Annex 2. Handbook Bibliography
This Annex covers resources that were used and cited in the main text of this document. Additional resources will be listed in Annexes 3, 4, and 5.
Practical Unix & Internet Security, by Simson Garfinkel, Gene Spafford, and Alan Schwartz (O’Reilly & Associates, Inc.: CA, 2003)
Web Security, Privacy & Commerce, by Simson Garfinkel with Gene Spafford (O’Reilly & Associates, Inc.: CA, 2002)
IT Security: Risking the Corporation, by Linda McCarthy, Foreword by Gene Spafford (Prentice Hall PTR: NJ, 2003)
PART 1
The Future of Global Policy Making site: http://www.markle.org/globalpolicy/index.html Includes the DOT Force Roadmap and the Louder Voices Study.
Digital Opportunity Taskforce (DOT) reports: http://www.dotforce.org/teams Includes material on eStrategies:
http://www.dotforce.org/reports/documents/65/E-Strategies_e.pdf
See also plans for the International e-Development Resource Network:
http://www.dotforce.org/teams/IeDRNBusinessPlan.ppt
Government guidelines for the development of the information society:
http://www.innovazione.gov.it/eng/documenti/linee_guida_eng.shtml
OECD Electronic Commerce site:
http://www.oecd.org/EN/home/0,,EN-home-29-nodirectorate-no-no-no-29,00.html
OECD Electronic Commerce for Development Study (2002) http://www.oecd.org/EN/document/0,,EN-document-273-nodirectorate-no-15-36384-29,00.html
OECD eGovernment:
http://www.oecd.org/EN/about/0,,EN-about-301-nodirectorate-no-no-no-13,00.html
OECD ICT policy:
http://www.oecd.org/EN/home/0,,EN-home-40-nodirectorate-no-no-no-29,00.html
Global Internet Policy Initiative:
http://www.gipiproject.org/
Center for Democracy and Technology:
http://www.cdt.org/ and also the eGovernment handbook pages, completed in collaboration with infoDev: http://www.cdt.org/egov/handbook/
From the text footnotes for Part 1:
DOT-Force, http://www.dotforce.org/about/
Draft Declaration of Principles, World Summit on the Information Society, Document WSIS03/PCIP/DT/4(Rev.3)-E.
Moore, Paxson, Savage, Shannon, Staniford and Weaver, "Inside the Slammer Worm," IEEE Security and Privacy, Vol. 1, No. 4, July/August 2003, pp. 33-39.
PART 2
The IEEE fosters the development of standards that often become national and international standards. The organization publishes a number of journals, has many local chapters, and several large societies in special areas, such as the IEEE Computer Society. For further information on the IEEE and the IEEE Computer Society, see http://standards.ieee.org and http://www.computer.org/
Information about definitions and functional requirements for 802.11 may be found in this document: http://grouper.ieee.org/groups/802/11/Documents/DocumentArchives/1992_docs/1192091.DOC
The Unicode standard was developed to produce international software and to process and render data in most of the world's languages. The following paper presents the background of the development of this standard among vendors and by the International Organization for Standardization (ISO). The paper describes the design goals and principles. It also discusses how an application handles Unicode text. It concludes with a description of some approaches that can be taken to support Unicode and a discussion of Microsoft's implementation. Microsoft's decision to use Unicode as the native text encoding in its Windows NT (New Technology) operating system is of particular significance for the success of Unicode. http://research.compaq.com/wrl/DECarchives/DTJ/DTJB02/DTJB02SC.TXT
Additional material on the technical aspects of security may be found at the following links:
The Sans Institute Reading room:
http://www.sans.org/rr/catindex.php?cat_id=48
http://www.securityfocus.com
http://www.sysinternals.com offers a variety of freeware utilities for monitoring system usage and handling other aspects of systems security.
http://www.deter.com/unix/index.html is a Unix security page.
http://msgs.securepoint.com contains mailing lists for a number of popular security tools.
http://www.cert.org/tech_tips/unix_configuration_guidelines.html offers Unix configuration guidelines from CERT.
http://www.cert.org/tech_tips/win_configuration_guidelines.html offers Microsoft Windows configuration guidelines from CERT.
http://www.cert.org/securityimprovement/modules/m09.html covers CERT guidelines on detecting signs of intrusions.
http://sites.inka.de/lina/freefire-l/index.en.html is a link to the FreeFire project for free security software.
http://www.counterpane.com/log-analysis.html contains advice and how-to's on analyzing system logs.
