BIBLIOGRAPHY OF GUIDELINES (1974 through 1988)

Note: A bibliography is now being developed to encompass 1989.

AUTHORS SPECIFIED

ABUSE/MISUSE/CRIME

AUTHOR: Ruder, Brian and Madden, J.D.
TITLE: An Analysis of Computer Security Safeguards for Detecting and Preventing Intentional Computer Misuse
ORGANIZATION: Institute for Computer Sciences and Technology
PUBLISHER/ORIGINATOR: National Institute of Standards and Technology
REPORT NO: NBS SPEC PUB 500-25
PUBLICATION DATE: January 1978
CATEGORY: Abuse/Misuse/Crime
COST: $11.95
DESCRIPTION: Analyzes 88 computer safeguard techniques that could be applied to recorded, actual computer misuse cases.

ACCESS CONTROL

AUTHOR: Brand, Sheila L. and Makey, Jeffrey D.
TITLE: Department of Defense Password Management Guidelines
ORGANIZATION: Department of Defense Computer Security Center
PUBLISHER/ORIGINATOR: Department of Defense Computer Security Center
REPORT NO: CSC-STD-002-85
PUBLICATION DATE: April 12, 1985
CATEGORY: Access Control
COST: $1.75
DESCRIPTION: This guideline is also known as the Green Book. This document provides a set of good practices related to the use of password-based user authentication mechanisms in automatic data processing systems.

AUTHOR: Branstad, Dennis
TITLE: Computer Security and the Data Encryption Standard
ORGANIZATION: Institute for Computer Sciences and Technology
PUBLISHER/ORIGINATOR: National Institute of Standards and Technology
REPORT NO: NBS SPEC PUB 500-27
PUBLICATION DATE: February 1978
CATEGORY: Access Control
COST: $16.95
DESCRIPTION: Includes papers and summaries of presentations made at a 1978 conference on computer security.
AUTHOR: Branstad, Dennis
TITLE: Standard on Password Usage
ORGANIZATION: Institute for Computer Sciences and Technology
PUBLISHER/ORIGINATOR: National Institute of Standards and Technology
REPORT NO: FIPS PUB 112
PUBLICATION DATE: March 1985
CATEGORY: Access Control
COST: $13.95
DESCRIPTION: Discusses ten minimum security criteria to consider when designing a password-based access control system for a computer.

AUTHOR: Cole, Gerald and Heinrich, Frank
TITLE: Design Alternatives for Computer Network Security (Vol. I) The Network Security Center: A System Level Approach to Computer Network Security
ORGANIZATION: Institute for Computer Sciences and Technology
PUBLISHER/ORIGINATOR: National Institute of Standards and Technology
REPORT NO: NBS SPEC PUB 500-21
PUBLICATION DATE: January 1978
CATEGORY: Access Control
COST: $10.00
DESCRIPTION: This study focuses on the data encryption standard and looks at the network security requirements and implementation of a computer dedicated to network security.

AUTHOR: Gait, Jason
TITLE: Maintenance Testing for the Data Encryption Standard
ORGANIZATION: Institute for Computer Sciences and Technology
PUBLISHER/ORIGINATOR: National Institute of Standards and Technology
REPORT NO: NBS SPEC PUB 500-61
PUBLICATION DATE: August 1980
CATEGORY: Access Control
COST: $9.95
DESCRIPTION: Describes the SRI hierarchical development methodology for designing large software systems such as operating systems and data management systems that meet high security requirements.

AUTHOR: Gait, Jason
TITLE: Validating the Correctness of Hardware Implementations of the NBS Data Encryption Standard
ORGANIZATION: Institute for Computer Sciences and Technology
PUBLISHER/ORIGINATOR: National Institute of Standards and Technology
REPORT NO: NBS SPEC PUB 500-20
PUBLICATION DATE: November 1977
CATEGORY: Access Control
COST: $9.95
DESCRIPTION: Describes the design and operation of the ICST testbed that is used for the validation of hardware implementations of (DES).
AUTHOR: Orceyre, M.J. and Courtney, R.H. Jr.
TITLE: Considerations in the Selection of Security Measures of Automatic Data Processing Systems
ORGANIZATION: Institute for Computer Sciences and Technology
PUBLISHER/ORIGINATOR: National Institute of Standards and Technology
REPORT NO: NBS SPEC PUB 500-33
PUBLICATION DATE: No Date Given
CATEGORY: Access Control
COST: $8.50
DESCRIPTION: This publication lists techniques that can be used for protecting computer data transmitted across telecommunications lines.

AUTHOR: Smid, Miles E.
TITLE: A Key Notarization System for Computer Networks
ORGANIZATION: Institute for Computer Sciences and Technology
PUBLISHER/ORIGINATOR: National Institute of Standards and Technology
REPORT NO: NBS SPEC PUB 500-54
PUBLICATION DATE: October 1979
CATEGORY: Access Control
COST: $4.50
DESCRIPTION: Looks at a system for key notarization that can be used with an encryption device which will improve data security in a computer network.

AUTHOR: Troy, Eugene F.
TITLE: Security for Dial-Up Lines
ORGANIZATION: Institute for Computer Sciences and Technology
PUBLISHER/ORIGINATOR: National Institute of Standards and Technology
REPORT NO: NBS SPEC PUB 500-137
PUBLICATION DATE: May 1986
CATEGORY: Access Control
COST: $3.75
DESCRIPTION: Methods for protecting computer systems against intruders using dial-up telephone lines are discussed.

