I. Main International Security Policy Organizations:

1. AICPA – The American Institute of Certified Public Accountants, www.aicpa.org
2. ANSI – American National Standards Institute, www.ansi.org
3. ASBDC-US – The Association of Small Business Development Centers, www.asbdc-us.org
4. BITS – The Technology Group for The Financial Services Roundtable, www.bitsinfo.org
5. BR – Business Roundtable, www.businessroundtable.org
6. BSA – Business Software Alliance, www.bsa.org/usa
7. BSI – British Standards Institute, www.bsi.org.uk
8. BSI – Bundesamt für Sicherheit in der Informationstechnik, www.bsi.bund.de
9. CERT – Computer Emergency Response Team, www.cert.org
10. CIAO – Critical Infrastructure Assurance Office (formerly U.S. Dept. of Commerce, now IAIP of DHS)
11. CICA – Canadian Institute of Chartered Accountants, www.cica.ca
12. CIS – The Center for Internet Security, www.cisecurity.org
13. CMU – Carnegie Mellon University, www.cmu.edu
14. COSO – Committee of Sponsoring Organizations for the Commission on Fraudulent Financial Reporting (Treadway Commission), www.coso.org
15. DHS – Department of Homeland Security, www.dhs.gov
16. DISA – Defense Information Systems Agency, www.disa.mil
17. FFIEC – Federal Financial Institutions Examination Council, www.ffiec.gov
18. FSR – Financial Services Roundtable, www.fsround.org
19. FTC – Federal Trade Commission, www.ftc.gov
20. GAISPC – Generally Accepted Information Security Principles Committee, www.issa.org/gaisp.html
21. IAIP – Information Assurance and Infrastructure Protection Directorate of the DHS (see www.dhs.gov)
22. ICAEW – Institute of Chartered Accountants in England & Wales, www.icaew.co.uk
23. ICC – International Chamber of Commerce, www.iccwbo.org
24. IFAC – International Federation of Accountants, www.ifac.org
25. IIA – The Institute of Internal Auditors, Inc. (and IIA Research Foundation), www.TheIIA.org
26. ISO – International Organization for Standardization, www.iso.org
27. ISSA – Information Systems Security Association, www.issa.org
28. NACD – National Association of Corporate Directors, www.nacdonline.org
29. NCSA – National Cyber Security Alliance, www.staysafeonline.info
30. NERC – North American Electric Reliability Council, www.nerc.com
31. NIST – National Institute of Standards and Technology, www.nist.gov
32. NSA – National Security Agency, www.nsa.gov
33. OECD – Organization for Economic Cooperation and Development, www.oecd.org
34. PCAOB – Public Company Accounting Oversight Board, www.pcaobus.org
35. SANS – Systems Administration, Audit, and Network Security Institute, www.sans.org
36. SEC – Securities & Exchange Commission, www.sec.gov
37. SEI – Carnegie Mellon University Software Engineering Institute, www.sei.cmu.edu
38. SNAC – Systems and Network Attack Center (NSA), www.nsa.gov/snac
39. US-CERT – U.S. Computer Emergency Readiness Team, www.uscert.gov
40. WB – World Bank, www.worldbank.org

II. Main International Security Policy References:

1. ISO 17799 – Information Technology – Code of Practice for Information Security Management, www.iso.org/iso/en/CatalogueDetailPage.
2. DTI Code of Practice for Information Security Management: Department of Trade and Industry and British Standards Institute, London, 2005 (became BS 17799), www.dti.gov.uk
3. BS 7799 – Parts 1 & 2, Code of Practice for Information Security Management, London, 2005 (British Standards Institute), www.bsi.org.uk
4. Standard of Good Practice for Information Security (Information Security Forum), www.isfsecuritystandard.com/index_ie.htm
5. Prof. Raymond R. Panko: Corporate Computer and Network Security, University of Hawaii, Prentice Hall, 2004, ISBN 0130384712, Ray@Panko.com
6. “OECD Guidelines for the Security of Information Systems and Networks”, December 2002
7. Marianne Swanson & Barbara Guttman: GAPP – “Generally Accepted Principles and Practices”, NIST SP 800-18, “Guide for Developing Security Plans for Information Technology Systems”, December 1998
8. GASP – Generally Accepted Information Security Principles. Currently available: Generally Accepted Systems Security Principles (GASSP), consisting of Pervasive Principles (PP) and Broad Functional Principles (BFP), June 1999.
