The Perils of Mount Must Read™: Confessions of a Cliff Note Junky [Go to Preface] [Table of Contents] Are you sure I’m in recovery? I will conquer Mount Must Read™ Waste no time Compliance Farm™(sidebar) What should an IS Auditor eat? Touchdown! Blame someone Legal G-A-P What I dont know Please don’t ... back to high school Congress paid to think Say "Goodbye" to statute virginity Give up the white paper crutch Can someone help me down My Mother told me to say I’m sorry Basic principals of a well rounded diet How do you keep that stunning figure? Trade secrets You can’t make me download! GAO, is that you? Regarding recovery Even the score The diet starts today Birth records, death certificates If it makes sense, it exists A trip to the Standards Mall Lowest Common Denominator How low can you go? The more you know, the less you Fundamental Five A simpler selection criteria How did I miss the Common Criteria? These are not Cliff Notes Seems like a Schema to me Where are you taking me? Honest Doc, I looked Get to higher ground Open the computer bay, HAL Naked without our tools Second greatest hook of all time COTS alone can’t save us Process alone can’t save us Factors affecting world trade: Birth announcement Enough about them, let’s talk about Did you happen to notice ? A problem not owned You want me to kill them now? “Dreams are like stars... I don’t want a baby brother Competition is the spice of life Get the data and proportionality Does the punishment fit the crime? Do you mind one last question? Why didn’t I write any of that? Conclusion & Appendix Stuff Just Rules Play Evolution Printer Friendly Text

Preface: ...Why should anyone read a story about a possessed reading pile and a recovering workaholic? With liberal dose of fantasy and humor, “The Perils of Mount Must Read™ chronicles a quest to conquer the mountain of reading required to just stay competent in information audit and technology. Admittedly, the intended audience has some background in compliance and IT. Even if the reader is not an IT auditor, the challenge to stay ahead of new tools and research in an industry with no respect for “too much information” is a familiar predicament. Add to that, an ego driven compulsion to make sense of every digitally available IT resource, and you have the essence of a modern day tragic hero, an information overload villain, and a quest for information peace and enlightenment. Becoming caught up in the race to remain competent in one’s profession is probably not unique to audit or technology. Blending fiction and truth, the tale aims for insight, suggesting solutions to the problem of what to read and who to regard as “expert” in our field. Laugh with me or at me, but please relax and consider quality over quantity as an alternative to drinking from the digital fire hose. Events transpire between October and December, and conclude with the New Year, 2006. Part fantasy and part truth, the characters admit their flaws and evolve a strategy for survival against “The Perils of Mount Must Read™.“ Many thanks to the persons who provided a wealth of great resources. Credits are scattered throughout the story and detailed in the endnotes. Hope you enjoy the read. Kind Regards, Robin Basham, M.IT, M.Ed. CISA, ITsM [TOP]

Basic principals of a well rounded diet

Being a cliff note junky, my health condition had long shown signs of chronic “Vertical Stack.” Left untreated for a period of many years, I ran risk of acquiring “Swiss Cheese” syndrome.

Well rounded, balanced consumption across all major food groups, minimizing potential gaps in awareness as might cause failures during periods of stress (i.e., climate change in career stalls, shifts in corporate regulations, and so on). Balanced consumption is best achieved by a diet of mainly raw publications, as processing is known to remove most essential nutrients.

At the opposite end of “well rounded” is the malnutrition condition known as “vertically stacked.” A stacked professional maximizes consumption in a narrow selection of food groups producing single areas of expertise characterized by tremendous height. Weakness includes, stacks can’t roll, tip easily, and once down, are impossible to stand back up. Similar to “Stack” is a state known as “Swiss Cheese”; low calorie snack, full of holes, not a substantial meal.

These conditions are quickly cured by a steady diet including areas high in nutritional content. Fresh, inexpensive content is found in a range of local markets including the FFIEC[68], NIST[69], AICPA[70], COSO[71], National Archives and Records Administration, (NARA)[72] and Government Accountability Office, (GAO)[73]. Deciding what to read has a lot to do with where we find it. My lists began as “scraping”, taking titles from news and e-mail, especially those from George Spafford Jr.[74] and Dan Swanson[75]. Having plenty of caloric content the links are rolled in a spreadsheet preservative allowing them to appear fresh during the next Future Surf (F.S.) event. First cousin to Mount Must Read™ (MMR™ in most health journals), F.S.’s virtual tasty bone flavor has an addictive quality, causing even the healthiest Dog to indiscriminately bury them in a digital back yard.

How do you keep that stunning figure?

