How low can you go?
I recall having seen the VISA standard as a single file pulled back by a Google search. Out of surrounding context, I initially felt the standard served no purpose, seeming to paraphrase a number of standards in the public domain, and lacking attribution or recorded peer review. The Global Technology Audit Guide (GTAG) only needed to make one point to inspire me to dig out the standards from the stack and re-prioritize its reading. The GTAG simply stated that the PCI VISA Data Standard is in wide use.
Definition for a “good” standard clearly needed an adjustment. Is it more important to represent every security detail, or prioritize a high level list of concepts? What we see in the PCI CISP, (aka CISP V2.3), is that merchants and electronic markets get it.
Even if it looked to me like an ISO Light, anything extending critical security practice to businesses engaging in poor data security, is at the very least “spot on.”
Maybe it’s “spot on” for another reason. A small amount of digging for contributors to the credit card standards revealed the chairman of ISO TC68 SC2 Security Management and General Banking Operations, Mike Versace and Secretary Cynthia L. Fuller. With biographies published in English and French, their efforts to assure financial industry standards and automation reap results that go way beyond humbling. Ms. Fuller’s name leads to the “ISO 20022 Universal Financial Industry message scheme”, which can be viewed at ISO 20022 Financial Repository: Business Process Catalogue & Data Dictionary. Mike Versace, in addition to full time industry position, travels world wide in support of numerous financial security standards. ISO delegates representing: Canada, United Kingdom, United States, Germany, France, South Korea and Japan include organization and business representation from CLEARSTREAM, IBN, MasterCard, SWIFT, UN/ECE, and of course, VISA[110].
Reviewing current works and the 34 published and current standards used in security and banking, as produced by this single TC, did not lower the height of Mount Must Read™. The study of the VISA standard, however, provided a means for quick demonstration of compliance evidence is specific areas of data and retention management. The PCI Visa Data standard test procedure check list is clean, clear and achieavable.
“Good things, when short, are twice as good”
Baltasar Gracián y Morales (1601-1658)
The more you know, the less you have to say
The second “short and sweet” standard, also listed in the GTAG, is the "Fundamental Five.” I first heard of it while reading posts in the ISACA information security list service. Mike S. Hines, a frequent contributor within many substantial information security organizations, made no mention of working on the project[111]. He simply asked me if I had seen the ISG Tool and if I knew about the work of the Corporate Information Security Working Group: CISWG. This was a humbling day. As current as this 2005 writing, they work to introduce the ‘‘Corporate Information Security Accountability Act of 2003.’’ The bill will further amend the Securities Exchange Act of 1934 with bolder restrictions controlling IT products on a scale that many find to be excessive. Stating the need for “Internet Service Providers and Operating Systems manufacturers to work more aggressively with other public and private stakeholders to provide consumers of all levels of sophistication with information about affordable and user-friendly tools that are available to help them protect themselves and immediately improve their cyber security hygiene.” this act has potential to impact technology manufacturing with force equal to the wallop of SOX[112].
Produced by the subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, chaired by Adam H. Putnam, few efforts compare with the CISWG’s elegance in considering all best and current contribution to security, and compiling them to a single list; Information Security Management References.
The ISG Tool gives cyber security what the home pregnancy instant strip test gave to medical practice. The Fundamental Five concept answers tell us fairly quickly if information practice is healthy or having problems. No pretense of an easy fix or exhaustive technical detail is made. IT control is simply made accessible to education, affecting practice as witnessed by our youngest minds, and in protecting our country's most valuable asset; our intellectual capital.
Fundamental FiveThe Consensus Benchmarks, from the Center for Internet Security (www.cisecurity.org), provide guidance on the “Fundamental Five” of basic security hygiene. Use of these benchmarks typically results in an 80 percent to 95 percent reduction of known vulnerabilities.
A simpler selection criteria
High school graduates use either MLA or APA standard in submission of writing and research[114]. Not meaning to compare a writing standard to the ISO template, smaller standards still accomplish many of the same goals with infinitely less complexity. Provided by Leslie Murtha, to support her Rutgers students, a simple common criteria for evaluation of information resources lends value to how we might organize a collection of rated sources[115]. The points simply reinforce that resources be reviewed for Authority, Accuracy, Currency, Clarity, Purpose, and Content.