9. NIST 800-14 Generally Accepted Principles and Practices for Securing IT Systems, 1996, http://csrc.nist.gov/publications/nistpubs/index.html
10. NIST 800-26 Self Assessment Guide for IT Systems, http://csrc.nist.gov/publications/nistpubs/index.html
11. NIST 800-27 Engineering Principles for IT Security, http://csrc.nist.gov/publications/nistpubs/index.html
12. IFAC International Guidelines on Information Technology Management – Managing Information Technology Planning for Business Impact: International Federation of Accountants, New York, 1999, www.ifac.org
13. ITCG: Information Technology: Control Guidelines, 1998, www.cica.ca
14. ISO TR 13335 “Guidelines for the Management of Information Security”, Parts 1-5, www.iso.org/iso/en/StandardsQueryFormHandler.
15. NIST 800-12 The Computer Security Handbook, 1995, http://csrc.nist.gov/publications/nistpubs/index.html
16. NIST 800-37 Guide for the Security Certification and Accreditation of Federal Information Systems, http://csrc.nist.gov/publications/nistpubs/index.html
17. NIST 800-53 – Recommended Security Controls for Federal Info Systems, http://csrc.nist.gov/publications/nistpubs/index.html
18. Personal Information Protection and Electronic Documents Act (PIPEDA), Canada, www.pipeda.org
19. FISCAM – Federal Information Systems Controls Audit Manual (GAO), www.gao.gov
20. Systems Auditability and Control (SAC) – IIA RF, www.theiia.org/eSAC
21. Electronic Systems Assurance and Control (eSAC) – IIA RF, series of reports on IT management and security topics, www.theiia.org/eSAC
22. NIST 800-55 Security Metrics Guide for Information Technology Systems, http://csrc.nist.gov/publications/nistpubs/index.html
23. ISO 21827 System Security Engineering Capability Maturity Model, http://www.iso.ch/iso/en/CatalogueDetailPage.CatalogueDetail
24. “Information Security Governance: Guidance for Boards of Directors and Executive Management”, 2001 – IT Governance Institute, www.itgi.org
25. Information Security Management and Assurance – three-report series from IIA, NACD, CIAO, et al., http://www.theiia.org/esac/index.cfm?
26. Information Security Governance: Toward a Framework for Action (Business Software Alliance), http://www.bsa.org/resources/loader.
27. Information Security Oversight: Essential Board Practices (National Association of Corporate Directors), http://www.nacdonline.org/publications/pubDetails.asp
28. IT Governance Implementation Guide, http://www.isaca.org/Template.cfm?Section=Browse_By_Topic
29. Building Security in the Digital Resource: An Executive Resource, Business Roundtable, Nov. 2002, www.businessroundtable.org
30. Information Security for Executives – Business and Industry Advisory Committee to the OECD, and International Chamber of Commerce, Paris, November 2003, http://www.iccwbo.org/home/e_business/word_documents/
31. ICC Handbook on Information Security Policy for Small to Medium Enterprises – International Chamber of Commerce, April 11, 2003, www.iccwbo.org
32. Corporate Information Security Evaluation for CEOs (TechNet), www.technet.org/cybersecurity
33. NIST 800-26 Security Self-Assessment Guide for Information Technology Systems, http://csrc.nist.gov/publications/nistpubs/index.html
34. NIST 800-50 Building an Information Technology Security Awareness and Training Program, http://csrc.nist.gov/publications/nistpubs/index.html
35. NIST 800-60 Guide for Mapping Types of Information and Information Systems to Security Categories, Volumes 1 & 2, http://csrc.nist.gov/publications/nistpubs/index.html
36. NIST 800-30 Risk Management Guide for Information Technology Systems, http://csrc.nist.gov/publications/nistpubs/index.html
37. Sound Practices for Management & Supervision of Operational Risk, http://www.bis.org/publ/bcbs96.pdf