AUTHOR: Wood, Helen
TITLE: The Use of Passwords for Controlled Access to Computer Resources
ORGANIZATION: Institute for Computer Sciences and Technology
PUBLISHER/ORIGINATOR: National Institute of Standards and Technology
REPORT NO: NBS SPEC PUB 500-9
PUBLICATION DATE: May 1977
CATEGORY: Access Control
COST: $11.95
DESCRIPTION: Describes the need for and uses of passwords. Password schemes are categorized according to selection technique, lifetime, physical characteristics, and information content.

AUDIT AND EVALUATION

AUTHOR: Brand, Sheila L.
TITLE: Department of Defense Trusted Computer System Evaluation Criteria
ORGANIZATION: Department of Defense
PUBLISHER/ORIGINATOR: Department of Defense Computer Security Center
REPORT NO: CSC-STD-001-83
PUBLICATION DATE: August 15, 1983
CATEGORY: Audit and Evaluation
COST: Free
DESCRIPTION: This document forms the basic requirements and evaluation classes needed for assessing the effectiveness of security and controls used by automatic data processing (ADP) systems.

AUTHOR: Dallas, Dennis A. & Vallabhaneni, Rao S.
TITLE: Auditing Program Libraries for Change Controls
ORGANIZATION: Institute of Internal Auditors
PUBLISHER/ORIGINATOR: Institute of Internal Auditors
REPORT NO: 693
PUBLICATION DATE: 1986
CATEGORY: Audit and Evaluation
COST: $12.00
DESCRIPTION: This monograph is a concise how-to guide for reviewing program libraries and associated computer program change controls that are risky and prone to human error.

AUTHOR: Ruthberg, Zella and McKenzie, Robert, ed.
TITLE: Audit and Evaluation of Computer Security
ORGANIZATION: Institute for Computer Sciences and Technology
PUBLISHER/ORIGINATOR: National Institute of Standards and Technology
REPORT NO: NBS SPEC PUB 500-19
PUBLICATION DATE: October 1978
CATEGORY: Audit and Evaluation
COST: $7.50
DESCRIPTION: An examination of the recommendations by computer auditing experts on how to improve computer security audit practices.

AUTHOR: Ruthberg, Zella, ed.
TITLE: Audit and Evaluation of Computer Security II: System Vulnerabilities and Control
ORGANIZATION: Institute for Computer Sciences and Technology
PUBLISHER/ORIGINATOR: National Institute of Standards and Technology
REPORT NO: NBS SPEC PUB 500-57
PUBLICATION DATE: April 1980
CATEGORY: Audit and Evaluation
COST: $7.00
DESCRIPTION: Proceedings of the second NIST/GAO workshop to develop improved computer security audit procedures.
AUTHOR: Ruthberg, Zella, Fisher, Bonnie, Perry, William, Lainhart, John, Cox, James, Gillen, Mark, Hunt, Douglas
TITLE: Guide to Auditing for Controls and Security: A System Development Life Cycle Approach
ORGANIZATION: Institute for Computer Sciences and Technology
PUBLISHER/ORIGINATOR: National Institute of Standards and Technology
REPORT NO: NBS SPEC 500-153
PUBLICATION DATE: April 1988
CATEGORY: Auditing & Evaluation
COST: $25.95
DESCRIPTION: This guide addresses auditing the system development life cycle process for an automated information system, to ensure that controls and security are designed and built into the system.

AUTHOR: Ruthberg, Zella & Fisher, Bonnie
TITLE: Work Priority Scheme for EDP Audit and Computer Security Review
ORGANIZATION: Institute for Computer Sciences and Technology
PUBLISHER/ORIGINATOR: National Institute of Standards and Technology
REPORT NO: NBSIR 86-3386
PUBLICATION DATE: August 1986
CATEGORY: Audit and Evaluation
COST: $11.95
DESCRIPTION: Describes a methodology for prioritizing the work performed by EDP auditors and computer security reviewers.

CERTIFICATION

AUTHOR: Giragosian, P.A., Mastbrook, D.W. & Tompkins, F.G.
TITLE: Guidelines for Certification of Existing Sensitive Systems
ORGANIZATION: Mitre Corporation
PUBLISHER/ORIGINATOR: National Aeronautics and Space Administration
REPORT NO: PB84-223122
PUBLICATION DATE: July 1982
CATEGORY: Certification
COST: $11.95
DESCRIPTION: This document describes a way to perform evaluations of the security of a computer system that has sensitive software applications.

AUTHOR: Ruthberg, Zella G. & Neugent, William
TITLE: Overview of Computer Security Certification and Accreditation
ORGANIZATION: Institute for Computer Sciences and Technology
PUBLISHER/ORIGINATOR: National Institute of Standards and Technology
REPORT NO: NBS SPEC PUB 500-109
PUBLICATION DATE: April 1984
CATEGORY: Certification
COST: $1.50
DESCRIPTION: These guidelines describe the major features of the certification and accreditation process. It is intended to help ADP managers and their staff understand this process.

CONTINGENCY PLANNING

AUTHOR: Isaac, Irene
TITLE: Guide on Selecting ADP Backup Process Alternatives
ORGANIZATION: Institute for Computer Sciences and Technology
PUBLISHER/ORIGINATOR: National Institute of Standards and Technology
REPORT NO: NBS SPEC PUB 500-134
PUBLICATION DATE: November 1985
CATEGORY: Contingency Planning
COST: $1.75
DESCRIPTION: Discusses the selection of ADP backup processing support in advance of events that cause the loss of data processing capability.

