | 1966, Amended in 2002 | Freedom of Information Act |
| Foreign Corrupt Practices Act 1977 | United States Federal Law | P.L. 105-366 | 1977 | Foreign Corrupt Practices Act 1977 |
| FIPS Publication 201, Personal Identity Verification (PIV) for Federal Employees and Contractors | Federal Information Processing Standard | FIPS 201 | February 2005 | FIPS Publication 201, Personal Identity Verification (PIV) for Federal Employees and Contractors |
| FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems | Federal Information Processing Standard | FIPS 200 | July 2005 | FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems |
| FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems | Federal Information Processing Standard | FIPS 199 | February 2004 | FIPS Publication 199: Standards for Security Categorization of Federal Information and Information Systems |
| Final Act of The 1986-1994 Uruguay Round Of Trade Negotiations Agreement On Technical Barriers To Trade | International Trade Agreement | P.L. 103-465, 108 Stat. 4809 | April 15, 1994 | WTO legal texts - A Summary of the Final Act of the Uruguay Round |
| Federal Trade Commission (FTC) Act of 1914, amended in 1938 | United States Code (U.S. Code) | 15 U.S.C. §§ 41-58 | 1914, Amended in 1938 and in 2000 | Federal Trade Commission Act, Title 15 - Commerce and Trade |
| Federal Information Security Management Act of 2002 | United States Federal Law | P.L. 107-347, Title III | July 30, 2002 | Federal Information Security Management Act of 2002, 44 USC 101 note |
| Fair Credit Reporting Act or Bank Secrecy Act | United States Federal Law | P.L. 91-508 | 1970, Amended in 1996 and in 2003 | Internal Revenue Manual - 4.26.5 Bank Secrecy Act History and Law |
| Fair and Accurate Credit Transactions Act of 2003 | United States Federal Law | P.L. 108-159 | December 2003 | Public Law 108–159, December 4, 2003, 117 Stat. 1952; 15 U.S.C. §§ 1601 |
| Executive Order 13103 of September 30, 1998 - Computer Software Piracy | Executive Order | Executive Order 13103 | September 30, 1998 | Executive Order 13103: Computer Software Piracy |
| E-Government Act of 2002 | United States Federal Law | P.L. 107-347 | December 2002 | H. R. 2458: E-Government Act of 2002 |
| DCI Directive 6/3, Protecting Sensitive Compartmented Information within Information Systems | Director of Central Intelligence Directive | Central Intelligence Policy | June 1999 | DCID 6/3 - Policy |
| Cyber Security Research and Development Act of 2002 | United States Federal Law | P.L. 107-305 | February 7, 2002 | Cyber Security Research and Development Act of 2002 |
| National Institute of Standards and Technology Act, formerly Computer Security Enhancement Act of 1997, amendment to Computer Security Act of 1987 | United States Federal Law | P.L. 100-418 (was P.L. 100-235) | October 1998 | Computer Security Enhancement Act of 1997 (Reported in Senate); THOMAS -- U.S. Congress on the Internet |
| Computer Fraud and Abuse Act of 1986 | United States Code (U.S. Code) | 18 U.S.C. §§ 1030 | October 11, 1996 | Computer Fraud & Abuse Act |
| Clinger-Cohen Act of 1996 | United States Federal Law | P.L. 104-106 | 1996 | Illinois Land Conservation Act, P.L. 104-106 S.1124 |
| Chief Financial Officers Act of 1990, A Mandate for Federal Financial Management Reform | United States Federal Law | P.L. 101-576 | September 1991 | GAO/AFMD-12.19.4 CFO Act |
Please don’t make me go back to high school
Maybe it was withdrawal from pain medication or just pure frustration, but taking down Mount Must Read™ required some clean-up I’ve been putting off for too long. Most aspects of legal reference leave me totally confused. Seeing what seemed to be the same law as U.S. Code, Public Law, Code of Federal Regulation, Bill, Section, Circular, Directive, Amendment, or simply cited under a variety of entirely different names, convinced me that I wasn’t cut out to understand the law. In fact, I can’t tell if my own government follows the law. Maybe that is by design, but it seems that I should be able to. And I don’t mind shucking a little blame. Judging by printed and internet text, a lot of people are generally confused about the law.