The IIA GTAG for information technology controls lists types of control framework, as applied to technology practice and its assessment by information systems audit. The suggested grouping of standards included:
- Systems Development Processes
- Systems Software Configuration
- Application Controls
- Data Structures
- Documentation
Perhaps the bite size model won’t satisfy all appetites, but it certainly organizes a broad view of current thinking. My experience using ITIL® Service and Infrastructure framework and CobiT’s 34 domains for IT control left me feeling this list is not going to carry me to lunch. Being a collector, I’ve squirreled away 200 process titles and flow diagrams in a Facilitated Compliance Management™ (FCM) tool. Normalizing process by aligning ITIL® functional domains and COBIT® IT and application controls, provides a baseline for mapping process to standard, supporting visibility over process architecture, and documenting compliance in activities throughout business and systems management. I’m part rescue Dog. Like most rescue dogs, my mission has been bringing relief to one stranded victim at a time. Maybe spending October through December of 2005 in “recovery” exposed me to a few too many FEMA failure and Katrina devastation news reels. Perhaps it was the night I stayed up to watch “Enron: The Smartest Guys in the Room” (see the Roger Ebert summary for more information), but my sense of personal contribution had shrunk to complete insignificance. A feeling of utter urgency to push audit and standards to a stronger level of automation and implementation became paramount.
Even after ISO creates the classification schema for the catalogue of standards, we will still need a universal standards blood bank. Highlighting all distinct types, as we do with our national blood bank, our standards would form a configuration database. This standard CMDB would facilitate the baseline allowing us visibility over what we have and what we need, establishing status regarding our effort to keep current with other countries and reveal any potential for yet another moral and technology standards driven crisis.
A common criterion for evaluation frameworks of information standards and would have to operate independently of infrastructure or industry. Its greatest challenge is simply the ability to correctly represent the problem. All control assessment frameworks begin with a context, be it geographic, legal, technical or social, because there is no such thing as compliance unless it answers the question: “Compliance with what?”
The closest all encompassing framework, spanning tremendous size, considering enormous number of business and social conditions, leveraging centuries in contributed wisdom by the world's greatest minds, is the United States Code - Fifty volumes of Federal Regulation.
How did I miss the Common Criteria?
Any valid comparative technology standard points to work by NIST and CISWG, but even they are limited by the context of the United States legal parameters. Leading the pack in attacking the picture are the collective members responsible for the ISO/IEC 15408 International Standard; Common Criteria for Information Technology Security Evaluations[116]. Seven government organizations, known as “Common Criteria Project Sponsoring Organizations” grant ISO/IEC a non-exclusive license to provide the standards for purchase:
ISO/IEC 15408-1:2005 Ed. 2 Current stage 60.60 JTC 1/SC 27
Information technology -- Security techniques -- Evaluation criteria for IT security -- Part 1: Introduction and general model
ISO/IEC 15408-2:2005 Ed. 2 Current stage 60.60 JTC 1/SC 27
Information technology -- Security techniques -- Evaluation criteria for IT security -- Part 2: Security functional requirements
ISO/IEC 15408-3:2005 Ed. 2 JTC 1/SC 27
Information technology Security techniques, Evaluation
criteria for IT security --
Part 3: Security assurance requirements ISO/IEC 15408-3:2005
The standards are also available at the ITTF web site. ITTF endeavors to supply a solution for the uniform evaluation and certification of technology products. ISO/IEC Information Technology Task Force (ITTF) web site provides a great deal of information.
With all the reading I’ve done in the area of SAS 70 and Systrust, I don’t understand how I missed product based certification. Although the standard does not extend to all areas of technology, I would not use a network product in the future, unless it aligned to this certification.
How did we miss Common Criteria for Product Evaluation? Feeling like a Dog caught drinking from the toilet bowl; I immediately began to explore everything on the site. The write-ups on product testing provide unbiased simple assessments in a manner infinitely more impacting than the white papers primarily written for advertising. Even if the words are exactly the same, reading it here means the study counts. Organization of products provides an interesting ontology for the review of technology control resources.