AUTHOR: Schabeck, Tim A.
TITLE: Emergency Planning Guide for Data Processing Centers
ORGANIZATION: None Specified
PUBLISHER/ORIGINATOR: Assets Protection
REPORT NO: ISBN No. 0-933708-00-9
PUBLICATION DATE: 1979
CATEGORY: Contingency Planning
COST: $10.00
DESCRIPTION: This checklist provides an audit tool to evaluate a data processing center's current disaster defense mechanisms and recovery capability.

AUTHOR: Shaw, James K. and Katzke, Stuart
TITLE: Executive Guide to ADP Contingency Planning
ORGANIZATION: Institute for Computer Sciences and Technology
PUBLISHER/ORIGINATOR: National Institute of Standards and Technology
REPORT NO: NBS SPEC PUB 500-85
PUBLICATION DATE: July 1981
CATEGORY: Contingency Planning
COST: $7.00
DESCRIPTION: This document discusses the background needed to understand the developmental process for Automatic Data Processing contingency plans.

DATA BASE SECURITY

AUTHOR: Patrick, Robert L.
TITLE: Performance Assurance and Data Integrity Practices
ORGANIZATION: Institute for Computer Sciences and Technology
PUBLISHER/ORIGINATOR: National Institute of Standards and Technology
REPORT NO: NBS SPEC PUB 500-24
PUBLICATION DATE: January 1978
CATEGORY: Data Base Security
COST: $10.00
DESCRIPTION: Describes methods that have been successful in preventing computer failure caused by programming and data errors.

GENERAL SECURITY

AUTHOR: Fletcher, J.G.
TITLE: Security Policy for Distributed Systems
ORGANIZATION: Lawrence Livermore National Laboratory
PUBLISHER/ORIGINATOR: National Technical Information Service
REPORT NO: DE82-022517
PUBLICATION DATE: April 6, 1982
CATEGORY: General Security
COST: $9.95
DESCRIPTION: This document provides a security policy for distributed systems. It has been modeled according to security procedures for non-computer items.

AUTHOR: Moore, Gwendolyn B., Kuhns, John L., Treffs, Jeffrey, & Montgomery, Christine
TITLE: Accessing Individual Records from Personal Data Files Using Non-unique Identifiers
ORGANIZATION: Institute for Computer Sciences and Technology
PUBLISHER/ORIGINATOR: National Institute of Standards and Technology
REPORT NO: NBS SPEC PUB 500-2
PUBLICATION DATE: February 1977
CATEGORY: General Security
COST: $11.95
DESCRIPTION: Analyzes methodologies for retrieving personal information using non-unique identifiers such as name, address, etc. This study presents statistical data for judging the accuracy and efficiency of various methods.

AUTHOR: Smid, Miles
TITLE: Standard on Computer Data Authentication
ORGANIZATION: Institute for Computer Sciences and Technology
PUBLISHER/ORIGINATOR: National Institute of Standards and Technology
REPORT NO: FIPS PUB 113
PUBLICATION DATE: March 1985
CATEGORY: General Security
COST: $9.95
DESCRIPTION: This publication describes a data authentication algorithm that can detect unauthorized modification to computer data either intentionally or accidentally.

AUTHOR: Tompkins, F.G.
TITLE: NASA Guidelines for Assuring the Adequacy and Appropriateness of Security Safeguards in Sensitive Applications
ORGANIZATION: Mitre Corporation
PUBLISHER/ORIGINATOR: National Aeronautics and Space Administration
REPORT NO: PB85-149003/XAB
PUBLICATION DATE: September 1984
CATEGORY: General Security
COST: $18.95
DESCRIPTION: This document discusses security measures that should be taken in order to help conform with Office of Management and Budget Circular A-71.

AUTHOR: Westin, Allen F.
TITLE: Computers, Personnel Administration, and Citizen Rights
ORGANIZATION: Institute for Computer Sciences and Technology
PUBLISHER/ORIGINATOR: National Institute of Standards and Technology
REPORT NO: NBS SPEC PUB 500-50
PUBLICATION DATE: July 1979
CATEGORY: General Security
COST: $34.95
DESCRIPTION: Reports on impact of computers on citizen rights in the field of personnel record keeping.

MICROCOMPUTER SECURITY

AUTHOR: Steinauer, Dennis D.
TITLE: Security of Personal Computer Systems: A Management Guide
ORGANIZATION: Institute for Computer Sciences and Technology
PUBLISHER/ORIGINATOR: National Institute of Standards and Technology
REPORT NO: NBS SPEC PUB 500-120
PUBLICATION DATE: No Date Given
CATEGORY: Microcomputer Security
COST: $3.00
DESCRIPTION: This publication provides practical advice on the issues of physical and environmental protection, system and data access control, integrity of software and data, backup and contingency planning, auditability, and communications protection.