PART 3
“Human Development Report 2001: Making New Technologies Work for Human Development” (UNDP: NY, 2001).
See a number of works by Glaessner, Kellermann, and McNevin including “Electronic Safety and Soundness: Securing Finance in a New Age, Public Policy Issues” (October 2003). This monograph is the culmination of efforts over the past three years and builds upon a series of papers. These include: “Electronic Security: Risk Mitigation in Financial Transactions” (May 2002, June 2002, July 2002), “Electronic Finance: A New Approach to Financial Sector Development?” (2002), and “Mobile Risk Management: E-Finance in the Wireless Environment” (May 2002). All papers are available at: http://www.worldbank1.org/finance (click on E-security).
Further material on research projects and security management products is available at the IT Governance Institute (ITGI): www.itgi.org.
For information on the cases and programs, see the Information Systems Audit and Control Association at: www.isaca.org. One such study featured the country of Uruguay, which might be of particular interest to readers of this handbook: http://www.isaca.org/ct_case.htm.
COBIT (http://www.isaca.org/cobit.htm, or http://www.itgi.org) is an open source product that provides a reference framework on e-Security for management, users, and IS audit, control, and security practitioners. The latest communication from ISACA will give you a good overview of current and future developments of the Association: Volume 8 2003 of Global Communiqué (members-only area; the original link embedded a member login in the URL, omitted here):
http://www.isaca.org/@member/gcomm/gcv034.pdf
Due to the rise in security incidents globally, a number of consulting firms have been producing reports on IT in an international context. See, for example, the 2003 Global Information Security Survey recently released by Ernst & Young:
http://www.ey.com/global/download.nsf/US/TSRS_Global_Information_Security_Survey_2003/$file/TSRS_-_Global_Information_Security_Survey_2003.pdf
Information on security issues including survey data on incidents and organizational responses may be found at the Sans Institute: http://www.sans.org.
InfraGard is an information sharing and analysis effort serving the interests and combining the knowledge base of a wide range of members. At its most basic level, InfraGard is a cooperative undertaking between the U.S. Government (led by the FBI) and an association of businesses, academic institutions, state and local law enforcement agencies, and other participants dedicated to increasing the security of United States critical infrastructures. For further information on a wide range of security issues, see www.infragard.net.
A second organization focused on a wide range of threats to individual, state, and national security is the newly formed Department of Homeland Security in the United States. The new department's first priority is to protect the nation against further terrorist attacks. Component agencies will analyze threats and intelligence, guard U.S. borders and airports, protect U.S. critical infrastructure, and coordinate the response of the country for future emergencies. DHS is also dedicated to protecting the rights of American citizens and enhancing public services, such as natural disaster assistance and citizenship services, by dedicating offices to these important missions. See www.dhs.gov.
The FBI has recently published a survey on computer crime: see www.gocsi.com for the main Computer Security Institute website and http://i.cmpnet.com/gocsi/db_area/pdfs/fbi/FBI2003.pdf for the survey itself.