Education Mandate: Almost every U.S. State has legally mandated basic mastery of U.S. Government and the foundations of our legal system as a requirement for high school graduation and/or examination equivalency. (See Citizenship Education Inclusion in Assessment and Accountability Systems[54], Copyright 2002 by the Education Commission of the States, ECS).
It seems safe to say, then, that any college graduate should be able to read a law and minimally appreciate its intent. This would also suggest that by the time we are earning our audit credentials, it should not fall to our national standards organizations to be accountable for this same requirement. I only suggest that the scope of our most impacting laws tends to be straightforward. My personal struggle is interpreting audit and business accountability within our own code of professional practice. I would never attempt to embark on this alone.
Good News, they pay people in congress to think
Researching legal statutes, national standards and the organization of code is cared for by our own government. (See How Our Laws Are Made[55]). Congress has allocated budget to assure timely reports on all upcoming and recent changes to our legal system. Found at Internet: Think Tanks & Research Institutes[56], SIL DC - List of Think Tanks[57], and Earth's Common Sense Think Tank[58], three independent sources support the following conclusion: the United States still pays people to think.
Congressional Research Service Reports[59] are legal summaries that even people with limited exposure to the law will fully understand. After drinking in a few days of legal process and glossary, I have to say, it isn’t as bad as you might think. Eventually, even I could swallow raw statute without holding my nose.
The short title, or name of a law, provides common language for the purpose of discussion and amendment by our members of congress. We avoid speaking in numbers, chapters, and sections by using “short titles” as a way to make laws and their amendments accessible. The overall intent of a Bill is enacted in the final rule of an Act, and enforced as positive law through a process of codification, where its language rests in permanent legal code[60]. (Codification is defined in the endnote.)
I admit the choice to cite an act as Public Law vs. its final area(s) in U.S. code is, for me at least, a judgment call. Laws, unlike us, are not created equal. How we cite them may require historical context. For example, dozens and even hundreds of amendments to any title or chapter of code can occur based on the final ruling of a single Act. In reverse, multiple acts can affect a single area of code. Whether we cite public law or code, we are talking about the exact same thing. Law is law. Regulation is regulation. Federal regulation for a single law will spawn further directives and regulation for alignment among all major regulatory bodies. Recognition plays a big factor in how we speak about legal ruling. When reading the word “SOX” (Public Law 107-204) most of us sense the allusion to financial controls and regulatory penalty. In ten years, reading “SOX” in text regarding ethics and financial control will likely be interpreted as a funny typographical error. Where a law is more recognized than its eventual areas of code, such as the legislation resulting in the Sarbanes-Oxley Act of 2002, using the short title makes more sense as a common frame of reference. The Securities Exchange Act of 1934, for example, extends concepts in the Securities Act of 1933, but has different scope and intent. They are not the same law. It’s easy to see why people become confused. Where a collection of acts continues to affect a single area of code, it is practical to bundle discussion into a single substantial area of legal reference, as for example the Copyright Law of the United States of America[61], sometimes identified as just “Title 17” within U.S. Code. As noted in the preface of this GPO[62] document,
The United States copyright law is contained in chapters 1 through 8 and 10 through 12 of title 17 of the United States Code. The copyright Act of 1976, which provides the basic framework for the current copyright law, was enacted on October 19, 1976, as P. L. 94-553, 90 Stat. 2541. Listed below in chronological order of their enactment are subsequent amendments to copyright law. Chapters 9 and 13 of title 17 contain statutory design protection that is independent of copyright protection. Chapter 9 of title 17 is the Semiconductor Chip Protection Act of 1984 (SCPA), as amended. On November 8, 1984, the SCPA was enacted as title III of P. L. 98-620, 98 Stat. 3335, 3347. Chapter 13 of title 17 is the Vessel Hull Design Protection Act (VHDPA). It was enacted on October 28, 1998 as title V of the Digital Millennium Copyright Act (DMCA), P. L. 105-304, 112 Stat. 2860, 2905. Subsequent amendments to the SCPA and the VHDPA are also included in the list below, in chronological order of their enactment.
