APPENDIX 3: RESOURCES

Reference books and articles

Boyce JG and Jennings DW, (2002), Information Assurance: Managing Organizational IT Security Risks, Butterworth Heinemann, London, ISBN 0-7506-7527-3. (This article was published in Information Assurance: Managing Organizational IT Security Risks, pp.170–171, copyright Butterworth Heinemann (2002).)

British Standards Institution, (2009), ISO 31000: 2009, Risk Management Principles and Guidance Standard, London.

Dimitriadis CK, (2011), Information Security from a Business Perspective, ISACA Journal, vol. 1. [Accessed 18 February 2011.] Available at: www.continuitycentral.com/feature0856.html.

Herrmann DS, (2002), A practical guide to Security Engineering and Information Assurance, Auerbach Publications, CRC Press, Florida, ISBN 0-8493-1163-2.

Hutton N, (2008), Information Assurance: ‘Must try harder’, ITAdviser, Winter, pp.16–17. [Accessed 7 February 2011.] Available at: www.360is.com/downloads/ncc-mag-issue-56-360is.pdf.

Information Assurance Advisory Council (IAAC), (2003), Engaging the Board – Corporate Governance and Information Assurance, Board Report, February 2003, www.iaac.org.uk.

ISACA, (2009), An Introduction to the Business Model for Information Security, p.13, Figure 2, Overview of BMIS, ISACA, Illinois. [Accessed 20 March 2011.] Available at: www.isaca.org/bmis, www.isaca.org/Knowledge-Center/BMIS/Pages/Business-Model-for-Information-Security.aspx, © 2010, ISACA. ® All rights reserved.

Kovacich GL, (1998), Information Systems Security Officer’s Guide, Establishing and Managing an Information Protection Program, Butterworth Heinemann, Woburn, ISBN 0-7506-9896-9.

Maconachy V, Schou C, Ragsdale D and Welch D, (2001), A Model for Information Assurance: An Integrated Approach, Proceedings of the 2001 IEEE Workshop on Information Assurance and Security, June, U.S. Military Academy. West Point, New York, ISBN 0-7803-9814-9. [Accessed 8 July 2012.] Available at http://darpa.academia.edu/DanielRagsdale/Papers/762175/A_model_for_information_assurance_An_integrated_approach.

Marks N, (2011), Marks on Governance Blog – Podcast on GRC and a Related Discussion Forum, posted on 21 February 2011. [Accessed 27 February 2011.] Available at: www.theiia.org/blogs/marks/index.cfm/post/Norman’s%20Podcast%20on%20GRC,%20and%20a%20Related%20Discussion%20Forum.

McCumber J, (1991), Information Systems Security: A Comprehensible Model. Paper presented at the Proceedings of 14th National Computer Security Conference, National Institute of Standards and Technology, Baltimore, MD, October. Contains the McCumber Cube. [Accessed 3 February 2011.] Available at: www.humanitarian.info/2008/03/25/pass-the-security-cube-aka-no-bullets-involved-part-3/.

McCumber J, (2004), Assessing and Managing Security Risk in IT Systems: A Structured Methodology, Auerbach Publications, Florida, ISBN 0-8493-2232-4.

McFadzean E, (2005), The case for Information Assurance and Corporate Strategy Alignment, Part 5, Henley Management College, provided via www.bl.uk ref 9350.837405.

Open Compliance and Ethics Group (OCEG), (2011), Governance Risk and Compliance [GRC]. [Accessed 27 February 2011.] Available at: www.oceg.org.

OSI Model, Wikipedia Commons, http://en.wikipedia.org/wiki/File:Osi-model.png. [Accessed 8 July 2012.]

Petersen R, Larsen R, Schou C and Strickland L, (2004), What’s in a name? EDUCAUSE Quarterly, vol. 27, no. 3, pp.5–8. [Accessed 13 May 2010.] Available at: www.educause.edu/EDUCAUSE+Quarterly/EDUCAUSEQuarterlyMagazineVolum/WhatsinaName/157298.

Schneier B, (2008), Schneier on Security, Wiley Publishing, Canada, ISBN 978-0-470-39535-6.

Shostack A and Stewart A, (2008), New School of Information Security, Addison Wesley, Boston, ISBN-13: 978-0-321-508728-0.

Schou C and Shoemaker D, (2007), Information Assurance for the Enterprise: A Roadmap to Information Security, McGraw-Hill Irwin, New York, ISBN-10: 0-07-225524-2/ISBN-13: 978-0-07-225524-9.

Stoneburner G, (2001), Underlying Technical Models for Information Technology Security, NIST SP 800-33, US National Institute of Standards and Technology (NIST), December. [Accessed 6 February 2011.] Available at: http://csrc.nist.gov/publications/nistpubs/800-33/sp800-33.pdf.

UK CESG, (undated), Certification, Cheltenham. [Accessed 20 March 2011.] Available at: www.cesg.gov.uk/publications/Documents/cccert.pdf.

UK CESG, (undated), Protection Profiles, Cheltenham. [Accessed 20 March 2011.] Available at: www.cesg.gov.uk/publications/Documents/criteria.pdf.

US Department of the Air Force, (2001), AFI33-204, Information Assurance Awareness Program, September. [Accessed 2 February 2011.] Available at: www.dtic.mil/cgibin/GetTRDoc?Location=U2&doc=GetTRDoc.pdf&AD=ADA405017.