The ICC is an international body whose membership includes developing countries; the group is engaged in research and exchanges on ICT issues such as e-Commerce, e-security, privacy, and law in the context of the Internet. The ICC web site and related pages may be found at: http://www.iccwbo.org/home/menu_electronic_business.asp
The following are several examples of recent work performed by the ICC:
a) Electronic Signatures Directive – review and response to the European Commission review of the Electronic Signatures Directive, which was submitted to the European Commission in September 2003.
b) Draft Privacy Toolkit - The Draft Privacy Toolkit develops the broad approach of ICC to the regulation of personal data and suggests the best way to protect privacy while allowing business to function effectively and continue to innovate.
c) Draft ICC policy statement on employee privacy, data protection and human resources - This draft policy statement sets out ICC's positions on the key issues relating to data protection and human resources, and provides recommendations for government policy in this area.
d) Draft E-terms - E-terms 2004 is ICC's new self-regulatory legal instrument on electronic contracting. The document has been prepared by an informal drafting group. In its current form, the draft model clause is a focused instrument that addresses three identified issues: (i) contract formation; (ii) confidentiality issues; (iii) evidential value of electronic records. The clause is limited to issues that are specific to the electronic medium. Thus, E-terms 2004 must be read in the context of existing conventional contract regulations and rules.
Federal Information System Control Manual (FISCAM) offers technical and policy information at: www.gao.gov/special.pubs/ai12.19.6.pdf
The International Standards Organization (ISO) develops standards for the information technology sector worldwide. Its code of practice for information security management, ISO/IEC 17799, transforms the British Standard BS 7799, which has been adopted in many countries, into an International Standard, and it is expected to become the reference document for codes of good practice to ensure secure and trustworthy e-commerce. See documents posted at www.iso.org.
ADDITIONAL LINKS FOR PARTS 3 AND 4: FOCUS ON INTERNATIONAL BUSINESS ISSUES CASES AND LEGISLATION
1) Implementing e-Government - being ready: http://www.audit.nsw.gov.au/guides-bp/e-govt-BPG.pdf is an excellent and simple checklist for governments to implement e-government (20 pages). Of interest: chapters on privacy, security, and technology and information management (Audit Office of New South Wales, Australia).
2) Case studies on protecting critical infrastructure through network security may be found at: http://www.itu.int/osg/spu/ni/security/index.html Korea and Brazil are featured in the Country Examples.
3) "The government's guidelines for the development of the information society", Minister for Innovation and Technologies, Rome, June 2002, is an excellent example of a government approach to setting up a plan for ICT security. See also http://www.innovazione.gov.it/eng/documenti/linee_guida_eng.pdf, which contains an executive summary on Italy's national plan for ICT security.
4) Reference to Global ICT Policy Themes, Issues and Venues, including security and privacy, may be found at: http://www.markle.org/globalpolicy/ The organization focuses on enabling meaningful participation by developing-nation stakeholders and features an implementation team on local policy participation from the G8 Digital Opportunity Task Force, June 2002.
5) The ITU site contains a collection of links to policy and regulatory web sites: http://www.itu.int/osg/spu/ni/security/links/policy.html
There are also links for development and e-strategy issues:
http://www.itu.int/ITU-D/e-strategy/internet/
The World e-Trust memorandum of understanding:
http://www.itu.int/ITU-D/e-strategy/MoU/world_e.html
and e-Business: A Technology Strategy for Developing Countries:
http://www.itu.int/ITU-D/e-strategy/publicationsarticles/wmrcjune00/ntoko.html
2003 Australian Computer Crime and Security Survey
Canadian Criminal Code, Part VI, Invasion of Privacy and Part IX, Offences against rights of property.
Claessens Stijn, Glaessner Thomas and Klingebiel Daniela, “E-Finance in Emerging Markets: Is Leapfrogging Possible?”
Commission of the European Communities: Network and Information Security: Proposal for A European Policy Approach- Brussels, June 6, 2001.
Commission of the European Communities: Creating a Safer Information Society by Improving the Security of Information Infrastructures and Combating Computer-related Crime – eEurope 2002, Brussels, January 26, 2001.
Department of Justice, Canada:
www.canada.justice.gc.ca/en/cons/la_al/index.html#toc: Lawful Access – Consultation Document.