PRIVACY

AUTHOR: Fong, Elizabeth
TITLE: A Data Base Management Approach to Privacy Act Compliance
ORGANIZATION: Institute for Computer Sciences and Technology
PUBLISHER/ORIGINATOR: National Institute of Standards and Technology
REPORT NO: NBS SPEC PUB 500-10
PUBLICATION DATE: June 1977
CATEGORY: Privacy
COST: $4.50
DESCRIPTION: Looks at commercially available data base management systems that can be used in meeting Privacy Act requirements for the handling of personal data.
AUTHOR: Goldstein, Robert, Seward, Henry, & Nolan, Richard
TITLE: A Methodology for Evaluating Alternative Technical and Information Management Approaches to Privacy Requirements
ORGANIZATION: Institute for Computer Sciences and Technology
PUBLISHER/ORIGINATOR: National Institute of Standards and Technology
REPORT NO: PB 254048
PUBLICATION DATE: June 1976
CATEGORY: Privacy
COST: $11.50
DESCRIPTION: Describes the methods to be used by recordkeepers to comply with the Privacy Act. A computer model is included to help determine the most cost-effective safeguards.

RISK MANAGEMENT

AUTHOR: Courtney, Robert H. Jr.
TITLE: Guideline for Automatic Data Processing Risk Analysis
ORGANIZATION: Institute for Computer Sciences and Technology
PUBLISHER/ORIGINATOR: National Institute of Standards and Technology
REPORT NO: FIPS PUB 65
PUBLICATION DATE: August 1979
CATEGORY: Risk Management
COST: $8.50
DESCRIPTION: Shows how to use a technique that provides a way of conducting risk analysis of an ADP facility. It gives an example of the risk analysis process.

AUTHOR: Jacobson, Robert V., Brown, William F., & Browne, Peter S.
TITLE: Guidelines for ADP Physical Security and Risk Management
ORGANIZATION: Institute for Computer Sciences and Technology
PUBLISHER/ORIGINATOR: National Institute of Standards and Technology
REPORT NO: FIPS PUB 31
PUBLICATION DATE: June 1974
CATEGORY: Risk Management
COST: $11.95
DESCRIPTION: Provides guidance to federal organizations in developing physical security and risk management programs for their ADP facilities.

AUTHOR: Neugent, William, Gilligan, John, Hoffman, Lance & Ruthberg, Zella G.
TITLE: Technology Assessment: Methods for Measuring the Level of Computer Security
ORGANIZATION: Institute for Computer Sciences and Technology
PUBLISHER/ORIGINATOR: National Institute of Standards and Technology
REPORT NO: NBS SPEC PUB 500-133
PUBLICATION DATE: October 1985
CATEGORY: Risk Management
COST: $8.00
DESCRIPTION: This document covers methods for measuring the level of computer security and addresses individual techniques and approaches, as well as broader methodologies.

AUTHOR: Tompkins, F.G.
TITLE: Guidelines for Contingency Planning NASA ADP Security Risk Reduction Decision Studies
ORGANIZATION: Mitre Corporation
PUBLISHER/ORIGINATOR: National Aeronautics and Space Administration
REPORT NO: PB84-189836
PUBLICATION DATE: January 1984
CATEGORY: Risk Management
COST: $13.95
DESCRIPTION: How to determine an acceptable level of ADP security risks is described as well as the role of risk management in problem solving and information systems analysis and design.

AUTHOR: Tompkins, F.G.
TITLE: Guidelines for Developing NASA ADP Security Risk Management Plans
ORGANIZATION: Mitre Corporation
PUBLISHER/ORIGINATOR: National Aeronautics and Space Administration
REPORT NO: PB84-171321
PUBLICATION DATE: August 1983
CATEGORY: Risk Management
COST: $13.95
DESCRIPTION: This report looks at how NASA develops ADP security risk management plans. Risk management processes have six components and each is identified and discussed.

SECURITY MANAGEMENT

AUTHOR: Rosenthal, Lynne S.
TITLE: Guidance on Planning and Implementing Computer Systems Reliability
ORGANIZATION: Institute for Computer Sciences and Technology
PUBLISHER/ORIGINATOR: National Institute of Standards and Technology
REPORT NO: NBS SPEC PUB 500-121
PUBLICATION DATE: January 1985
CATEGORY: Security Management
COST: $2.25
DESCRIPTION: The basic concepts of computer system security are given to provide managers and planners with background for improving computer system reliability.
SOFTWARE & OPERATING SYSTEM SECURITY

AUTHOR: Levitt, Karl, Neumann, Peter, and Robinson, Lawrence
TITLE: The SRI Hierarchical Development Methodology (HDM) and its Application to the Development of Secure Software
ORGANIZATION: Institute for Computer Sciences and Technology
PUBLISHER/ORIGINATOR: National Institute of Standards and Technology
REPORT NO: NBS SPEC PUB 500-67
PUBLICATION DATE: October 1980
CATEGORY: Software and Operating System Security
COST: $4.25
DESCRIPTION: Shows how to design large software systems, such as an operating system, that will meet the hardest security requirements.

TRAINING & AWARENESS

AUTHOR: Davis, Bevette
TITLE: Computer Security Bibliography
ORGANIZATION: Mitre Corporation
PUBLISHER/ORIGINATOR: Mitre Corporation
REPORT NO: MTR 9654
PUBLICATION DATE: April 1985
CATEGORY: Training & Awareness
COST:
DESCRIPTION: Identifies organizations and individuals that have published documents, magazine and journal articles, conference proceedings, and reports concerning computer security.

AUTHOR: Tompkins, Frederick G.
TITLE: Guidelines for Development of NASA Computer Security Training Programs
ORGANIZATION: Mitre Corporation
PUBLISHER/ORIGINATOR: National Aeronautics and Space Administration
REPORT NO: PB84-171339/LP
PUBLICATION DATE: May 1983
CATEGORY: Training & Awareness
COST: $11.95 plus $3.00 shipping & handling
DESCRIPTION: This report identifies computer security training courses and is intended to be used by NASA in developing training requirements and implementing computer security training programs.