For me, people like George Spafford Jr., Gene Kim, Dan Swanson, Bruce Winters, Kevin Behr, Mike S. Hines, Tim Howes, James Bryce Clark[76] and far too many more to list, collectively represent the Eagles. They remain a vigilant look-out, perched high, eyes watching for movement legal, technical, and/or social on everyone’s horizon. Their letters and posts amount to a habit of vision, spotting nourishment and vermin at a distance of a thousand feet.

Contrary to popular belief, long lists are not the ultimate tie breaker for the last seat in heaven. Lists don’t help us find a mate or increase our salary. I’m fairly certain they send us the information as a reminder. They’re telling us to look alive and keep sharp[77].

Trade secrets

On the point of “where” we find things, valid security portals meet every resource information criteria, with one providing particular advantage to audit. They explain their current legal mandates and current best strategies for implementation of specific published standards. For example, “OMB Circular A-130: Management of Federal Information Resources [78]," OMB Circular A-119, Federal Participation in the Development and Use of Voluntary Consensus Standards and in Conformity Assessment Activities [79], The Cyber Security Research and Development Act [80], enforce, among other things, National Institute of Standards and Technology (NIST)[81] authority to perform oversight, research and development, management and distribution of security standards and various benchmarking tools. Security Technical Implementation Guides (STIGS)[82], found at DISA Checklists / Implementation Guides, exemplify a regulated and monitored security source. Equal in rank, and including duplication in some areas of information, is the Center for Internet Security (CIS). CIS checklists[83] are categorized by use, as applied to various industry requirements. U.S. Commerce Department's Technology Administration funding and guidance to NIST is a part of our United States Law, and plays a leading role in our “National Strategy to Secure Cyberspace [84].” The works produced by NIST, under U.S. Commerce Department's Technology administration’s authority, is “critical” and essential to our practice. It’s at the top of my list.

You can’t make me download!

It took several days just to review publication dates, document contents, organizations and authors. In spite of Mount Must Read™, I resisted impulses to save and print. The titles remained in their native homes, while records only stored hyperlinks, along with background details and high level metadata regarding criticality, use and contents. The most notable reference was a very short document simply listing titles used to evaluated best security practices by the House of Representatives committee known as the CISWG[85]. United States Cyber Security Reference List [86] highlights a standards review process resulting in improvements to the way we define, prevent, regulate, and criminally penalize cyber crimes. CISWG Human and Eagle efforts continue to impact law, standards, and technology as an industry[87]. Under the Directive of the Cyber Security Enhancement Act, Report To The Congress: Increased Penalties For Cyber Security Offenses (As Required By Section 225(C) of The Homeland Security Act of 2002, Public Law 107-296), provides excellent summary of laws designed to manage international and national cyber risk, explaining the nature of data privacy rulings and the need for greater controls, in a manner I found unsurpassed[88].

GAO, is that you?

Beware of our Government Accountability office, GAO. Pack a lunch before you launch, as you may become glued to the monitor for the next several days. Auditors and IT professionals will feel compelled to read the “Yellow Book” series, but my advice is to go straight for the Federal Information and Communications Audit Management Guide (FISCAM)[89]. Skip the search for Cliff Notes. You simply have to put on high boots and march through these pages one at a time. Having a mental picture of FISCAM’s framework will alter all future thinking in terms of what is available to us in the world of audit.

A mental hierarchy will evolve. With visibility, you gain confidence in the knowledge that two reams of unread white papers are, by virtue, obsolete better practices. This is a reminder that federally mandated standards (FIPS) should be exclusively viewed at the Computer Security Resource Center’s (CSRC's) Computer Security Division (CSD) web site, which is the only place that holds responsibility for their distribution and content[90]. Similarly, keep COBIT® standards linked to the ISACA web site and check back often for new release and updates. There are thousands of sites posting rogue copies of out of date standards. As IT professionals, this is a habit we all should break.

If this is your first exposure to the words FIPS and NIST, excellent presentations by Marianne Swanson and Dr. Ron Ross can help to quickly fill in what you missed[91]. As indicated in their presentations, they collectively manage projects, publications, and training for the Computer Security Division of the Information Technology Laboratory at NIST. In draft, NIST SP 800 53-a, identifies Dr. Ross as government appointed FISMA Implementation Project Leader. Most recently, Dr. Ross made publicly available, Building More Secure Information Systems [92], A Strategy for Effectively Applying the Provisions of FISMA.

Regarding recovery

I knew I’d completely lost my mind. Anyone with impulse to wrap their head in tin foil in order to conceal thoughts from a stack of reading material, (even if the stack has glaring eyes, and a pitching arm), is minimally experiencing “a cry for help.” I made many calls, left messages, demanding information about my anesthesia and the array of federally regulated recovery aids. NFL nurses kept me from reaching the surgeon, since apparently paranoid delusional panic is completely normal. The nurses kept saying, “You just had surgery. These things take time. You’re in recovery for crying out loud. Go back to bed.”