Dr Chae, Kijoon, “Introduction to Critical Network Infrastructures,” May 20-22, 2002, Seoul, Korea.
Dr Lim, Chaeho, “Creating Trust in Critical Network Infrastructures: Korean Case Study.” May 20-22, 2002, Seoul.
European Union Directive 2000/31/EC - on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (Directive on electronic commerce)
European Union Directive 97/33/EC – on Interconnection in Telecommunications.
European Union Directive 2002/58/EC – on privacy and Electronic Communications.
Glaessner, Thomas, Kellerman Tom, and McNevin, “Electronic Security: Risk Mitigation in Financial Transactions -Public Policy Issues,” June 2002, The World Bank.
Global Dialogue “E-Security: Risk Mitigation in the Financial Sector,” The World Bank, Integrator Group, September 25, 2002
Goodman, Seymour E., Hassebroek, Pamela B., King, Davis, and Ozment, Andy, “International Coordination to Increase the Security of Critical Network Infrastructures,” May 20-22, 2002, Seoul.
Harrop, Mike, “Creating Trust in Critical Network Infrastructures –Canadian Case Study,” May 20-22, 2002, Seoul, Korea.
International Telecommunications Union – Telecommunications Standardization Sector (ITU-T) – Lead Study Group 17 on Communications and Systems Security (www.itu.int/ITU-T/).
Internet Security Alliance – Common Sense Guide for Senior Managers – Top Ten Recommended Security Practices, July 2002.
Keck, Richard and Satola, David, “Entering the Grid Computing Marketplace – A Primer of Key Legal Issues,” April 1, 2003.
Kellerman, Thomas, “Mobile Risk Management: E-finance in the Wireless Environment,” The World Bank, May 2002.
McCullagh, Declan, “Will Canada’s ISPs become spies?” CNET News.com, August 27, 2002.
Monetary Authority of Singapore – Technology Risk Management Guidelines for Financial Institutions – February 28, 2003.
Official Journal of the European Communities – Council Resolution on a common approach and specific actions in the area of network and information security, January 28, 2002.
Official Journal of the European Communities – Council Resolution on the Implementation of the eEurope 2005 Action Plan, February 18, 2003.
OECD Guidelines for the Security of Information Systems and Networks – Towards a Culture of Security.
Privacy Amendment Act of Australia (Private Sector) - Act 2000
“Security of Internet Enabled Wireless Devices,” Wireless Task Force Findings, National Security Telecommunications Advisory Committee, January 2003.
Shaw, Robert, “Creating Trust in Critical Network Infrastructures: The Case of Brazil.” May 20-22, 2002, Seoul.
The National Strategy to Secure Cyberspace, President’s Critical Infrastructure Board, United States, September 2002.
“Wireless Security,” Wireless Task Force Report, National Security Telecommunications Advisory Committee, January 2003.
PART 4
One source on privacy is the annual survey by EPIC and Privacy International, "Privacy and Human Rights 2003" (Sept. 2003)
http://www.privacyinternational.org/survey/phr2003/
See also the Global Privacy Report, a lengthy report on privacy conditions around the world, funded by the Japanese Ministry of Public Management, Home Affairs, Posts and Telecommunications, August 14, 2003: http://joi.ito.com/joiwiki/PrivacyReport
Links to anti-spam laws and organizations all around the world, as well as to articles in law journals analyzing the problem in more depth, may be found at: http://www.spamlaws.com/
WIPO has published a summary of intellectual property legislation in WIPO Member States, available at http://www.wipo.org/aboutip/en/ipworldwide/index.html.
From the text footnotes for Part 4:
http://www.usdoj.gov/04foia/privstat.htm
A more extensive, although dated, discussion of legal issues in the U.S. can be found in Computer Crime: A Crimefighter’s Handbook (O’Reilly). The book is out of print, but used copies are available.
The Global Internet Policy Initiative has a host of resources on the full range of policy issues affecting ICT development: http://www.internetpolicy.net.