Please don’t let a block of text unravel the entire argument. Consider the block again. Here’s what I see.
The United States copyright law is contained in chapters 1 through 8 and 10 through 12 of title 17 of the United States Code. The copyright Act of 1976, which provides the basic framework for the current copyright law, was enacted on October 19, 1976, as P. L. 94-553, 90 Stat. 2541. Listed below in chronological order of their enactment are subsequent amendments to copyright law. Chapters 9 and 13 of title 17 contain statutory design protection that is independent of copyright protection. Chapter 9 of title 17 is the Semiconductor Chip Protection Act of 1984 (SCPA), as amended. On November 8, 1984, the SCPA was enacted as title III of P. L. 98-620, 98 Stat. 3335, 3347. Chapter 13 of title 17 is the Vessel Hull Design Protection Act (VHDPA). It was enacted on October 28, 1998 as title V of the Digital Millennium Copyright Act (DMCA), P. L. 105-304, 112 Stat. 2860, 2905. Subsequent amendments to the SCPA and the VHDPA are also included in the list below, in chronological order of their enactment.
I am an Information Systems Auditor. This is my “take away” for “critical mass.”
Copyright Acts are codified in Title 17, Chapters 1-8 and 12-17 of Title 17, but not 9 and 13.
Critical and current statute representing roll up of copyright laws: Digital Millennium Copyright Act (DMCA), P.L. 105-304, 112 Stat. 2860, 2905
Both items are immediately added to my source documents database, representing two, not six, items for “critical reading.”
(Note: Endnote includes directions for joining the Information Security Management group as sponsored by ISACA. Here’s your chance to speak with the Eagles who influence the design of the Digital Millennium Copyright Act[63].)
Laws resurface based on the context of historical events. In some cases, a new name will be used to identify the revision of the Act. An example is the Computer Fraud and Abuse Act of 1986[64], also known as 18 U.S.C. § 1030, as the National Information Infrastructure Protection Act of 1996 (as amended), and as “§ 1030. Fraud and related activity in connection with computers,” the section heading found in the Legal Information Institute’s sanctioned rendering by title of all U.S. Code.
Say "Goodbye" to statute virginity
Like any of the frameworks we use, understanding the shape of Code and Federal Regulation goes a long way.
Warning to Dog-Squirrels and Sheep under the age of 18: The following title is not an actual directive. “Download the United States Code - Office of the Law Revision Counsel[65]” is an online U.S. Code library, managed under the authority of the U.S. House of Representatives. You can search and, yes, legally download every character in our Code… but, trust me on this, don’t do it.
| Title |
|---|
| Title 5: Government Organization and Employees (and Appendix) |
Give up the white paper crutch
There’s nothing wrong with an occasional white paper. Many are nothing more than benign generalizations of laws and standards, usually written to pass a class or sell a product. Laws, however, are neither static nor general. Even when accurately cited, laws are amended, superseded, repealed, codified, and renamed. White papers just sit on our hard drives. This is why we need at least one government approved and maintained repository in our circle of reference. The National Archives, the Government Accountability Office Portal, Thomas[66], and our Library of Congress are free and available online resources.
Reading laws instead of reading what others say about them supercharged my diet and completely removed my craving for smudge (i.e., legal fudge). If you let reading law evolve into a habit, you may experience a vision of the national landscape. The stronger our wings, the more our minds begin to soar. Mountains and valleys seen from a thousand feet in the air will take your breath away.
I only know this because I occasionally get a window seat to the West Coast. When I am lucky, I get to see the Rockies.
- U.S. House of Representatives Internet Law Library
- Statutes
- Code Of Federal Regulations - Background
- Code Of Federal Regulations - Searchable
- Thomas, In the spirit of Thomas Jefferson, legislative information from the Library of Congress
Can someone help me down from my horse?