Even the score

I realized I had to find a way to slip Must Read™ all of my remaining drugs. After all, I’m in recovery, so he needs the pills more than I.

The Ruse: An entire bottle of sleeping pills ground to fine powder and sprinkled between the pages of bogus publication, tucked deep within his stack, under pretext of adding fresh reading. While Must Read™ surrendered to a deeply delusional power nap, I snatched away redundant copies of web enabled resources. 47 inches shorter, Must Read™ eventually woke, oblivious to any change.

The diet starts today: All right today... first thing in the morning... I mean it this time

After consuming twenty five pounds of regulation and Halloween candy, the previous night’s reading fall began to melt. I’d gained a range of tools, saved $75.00 in ink, and noticed common evolutionary patterns in the list of significant mandates.

Returning to the Compliance Farm™ Theory of Evolution[93], the details aligned to framework quite nicely. Eagles report observed faults, which spawn wolf teams to analyze risk impact. Wolves define details of the problems, breeding theories, tools, and best practice. These discoveries influence ideals, and Humans form committees to amend our laws. This leads to regulation requiring supporting standards. The standards evolve increasingly efficient methods to mitigate the exact same observation that started the cycle in the first place, a fault, a perceived weakness affecting the survival of the pack.

These factors further strengthen the quest to conquer Must Read™:

Duplications exist across organization and lists because most webmasters apply unique names to identical content. Focus on the diamond domains like www.crcs.nist or www.gpo.gov.

Laws are introduced, amended, enacted and codified, each version having its own short title. With the help of LOC (our Library of Congress) and institutions like Cornell, Duke and Harvard Law, legal lists normalize by 80%, if you simply check the history on any law or act.

Favorite discovery: Among the Humans (i.e., authors, organization leaders, committee chairs), were names I actually know. If you take part in the ISACA list services, you may be posting with them on a regular basis. Members of ISACA, CMU, Perdue and IIA had cross pollinated years ago. Reference after reference demonstrate the same sets of names, executive board members, professors, engineers, directors, corporate owners (large and small), and security professionals; essentially a list of people that look and feel a lot like “us.”

A good diet can make anyone strong. I told Mount Must Read™ (MMR™, since we’ve become more familiar) to “Back off! I don’t have to pick a winner. The frameworks don’t compete.” Mount Must Read™ only shrugged in submission. We both knew the “building in isolation” hypothesis wasn’t working.

“Is it possible” I asked aloud, “that the proliferation of laws and standards is just our need to improve on existing ideas? All I need to solve this problem is to start finding document nutrition labels and checking for expiration dates.”

Did I have him now? Was this the blow that would take him down?

“Expired Ideas? Blah ha, ha, ha! You’re killing me!” Mount Must Read™ exploded in earth quaking laughter.

“Laws have Sundown dates. Drugs have "use by" dates. Even car parts have warranty and recall dates. Why shouldn't standards have "applicable by" dates? Stop laughing at me!”

Birth records, death certificates and standards euthanasia

It seemed reasonable to me, a rule that let a standard it has outlived its usefulness. We could establish a committee to determine recommendations for putting various standards down. On second thought, I was beginning to see Mount Must Read’s™ point. We are not a culture that likes to throw things out, never mind recognize when it’s time to gracefully step-down. The solution had to be data driven and non-emotional.

First attempts at gathering a baseline inventory of registered standards, relied on non-member area publications at ISO\IETF hosted sites. Unfortunately, the number of technical committees alone spans hundreds of web locations, and the 2004 year end report by ISO lists more than a thousand standards in active use. FFIEC, ANSI, NIST, and NISO had more generic lists, but still failed to establish an altitude to consistently represent domains, framework concepts, categories, or classes. Listing everything would be too much information and instantly obsolete. There must be a Standard for the Classification of Standards. How can organizations like ANSI and ISO exist without it?

Long time user of the ISO’s 9000 and 17799 series, I can’t tell where the standards end and my own thinking begins. With bias, I’ll suggest that published ISO/IEC Directives make the best model for a framework to create or manage standards. A review of recent Supplement Procedures specific to ISO [94], located at the ISO TC Portal, reveals that ISO committees, by design, will not approve the scope of a Technical Committee (TC), unless thorough review, which verifies the standard to be unique and not in conflict with a known charter or activity by any other registered standards body. ISO is without question the highest ranking standards organization world wide. Templates for the development of a standard alone can make other efforts and products appear trivial, (although I’m not saying that they are). To consider a means for evaluation and comparison of standards should begin with consideration for the values expressed in a world report published December 2004, stating the criteria for the adoption of any ISO standard. They should:

Respond effectively to global regulatory requirements, market needs and scientific/technical developments;
Not distort markets nor have adverse effects on fair competition;
Not stifle innovation or technological development;
Not give preference to the requirements of specific countries or regions; and
Be performance-based rather than design-prescriptive[95].