AUTHORS NOT SPECIFIED

AUTHOR: N/A
TITLE: Computer Fraud and Abuse Act of 1986
ORGANIZATION:
PUBLISHER/ORIGINATOR:
REPORT NO: Public Law 99-474
PUBLICATION DATE: October 16, 1986
CATEGORY: Abuse/Misuse/Crime
COST: Free
DESCRIPTION: Provides additional penalties for fraud and related activities in connection with access devices and computers.
AUTHOR: N/A
TITLE: Federal Manager's Financial Integrity Act of 1982
ORGANIZATION:
PUBLISHER/ORIGINATOR:
REPORT NO: Public Law 97-255
PUBLICATION DATE: September 8, 1982
CATEGORY: Abuse/Misuse/Crime
COST: Free
DESCRIPTION: This law amends the Accounting and Auditing Act of 1950 to require ongoing evaluations and reports on the adequacy of the systems of internal accounting and administrative control of each executive agency, and for other purposes.

ACCESS CONTROL

AUTHOR: Not Specified
TITLE: Data Encryption Standard
ORGANIZATION: Institute for Computer Sciences and Technology
PUBLISHER/ORIGINATOR: National Institute of Standards and Technology
REPORT NO: FIPS PUB 46
PUBLICATION DATE: January 1977
CATEGORY: Access Control
COST: $7.00
DESCRIPTION: Discusses an algorithm to be used for the cryptographic protection of sensitive, but unclassified, computer data. Tells how to transform data into a cryptographic cipher and back again.

AUTHOR: Not Specified
TITLE: DES Modes of Operation
ORGANIZATION: Institute for Computer Sciences and Technology
PUBLISHER/ORIGINATOR: National Institute of Standards and Technology
REPORT NO: FIPS PUB 81
PUBLICATION DATE: December 1980
CATEGORY: Access Control
COST: $8.50
DESCRIPTION: This publication discusses the four modes of operation used by the Data Encryption Standard.

AUTHOR: N/A
TITLE: Electronic Communications Privacy Act of 1986
ORGANIZATION:
PUBLISHER/ORIGINATOR:
REPORT NO: Public Law 99-508
PUBLICATION DATE: October 21, 1986
CATEGORY: Access Control
COST: Free
DESCRIPTION: Amends title 18, United States Code, with respect to the interception of certain communications, and other forms of surveillance, and for other purposes.
AUTHOR: Not Specified
TITLE: Guidelines on Evaluation of Techniques for Automated Personnel Identification
ORGANIZATION: Institute for Computer Sciences and Technology
PUBLISHER/ORIGINATOR: National Institute of Standards and Technology
REPORT NO: FIPS PUB 48
PUBLICATION DATE: April 1977
CATEGORY: Access Control
COST: $7.00
DESCRIPTION: The performance and evaluation of personal identification devices are explained. Considerations for their use in a computer system are given.

AUTHOR: Not Specified
TITLE: Guidelines for Implementing and Using the NBS Data Encryption Standard
ORGANIZATION: Institute for Computer Sciences and Technology
PUBLISHER/ORIGINATOR: National Institute of Standards and Technology
REPORT NO: FIPS PUB 74
PUBLICATION DATE: April 1981
CATEGORY: Access Control
COST: $8.50
DESCRIPTION: Discusses the guidelines that federal organizations should use when cryptographic protection is required for sensitive or valuable computer data.

AUTHOR: Not Specified
TITLE: Guideline on User Authentication Techniques for Computer Network Access Control
ORGANIZATION: Institute for Computer Sciences and Technology
PUBLISHER/ORIGINATOR: National Institute of Standards and Technology
REPORT NO: FIPS PUB 83
PUBLICATION DATE: September 1980
CATEGORY: Access Control
COST: $8.50
DESCRIPTION: Details the use of passwords, identification tokens, and other means to protect against unauthorized access to computers and computer networks.

AUTHOR: Not Specified
TITLE: Information Security: Products and Services Catalogue
ORGANIZATION: National Computer Security Center
PUBLISHER/ORIGINATOR: National Computer Security Center
REPORT NO: None Specified
PUBLICATION DATE: Published Quarterly
CATEGORY: Access Control
COST: Free
DESCRIPTION: This catalogue contains the endorsed cryptographic products list, NSA endorsed data encryption standard products list, protected services list, evaluated products list, and preferred products list.
AUTHOR: Not Specified
TITLE: National Policy on Controlled Access Protection
ORGANIZATION: National Telecommunications and Information Systems Security
PUBLISHER/ORIGINATOR: NTISSC Ft. George G. Meade, MD
REPORT NO: NTISSP No. 200
PUBLICATION DATE: July 15, 1987
CATEGORY: Access Control
COST: Free
DESCRIPTION: Defines a minimum level of protection for automated information systems operated by executive branch agencies and departments of the federal government and their contractors.

AUTHOR: Not Specified
TITLE: Standard on Computer Data Authentication
ORGANIZATION: Institute for Computer Sciences and Technology
PUBLISHER/ORIGINATOR: National Institute of Standards and Technology
REPORT NO: FIPS PUB 113
PUBLICATION DATE: May 1985
CATEGORY: Access Control
COST: $9.95
DESCRIPTION: Specifies a data authentication algorithm which, when applied to computer data, automatically and accurately detects unauthorized modifications, both intentional and accidental.