Panic Attack: “No Officer, I swear on my vintage Batman comic books, I have no idea how all those copyrighted files got there.”
On day sixteen of my Cliff Note recovery, I discovered there is no ladder down from a high horse. You just have to jump. Day sixteen was a Saturday deleting 2000+ standards and white papers spanning 15 blissful digital years of “right click, save target as” copies, stored for no better reason than because “I could.”
The effort gained back a maxed-out drive share and ended an enormous waste of resources spent backing up essentially dead information. Even though we have long implemented Software Asset Management, content assets had been largely overlooked. Validating the right to store and save information extends beyond client and legal documents. Downloads need a valid reason to be stored on a business network. Valid licenses and accurate workstation configurations include all forms of content.
Any standard or law identified as a mandate will have one authoritative source. The documentation will be stored as a hyperlink reference, leaving copyrighted content in its rightful home and allowing for its timely removal and update by the document’s legal owner. The only exception to keeping links (whether publicly accessible or available by authentication) rather than local copies is the books and materials we purchase. Representing standards and guidelines used in professional practice, these should be managed as material assets, with locations and copies managed in the context of their copyright.
My Mother told me to say I’m sorry
“I'm Sorry.”
I had no grounds to comment on laws that conflict. In the event I do come across a question or an actual issue, we have Codification Legislation as managed by the Office of the Law Revision Counsel:
Codification Legislation - Office of the Law Revision Counsel
As currently proposed by H.R. 866 (109th Congress, 1st Session), and under the management of the Law Revision Counsel
Technical Corrections to the United States Code Public Law 93-554 (2 U.S.C. 285b) currently enforces technical corrections to the United States Code relating to cross references, typographical errors, and stylistic matters. […]
“Positive law codification is the process of preparing and enacting, one title at a time, a revision, and restatement of the general and permanent laws of the United States.
Because many of the general and permanent laws that are required to be incorporated into the United States Code are inconsistent, redundant, and obsolete, the Office of the Law Revision Counsel of the House of Representatives has been engaged in a continuing comprehensive project authorized by law to revise and codify, for enactment into positive law, each title of the Code. When this project is completed, all the titles of the Code will be legal evidence of the general and permanent laws and recourse to the numerous volumes of the United States Statutes at Large for this purpose will no longer be necessary.
Positive law codification bills prepared by the Office do not change the meaning or legal effect of a statute being revised and restated. Rather, the purpose is to remove ambiguities, contradictions, and other imperfections from the law.”
The legal process begins and ends with the same goal, to serve unique useful purpose with clear conditions, boundaries, and scope. Real issues of clarity can escalate as high as the United States Supreme Court. Representing a law left or right of original context, stretching its interpretation or extending its intent, creates the legal smudge that pollutes everyone’s atmosphere.
IIA and ISACA make frequent efforts to assure our accurate reference to U.S. and International Laws. In fact, my exposure to the EU Directive and cross-border privacy began with the paper produced in collaboration by ISACA and ISACAF, Electronic and Digital Signatures: A Global Status Report[67].
[16] Robin Basham, “Fish”, “Sheep”, “Snake”, “Dog”, “Wolf”, “Eagle”, in Compliance Farm™, 2005. Note: Inspired by and with thanks to A.J. Jacobs, Fractured Fairy Tales (1997) & Warner Brothers’ Looney Tunes (1961), amended by various mental pop-ups, most recently 2005.
[17] K-NET. Retrieved December 1, 2005 http://www.isaca.org/knet. Note: K-NET is provided by ISACA as a professional resource and describes it as "a global knowledge network for IT Governance, Control and Assurance" and “K-NET contains over 5,200 peer-reviewed web site resources pertaining to knowledge covering IT Governance, Assurance, Security and Control. Full access to K-NET is reserved for association members. In addition, a personalized tracking feature […]. Reference items are organized into logical categories of interest and concern".
[18] Dan Swanson & Michael Legary (2005). Security Benchmark. Retrieved December 1, 2005 from http://www.securitybenchmark.com. Note: Dan Swanson and Michael Legary's list of Information Security Organizations was recently listed among the top 5 security resources worldwide.