The National Strategy to Secure Cyberspace [United States], February 2003
http://www.whitehouse.gov/pcipb/
Office of Critical Infrastructure Protection and Emergency Preparedness (OCIPEP)
http://www.ocipep.gc.ca/home/index_e.asp. For descriptions of how various other countries have responded to critical infrastructure protection, see “International Critical Information Infrastructure Protection Handbook,” edited by Andreas Wenger, Jan Metzger and Myriam Dunn, Center for Security Studies and Conflict Research, Swiss Federal Institute of Technology (2002) http://www.isn.ethz.ch/crn.
The U.K.’s Home Office has created a National Infrastructure Security Coordination Centre (NISCC) to coordinate critical infrastructure protection issues, provide alerts and attack response assistance, and facilitate public-private relationships to protect infrastructure. Within NISCC, there is a Computer Emergency Response Team, known as UNIRAS. An Electronic Attack Response Group (EARG) is also within NISCC to provide assistance to critical infrastructure organizations and government departments that suffer an attack. UNIRAS will provide an early warning and alert service to all UK businesses. The NISCC website (http://www.niscc.gov.uk) provides detailed information on the British government’s approach.
Under Australian law, Executive Agencies are nonstatutory bodies established by the Governor-General when a degree of independence within the governmental structure is needed and when the functions of the agency require a government-wide approach. The head of an Executive Agency is appointed by, and directly accountable to, a Minister, in this case the Minister for Communications, Information Technology and the Arts. See: http://www.noie.gov.au/Projects/confidence/Protecting/nat_agenda.htm.
United States Presidential Decision Directive 63: Critical Infrastructure Protection, May 22, 1998
http://www.fas.org/irp/offdocs/pdd-63.htm. See also PDD 62: http://www.fas.org/irp/offdocs/pdd-62.htm.
E.O. 13228, Establishing the Office of Homeland Security and the Homeland Security Council, October 8, 2001, http://fas.org/irp/offdocs/eo/eo-13228.htm; E.O. 13231, Critical Infrastructure Protection in the Information Age, October 16, 2001:
http://www.ciao.gov/News/EOonCriticalInfrastrutureProtection101601.html.
The National Strategy to Secure Cyberspace, Feb. 14, 2003, http://www.dhs.gov/interweb/assetlibrary/National_Cyberspace_Strategy.pdf.
The National Strategy to Secure Cyberspace was supplemented by The National Strategy for the Physical Protection of Critical Infrastructures and Key Assets, released March 4, 2003, http://www.dhs.gov/interweb/assetlibrary/Physical_Strategy.pdf. Both of these documents are implementing components of The National Strategy for Homeland Security, issued by the White House on July 16, 2002.
European Commission, Proposal for a Regulation of the European Parliament and of the Council Establishing the European Network and Information Security Agency, Feb. 11, 2003, COM(2003) 63 final, 2003/0032 (COD): http://europa.eu.int/information_society/eeurope/action_plan/safe/documents/nisa_en.pdf
Council resolution of 28 Jan. 2002; European Commission, Communication from the Commission to the Council, the European Parliament, the European Economic and Social Committee and the Committee of the Regions – Network and Information Security: Proposal for a European Policy Approach, June 6, 2001, COM(2001) 298 final, http://europa.eu.int/information_society/eeurope/news_library/new_documents/index_en.htm
European Commission, Communication from the Commission to the Council, the European Parliament, the Economic and Social Committee and the Committee of the Regions – Creating a Safer Information Society by Improving the Security of Information Infrastructures and Combating Computer-related Crime, Jan. 26, 2001, COM(2000) 890 final, http://europa.eu.int/ISPO/eif/InternetPoliciesSite/Crime/CrimeCommEN.html
Homeland Security Act, http://www.whitehouse.gov/deptofhomeland/analysis/
Federal Information Security Management Act, Title III of E-Government Act of 2002, Pub. Law 107-347, http://csrc.nist.gov/policies/FISMA-final.pdf.
