UnderGround Information
BIBLIOGRAPHY OF GUIDELINES
(1974 through 1988)
Note: A bibliography is now being developed to encompass 1989.
AUTHORS SPECIFIED
ABUSE/MISUSE/CRIME
AUTHOR: Ruder, Brian and Madden, J.D.
TITLE: An Analysis of Computer Security Safeguards
for Detecting and Preventing Intentional
Computer Misuse
ORGANIZATION: Institute for Computer Sciences
and Technology
PUBLISHER/ORIGINATOR: National Institute of
Standards and Technology
REPORT NO: NBS SPEC PUB 500-25
PUBLICATION DATE: January 1978
CATEGORY: Abuse/Misuse/Crime
COST: $11.95
DESCRIPTION: Analyzes 88 computer safeguard
techniques that could be applied to recorded, actual
computer misuse cases.
ACCESS CONTROL
AUTHOR: Brand, Sheila L. and Makey, Jeffrey D.
TITLE: Department of Defense Password Management
Guidelines
ORGANIZATION: Department of Defense Computer
Security Center
PUBLISHER/ORIGINATOR: Department of Defense Computer
Security Center
REPORT NO: CSC-STD-002-85
PUBLICATION DATE: April 12, 1985
CATEGORY: Access Control
COST: $1.75
DESCRIPTION: This guideline is also known as the
Green Book. This document provides a set of good
practices related to the use of password-based user
authentication mechanisms in automatic data
processing systems.
AUTHOR: Branstad, Dennis
TITLE: Computer Security and the Data Encryption
Standard
ORGANIZATION: Institute for Computer Sciences
and Technology
PUBLISHER/ORIGINATOR: National Institute of
Standards and Technology
REPORT NO: NBS SPEC PUB 500-27
PUBLICATION DATE: February 1978
CATEGORY: Access Control
COST: $16.95
DESCRIPTION: Includes papers and summaries of
presentations made at a 1978 conference on computer
security.
AUTHOR: Branstad, Dennis
TITLE: Standard on Password Usage
ORGANIZATION: Institute for Computer Sciences
and Technology
PUBLISHER/ORIGINATOR: National Institute of
Standards and Technology
REPORT NO: FIPS PUB 112
PUBLICATION DATE: March 1985
CATEGORY: Access Control
COST: $13.95
DESCRIPTION: Discusses ten minimum security criteria
to consider when designing a password-based access
control system for a computer.
AUTHOR: Cole, Gerald and Heinrich, Frank
TITLE: Design Alternatives for Computer Network
Security (Vol.I) The Network Security Center: A
System Level Approach to Computer Network Security
ORGANIZATION: Institute for Computer Sciences
and Technology
PUBLISHER/ORIGINATOR: National Institute of
Standards and Technology
REPORT NO: NBS SPEC PUB 500-21
PUBLICATION DATE: January 1978
CATEGORY: Access Control
COST: $10.00
DESCRIPTION: This study focuses on the data
encryption standard and looks at the network
security requirements and implementation of a
computer dedicated to network security.
AUTHOR: Gait, Jason
TITLE: Maintenance Testing for the Data
Encryption Standard
ORGANIZATION: Institute for Computer Sciences
and Technology
PUBLISHER/ORIGINATOR: National Institute of
Standards and Technology
REPORT NO: NBS SPEC PUB 500-61
PUBLICATION DATE: August 1980
CATEGORY: Access Control
COST: $9.95
DESCRIPTION: Describes the SRI hierarchical
development methodology for designing large software
systems such as operating systems and data
management systems that meet high security
requirements.
AUTHOR: Gait, Jason
TITLE: Validating the Correctness of Hardware
Implementations of the NBS Data Encryption
Standard
ORGANIZATION: Institute for Computer Sciences
and Technology
PUBLISHER/ORIGINATOR: National Institute of
Standards and Technology
REPORT NO: NBS SPEC PUB 500-20
PUBLICATION DATE: November 1977
CATEGORY: Access Control
COST: $9.95
DESCRIPTION: Describes the design and operation of
the ICST testbed that is used for the validation of
hardware implementations of (DES).
AUTHOR: Orceyre, M.J. and Courtney, R.H. Jr.
TITLE: Considerations in the Selection of
Security Measures of Automatic Data
Processing Systems
ORGANIZATION: Institute for Computer Sciences
and Technology
PUBLISHER/ORIGINATOR: National Institute of
Standards and Technology
REPORT NO: NBS SPEC PUB 500-33
PUBLICATION DATE: No Date Given
CATEGORY: Access Control
COST: $8.50
DESCRIPTION: This publication lists techniques that
can be used for protecting computer data transmitted
across telecommunications lines.
AUTHOR: Smid, Miles E.
TITLE: A Key Notarization System for Computer
Networks
ORGANIZATION: Institute for Computer Sciences
and Technology
PUBLISHER/ORIGINATOR: National Institute of
Standards and Technology
REPORT NO: NBS SPEC PUB 500-54
PUBLICATION DATE: October 1979
CATEGORY: Access Control
COST: $4.50
DESCRIPTION: Looks at a system for key
notarization that can be used with an encryption
device which will improve data security in a
computer network.