[19] CERT/CC, Computer Emergency Readiness Team/Coordination Center. Retrieved December 1, 2005 http://www.cert.org/. Note: CERT Coordination Center resources are coordinated by Carnegie Mellon University and the Software Engineering Institute.
[20] IIA, The Institute of Internal Auditors. Retrieved December 1, 2005 http://www.theiia.org.
[21] ISACA, loc.cit., ISACA Downloads. Retrieved December 1, 2005 from http://www.isaca.org. Note: Most downloads require ISACA membership.
[22] ITGI & OGC (2005). Aligning COBIT®, ITIL® and ISO 17799 for Business Benefit. Retrieved December 1, 2005 from http://www.isaca.org/.
[23] ISO, International Organization for Standards. Retrieved December 1, 2005 http://www.iso.org.
[24] IEC, International Electrotechnical Commission. Retrieved December 1, 2005 http://www.iec.ch/.
[25] COBIT®, loc.cit., COBIT®: Project. Retrieved December 1, 2005 from http://www.isaca.org/Content/NavigationMenu/Members_and_Leaders/CobiT6/Project1/CobiT_Project.htm. Note: COBIT® has recently released Edition 4.0.
[26] ITGI, IT Governance Institute. Retrieved December 1, 2005 http://www.itgi.org. Note: ITGI describes itself as "The IT Governance Institute (ITGI) exists to assist enterprise leaders in their responsibility to ensure that IT is aligned with the business and delivers value, its performance is measured, its resources properly allocated and its risks mitigated." and "[ITGI] is a not-for-profit research organization affiliated with the Information Systems Audit and Control Association® (ISACA®), a global not-for-profit professional membership organization focused on IT Governance, assurance and security, with more than 47,000 members in more than 140 countries. ITGI undertakes research and publishes COBIT®, an open standard and framework of controls and best practice for IT governance."
[27] OGC, Office of Government Commerce. Retrieved December 1, 2005 http://www.ogc.gov.uk. Note: As explained by the OGC as "[…] a UK government organization responsible for procurement and efficiency improvements in the UK public sector. OGC has produced world-class best practice guidance, including PRINCE (project management), MSP (Managing Successful Programs) and ITIL® (IT service management). ITIL® is used throughout the world and is aligned with the ISO/IEC 20000 international standard in service management."
[28] Everett C. Johnson, ITGI's International President, Named one of the top 100 most influential accountants in America, he additionally served on the American Institute of Certified Public Accountants (AICPA) Assurance Services Executive Committee and currently chairs the AICPA Privacy Task Force. He has served as chairman for the International Federation of Accountants (IFAC) Information Technology Committee and the AICPA Information Technology Research Subcommittee. Johnson has more than 40 years of experience in IS audit, control and security. He most recently was a partner at Deloitte & Touche, where he served as the Latin American regional director of the company’s enterprise risk services line and the US national and global leader for the computer assurance services practice.
[29] Staff Liaison: Thomas Lamm, Director of Research, Standards, and Academic Relations (tlamm@isaca.org), is the primary organizer and facilitator for the Standards Board, which is charged with the definition and development of IS auditing standards and their associated interpretations and guidelines. The board's current output, the ISACA IS Auditing Standards for IT audit, is published at http://www.isaca.org. The committee seeks ways to further disseminate ISACA's standards and guidelines through strategic alliances with other organizations; the IIA, for example, has adopted several ISACA guidelines as practice advisories.
[30] GAAP, Generally Accepted Accounting Principles. Retrieved December 1, 2005 http://www.fasab.gov/accepted.html.
[31] David Richards, President of IIA is described in public forum by IIA Chairman Bob McDonald, CIA, CGAP, as a leader who can build consensus on difficult issues such as globalization and strategic planning.
[32] The Institute of Internal Auditors. GTAG, Global Technology Audit Guide. Retrieved December 1, 2005 from http://www.theiia.org/index.cfm?doc_id=4706.