AUTHOR: Not Specified
TITLE: Standard on Password Usage
ORGANIZATION: Institute for Computer Sciences and Technology
PUBLISHER/ORIGINATOR: National Institute of Standards and Technology
REPORT NO: FIPS PUB 112
PUBLICATION DATE: May 1985
CATEGORY: Access Control
COST: $13.95
DESCRIPTION: Discusses ten minimum security criteria to consider when designing a password-based access control system for a computer.

AUTHOR: Not Specified
TITLE: Trusted Network Interpretation of the Trusted Computer System Evaluation Criteria
ORGANIZATION: National Computer Security Center
PUBLISHER/ORIGINATOR: National Computer Security Center
REPORT NO: NCSC-TG-005
PUBLICATION DATE: July 31, 1987
CATEGORY: Access Control
COST:
DESCRIPTION: This is also known as the Red Book. This guideline examines interpretations to extend the evaluation classes of the Trusted Systems Evaluation Criteria to trusted network systems and components.
AUDIT AND EVALUATION

AUTHOR: Not Specified
TITLE: Assessing Reliability of Computer Output - Audit Guide
ORGANIZATION: U.S. General Accounting Office
PUBLISHER/ORIGINATOR: U.S. General Accounting Office
REPORT NO: AFMD-81-91
PUBLICATION DATE: June 1981
CATEGORY: Audit and Evaluation
COST: Free (if less than 5 ordered)
DESCRIPTION: This audit guide shows how to comply with GAO policy requirements by giving detailed procedures to help determine the degree of risk using information that could be incorrect.

AUTHOR: Not Specified
TITLE: Computer Security Requirements: Guidance for Applying the DoD Trusted Computer System Evaluation Criteria in Specific Environments
ORGANIZATION: Department of Defense Computer Security Center
PUBLISHER/ORIGINATOR: Department of Defense Computer Security Center
REPORT NO: CSC-STD-003-85
PUBLICATION DATE: June 25, 1985
CATEGORY: Audit and Evaluation
COST: $1.00
DESCRIPTION: These reports show how to use DOD 5200.28-STD in specific environments.

AUTHOR: Not Specified
TITLE: Evaluating Internal Controls in Computer-Based Systems - Audit Guide
ORGANIZATION: U.S. General Accounting Office
PUBLISHER/ORIGINATOR: U.S. General Accounting Office
REPORT NO: AFMD-81-76
PUBLICATION DATE: June 1981
CATEGORY: Audit and Evaluation
COST: Free (if less than 5 are ordered).
DESCRIPTION: Describes an approach for evaluating a computer-based system that will enable an auditor to evaluate the entire system from original to output.

AUTHOR: Not Specified
TITLE: Technical Rationale Behind CSC-STD-003-85 Computer Security Requirements: Guidance for Applying the DoD Trusted Computer System Evaluation Criteria in Specific Environments
ORGANIZATION: Department of Defense Computer Security Center
PUBLISHER/ORIGINATOR: Department of Defense Computer Security Center
REPORT NO: CSC-STD-004-85
PUBLICATION DATE: June 25, 1985
CATEGORY: Audit and Evaluation
COST: $2.00
DESCRIPTION: Gives guidance on applying the DOD CSC-STD-003-85.
CERTIFICATION

AUTHOR: Not Specified
TITLE: Guideline for Computer Security Certification and Accreditation
ORGANIZATION: Institute for Computer Sciences and Technology
PUBLISHER/ORIGINATOR: National Institute of Standards and Technology
REPORT NO: FIPS PUB 102
PUBLICATION DATE: September 1983
CATEGORY: Certification
COST: $11.50
DESCRIPTION: Describes ways of establishing and carrying out a computer security certification and accreditation program.

CONTINGENCY PLANNING

AUTHOR: Not Specified
TITLE: Guidelines for ADP Contingency Planning
ORGANIZATION: Institute for Computer Sciences and Technology
PUBLISHER/ORIGINATOR: National Institute of Standards and Technology
REPORT NO: FIPS PUB 87
PUBLICATION DATE: March 1981
CATEGORY: Contingency Planning
COST: $8.50
DESCRIPTION: Describes data processing management considerations for developing a contingency plan for an ADP facility.

DATA BASE SECURITY

AUTHOR: Not Specified
TITLE: Guideline on Integrity Assurance and Control in Database Applications
ORGANIZATION: Institute for Computer Sciences and Technology
PUBLISHER/ORIGINATOR: National Institute of Standards and Technology
REPORT NO: FIPS PUB 88
PUBLICATION DATE: August 1981
CATEGORY: Data Base Security
COST: $11.50
DESCRIPTION: Gives detailed advice on how to achieve data base integrity and security control. A step-by-step procedure for examining and verifying the accuracy and completeness of a data base is included.

ENVIRONMENTAL SECURITY

AUTHOR: Not Specified
TITLE: Guideline on Electrical Power for ADP Installations
ORGANIZATION: Institute for Computer Sciences and Technology
PUBLISHER/ORIGINATOR: National Institute of Standards and Technology
REPORT NO: FIPS PUB 94
PUBLICATION DATE: September 1982
CATEGORY: Environmental Security
COST: $13.00
DESCRIPTION: This publication discusses electrical power factors that can affect the operation of an ADP system.
GENERAL SECURITY

AUTHOR: N/A
TITLE: Computer Security Act of 1987
ORGANIZATION:
PUBLISHER/ORIGINATOR:
REPORT NO: Public Law 100-235
PUBLICATION DATE: January 8, 1988
CATEGORY: General Security
COST: Free
DESCRIPTION: To provide for a computer standards program within the National Institute of Standards and Technology, to provide Government-wide computer security, and to provide for the training in security matters of persons who are involved in the management, operation, and use of Federal computer systems.