ISO provides templates for the development of standards. The models found here should be part of the collective consideration establishing the bar for the quality of standards produced by any organization. There is a published standard for the Conformity Assessment: Code of Good Practice: ISO/IEC Guide 60:2004, describing “[…] all elements of conformity assessment, including normative documents, bodies, systems, schemes, and results. It is intended for use by individuals and bodies who wish to provide, promote or use ethical and reliable conformity assessment services. ISO/IEC Guide 60:2004 is designed to facilitate trade at the international, regional, national and sub-national level(s)[96]." This guide establishes a clear target for the implication of a standard to promote safe trade through a process of clear measurement.

If it makes sense, it exists

I wondered if I could just buy the data. ANSI pointed to the following sources:

A trip to the Standards Mall

Do you see it? There is a Standards Mall. For a fee of only $99.00, anyone can obtain a database of coordinates, locations and access to an untold number of standards. Actually, the number is over a quarter million.

The NSSN: A National Resource for Global Standards includes contributions by 600 developers and are grouped into six categories:

Approved Industry Standards
Approved International Standards
Approved U.S. Government Standards
Industry Standards Under Development
International Standards Under Development
U.S. Government Standards Under Development

With updates ranging from weekly to monthly, this number is no doubt already greatly increasing. Standards Tracking and Automated Reporting (STAR) Services are described this way:

In today's world of change, the best laid business plans can be swept away almost without warning. Speed has become the name of the game and instant information provides the competitive edge.

Users require immediate access to data organized in a meaningful format. The NSSN's Standards Tracking and Automated Reporting (STAR) Service […] keeps you informed by tracking critical updates in the standards arena. Current status reports on more than 270,000 standards under development, revision and maintenance are as close as your desktop and as easy as sitting back and reading your e-mail.

Available only by subscription via NSSN, STAR identifies new project proposals and automatically tracks changes in status of a development project or standard under maintenance[97].

Each change of document status is compared to a directory of user-established profiles - profiles broad enough to span an entire industry or focused enough to track updates to a single standard. Users impacted by an update receive an e-mail summary and a URL link to a personal web page cataloguing details of the modification.

After 30 or 40 links, it was clear I had too many choices and no compelling hierarchy for gathering a baseline of standards. I left the mall hungry for one high level list.

NISO, the National Information Standards Organization [98], for example, provides a comprehensive overview of TC international standards, commentary regarding how standards are created, as well as current U.S. (Technical Committee), JTC (joint) and WG (Working Group) involvement with ISO[99]. The U.S. involvement in technical standards is vast. U.S. TAG to ISO TC 46 on Information and Documentation provides information regarding naming classifications, libraries and works across all organizations involved in creation and management of standards; and is organized in the following five categories.

SC 4 Technical Interoperability
SC 8 Quality - Statistics and Performance Evaluation
SC 9 Identification and Description
SC 11 Archives/Records Management
WG 2 Coding of Country Names and Related Entities

Attempting any single Joint Technical Committee's list of standards is a mistake. There are hundreds of subcommittees, each managing hundreds of standards, and their own lists. Clearly, this issue is important to all of our nations, as ISO has a committee dedicated to nothing more than a means to simply classify the standards. ISO 5963:1985 aims to provide a catalogue of standards, with scope including “Documentation - Methods for examining documents, determining their subjects, and selecting indexing terms.”

Updates to drafts and release occur with all the regularity of an atomic clock[100]. In 2004, ISO reported 1,247 publications in use by a member body, which can only be counted by number of countries and member associations[101]. It is clear that if any group has in its possession a true need for an ontology governing the comparative record of all known standards, it will be found in the coordinated efforts of ISO, IEC, ANSI and NIST. This core group is regulated by a variety of local, industry, national and international laws. Bound by MOU (Methods of Understanding) and in accordance with The Agreement on technical cooperation between ISO and CEN [102], Public Law 104-113 [103], and the WTO - Final Act of the Uruguay Round, this core group is recognized by the principle of US National Conformity Assessment to the extent that their implementation may be assessed by conformity assessment bodies, such as CASCO[104].

To speak for the workings of even one technical area requires a long period of involvement. To speak with authority to any single standard, one would at least need to be a contributing member of the Information Technology Task Force (ITTF)[105]. I find it hard to believe anyone knows every consideration ever made within every area of ISO, IEC, ANSI and NIST aligned committees.

Given the choice to build a list or get the list from ISO, the choice is fairly obvious. ISO wins.