[33] GTAG, ibid., Guide 1: Information Technology Controls. Retrieved December 1, 2005 from http://www.theiia.org/index.cfm?doc_id=5166.
[34] John Wiley & Sons, Inc. CliffsNotes®. Retrieved December 1, 2005 from http://www.cliffsnotes.com/WileyCDA/Section/id-106262.html. Note: CliffsNotes, written as one word, is the registered trademark for the study aids that are commonly referred to as Cliff Notes, with a space.
[35] AICPA, American Institute of Certified Public Accountants. Retrieved December 1, 2005 http://www.aicpa.org/index.htm.
[36] CIS, Center for Internet Security. Retrieved December 1, 2005 http://www.cisecurity.org/. Note: CIS provides Benchmarks and Scoring Tools, free of charge.
[37] CMU/SEI, Carnegie Mellon University/Software Engineering Institute. Retrieved December 1, 2005 http://www.sei.cmu.edu/.
[38] ISSA, Information Systems Security Association. Retrieved December 1, 2005 http://www.issa.org/.
[39] NACD, National Association of Corporate Directors. Retrieved December 1, 2005 http://www.nacdonline.org/.
[40] SANS Institute, SysAdmin, Audit, Network, Security Institute. Retrieved December 1, 2005 http://www.sans.org/aboutsans.php.
[41] COBIT®, loc.cit., COBIT® Online. Retrieved December 1, 2005 from http://www.isaca.org.
[42] Note: The town zoning committee warned me. The additional 63 meters of paper puts Mount Must Read™ in a new category of land mass. I continue to argue the definition of hill vs. mountain based on the geological definition: "Hill: A natural land elevation, usually less than 1000 feet above its surroundings, with a rounded outline. The distinction between hill and mountain depends on the locality." My view is, if its base is in my office I can call it a hill.
[43] TQM, Total Quality Management. Retrieved December 1, 2005 http://www.managementhelp.org/quality/tqm/tqm.htm.
[44] United States Congress, "HIPAA", "Health Insurance Portability and Accountability Act of 1996", in Public Law 104-191, H.R. 3103, S. 1028, S. 1698, & Congressional Record Vol. 142 (1996), 110 STAT. 1936-2103.
[45] United States Congress, "GLBA", "Gramm–Leach–Bliley Act", in Public Law 106-102, H.R. 10, S. 900, & Congressional Record Vol. 145 (1999), Washington: U.S. Government Printing Office, 113 STAT. 1340-1481.
[46] GAP, Government Accountability Project. Retrieved December 1, 2005 http://www.whistleblower.org/template/index.cfm.
[47] United States Congress, "SOX", in Public Law 107-204, loc.cit.
[48] United States Congress, "GLBA", in Public Law 106-102, loc.cit.
[49] United States Congress, "HIPAA", in Public Law 104-191, loc.cit.
[50] United States Congress, "Securities Exchange Act of 1934", in 15 U.S.C. § 78, Title I - Regulation of Securities Exchanges, 1934, SEC 1-36.
[51] United States Congress, "FOIA", "Freedom of Information Act", in P.L. 104-231, FOIA Update Vol. XVII, No. 4, 1996, 110 STAT. 3048.
[52] NIST, National Institute of Standards and Technology. Retrieved December 1, 2005 http://www.nist.gov/. Note: NIST's standard authority statement reads: "The National Institute of Standards and Technology (NIST) developed this document in furtherance of its statutory responsibilities under the Federal Information Security Management Act (FISMA) of 2002, Public Law 107-347. NIST is responsible for developing standards and guidelines, including minimum requirements, for providing adequate information security for all agency operations and assets; but such standards and guidelines shall not apply to national security systems. This guideline is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130, Section 8b(3), Securing Agency Information Systems, as analyzed in A-130, Appendix IV: Analysis of Key Sections. Supplemental information is provided in A-130, Appendix III."