Thomas J. Smedinghoff, “The Developing U.S. Legal Standard for Cyber-security,” Baker & McKenzie, Chicago, http://www.bmck.com/ecommerce/us%20cybersecurity%20standards.pdf. In the United States, the Securities and Exchange Commission has brought actions against corporations that insufficiently protected their computer systems from unauthorized access. See SEC v. National Business Communications Corp., SEC Litig. Release No. 11223, Sept. 19, 1986, SEC Litig. Release No. 11229, Sept. 26, 1986; In the Matter of Material Sciences Corporation, SEC Litig. Release No. 41930, Sept. 28, 1999.
Sarbanes-Oxley Act of 2002, Pub. Law 107-204.
http://www.aicps.org; http://www.isaca.org.
As is made clear throughout this handbook, there is a growing body of widely accepted computer security standards, ranging from the Organization for Economic Cooperation and Development (OECD) Guidelines for the Security of Information Systems to the information security standards adopted by non-governmental standards bodies. See generally Michael Nugent, It Can’t Happen Here, Wall Street Technology Association, Ticker, A Technology Magazine For Industry Profession (2003), http://www.wsta.org/publications/articles/0402_article03.html
Carol A. Siegel, Ty R. Sagalow, Paul Serritella, Cyber-Risk Management: Technical and Insurance Controls for Enterprise-Level Security, Security Management Practices, pg. 42 (September/October 2002). http://www.gsu.edu/~accrss/Security_and_Business_Risk.pdf.
NIST’s Computer Security Resource Center (CSRC) publishes information on a broad range of security topics, including cryptographic standards and applications, security testing, security research, system certification and accreditation guidelines, return on security investments, small business computer security, and federal agency security practices: http://csrc.nist.gov/. NIST publications are available at http://csrc.nist.gov/publications/index.html.
National Security Agency, Security Recommendation Guides, http://nsa1.www.conxion.com/.
CERT/Coordination Center, Software Engineering Institute, Carnegie Mellon University, http://www.cert.org/.
European Commission, Communication from the Commission to the Council, the European Parliament, the European Economic and Social Committee and the Committee of the Regions – Network and Information Security: Proposal for a European Policy Approach, June 6, 2001, COM(2001) 298 final, http://europa.eu.int/information_society/eeurope/news_library/new_documents/index_en.htm.
Proposal for a Regulation of the European Parliament and of the Council Establishing the European Network and Information Security Agency, Commission of the European Communities, Feb. 11, 2003, COM(2003) 63 final, 2003/0032 (COD), http://europa.eu.int/information_society/eeurope/action_plan/safe/documents/nisa_en.pdf
“Protecting Developing Economies from Cyber Attack – Assistance to Build Regional Cyber-security Preparedness,” APEC Media Release, Mar. 18, 2003, http://www.apecsec.org.sg/whatsnew/press/PressRel_ProtectgFromCyberAttack_180303.html.
http://www.ncs.gov/NSTAC/attf.html
The American Bar Association’s Privacy & Computer Crime Committee has published a detailed report covering cybercrime in depth. Jody R. Westby, ed., International Guide to Combating Cybercrime, American Bar Association, Section of Science & Technology Law, Privacy & Computer Crime Committee, 2003, http://www.abanet.org/abapubs/books/cybercrime/.
UN General Assembly, Resolution 55/63, Combating the criminal misuse of information technologies, Dec. 4, 2000, http://www.nvk2000.ru/apec/documents/International_Agreements/55-63_English.pdf
UN General Assembly, Resolution 56/121, Combating the criminal misuse of information technologies, Jan. 23, 2002, http://ods-dds-ny.un.org/doc/UNDOC/GEN/N01/482/04/PDF/N0148204.pdf?OpenElement.
The treaty, ETS no. 185, is online at http://conventions.coe.int/treaty/EN/cadreprincipal.htm along with an extensive Explanatory Report.