I’m not suggesting we can’t perform an information audit unless we use standards as created by ISO. If I try to isolate and extract all ISO influence in my own thinking, I’m left with a big empty space in my head.

At best, I have evolved to the professional ranks of dog-squirrel. Part squirrel and part rescue dog, I don’t pick up the principals of ISO based in pure wolf instinct. I sniff at everything new and then bury it in the yard, I store nuts for winter, and I need a good master to tell me what to do. I’m pretty loyal to ISO.

In the event you are not familiar with ISO, I suggest a warm up using the two documents I mentioned before. Start with the GTAG Information Control Guidance, because it is easy to understand, and provides thoughtful insight in the way we conduct our practice. Then read Aligning COBIT®, ITIL® and ISO 17799 for Business Benefit, because exposure begins with the advantage of ISO standards in an audit context[106].

Lowest Common Denominator

High School math is not often listed as a “critical thinking” requirement. It should be. Halfway through the ninth grade, most of us learned how to reduce miles of numbers to their lowest common denominator. No matter how large, any equation could be reduced according to a few simple rules. I wonder what our task would be like if IT audit had been planned by Socrates and Euclid[107]? Every standard would have applicable rules for the factoring, reduction and calculated probability of its impact to any organization.

Committees for audit organizations produce a list of authors whose names can be placed at the scene of every significant law and standard affecting IT over the entire digital age. Given generations of cross pollination, our major standard bodies share expression of a mission to simplify, de-duplicate and align information controls to one common framework of standards. In spite of differing charters, they are all concerned with efficiency and effective controls. For example, in recent interpretive documents, the PCAOB and the FASB ask that we make it easier, not harder, to meet audit requirements. ISACA and IIA publications consistently consider the FASB[108] and PCAOB concerns over cost and waste by offering tools and resources designed to support the process of audit, to measure, benchmark and report, and to guide the selection of critical controls using a risk based audit management approach.

All groups agree that frameworks are resources made available to our audit strategy. They are not laws in of themselves. All committees share a valid concern for the oversimplification and misinterpretation of laws governing business and systems. Unfortunately, Euclid and Socrates aren’t here to help us. We rely, in their absence, on ethical judgment in selecting the fewest requirements necessary to the attestation of control. The better we are in selecting a lowest common denominator of standards, laws and frameworks, the more we benefit our clients while reducing escalating and burdensome compliance costs.

The true test of those ethics is maintaining the intent of the law and being certain our method of reducing the numbers also keep those numbers real. Our challenge is to remember, no matter how long and complicated the equation, when we've found that lowest common denominator, it must still be the same number.

Reduction versus oversimplification is the essence of detection risk. It is a legitimate and driving fear that keeps us from proclaiming an algorithm to reduce regulatory requirements. We must not cross the line between standard of practice and code, as if a practice were a mathematic law. We are not served by “dumming down” the information problem. So we are left with a truly ethical challenge: How do we reduce complexity and verify that at the end of the day, we still have the same raw number?

The GTAG, references two works reflecting summary of larger security standards. They reduce complexity define standards for secure technology for specific areas of industry. Both standards are widely used by merchants and educators, primarily those in the United States. The Payment Card Industry (PCI) Data Security Standard, produced by VISA, enforces the management of credit card data and the protection for an industry that is constantly under attack[109].

[68] FFIEC, Federal Financial Institutions Examination Council. Retrieved November 1, 2005 http://www.ffiec.gov/.

[69] NIST, loc.cit.

[70] AICPA, loc.cit.

[71] COSO, loc.cit.

[72] NARA, National Archives and Records Administration. Retrieved December 1, 2005 http://www.archives.gov/ , .

[73] GAO, Government Accountability Office. Retrieved December 1, 2005 http://www.gao.gov/.

[74] George Spafford Jr.. President, Spafford Global Consulting, Inc. Note: George Spafford Jr. provides substantial direction in current information affecting IT audit and information systems law. Spafford Global Consulting, Inc., 3353 Celina Avenue, Saint Joseph, MI 49085 USA. mailto:george@spaffordconsulting.com , http://www.spaffordconsulting.com, .