[53] European Parliament & The Council Of The European Union, "EUDPD", "EU Data Protection Directive", in Directive 95/46/EC, No L. 281 (1995), Luxembourg, Official Journal of the European Communities, p. 31; & Senate and House of Commons of Canada, Department of Justice Canada, "PIPEDA", "Personal Information Protection and Electronic Documents Act", in Bill C-54, 2000, c. 5. Note: EUDPD and PIPEDA will absolutely have an impact on the way most publicly owned and operated companies conduct their business. I simply narrowed the list to these two items and the laws of the WTO so I could create a consumable list.
[54] ECS, Education Commission of the States (2002). Citizenship Education Inclusion in Assessment and Accountability Systems. Retrieved December 1, 2005 from http://mb2.ecs.org/reports/Report.aspx?id=107.
[55] United States House of Representatives, Parliamentarian, Mr. Ney, & Charles W. Johnson. How Our Laws Are Made. Retrieved December 1, 2005 from http://thomas.loc.gov/home/lawsmade.toc.html.
[56] University of Central Oklahoma, College of Liberal Arts. Think Tanks & Research Institutes. Retrieved December 1, 2005 from http://www.libarts.ucok.edu/political/links/think.htm.
[57] SIL International. Think Tanks. Retrieved December 1, 2005 from http://www.sil.org/sildc/ThinkTanks_DC.htm.
[58] Earth's Common Sense Think Tank. United States Think Tank List. Retrieved December 1, 2005 from http://www.venusproject.com/ecs/world_news/think_tank_list.html.
[59] National Council for Science and the Environment. Congressional Research Service Reports. Retrieved December 1, 2005 from http://www.ncseonline.org/NLE/CRS/.
[60] NHGRI, National Human Genome Research Institute. Retrieved December 1, 2005 http://www.genome.gov/. Note: NHGRI provides a legal glossary including "Codification", defined as "laws or regulations that are codified are general and permanent laws or regulations that are arranged in subject-matter order by title or other major subdivision and section (as opposed to session laws, which are generally presented in chronological order). The text of the original law or regulation is collated with any subsequent amendments (additions to or deletions from the language of the original law or regulation), so as to provide the most up-to-date text of the law or regulation. Most bills or session laws indicate (either in the text or the margin) the title (or other major subdivision) and section number of the U.S. Code or the state code in which the law will appear."
[61] United States Congress, "Circular 92", "Copyright Law of the United States of America and Related Laws Contained in Title 17 of the United States Code", in United States Code, Title 17 (1976), Washington, U.S. Government Printing Office, Chapters 1-8 & 10-12.
[62] GPO, Government Printing Office. Retrieved December 1, 2005 http://www.gpoaccess.gov/index.html.
[63] United States Congress. "DMCA", "Digital Millennium Copyright Act", in Public Law 105-304, H.R. 2281, S. 2037, & Congressional Record Vol. 144 (1998), Washington: U.S. Government Printing Office, 112 Stat. 2860 & 2905. Note: A review of the DMCA reveals among its contributors the name of Mike S. Hines, who is frequently in discussion on various ISACA and CMU sanctioned list services. Mike contributes to the Information Security Management group, under ISACA sponsorship, mailto:info-sec-manager@orbit.sparklist.com. Recommendation: send an email with the word "join" in the subject and no other text to mailto:info-sec-manager@share.isaca.org. Here is a chance to speak with a few Eagles.
[64] United States Congress. "Computer Fraud and Abuse Act", in 18 U.S.C. § 1030, 1986. Retrieved December 1, 2005 from http://cio.doe.gov/Documents/CFA.HTM.
[65] U.S. House of Representatives. Download United States Code. Retrieved December 1, 2005 from http://uscode.house.gov/download/download.shtml.
[66] The Library of Congress. Thomas. Retrieved December 1, 2005 from http://thomas.loc.gov/.
[67] ISACAF, Information Systems Audit and Control Foundation (2002). Electronic and Digital Signatures - A Global Status Report. Retrieved December 1, 2005 from <http://www.isaca.org/Content/ContentGroups/Bookstore6/Intros_and_Summaries/Electronic_and_Digital_Signatures__A_Global_Status_Report____Executive_Introduction.htm>. Note: ISACA membership may be required to review this report.