- Access Control Devices and Systems
- Boundary Protection Devices and Systems
- Databases
- Data Protection
- Detection Devices and Systems
- ICs, Smart Cards and Smart Card related Devices and Systems
- Key Management Systems
- Network and Network related Devices and Systems
- Operating systems
- Other Devices and Systems[117]
I ‘d love to say that my addiction to reading Cliff Notes, saving files and printing is now conquered, but that would be a BIG FAT LIE. Even as a Dog, I couldn’t swallow that I’d never seen this before. A full text search showed the files had not been downloaded to my hard drive or network. I marched over to Mount Must Read™ and began to take him down by chunks. “Why don’t you have these files?” I recall saying in a crazed stammer. I had to touch these, feel them as paper and ink.
Realizing the potential for reams of new reading, it was clear I’d need two pots of coffee and a really good sponsor. I medicated with 20 pages, the Introduction to Common Criteria, and uninstalled all the printers.
These are not Cliff Notes
Quoting the Common Criteria (CC) introduction, as it explains the nature of assessment, "the project has tremendous fit with technology audit needs."
An evaluation is an assessment of an IT product or system against defined criteria. A CC evaluation is one using the CC as the basis for evaluating the IT security properties. Evaluations against a common standard facilitate comparability of evaluation outcomes. In order to enhance comparability between evaluations results even further, evaluations should be performed within the framework of an authoritative evaluation scheme, which sets standards and monitors the quality of evaluations. Such schemes currently exist in several nations[118].
Models used to compare security best practices are astoundingly comprehensive. Unfortunately, I began by reading items pulled back by Google searches, which provided out of date (1999) text of CCV.1 and CCV.2, then finding out just today that CC had already released Version 3 of the Common Criteria and the Common Evaluation Methodology, CC V3.0.
As explained at the organization portal, “The Common Criteria (CC) was published as Version 2.1 in 1999. Some updates were subsequently incorporated in version 2.2, which was published in 2004. The CC and the associated evaluation methodology (CEM) are used by the nations involved in the Common Criteria Recognition Arrangement (CCRA) to gain assurance in products, protection profiles, etc. evaluated under the various schemes.”
As explained at the organization portal, “The Common Criteria (CC) was published as Version 2.1 in 1999. Some updates were subsequently incorporated in version 2.2, which was published in 2004. The CC and the associated evaluation methodology (CEM) are used by the nations involved in the Common Criteria Recognition Arrangement (CCRA) to gain assurance in products, protection profiles, etc. evaluated under the various schemes.”
The Common Criteria Project summary explaining the reason to update and change their standard is a model of why we continue to optimize all of our standards. Taking some liberty, here is my summation of their points.
- Cause for update to an existing release is to provide by new release:
- Simplicity, Clarity and Consistency, (in all cases reducing length)
- Rationalization and removal of duplication, (especially those created by other standards), Improved ease of use, (as in leveraging organizations dedicated to the training of professional such as the ISPI)
- Provide for Additional support
CC Part 1: Introduction and general model ccpart1 V3.0.pdf
CC Part 2: Security functional components ccpart2 V3.0.pdf
CC Part 3: Security assurance components ccpart3 V3.0.pdf
CEM: Evaluation Methodology cem V3.0.pdf
Any company needing product based security compliance certification, as means to advance in international markets, should own and adopt the Common Criteria standard released by ISO.
This is not the answer to my quest, but it offers a lot of insight in the process. The Common Criteria, ISO/IEC 1528 standard provides a method that includes uniform comparisons, response to changes in current application and security conformance to best practice. The approach aligns all known best inputs from literally dozens of organizations.
Here are two more snippets from the introduction. I liked the simple idea that any standard might be aligned to a protection profile, so here is just one taste from the CC.