[75] Dan Swanson, Security Benchmark. Note: Dan Swanson’s SEC daily email has over 6000 reading members. He provides summaries and reminders regarding our profession’s most substantial contributions, and includes many pointers to public companies and products supporting audit and legal requirements. To become members of these mailing email mailto:dswanson@theiia.org , . (Update: Dan Swanson’s email has since moved to Yahoo. Current process to join the mail list is

[76] James Bryce Clark (jamie.clark@oasis-open.org), Director of Standards Development for OASIS, is responsible for managing the consortium's industry standards efforts. He is an e-commerce and information technology attorney who began his practice as a financing and corporate restructuring lawyer with Shearman & Sterling at 53 Wall Street in New York. He represented high technology companies in their banking, trade finance, acquisitions and securities transactions throughout the 1990's, and served two terms as chairman of the American Bar Association's business law subcommittee on electronic commerce. While a practicing attorney, he was a contributor to the original ebXML project (now ISO 15000), co-editor of its business process standards in 2001, and chairman of the ebXML Joint Coordinating Committee. Prior to joining OASIS, he was vice president and general counsel of a healthcare e-commerce company, and corporate partner in a Los Angeles law firm. He is a U.S. delegate to the e-commerce working group of the United Nations Commission on International Trade Law (UNCITRAL), and an expert adviser on automated contracting and Internet law for the U.S. State Department. He is a frequent speaker and author in e-commerce and information security law as well as complex finance transactions. Jamie holds JD and BSc degrees from the University of Minnesota, and is based in Los Angeles. He is joined at OASIS by an amazing set of peers. Read more at http://www.oasis-open.org/who/tab.php#jclark

[77] Participation in a TC, such as the OASIS DCML/ Configuration and Standards, will expose any participant to more brilliant thinkers and areas of technology previously thought possible. http://www.oasis-open.org/who/ , .Participation with the ISACA community offers witness to world leadership. The lists are available for IT and Audit professionals interested in Governance, COBIT®, Legal Issues in Audit, and IT Audit in general. The following links to join are all you need. mailto:join-SARBANES-OXLEY@share.isaca.org , mailto:join-IT-Governance@share.isaca.org , mailto:join-COBIT-L@share.isaca.org , mailto:join-info-sec-manager@share.isaca.org .

[78] Office of Management and Budget. "Circular No. A-130 Revised", in Transmittal Memorandum No. 4, Memorandum For Heads Of Executive Departments And Agencies. Retrieved December 1, 2005 from http://www.whitehouse.gov/omb/circulars/a130/a130trans4.html .

[79] Office of Management and Budget. "Circular No. A-119 Revised, Accompanying Federal Register Materials", in Federal Participation in the Development and Use of Voluntary Consensus Standards and in Conformity Assessment Activities. Retrieved December 1, 2005 from http://www.whitehouse.gov/omb/circulars/a119/a119.html .

[80] United States Congress, "Cyber Security Research and Development Act", in Public Law 107-305, H.R. 3394, S. 2182, & Congressional Record Vol. 148 (2002), Washington: U.S. Government Printing Office, 116 STAT. 2367-2382. Retrieved December 1, 2005 from http://thomas.loc.gov/cgi-bin/bdquery/z?d107:H.R.3394:@@@L&summ2=m&. Note: Summary of impacts resulting from this law, as amended 10/16/2002, include reference to NIST including:“[…]Requires the NIST Director to develop CNS checklists for Federal Government computer hardware or software systems. (Sec. 9) Amends NISTA to authorize appropriations to enable the Computer System Security and Privacy Advisory Board to: (1) identify emerging issues related to computer security, privacy, and cryptography; (2) convene public meetings, and (3) publish and disseminate information. (Sec. 10) Requires NIST to carry out specified types of intramural computer security research. (Sec. 11) Authorizes appropriations to the Secretary of Commerce for NIST for: (1) the CNS research program; and (2) intramural computer security research. (Sec. 12) Requires the NIST Director to arrange with the National Research Council of the National Academy of Sciences to study and report to specified congressional committees on vulnerabilities of the Nation's network infrastructure and recommendations for improvements.(Sec. 13) Requires the NSF and NIST Directors to: (1) coordinate the research programs under this Act; and (2) work with the Director of the Office of Science and Technology Policy to ensure that programs under this Act are taken into account in any Government-wide cyber security research effort. […].

[81] NIST, op.cit.

[82] FASP, Federal Agency Security Practices. STIGs, Security Technical Implementation Guides. Retrieved December 1, 2005 from http://csrc.nist.gov/pcig/cig.html .

[83] CIS, Center for Internet Security. CIS Benchmarks/Scoring Tools. Retrieved December 1, 2005 from http://www.cisecurity.org/bench.html .

[84] NIAC, National Infrastructure Advisory Council (February 2003). The National Strategy to Secure Cyberspace, Washington: Department of Homeland Security. Retrieved December 1, 2005 from http://www.dhs.gov/interweb/assetlibrary/National_Cyberspace_Strategy.pdf .

[85] CISWG (2004). Corporate Information Security Working Group, Report of the Best Practices and Metrics Teams. Retrieved December 1, 2005 from http://www.educause.edu/ir/library/pdf/CSD3661.pdf .

