References
- Allen, Julia & Stoner, Ed. Detecting Signs of Intrusion. (CMU/SEI-SIM-009). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, 2000, http://www.cert.org/security-improvement/modules/m09.html.
- The Biometric Consortium, http://www.biometrics.org/html/standards.html.
- Biometrics Standards and Current Standard-Related Activities, The Biometrics Resource Center Web site, National Institute of Standards and Technology, http://www.itl.nist.gov/div895/biometrics/standards.html.
- Center for Internet Security (CIS), Hershey, PA, http://www.cisecurity.org/.
- CERT® Coordination Center (CERT/CC), Carnegie Mellon Software Engineering Institute, http://www.cert.org.
- The Computer Security Act of 1987, Title 40, Section 1441, Responsibilities Regarding Efficiency, Security, and Privacy of Federal Computer Systems, http://uscode.house.gov/usc.htm.
- Computer Security Resource Center (CSRC), National Institute of Standards and Technology (NIST), Computer Security Division (CSD), compilation of computer-related security best practices, http://csrc.nist.gov/.
- Confidential Information, United States Code, Title XI, Rule 81: Papers Filed Conformity, Section (h), http://www4.law.cornell.edu/uscode/28/appendix-rule81PapersFiledConformity.html.
- Criminal Justice Information Systems, U.S. Code of Federal Regulations (CFR), 28 CFR 20.1, Judiciary and Judicial Procedure, U.S. Department of Justice.
- Data Encryption Standard (DES). DES was, until recently, used by the United States government for protecting sensitive but unclassified data. This standard has since been superseded by Triple DES because increases in computing power have allowed DES encryption to be broken. The Advanced Encryption Standard (AES) has now been recognized by the NIST CSD CSRC and has been officially approved for use by the United States government under Federal Information Processing Standard (FIPS) 197.
- Data Security and Classification Guidelines, Section IX: Data and Computing Policy Guidelines, The University of Massachusetts, http://www.umassp.edu/policy/data/itcdatasec.html.
- Directive 96/46/EC on Data Protection (the Directive), European Union (EU), http://www.privacyinternational.org/agreements.html.
- Domestic Disaster Recovery Plan for PCs, OIS, and Small VS Systems, National Institute of Standards and Technology (NIST), Gaithersburg, MD, U.S. Department of State, Washington, DC, National Technical Information Service (NTIS), U.S. Department of Commerce, http://www.ntis.gov/search/product.asp?ABBR=PB90265240&starDB=GRAHIST.
- The Electronic Communications Privacy Act of 1986 (ECPA), United States Code, Title 18, Part 1, Chapter 119, Section 2511: Interception and disclosure of wire, oral, or electronic communications prohibited, http://www4.law.cornell.edu/uscode/18/2511.html.
- Engineering Principles for Information Technology Security (A Base Line for Achieving Security), NIST Special Publication 800-27, June 2001, http://csrc.nist.gov/publications/nistpubs/800-27/sp800-27.pdf.
- Evaluation Assurance Level 4 (EAL4), Common Criteria for Information Technology Security Evaluation (CCITSE), The Trust Technology Assessment Program (TTAP), National Security Agency (NSA) and National Institute of Standards and Technology (NIST), Radium Customer Information Provider. EALs provide a uniformly increasing scale that balances the level of assurance obtained against the cost and feasibility of acquiring that degree of assurance. There are seven hierarchically ordered EALs; the higher the EAL, the greater the degree of assurance. http://www.radium.ncsc.mil/tpep/process/faq-sect3.html.
- Federal Agency Security Practices, National Institute of Standards and Technology (NIST), http://csrc.nist.gov/fasp/.
- Federal Information Security Management Act of 2002 (FISMA), Public Law 107-347, December 17, 2002.
- Ford, Gary, et al. Securing Network Servers. (CMU/SEI-SIM-007). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, 1999, http://www.cert.org/security-improvement/modules/m10.html.