"Protection Profile (PP) A protection profile defines an implementation-independent set of security requirements and objectives for a category of products or systems which meet similar consumer needs for IT security. A PP is intended to be usable and to define requirements which are known to be useful and effective in meeting the identified objectives. The PP concept has been developed to support the definition of functional standards, and as an aid to formulating procurement specifications. PPs have been developed for firewalls, relational databases, etc, and to enable backwards compatibility with TCSEC B1 and C2 ratings.
Security Target (ST)
A security target contains the IT security objectives
and requirements of a specific identified TOE and defines the functional and
assurance measures offered by that TOE to meet stated requirements. The ST may claim conformance to one or
more PPs, and forms the basis for an evaluation[119]."
Common Criteria for Information Technology Security Evaluation, Part 3: Security assurance components, 2005 release, I found a design model that offered some insight into a standard for all standards approach. Classes of information used to evaluate products against their relative claim in providing technology controls are presented as class and family, across the following domains:
- ACO: Composition
- ADV: Development
- AGD: Guidance documents
- ALC: Life-cycle support
- ASE: Security Target evaluation
- ATE: Tests
- AVA: Vulnerability assessment
Assurance Class |
Assurance Family |
Composition |
|
Development |
|
Guidance Document |
|
Life-Cycle Support |
|
Security Target Evaluation |
|
Tests |
|
Vulnerability Assessment |
|
Seems like a Schema to me
Reading any representation of standards will at some point propose a common schema for application and digital communication. Tom O’Reilly’s published “What is Web 2.0, in which he summarizes these points as Core Competencies for companies claiming their software or service meets the standard to be described as Web 2.0. If a framework for all standards has any hope for success, it will at the very least be Web 2.0 compliant. His summary suggests that success comes from:
- Services, not packaged software, with cost-effective scalability
- Control over unique, hard-to-recreate data sources that get richer as more people use them
- Trusting users as co-developers
- Harnessing collective intelligence
- Leveraging the long tail through customer self-service
- Software above the level of a single device
- Lightweight user interfaces, development models, AND business models
With an interesting side bar titled “The Architecture of Participation”, O’Reilly pitches the development of data, not in a predetermined design pattern, but it a pattern based in common use[120]. The side bar notes Dan Bricklin’s work. The Cornucopia of the Commons, which three ways to build a large database.
“The first, demonstrated by Yahoo!, is to pay people to do it. The second, inspired by lessons from the open source community, is to get volunteers to perform the same task. The Open Directory Project, an open source Yahoo competitor, is the result. But Napster demonstrated a third way. Because Napster set its defaults to automatically serve any music that was downloaded, every user automatically helped to build the value of the shared database. This same approach has been followed by all other P2P file sharing services. […] One of the key lessons of the Web 2.0 era is this: Users add value. But only a small percentage of users will go to the trouble of adding value to your application via explicit means. Therefore, Web 2.0 companies set inclusive defaults for aggregating user data and building value as a side-effect of ordinary use of the application. As noted above, they build systems that get better the more people use them[121]."
Seems like our society runs in two directions at the same time. Blogs, Wiki and RSS have us overtaking outmoded rules for everything from spelling to acceptable business attire. Moving rapidly in parallel, laws restricting digital expression, increasing the girth of copyright and extending legal jurisdiction to every form and channel of communication, is the subject of both world and local news. We have never struggled harder to be compliant with greater numbers of independent variations of conformity, to such granular levels of performance and standard.
Is this why I feel dizzy?