[86] Information Security Management References. Retrieved December 1, 2005 http://reform.house.gov/UploadedFiles/Best%20Practices%20Bibliography.pdf .

[87] Emily Frye, “Cybersecurity and Corporate Governance Now: Does It Take Liability to Get Attention?”, in American Bar Association, Section Of Science & Technology Law, Chicago 2005, Retrieved December 1, 2005 from http://www.documation.com/aba/pdfs/004.pdf . Note: “[…] Adam Putnam (R-FL) circulated a draft of a bill he contemplated introducing in the House. Titled the Corporate Information Security Accountability Act (CISAA), it would have imposed information security audit reporting by all publicly traded companies. Adam Putnam, as Chair of the Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census (under the umbrella of the Committee on Government Reform), had become increasingly concerned about what he perceived to be apathy toward a cybersecurity crisis on the part of corporate America. Contemplation of a bill like CISAA set off an uproar among the private sector. Within weeks, almost every industry coalition that plays in this space was attacking the bill. On December 5, 2003, Adam Putnam convened the first meeting of a new coalition: The Corporate Information Security Working Group (CISWG). Putnam asked two questions: what's wrong with the draft of the bill? And – can you offer me a viable private-sector- led alternative to Congressional action?".

[88] United States Sentencing Commission (2003), Report to Congress: Increased Penalties for Cyber Security Offenses (As required by section 225(c) of the Homeland Security Act of 2002, Public Law 107-296). Retrieved December 1, 2005 from http://www.ussc.gov/r_congress/cybercrime503.pdf . Note: Report includes names Dan Swanson, Mike Hines

[89] GAO Accounting and Information Division (1999). FISCAM, Federal Information System Controls Audit Manual Volume I: Financial Statement Audits, Washington: Government Accountability Office. Retrieved December 1, 2005 from http://www.gao.gov/special.pubs/ai12.19.6.pdf .

[90] CSRC CSD, Computer Security Resource Center's Computer Security Division. "With the passage of the Federal Information Security Management Act (FISMA) of 2002, there is no longer a statutory provision to allow for agencies to waive mandatory Federal Information Processing Standards (FIPS). The waiver provision had been included in the Computer Security Act of 1987; however, FISMA supersedes that Act. Therefore, the references to the "waiver process" contained in many of the FIPS listed below are no longer operative.

Note, however, that not all FIPS are mandatory; consult the applicability section of each FIPS for details. FIPS do not apply to national security systems (as defined in FISMA).". Retrieved December 1, 2005 from http://csrc.nist.gov/publications/fips/.

[91] Dr. Ron Ross & NIST. Protecting Federal Information Systems and Networks, A Standards-based Security Certification Program for Operational Environments. Retrieved December 1, 2005 from http://cio.doe.gov/Conferences/Security/Presentations/RossRNIST.pps .

[92] Dr. Ron Ross & The OWASP Foundation. Building More Secure Information Systems, A Strategy for Effectively Applying the Provisions of FISMA. Retrieved December 1, 2005 from http://csrc.nist.gov/organizations/fissea/conference/2005/presentations/Ross/Abstract-Ross.pdf .

[93] Charles Darwin, Theory of Evolution,

[94] ISOTC Portal. Standards Development Processes. Retrieved December 1, 2005 from http://isotc.iso.org/livelink/livelink/fetch/2000/2122/3146825/4229629/sds_base.htm .

[95] Idem.

[96] ISO & CASCO, ISO/IEC Guide 60:2004 Conformity Assessment -- Code of Good Practice, Geneva: ISO Store. Retrieved December 1, 2005 from
http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=37035&ICS1=
3&ICS2=120&ICS3=20&showrevision=y .

[97] NSSN, National Standards Systems Network. STAR, Standards Tracking and Automated Reporting, Services. Retrieved December 1, 2005 from http://www.nssn.org/star_intro.html .

[98] NISO, National Information Standards Organization. Retrieved December 1, 2005 http://www.niso.org/index.html .

[99] NISO. About ISO Technical Information and Documentation Committee 46. Retrieved December 1, 2005 from http://www.niso.org/international/TC46/index.html .

[100] ISO. General information on technical committees. Retrieved December 1, 2005 from http://www.iso.ch/iso/en/stdsdevelopment/tc/TC.html .

[101] ISO. "Achieving Optimal Output", in ISO Annual Report 2004, 2004, Chapter 4. Retrieved December 1, 2005 from http://www.iso.ch/iso/en/aboutiso/annualreports/pdf/chapter4.pdf .