38. Electronic Security: Risk Mitigation in Financial IT Transactions – The World Bank (Thomas Glaessner, Tom Kellermann, and Valerie McNevin), June 2002, http://wbln0018.worldbank.org/html/FinancialSectorWeb.nsf
39. Interim Security Guidelines: Standard 1200 – Cyber Security, North American Electric Reliability Council (NERC), ftp://ftp.nerc.com/pub/sys/all_updl/standards/
40. Basel II – The New BASEL Capital Accord – Bank for International Settlements, http://www.bis.org/publ/bcbsca.htm
41. ISO TR 13569 “Banking and Related Financial Services – Information Security Guidelines”, 9/9/2003, http://www.iso.org/iso/en/stdsdevelopment/techprog/workprog/
42. BITS Framework: Managing Technology Risk for Information Technology (IT) Service Provider Relationships – Financial Services Roundtable (FSR), www.bitsinfo.org
43. Federal Financial Institutions Examination Council (FFIEC) – FFIEC “Audit IT Examination Handbook” and “FFIEC Audit Examination Procedures”, www.ffiec.gov
44. Federal Information Security Management Act of 2002 (FISMA) – U.S. Congress, 2002, www.fedcirc.gov/library/legislation/FISMA.html
45. ISO 17799, A Code of Practice for Information Security Management (British Standard 7799), National Communications System, Public Switched Network Security Assessment Guidelines, September 2005. The basics of an IT Security Policy from ISO Web Sites: http://security.vt.edu/, http://security.isu.edu/, http://www.itso.iu.edu/, http://www.ox.ac.uk/it/compsecurity/
46. [NIST 2002] National Institute of Standards and Technology: An Introduction to Computer Security: The NIST Handbook (NIST Special Publication 800-12). Gaithersburg, MD.
47. [NIST 2001] Stoneburner, Gary, Draft – Rev. A, NIST Special Publication 800-30, Risk Management Guide, February 16, 2001.
48. [NIST 2002] Swanson, Marianne and Barbara Guttman, NIST Special Publication 800-14, “Generally Accepted Principles and Practices for Security Information Technology Systems (GSSP)”, Gaithersburg, MD: National Institute of Standards and Technology.
49. [NIST 1989] Swanson, Marianne and Federal Computer Security Program Managers’ Forum Working Group, NIST Special Publication 800-18, Guide for Developing Security Plans for Information Technology Systems, Gaithersburg, MD: National Institute of Standards and Technology, December 1998.
50. [CERT/CC 2000] “CERT/CC Incident Reporting Form”. Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University. ftp://ftp.cert.org/pub/incident_reporting_form
51. [CERT/CC 1998a] CERT Coordination Center. “Incident Reporting Guidelines.”
52. [CERT/CC 2002b] “Computer Security Incident Response Team Frequently Asked Questions.” Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University. <http://www.cert.org/csirts/csirt_faq.html>.
53. [Pethia, Richard D 1990] “Developing the Response Team Network.” Workshop on Computer Security Incident Handling. Pleasanton, CA, June 1990.
54. [RFC 2196] Barbara Fraser, ed. Site Security Handbook (IETF Request for Comments 2196). <http://www.faqs.org/rfcs/rfc2196.html> (1997).
55. [Wood 1998] Wood, Charles Cresson. Information Security Policies Made Easy, 6th ed. Sausalito, CA: Baseline Software Inc., 1998. ISBN 1-881585-04-2.
56. Information Security Policy Papers: http://www.sans.org/rr/policy
57. Site Security Handbook, http://www.utoronto.ca/security/policies.html
58. DESC: Security Policies, http://www.ruskwig.com/security_policies.htm, http://www.iwar.org.uk/comsec/resources/canadaia/infosecawareness.htm
59. How to Build a Security Policy, http://www.boran.com/security/detail_toc.html
60. How to Develop Security Policies, http://www.giac.org/practical/Caroline_Reyes_GSEC.doc
61. What Makes a Good Security Policy, http://www.giac.org/practical/jack_albright_gsec.doc