- The Freedom of Information Reform Act (1986), United States Code, Title 5, Part I, Chapter 5, Subchapter II, Section 552: Public information; agency rules, opinions, orders, records, and proceedings, http://www4.law.cornell.edu/uscode/5/552.html.
- F-Secure, Symantec, and McAfee (antivirus software providers), http://www.fsecure.com; http://www.symantec.com; http://www.mcafee.com.
- Generally Accepted System Security Principles (GASSP) as defined by the International Information Security Foundation, http://web.mit.edu/security/www/GASSP/gassp11.html.
- Global Security Working Group (authentication policy samples), Global Justice Information Sharing Initiative, http://www.it.ojp.gov/topic.jsp?topic_id=58.
- Government Information Technology Agency (sample working, multiagency program, with Central Response Team membership application), http://gita.state.az.us/policies_procedures/p800_s855_incident_resp.htm.
- Guide for the Security Certification and Accreditation of Federal Information Systems, NIST Special Publication 800-37, June 2003 (second public draft), http://csrc.nist.gov/sec-cert/.
- Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, Organization for Economic Cooperation and Development (OECD), http://oecdpublications.gfi-nb.com/cgi-bin/OECDBookShop.storefront/EN/product/932002011P1.
- Health Insurance Portability and Accountability Act (HIPAA) of 1996, Centers for Medicare and Medicaid Services, http://www.cms.gov/hipaa/.
- Health Insurance Portability and Accountability Act (HIPAA) of 1996, Fact Sheet, Administrative Simplification Under HIPAA: National Standards for Transactions, Security, and Privacy, U.S. Department of Health and Human Services, http://www.hhs.gov/news/press/2002pres/hipaa.html.
- IEEE/EIA STD 12207, Software Lifecycle Processes, http://standards.ieee.org/reading/ieee/std_public/description/se/12207.0-1996_desc.html, http://standards.ieee.org/reading/ieee/std_public/description/se/12207.1-1997_desc.html, and http://standards.ieee.org/reading/ieee/std_public/description/se/12207.2-1997_desc.html.
- Industry Working Group (IWG), Integrated Justice Information Systems (IJIS), http://www.ijis.org.
- Information Technology Security Training Requirements: A Role and Performance-Based Model, NIST Special Publication 800-16, April 1998, http://csrc.nist.gov/publications/nistpubs/800-16/800-16.pdf.
- The Internet Engineering Task Force, four documents under current review, http://www.ietf.org/ids.by.wg/idwg.html:
  - Intrusion Detection Message Exchange Format Data Model and Extensible Markup Language (XML) Document Type Definition, David Curry, Hervé Debar, 31-Jan-03.
  - The Intrusion Detection Exchange Protocol (IDXP), Benjamin Feinstein, Gregory Matthews, John White, 23-Oct-02.
  - The TUNNEL Profile, Darren New, 06-Dec-02.
  - Intrusion Detection Message Exchange Requirements, Mark Wood, Michael Erlinger, 23-Oct-02.
- Internet Storm Center, (DID) Systems, http://isc.sans.org/.
- IP Security Protocol (IPsec), Internet Engineering Task Force (IETF), http://www.ietf.org/html.charters/ipsec-charter.html.
- The ISO 17799 Service and Software Directory. ISO 17799 is a comprehensive set of controls comprising best practices in information security; it is essentially an internationally recognized generic information security standard. International Organization for Standardization, http://www.iso17799software.com/.
- Justice Information Privacy Guideline - Developing, Drafting, and Assessing Privacy Policy for Justice Information Systems, National Criminal Justice Association, September 2002, http://www.ncja.org/publications.html.
- Kossakowski, Klaus-Peter, et al. Responding to Intrusions. (CMU/SEI-SIM-006). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, 1999, http://www.cert.org/security-improvement/modules/m06.html.
- Lightweight Directory Access Protocol (LDAP), The Internet Engineering Task Force, Network Working Group, http://www.ietf.org/rfc/rfc1777.txt.