The Common Criteria project is among the Open Source
initiatives heavily supported by U.S. Government, (see open
source memo). In fact, the
U.S federal government uses open source software in response to the E-Government
Act of 2002. Various news releases
describe the E-Government Act as a regulation that: “promotes the sharing
of best practices and innovative approaches in acquiring, using, and managing
information resources for the government.” An outstanding example is found at the Government
Open Code Collaborative Repository, which provides, among other things, an open
source Content Management System. The repository contains code available for use in meeting state and
local governments requirements CMS. The Commonwealth of Massachusetts
Information Technology Division; the Rhode Island Office of the Secretary of
State; the Pennsylvania Office of Information Technology; the Utah
Governor’s Office, CIO Section; the Kansas Secretary of State Office; the
Kansas Treasurer’s Office; the Missouri Secretary of State Office; the West
Virginia Auditor’s Office; the City of Gloucester, MA; the City of
Worcester, MA; and the City of Newport News, VA, launched the formation of the
Government Open Code Collaborative (GOCC) in June of
2004, as a means for collaboration and sharing of computer code developed for
and by government entities. Additional links found at this site point to: WorkforceConnections, Advanced Distributed Learning, W3C Web
Content Accessibility Guidelines and www.core.gov
All conferences and articles concerned with open source and code reuse
mention OASIS and in particular, the SAML standard. The approach used for evaluation of
product security offered some similarity to the approach used for the creation
of SAML 2.0, the OASIS Security Assertion Markup Language[122]. The most significant difference in the
Common Criteria and SAML projects however, is that one evaluates and the other
creates assurance from the very start. CC is focused to the evaluation of meeting standards, the committees of
OASIS and the SAML TC strive to constrain information by schema, creating
preventive controls and uniform communication of data such that compliance is
embedded in both form and function. Reading the introduction and end references of SAML 2.0 reveals that
this TC applied common security evaluation constructs, leveraging many of the
same elements found in the 15408 ISO/IEC series, reworked to normalize use case
requirements, enforcing industry security terms in its glossary, and listing
various IETF RFC and government standard considerations, such as NIST SP 800
26. For example, SAML is used to
demonstrate conformity to web security standards, such as Federal Information
Processing Standard, FIPS 140.
Constraint and normalization of information is a cornerstone in meeting regulatory compliance requirements. Concepts around the representation of information have existed for many decades, but the most compelling manner of representing information is probably “DocBook.” The concept of the DocBook[123] may have been the initial draw for many persons among the Information Technology Audit community, and as it offered the basis of what would become Financial Assertion markup language and the representation of bank regulation compliant financial reporting. I know it attracted and inspired me to join and participate with several configuration and network data center OASIS TCs. This volunteer organization is at the forefront of compliance and automation. Remarkably, both teams and standards evolve through raw collaboration, commitment, and talent. In spite of tremendous success, leaders like the creator of DocBook XSL: The Complete Guide, Bob Stayton, and DocBook: The Definitive Guide, author Norman Walsh, provide daily support to OASIS XML use groups[124].
The concept of stylesheets as a means to validate any standard is long and well implemented by the web application and electronic industry user communities. BPEL, (Business Process Execution Language) offers process documentation and controls modeling a lot of hope. It is already an adopted standard by the FFIEC. A profound product is the recently released “Enterprise Technical Reference Model (ETRM) v3.5. ERTM incorporates a new Discipline for Data Formats within the Information Domain. This Discipline addresses the acceptable formats in which data can be presented and captured for viewing and download at http://www.mass.gov. ERTM, announced by several news feeds for it’s bold and eloquent use of Open Standards, is said to jump ahead of the compliance curve. Quoting a small portion of what I find to truly be a Must Read shows the importance of OASIS to security and IT.
“[…] Domain: Security - Discipline: Identity Management
Description: Identity Management is a broad administrative area that deals with identifying individuals in a system and controlling their access to resources within that system by associating user rights and restrictions with the established identity. The driver licensing system is a simple example of identity management: drivers are identified by their license numbers and user specifications (such as "can not drive after dark") are linked to the identifying number.
In a wider context, industry standards groups such as the World Wide Web Consortium and OASIS are developing standards that would enable global identity management, in which each individual would be uniquely identified, and all applicable data would be linked to that identity
Relevant Standards Organizations
OASIS – The organization for advancement of structured information standards (OASIS) is currently working two sets of Service Registry standards, i.e. UDDI and ebXML. More information about OASIS can be found at www.oasis-open.org
W3C - The World Wide Web Consortium was created in October 1994 to lead the World Wide Web to its full potential by developing common protocols that promote its evolution and ensure its interoperability. W3C has around 400 Member organizations from all over the world and has earned international recognition for its contributions to the growth of the Web. More information about W3C can be found at www.w3.org
WS-Interoperability – The Web Services Interoperability Organization is an open industry effort chartered to promote Web Services interoperability across platforms, applications, and programming languages. More information about WS-I can be found at www.ws-i.org
IETF- the Internet Engineering Task Force (IETF) is a large open international community of network designers, operators, vendors, and researchers concerned with the evolution of the Internet architecture and the smooth operation of the Internet. It is open to any interested individual. The actual technical work of the IETF is done in its working groups, which are organized by topic into several areas (e.g., routing, transport, security, etc.). More information on the IETF can be found at http://www.ietf.org/home.html.