AUTHOR: Not Specified
TITLE: Glossary for Computer Systems Security
ORGANIZATION: Institute for Computer Sciences and Technology
PUBLISHER/ORIGINATOR: National Institute of Standards and Technology
REPORT NO: FIPS PUB 39
PUBLICATION DATE: February 1974
CATEGORY: General Security
COST: $9.95
DESCRIPTION: A reference document containing approximately 170 terms and definitions pertaining to privacy and computer security.

AUTHOR: Not Specified
TITLE: Guidelines for Security of Computer Applications
ORGANIZATION: Institute for Computer Sciences and Technology
PUBLISHER/ORIGINATOR: National Institute of Standards and Technology
REPORT NO: FIPS PUB 73
PUBLICATION DATE: June 1980
CATEGORY: General Security
COST: $10.00
DESCRIPTION: These guidelines are to be used in the development and operation of computer systems that require protection. Data validation, user authentication, and encryption are discussed.

AUTHOR: Not Specified
TITLE: NBS Publication List 91: Computer Security Publications
ORGANIZATION: Institute for Computer Sciences and Technology
PUBLISHER/ORIGINATOR: National Institute of Standards and Technology
REPORT NO: 003-003-00135-0
PUBLICATION DATE: August 1984
CATEGORY: General Security
COST: $18.00
DESCRIPTION: Provides information on computer security publications that are available.

AUTHOR: Not Specified
TITLE: Sensitive Unclassified Computer Security Program Compliance Review Guidelines
ORGANIZATION: U.S. Department of Energy
PUBLISHER/ORIGINATOR: U.S. Department of Energy
REPORT NO: DOE/MA-0188/1
PUBLICATION DATE: September 1985
CATEGORY: General Security
COST:
DESCRIPTION: This guideline contains questionnaires for determining the level of security needed at a computer installation. Techniques for obtaining the required level of security are discussed.

MICROCOMPUTER SECURITY

AUTHOR: Not Specified
TITLE: Computer Security - User Handbook for Microcomputers and Word Processors
ORGANIZATION: U.S. Department of Energy
PUBLISHER/ORIGINATOR: U.S. Department of Energy
REPORT NO: None Specified
PUBLICATION DATE: September 1986
CATEGORY: Microcomputer Security
COST:
DESCRIPTION: This guideline gives a synopsis on computer security requirements for users of microcomputers and/or word processors.

AUTHOR: Not Specified
TITLE: Personal Computer Security Considerations
ORGANIZATION: National Computer Security Center
PUBLISHER/ORIGINATOR: National Computer Security Center
REPORT NO: NCSC-WA-002-85
PUBLICATION DATE: December 1985
CATEGORY: Microcomputer Security
COST: Free
DESCRIPTION: This publication provides a general discussion of a number of issues that are pertinent to microcomputer security in the home and business environment.

AUTHOR: Not Specified
TITLE: Security Guide for Users of Personal Computers and Word Processors
ORGANIZATION: Pacific Northwest Laboratory
PUBLISHER/ORIGINATOR: Pacific Northwest Laboratory
REPORT NO: None Specified
PUBLICATION DATE: June 1986
CATEGORY: Microcomputer Security
COST: Free (for single copies).
DESCRIPTION: Contains instructions on a variety of computer security techniques including protective storage and handling, passwords, emergency procedures, and other related security subjects.

AUTHOR: Not Specified
TITLE: Security Guidelines for Microcomputers and Word Processors
ORGANIZATION: U.S. Department of Energy
PUBLISHER/ORIGINATOR: U.S. Department of Energy, ATTN: Information Services, P.O. Box 62, Oak Ridge, TN 37831
REPORT NO: DOE/MA-0181
PUBLICATION DATE: March 1985
CATEGORY: Microcomputer Security
COST: $9.45
DESCRIPTION: These guidelines are concerned with the training of in the protection of computers (hardcopy, storage media, etc.). Communications security, emergency procedures, and the prevention of system misuse are also discussed.

PRIVACY

AUTHOR: Not Specified
TITLE: Computer Security Guidelines for Implementing the Privacy Act of 1974
ORGANIZATION: Institute for Computer Sciences and Technology
PUBLISHER/ORIGINATOR: National Institute of Standards and Technology
REPORT NO: FIPS PUB 41
PUBLICATION DATE: May 1975
CATEGORY: Privacy
COST: $7.00
DESCRIPTION: This document shows how to protect personal data in automated information systems. Discusses how to improve system security using safeguards and controls.

RISK MANAGEMENT

AUTHOR: N/A
TITLE: Internal Control Systems
ORGANIZATION: Office of Management and Budget
PUBLISHER/ORIGINATOR: Office of Management & Budget
REPORT NO: OMB Circular A-123
PUBLICATION DATE: August 4, 1986
CATEGORY: Risk Management
COST: Free
DESCRIPTION: This circular prescribes policies and procedures to be followed by executive departments and agencies in establishing, maintaining, evaluating, improving, and reporting on internal controls in their program and administrative activities.