- MIT Business Continuity Plan, Massachusetts Institute of Technology (MIT), 1995, http://web.mit.edu/security/www/pubplan.htm.
- MIT Emergency Response System, Massachusetts Institute of Technology (MIT), http://web.mit.edu/emergency/ers/index.html.
- National Association of State Chief Information Officers (NASCIO), Lexington, KY, http://www.nascio.org.
- Omnibus Crime Control and Safe Streets Act of 1968, Pub. L. No. 90-351, 82 Stat. 197, 1968 U.S.C.C.A.N. 237, as amended.
- Personnel Security Standard, Treasury Board of Canada, http://www.tbs-sct.gc.ca/pubs_pol/gospubs/TBM_12A/CHAPT2-4_e.asp.
- Preservation and Exchange of Identification Records and Information, U.S. Code of Federal Regulations, Title 28, Part II, Chapter 33, Sec. 534, Judiciary and Judicial Procedure, U.S. Department of Justice, Federal Bureau of Investigation, Acquisition, http://www.access.gpo.gov/uscode/uscmain.html.
- Privacy Act of 1974, United States Code, Title 5, Part I, Chapter 5, Subchapter II, Section 552a, http://www4.law.cornell.edu/uscode/5/pIch5schII.html.
- Recommendation for Electronic Authentication, NIST Special Publication 800-63, http://fasp.nist.gov/publications/drafts.html#draft-sp80063.
- Safe Harbor Act, U.S. Department of Commerce, Export Portal, http://www.export.gov/safeharbor/.
- Sample Operating Policies and Procedures, Institute for Intergovernmental Research (IIR), http://www.iir.com/28cfr/sample_operating_Policies_procedures.htm.
- The SANS Security Policy Project, The SANS Institute, http://www.sans.org/resources/policies/.
- Security Assertion Markup Language (SAML), Organization for the Advancement of Structured Information Standards (OASIS), Security Services Technical Committee, http://www.oasis-open.org/committees/security/.
- Security Classification of Information, Classification Levels, Chapter 7, Vol. 2. Principles for Classification of Information, Oak Ridge National Laboratory, U.S. Department of Energy, Department of Energy Federation of American Scientists Web site, http://www.fas.org/sgp/library/quist2/chap_7.html.
- Secure Hash Standard, Federal Information Processing Standard Publication 180-1, April 17, 1995, http://www.itl.nist.gov/fipspubs/fip180-1.htm.
- Summary of the Intrusion Detection and Isolation Protocol (IDIP) Project, Intrusion Detection and Isolation Protocol, University of California, Davis, http://seclab.cs.ucdavis.edu/projects/idip.html.
- Swanson, Marianne. Security Self-Assessment Guide for Information Technology Systems, National Institute of Standards and Technology, Publication 800-26, http://csrc.nist.gov/publications/nistpubs/800-26/sp800-26.pdf.
- Underlying Technical Models for Information Technology Security, Stoneburner, G., NIST Special Publication 800-33. December 2001, http://csrc.nist.gov/publications/nistpubs/800-33/sp800-33.pdf.
- Washington State Information Technology Security Policy Audit Standards, Washington State Auditor's Office, September 2001, http://www.sao.wa.gov/StateGovernment/ITSecurity/ITStandards.htm.
- Washington State Privacy Policy, Access Washington, Department of Information Services, http://www.wa.gov/dis/aboutdis/pdpnotice.htm.
- http://www.leo.gov/lesig/cjis/cjis_pub/information/poly2002_feb/POLY2002_Feb.htm (Note: Only LEO members may access the www.leo.gov Web site.)
Note: Those who are interested in computer and information systems security are encouraged to consult the Web site of the National Institute of Standards and Technology (NIST) at http://csrc.nist.gov/index.html. At this site, the Computer Security Resource Center (CSRC) at NIST offers a series of publications on security terminology, issues, and policies that justice information specialists can use as guidance.