Where are you taking me?
OASIS teams, such as the TC members of SAML, represent a vast array of business, government and industry contribution, with representation from W3C, ISO, IEC, ANSI, and BSA, just to start. SAML is in use, is valuable and is current to the recent year. The interpretation this or any standard, however, suffer common vulnerabilities. As with any standards body or TC, it may miss adopting best criteria simply for a lack of correctly representing a problem, caused for example, by a lack of involvement with an outside organization. While the OASIS processes for standards development is highly successful, it is by virtue of contributing members, commitment, consensus, and a broad distribution of stakeholders. SAML is one of the best standards in our time. OASIS is an amazing collection of people and thinkers. It is not, however, immune to obsolescence, lost efficiency or redundancy.
OASIS is a model for standards evolution. The following is a 2005 list of the technical committees:
- Adoption Services
- Computing Mgmt
- Document-Centric
- e-Commerce
- Law & Government
- Localization
- Security
- SOA
- Standards Adoption
- Supply Chain
- Web Services
- XML Processing
The standards adoption offers sound advice in the evaluation of newly developed standards, their use and quality. There are no “buts” in my statement of support to OASIS. Unfortunately, we are left to stringing all these standards together and subject to the limits in each technical scope. In the absence of a uniform ontology for the classification of all existing comparative and or potentially redundant standards, we are still facing the same challenge of recognizing apples for apples and oranges for oranges[125].
Honest Doc, I looked everywhere. No expiration date.
Like most dogs, anything I can chew and swallow, is labeled “food.” I don’t generally confirm that a hyperlink is the best or most recent source for any type of information. I’ve only recently made a habit of reading dates and source code on most web sites. Even the most reputable sources, such as Common Criteria Portal and NIST, provide a few dead links. No one organization is dedicated to or has the scope to recognize everyone else’s expiration date. It’s not deliberate. Most portals come with disclaimers. The Common Criteria Evaluation Portal is under the NIST domain. The disclaimer reads, “Any mention of commercial products within NIST web pages is for information only; it does not imply recommendation or endorsement by NIST.”
In the absence of distributed accountability and liability agents, everyone’s afraid of definitive answers. As a result, there’s no mandate to label expiration by concepts. Words like “to the best of my ability” and “not an endorsement” have become excuses to for even a few Human beings to slip back to the realm of sheep.
A universal schema to manage the expiration of ideas may sound like a Roddenberry plot. Broadcasting over 80:80, a best practice validation algorithm, provides a warning beacon based in an authors or organizations current positional authority to claim guidance in any domain. Wouldn’t it be great if we had an automated agent screening a document on launch and providing guidance on content relevance? Imagine an agent that could say:
Darker and deeper
We have standards for submitting written works, research design, chemical and products, and even requirements that require creation of more standards[126]. I was starting think Mount Must Read™ had called in a ringer, a seedy underworld association from his days with snakes, pigs and rats. I could sense all this reading taking me down a dark alley.
Sucked in by detail
There’s a reason that Eagles fly at a thousand feet in the air. The choice is fly fast or fly low. Try to do both and you slam against a wall. This reality poses an interesting dilemma. If Eagles can’t think on a scale of detail that is both miniscule and grand, how do the detail thinkers work with the visionaries, and vice versa?
[109] VISA International Service Association. Security Programs. Retrieved December 1, 2005 from http://corporate.visa.com/st/programs.jsp. Note:
“Visa has collaborated with other payment card companies to create a single set of worldwide requirements, called the Payment Card Industry (PCI) Data Security Standard, for consumer data protection across the entire industry. The PCI Data Security Standard aligns Visa's Account Information Security (AIS) program, also known as Cardholder Information Security Program (CISP) in the U.S., and MasterCards' Site Data Protection (SDP) program, streamlining requirements, compliance criteria and validation processes. It also addresses merchants' and acquirers' concerns about having to meet more than one set of standards to accomplish a single goal.”