Eighth United Nations Congress on the Prevention of Crime and the Treatment of Offenders, Havana, Aug. 27- Sept. 7, 1990, report prepared by the Secretariat, UN publication, Sales No. E.91.IV.2, chap I. For the text of these recommendations, see United Nations Commission on Crime Prevention and Criminal Justice, Report on the Eighth Session, Apr. 27-May 6, 1999, E/CN.15/1999/12, http://www.un.org/documents/ecosoc/docs/1999/e1999-30.htm.
UN, International Review of Criminal Policy - United Nations Manual on the Prevention and Control of Computer-Related Crime, http://www.uncjin.org/Documents/EighthCongress.html.
Report of UN Economic and Social Council’s Commission on Crime Prevention and Criminal Justice effectively summarizes UN and other international work in the cybercrime and cyber-security area. Effective measures to prevent and control computer-related crime, E/CN.15/2002/8, Report of the Secretary-General, United Nations, Economic and Social Council, Commission on Crime Prevention and Criminal Justice, Eleventh Session, Vienna, Apr. 16-25, 2002, http://www.unodc.org/pdf/crime/commissions/11comm/8e.pdf.
Gramm-Leach-Bliley Act, 15 USC, Subchapter 1, § 6801.
“Appendix B to Part 570—Interagency Guidelines Establishing Standards for Safeguarding Customer Information,” Part III, http://www.occ.treas.gov/fr/fedregister/66fr8616.htm.
“Financial Institutions and Customer Data: Complying with the Safeguards Rule,” http://www.ftc.gov/bcp/conline/pubs/buspubs/safeguards.htm
Standards for Safeguarding Customer Information, 67 Fed. Reg. 36484-94, May 23, 2000, (codified at 16 C.F.R. Part 314), http://www.ftc.gov/os/2002/05/67fr36585.pdf.
Technology Risk Management Guidelines for Financial Institutions, Monetary Authority of Singapore, Draft Nov. 11, 2002, http://www.mas.gov.sg/display.cfm?id=94D063CD-5EB6-4636-82B5A725F9F6E9F5.
45 CFR §§ 160, 162, 164; http://www.cms.hhs.gov/hipaa/hipaa2/regulations/security/default.asp
HIPAA, 42 U.S.C. Section 1320d-2(d)(2).
Linda A. Malek and Brian R. Krex, “HIPAA’s security rule becomes effective 2005,” The National Law Journal, Mar. 31, 2003 at B14.
http://europa.eu.int/comm/internal_market/privacy/law_en.htm.
Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), Article 4(1), Official Journal L 201/37, July 31, 2002, at 37-47 (replacing EU Directive 97/66/EC),
http://europa.eu.int/smartapi/cgi/sga_doc?smartapi!celexapi!prod!CELEXnumdoc&lg=en&numdoc=32002L0058&model=guichett.
Security Breach Information Act (SB 1386), added to the California Civil Code as Section 1798.29; Keith Poulsen, “California disclosure law has national reach,” SecurityFocus Online, Jan. 6, 2003, http://online.securityfocus.com/news/1984. Other disclosure proposals have been put forth in the U.S. See Michael Vatis, Testimony before the House Government Reform Committee, April 8, 2003; Sen. Bennett’s proposal.
PART 5
http://news.cnet.com/news/0-1005-200-4523277.html
http://www.wired.com/news/technology/0,1282,34496,00.html
http://www.microsoft.com/technet/security/bulletin/MS01-017.asp
Forum of Incident Response and Security Teams (FIRST), the worldwide consortium of major computer incident response groups. Visit http://www.first.org for more information. ISS reported a security problem to 11 vendors in December 1999, then released the information about the vulnerability to the press in February 2000. For further information, see http://www.cnn.com/2000/TECH/computing/02/04/shop.glitch.idg
“Dos and Don’ts of Client Authentication on the Web,” USENIX and MIT Technical Report 818, by Kevin Fu, Emil Sit, Kendra Smith, and Nick Feamster