Wylder J, (2004), Strategic Information Security, CRC/Auerbach Publications, Florida, ISBN 0-8493-2041-0.

Further resources

It is hoped that the following list of further resources will be useful to the reader wishing to embark on wider research of the topics discussed within this report.

Alexander D, Finch A and Sutton D, (2008), Information Security Management Principles, An ISEB Certificate, Andy Taylor (ed.), BCS Books, ISBN-13: 978-1-902505-90-9.

BSI Business Information Publishing, (2008), Exercising for Excellence, Delivering Successful Business Continuity Management Exercises, Crisis Solutions, (BIP 2143) ISBN-13: 978-0-580-50953-7.

Calder A, (2005), The Case for ISO27001, IT Governance Publishing, ISBN-10: 1-905356-13-7.

Calder A, (2005), Nine Steps to Success, An ISO27001 Implementation Overview, IT Governance Publishing, ISBN-10: 1-905356-12-9.

Day K, (2003), Inside the Security Mind – Making the Tough Decisions, Prentice Hall, ISBN-10: 0-13-111829-3.

Denning DE, (2000), Information Warfare and Security, ACM Press, ISBN-10: 0-201-43303-6.

Desman MB, (2002), Building an Information Security Awareness Program, CRC/Auerbach Publications, Florida, ISBN 0-8493-0116-5.

Greene TC, (2004), Computer Security for the Home and Small Office, www.apress.com, ISBN-10: 1-590593-16-2.

Hare-Brown N, (2007), Information Security Incident Management – A Methodology, BSI Business Information Publishing, ISBN-13: 978-0-580-50720-5.

Holt J and Newton J (eds), (2004), A Manager’s Guide to IT Law, BCS Books, ISBN-10: 1-902505-55-7.

Institute of Internal Auditors, (2010), A Culture of Risk, Tone at the Top, Issue 46, February, Florida.

Wylder J, (2004), Strategic Information Security, Auerbach, ISBN-10: 0-8493-2041-0.

Jones A and Ashenden D, (2005), Risk Management for Computer Security, Protecting Your Network and Information Assets, Elsevier, ISBN-10: 0-75-6-7795-3.

Lierley M (compilation ed.), (2001), Security Complete, Sybex Inc, ISBN-10: 0-7821-2968-4.

Mitnick K and Simon WL, (2002), The Art of Deception, Wiley: www.wiley.com, ISBN-10: 0-7645-4280-X.

Moses R and Archer H, (2006), Delivering and Managing Real-World Network Security, BSI Business Information Publishing, ISBN 0-580-48985.

Nichols RK, Ryan DJ and Ryan JJCH, (2000), Defending Your Digital Assets, RSA Press, ISBN-10: 0-07-213024-5.

O’Hara K and Shadbolt N, (2008), The Spy in the Coffee Machine, Oneworld, Oxford, ISBN-13: 978-1-85168-554-7.

Oppliger R, (1998), Internet and Intranet Security, Artech House Publishers, ISBN-10: 0-89006-829-1.

Parker DB, (2010), Our Excessively Simplistic Information Security Model and How to Fix It, ISSA Journal, July.

Peltier TR, (2001), Information Security Risk Analysis, CRC/Auerbach Publications, Florida, ISBN 0-8493-0880-1.

Peltier TR, (2002), Information Security Policies, Procedures, and Standards, Guidelines for Effective Information Security Management, CRC/Auerbach Publications, Florida, ISBN 0-8493-1137-3.

Peltier TR, (2004), Information Security Policies and Procedures, A Practitioner’s Reference, Second Edition, CRC/Auerbach Publications, Florida, ISBN 0-8493-1958-7.

POA Publishing LLC, (2003), Asset Protection and Security Management Handbook, Auerbach Publishing, ISBN 0-8493-1603-0.

Rothke B, (2004), Computer Security, 20 Things Every Employee Should Know, McGraw-Hill, ISBN-10: 0-07-223083-5.

Schneier B, (2000), Secrets and Lies: Digital Security in a Networked World, John Wiley & Sons, New York, ISBN 0-471-25311-1.

Schneier B, (2003), Beyond Fear, Thinking Sensibly About Security in an Uncertain World, Copernicus Books, New York, ISBN 0-387-02620-7.

Schou CD, Trimmer CD and Trimmer KJ, (2004), Information Assurance and Security, Idaho State University, Journal of Organizational and End User Computing, Vol. 16, No. 3, pp.1.

Schwartau W, (1994), Information Warfare, Thunder’s Mouth Press, ISBN-10: 1-56025-132-8.

Sharp J, (2007), The Route Map to Business Continuity Management, Meeting the Requirements of BS25999, BSI Business Information Publishing, ISBN-13: 978-0-580-50952-0.

Thejendra BS, (2006), Disaster Recovery and Business Continuity, IT Governance Publishing, ISBN-13: 978-1-905356-14-0.

Wright S, (2008), PCI DSS, A practical guide to implementation, IT Governance Publishing, ISBN-13: 978-1-905356-45-4.

Zittrain J, (2008), The Future of the Internet – And How to Stop It, www.penguin.com, ISBN-13: 978-1-8461-4014-3.

Other websites

Become a member of the following groups and read their Journals regularly:

Subscribe to Bruce Schneier’s monthly e-mail newsletter, Crypto-Gram available at www.schneier.com.