© Copyright 1996-2005, Visa International Service Association.
[110] ISO. Standards and/or guides of TC 68/SC 2. Retrieved December 1, 2005 from http://www.iso.org/iso/en/stdsdevelopment/tc/tclist/TechnicalCommitteeStandardsListPage.
TechnicalCommitteeStandardsList?COMMID=2193.
Note: Standards in the last three years, by the Security management and general
banking operations, are listed here as:
- ISO 8732:1988/Cor 1:1999
- ISO 9564-2:2005 Banking -- Personal Identification Number management and security -- Part 2: Approved algorithms for PIN encipherment
- ISO 9564-3:2003 Banking -- Personal Identification Number management and security -- Part 3: Requirements for offline PIN handling in ATM and POS systems
- ISO/TR 9564-4:2004 Banking -- Personal Identification Number (PIN) management and security -- Part 4: Guidelines for PIN handling in open networks
- ISO 11568-1:2005 Banking -- Key management (retail) -- Part 1: Principles
- ISO 11568-2:2005 Banking -- Key management (retail) -- Part 2: Symmetric ciphers, their key requirements and evaluation methods
- ISO 13491-2:2005 Banking -- Secure cryptographic devices (retail) -- Part 2: Security compliance checklists for devices used in financial transactions
- ISO 15782-1:2003 Certificate management for financial services -- Part 1: Public key certificates
- ISO 16609:2004 Banking -- Requirements for message authentication using symmetric techniques
- ISO/TR 17944:2002 Banking -- Security and other financial services -- Framework for security in financial systems
- ISO/TR 19038:2005 Banking and related financial services -- Triple DEA -- Modes of operation Implementation guidelines.
[111] Skadden
Biography. Michael S. Hines. ,
Retrieved December 1, 2005
from http://www.skadden.com/index.cfm?contentID=45&bioID=2732. Note:
Michael S. Hines has dedicated himself to distribution of accurate, timely
security information, making about as much as anyone could from a career in
Systems Administration at Purdue University (West Lafayette, IN). It seems hard
to believe that with all he writes, he spend his own share of time putting out
fires, just like the rest of us. It
was a post by Mike that led me to the Common Criteria project.
http://archives.neohapsis.com/archives/win2ksecadvice/1999-q4/0188.html,
tipping off his peer group to Commercial Product Evaluations Main Page as early
as 1999! Perhaps this is why Purdue’s infrastructure systems
administrator, entrusted with their entire IT Infrastructure, was named
president of the Central Indiana Information Systems and Control Association,
an organization with more than 35,000 members. Watching Mike makes me feel like
a potato!
[112] United States Congress & Subcommittee On Technology, Information Policy, Intergovernmental Relations and the Census (2004). Oversight Hearing Statement by Adam Putnam, Chairman, Identity Theft: The Causes, Costs, Consequences, and Potential Solutions. Retrieved December 1, 2005 from http://www.reform.house.gov/UploadedFiles/Final%20Press%20Opening%20Statement%202.pdf, p. 5.
[113] GTAG, op.cit, p. 17.
[114] Joseph Gibaldi (2003). MLA Handbook for Writers of Research Papers, 6th Edition. Retrieved December 1, 2005 from http://www.mla.org/handbook. & APA (2001). Publication Manual of the American Psychological Association, 5th Edition. Retrieved December 1, 2005 from http://www.apastyle.org/pubmanual.html.
[115] NIST Information Technology Laboratory (2002), International Standard ISO/IEC 17799:2000 Code of Practice for Information Security Management, Frequently Asked Questions, Retrieved December 1, 2005 from http://csrc.nist.gov/publications/secpubs/otherpubs/reviso-faq.pdf.