AUTHOR: Not Specified
TITLE: NASA ADP Risk Analysis Guideline
ORGANIZATION: National Aeronautics and Space Administration
PUBLISHER/ORIGINATOR: National Aeronautics and Space Administration
REPORT NO: None Specified
PUBLICATION DATE: July 1984
CATEGORY: Risk Management
COST: Free
DESCRIPTION: This document describes guidelines for the ADP risk analysis methodology to be used at NASA ADP facilities and provides guidance for performing an ADP risk analysis without specialized contractor assistance.

SECURITY MANAGEMENT

AUTHOR: Not Specified
TITLE: Computers: Crimes, Clues, and Controls. A Management Guide
ORGANIZATION: President's Council on Integrity and Efficiency
PUBLISHER/ORIGINATOR: National Technical Information Service
REPORT NO: PB86-221850/XAB
PUBLICATION DATE: March 1986
CATEGORY: Security Management
COST: $13.95
DESCRIPTION: This publication, which is meant for managers, deals with information security, physical security, personnel security, and a plan of action. Listed are ways to detect and prevent abuse of computers.

AUTHOR: N/A
TITLE: Guidance for Preparation and Submission of Security Plans for Federal Computer Systems Containing Sensitive Information
ORGANIZATION: Office of Management & Budget
PUBLISHER/ORIGINATOR: Office of Management & Budget
REPORT NO: OMB Bulletin 88-16
PUBLICATION DATE: July 6, 1988
CATEGORY: Security Management
COST: Free
DESCRIPTION: Guidance for preparation and submission of security plans for federal computer systems containing sensitive information.

AUTHOR: N/A
TITLE: Management of Federal Information Resources
ORGANIZATION: Office of Management and Budget
PUBLISHER/ORIGINATOR: Office of Management and Budget
REPORT NO: OMB Circular No. A-130
PUBLICATION DATE: December 12, 1985
CATEGORY: Security Management
COST: Free
DESCRIPTION: A general policy framework for the management of federal information resources is given in this circular.

AUTHOR: N/A
TITLE: National Policy on Telecommunications and Automated Information Systems Security
ORGANIZATION: National Security Council
PUBLISHER/ORIGINATOR:
REPORT NO: National Security Decision Directive 145
PUBLICATION DATE: September 17, 1984
CATEGORY: Security Management
COST: Free
DESCRIPTION: This directive establishes a senior steering group, an interagency group at the operating level, an executive agent and a national manager to implement national policy on telecommunications and automated information systems security.
TRAINING & AWARENESS

AUTHOR: Not Specified
TITLE: Computer Security Awareness and Training (Bibliography)
ORGANIZATION: Martin Marietta Energy Systems, Inc.
PUBLISHER/ORIGINATOR: U.S. Department of Energy
REPORT NO: DOE/MA-320 Volume 1
PUBLICATION DATE: February 1988
CATEGORY: Training and Awareness
COST: $11.65
DESCRIPTION: This bibliography contains materials and information that are available concerning unclassified computer security.

AUTHOR: N/A
TITLE: Computer Security Training Guidelines (Draft)
ORGANIZATION: National Institute of Standards and Technology
PUBLISHER/ORIGINATOR: National Institute of Standards and Technology
REPORT NO:
PUBLICATION DATE: July 8, 1988
CATEGORY: Training & Awareness
COST:
DESCRIPTION: These guidelines are intended to assist agencies to meet the training requirements of the Computer Security Act of 1987.

AUTHOR: Not Specified
TITLE: Computer Security Awareness and Training (Guideline)
ORGANIZATION: Martin Marietta Energy Systems, Inc.
PUBLISHER/ORIGINATOR: U.S. Department of Energy
REPORT NO: DOE/MA-0320 Volume 2
PUBLICATION DATE: February 1988
CATEGORY: Training & Awareness
COST: $11.00
DESCRIPTION: This guide presents fundamental concepts, topics, and materials on many aspects of unclassified computer security that should be included in site level unclassified computer security awareness and training programs within DOE.

AUTHOR: Not Specified
TITLE: Safeguards and Security Manual. Section 12: Computer and Technical Security
ORGANIZATION: EG&G Idaho, Inc.
PUBLISHER/ORIGINATOR: None Specified
REPORT NO: None Specified
PUBLICATION DATE: April 8, 1987
CATEGORY: Training & Awareness
COST: Free
DESCRIPTION: This section of the safeguards and security manual describes various computer security procedures for users and security managers. Includes security awareness training, computer protection plan, audit, risk analysis, and related topics.

AUTHOR: N/A
TITLE: Small Business Computer Security and Education Act of 1984
ORGANIZATION:
PUBLISHER/ORIGINATOR:
REPORT NO: Public Law 98-362
PUBLICATION DATE: July 16, 1984
CATEGORY: Training & Awareness
COST: Free
DESCRIPTION: Amended the Small Business Act to establish a small business computer security and education program.

AUTHOR: N/A
TITLE: Training Requirement for the Computer Security Act
ORGANIZATION: Office of Personnel Management
PUBLISHER/ORIGINATOR: Office of Personnel Management, Federal Register Part II
REPORT NO: Interim Regulation 5 CFR Part 930
PUBLICATION DATE: July 13, 1988
CATEGORY: Training & Awareness
COST: Free
DESCRIPTION: This regulation implements P.L. 100-235, the Computer Security Act of 1987.