[102] ISO. The Agreement on technical cooperation between ISO and CEN (Vienna Agreement). Retrieved December 1, 2005 from http://isotc.iso.org/livelink/livelink.exe/fetch/2000/2122/3146825/4229629/4230450/4230458/customview.html

?func=ll&objId=4230458&objAction=browse&sort=subtype . Note: This is summarized by ISO as follows:

“The Agreement on technical cooperation between ISO and CEN (Vienna Agreement) is an agreement on technical cooperation between ISO and the European Committee for Standardization (CEN). Formally approved on 27 June 1991 in Vienna by the CEN Administrative Board following its approval by the ISO Executive Board at its meeting on 16 and 17 May 1991 in Geneva, it replaced the Agreement on exchange of technical information between ISO and CEN" (Lisbon Agreement) concluded in 1989. The 'codified' Vienna Agreement was approved by ISO Council and the CEN Administrative Board in 2001.”

[103] United States Congress, "National Technology Transfer and Advancement Act of 1995'', in Public Law 104-113, H.R. 2196 & Congressional Record Vol. 141 (1995), Washington: U.S. Government Printing Office, 110 STAT. 775-784.

[104] ANSI. U.S. National Conformity Assessment Principles. Retrieved December 1, 2005 from http://www.ansi.org/conformity_assessment/ncap.aspx?menuid=4 . Note:

"The National Conformity Assessment Principles for the United States articulates the principles for U.S. conformity assessment activities that the consumer, buyers, sellers, regulators and other interested parties should be aware of to have confidence in the processes of providing conformity assessment, while avoiding the creation of unnecessary barriers to trade. We base these principles on the conformity assessment language in the Agreement on Technical Barriers To Trade, one of the agreements within the World Trade Organization (WTO).

[1] These principles supplement the language of the agreement to give national clarity and focus to conformity assessment in the United States. We intend the concise and clear presentation of these principles for the United States to promote national and international understanding and recognition of competently conducted U.S. conformity assessment processes resulting in increased acceptance of U.S. products

[2] within national and international markets. National and international acceptance is vital to the continued economic health of the United States, as well as to the protection of human health, safety and the environment. Because standards underlie all conformity assessment activities, this document is intended to be a companion to the principles of the U.S. standards system as described in the 'National Standards Strategy for the United States.' These two sets of principles should be considered together in the evaluation of standards and conformity assessment activities and related issues."

[105] ITTF, ISO/IEC Information Technology Task Force. Retrieved December 8, 2005 http://isotc.iso.org/livelink/livelink/fetch/2000/2489/Ittf_Home/ITTF.htm . Note: ITTF maintains access to all freely available ISO standards, a list that grows daily, and on December 8, 2005 included 253 free ISO standards.

[106] ITGI & OGC, Aligning COBIT®, ITIL® and ISO 17799 for Business Benefit, op.cit.

David A. Richards, CIA, President, The IIA, Alan S. Oliphant, MIIA, QiCA, MAIR International, and Charles H. Le Grand, CIA, CHL Global are listed as primary writers for GTAG; Global Technology Audit Guide; Information Technology Controls. Notable contributions by Corporations include Tripwire, ACL, and BindView, Note: Michael S. Hines, CIA, Purdue University, Julia H Allen, CMU/SEI Carnegie-Mellon University/Software Engineering Institute, Gene Kim, CTO, Tripwire Inc., USA, George Spafford Jr., President, Spafford Global Consulting, and Dan Swanson, CIA, IIA are again in the mix of contributors, innovators, Eagles and Humans.

[107] Euclid of Alexandria is the “most prominent mathematician of antiquity” as explained by http://www-groups.dcs.st-and.ac.uk/~history/Mathematicians/Euclid.html. He is only mentioned for having been named on the cover of most High School Algebra One text books.

[108] Lawrence W. Smith, "The FASB’s Efforts Toward Simplification", in The FASB Report, February 28, 2005. Retrieved December 1, 2005 from http://www.fasb.org/articles&reports/fasb_efforts_toward_simplification_tfr_feb_2005.pdf . Note: This article summarizing Bob Herz, FASB chairman of Financial Accounting Standards Board to show the complexity of GAAP as it relates to application of consistent standards and codification in the current 180 of US GAAP articles within U.S. Code.

[109] VISA International Service Association. Security Programs. Retrieved December 1, 2005 from http://corporate.visa.com/st/programs.jsp . Note:

“Visa has collaborated with other payment card companies to create a single set of worldwide requirements, called the Payment Card Industry (PCI) Data Security Standard, for consumer data protection across the entire industry. The PCI Data Security Standard aligns Visa's Account Information Security (AIS) program, also known as Cardholder Information Security Program (CISP) in the U.S., and MasterCards' Site Data Protection (SDP) program, streamlining requirements, compliance criteria and validation processes. It also addresses merchants' and acquirers' concerns about having to meet more than one set of standards to accomplish a single goal.”

Having the longest list doesn't mean you win....