[116] ITTF. Freely Available Standards, In accordance with ISO/IEC JTC 1 and the ISO and IEC Councils these International Standards are publicly available. Retrieved December 1, 2005 from http://isotc.iso.org/livelink/livelink/fetch/2000/2489/Ittf_Home/ITTF.htm. Note: The standards are available for download at the ITTF web site. This does not imply free use or permission to copy any materials found. The files are in zip format. I had no difficulty with them but always use a staging are to run additional anti-virus/spyware before opening anyone’s files: http://standards.iso.org/ittf/PubliclyAvailableStandards/c040612_ISO_IEC_15408-1_2005(E).zip, http://standards.iso.org/ittf/PubliclyAvailableStandards/c040613_ISO_IEC_15408-2_2005(E).zip, & http://standards.iso.org/ittf/PubliclyAvailableStandards/c040614_ISO_IEC_15408-3_2005(E).zip.
[117] Note: Product evaluation results in certification and explanation of product compliance with acknowledge best practice and industry standards for certification as required by any type of company or branch of government or international service. Tripwire Manager 3.0 with Tripwire for Servers 3.0, Tripwire Manager 3.0 with Tripwire for Servers Check Point Edition 3.0, a product heavily supported by the IIA has listed certification since 2003.
[118] CESG (UK) & NIST (USA). Common Criteria, An Introduction. Retrieved December 1, 2005 from http://www.commoncriteriaportal.org/public/files/ccintroduction.pd. Note: "The Common Criteria work is an international initiative by the following organizations: CSE (Canada), SCSSI (France), BSI (Germany), NLNCSA (Netherlands), CESG (UK), NIST (USA) and NSA (USA).", p. 2.
[119] Ibid., p. 6.
[120] Tim O'Reilly, What Is Web 2.0, Design Patterns and Business Models for the Next Generation of Software, 09/30/2005 Retrieved December 30, 2005 from http://www.oreillynet.com/pub/a/oreilly/tim/news/2005/09/30/what-is-web-20.html?page=1, What is Web 2.0
[121] Idem, Article cites: Daniel Bricklin, “The Cornucopia of the Commons: How to get volunteer labor, © Copyright 1999-2005, Retrieved December 31, 2005 http://www.bricklin.com/cornucopia.htm
[122] OASIS (2005). Security Assertion Markup Language (SAML) v2.0. Retrieved December 1, 2005 from http://www.oasis-open.org/specs/index.php#samlv2.0, & http://docs.oasis-open.org/security/saml/v2.0/saml-2.0-os.zip.
[123] DocBook Schemas. Retrieved December 1, 2005 http://docbook.org/oasis/index.html. Note: As stated on the website: “DocBook is a schema (available in several languages including RELAX NG, SGML and XML DTDs, and W3C XML Schema) maintained by the DocBook Technical Committee of OASIS. It is particularly well suited to books and papers about computer hardware and software (though it is by no means limited to these applications)."
[124] Norman Walsh & Leonard Muellner, DocBook: The Definitive Guide, O'Reilly & Associates, Inc., Version 1.0.2 (1999). Retrieved December 1, 2005 from http://www.oreilly.com/catalog/docbook/chapter/book/docbook.html. Note: This is the official documentation for DocBook. & Bob Stayton, DocBook XSL: The Complete Guide, Sagehill Enterprises, Third Edition (2005). Retrieved December 1, 2005 from http://www.sagehill.net/docbookxsl/. Note: This is the definitive guide to using the DocBook XSL stylesheets. It provides the necessary documentation to realize the full potential of DocBook publishing. It covers all aspects of DocBook publishing tools, including installing, using, and customizing the stylesheets and processing tools.
[125] The phrase "apples and oranges," is not mine, but the source cannot be found at this time. Interesting to note, is an article by Scott Berinato found at Darwin, The Chief Security Officer magazine/ website, where attempted to find the origin of this phrase. http://www.darwinmag.com/read/0502/apples.html
[126] United States Congress, "Computer Security Enhancement Act of 1997", in Public Law 100-418, H.R. 1903, Calendar No. 718, & Report No. 105-412 (1998), SEC. 1-14. Note: "To amend the National Institute of Standards and Technology Act to enhance the ability of the National Institute of Standards and Technology to improve computer security, and for other purposes."