AUTHOR: Troy, Eugene F.
TITLE: Security for Dial-Up Lines
ORGANIZATION: Institute for Computer Sciences
and Technology
PUBLISHER/ORIGINATOR: National Institute of
Standards and Technology
REPORT NO: NBS SPEC PUB 500-137
PUBLICATION DATE: May 1986
CATEGORY: Access Control
COST: $3.75
DESCRIPTION: Methods for protecting computer systems
against intruders using dial-up telephone lines are
discussed.
AUTHOR: Wood, Helen
TITLE: The Use of Passwords for Controlled
Access to Computer Resources
ORGANIZATION: Institute for Computer Sciences
and Technology
PUBLISHER/ORIGINATOR: National Institute of
Standards and Technology
REPORT NO: NBS SPEC PUB 500-9
PUBLICATION DATE: May 1977
CATEGORY: Access Control
COST: $11.95
DESCRIPTION: Describes the need for and uses of
passwords. Password schemes are categorized
according to selection technique, lifetime,
physical characteristics, and information content.
AUDIT AND EVALUATION
AUTHOR: Brand, Sheila L.
TITLE: Department of Defense Trusted Computer
System Evaluation Criteria
ORGANIZATION: Department of Defense
PUBLISHER/ORIGINATOR: Department of Defense Computer
Security Center
REPORT NO: CSC-STD-001-83
PUBLICATION DATE: August 15, 1983
CATEGORY: Audit and Evaluation
COST: Free
DESCRIPTION: This document forms the basic
requirements and evaluation classes needed for
assessing the effectiveness of security and controls
used by automatic data processing (ADP) systems.
AUTHOR: Dallas, Dennis A. & Vallabhaneni, Rao S.
TITLE: Auditing Program Libraries for Change
Controls
ORGANIZATION: Institute of Internal Auditors
PUBLISHER/ORIGINATOR: Institute of Internal Auditors
REPORT NO: 693
PUBLICATION DATE: 1986
CATEGORY: Audit and Evaluation
COST: $12.00
DESCRIPTION: This monograph is a concise how-to
guide for reviewing program libraries and associated
computer program change controls that are risky and
prone to human error.
AUTHOR: Ruthberg, Zella and McKenzie,
Robert, ed.
TITLE: Audit and Evaluation of Computer Security
ORGANIZATION: Institute for Computer Sciences
and Technology
PUBLISHER/ORIGINATOR: National Institute of
Standards and Technology
REPORT NO: NBS SPEC PUB 500-19
PUBLICATION DATE: October 1978
CATEGORY: Audit and Evaluation
COST: $7.50
DESCRIPTION: An examination of the recommendations
by computer auditing experts on how to improve
computer security audit practices.
AUTHOR: Ruthberg, Zella, ed.
TITLE: Audit and Evaluation of Computer Security
II: System Vulnerabilities and Control
ORGANIZATION: Institute for Computer Sciences
and Technology
PUBLISHER/ORIGINATOR: National Institute of
Standards and Technology
REPORT NO: NBS SPEC PUB 500-57
PUBLICATION DATE: April 1980
CATEGORY: Audit and Evaluation
COST: $7.00
DESCRIPTION: Proceedings of the second NIST/GAO
workshop to develop improved computer security audit
procedures.
AUTHOR: Ruthberg, Zella, Fisher, Bonnie,
Perry, William, Lainhart, John, Cox, James,
Gillen, Mark, Hunt, Douglas
TITLE: Guide to Auditing for Controls and Security:
A System Development Life Cycle Approach
ORGANIZATION: Institute for Computer Sciences
and Technology
PUBLISHER/ORIGINATOR: National Institute of
Standards and Technology
REPORT NO: NBS SPEC 500-153
PUBLICATION DATE: April 1988
CATEGORY: Auditing & Evaluation
COST: $25.95
DESCRIPTION: This guide addresses auditing the
system development life cycle process for an
automated information system, to ensure that
controls and security are designed and built into
the system.
AUTHOR: Ruthberg, Zella & Fisher, Bonnie
TITLE: Work Priority Scheme for EDP Audit and
Computer Security Review
ORGANIZATION: Institute for Computer Sciences
and Technology
PUBLISHER/ORIGINATOR: National Institute of
Standards and Technology
REPORT NO: NBSIR 86-3386
PUBLICATION DATE: August 1986
CATEGORY: Audit and Evaluation
COST: $11.95
DESCRIPTION: Describes a methodology for
prioritizing the work performed by EDP auditors and
computer security reviewers.
CERTIFICATION
AUTHOR: Giragosian, P.A., Mastbrook, D.W. &
Tompkins, F.G.
TITLE: Guidelines for Certification of Existing
Sensitive Systems
ORGANIZATION: Mitre Corporation
PUBLISHER/ORIGINATOR: National Aeronautics and
Space Administration
REPORT NO: PB84-223122
PUBLICATION DATE: July 1982
CATEGORY: Certification
COST: $11.95
DESCRIPTION: This document describes a way to
perform evaluations of the security of a computer
system that has sensitive software applications.
AUTHOR: Ruthberg, Zella G. & Neugent, William
TITLE: Overview of Computer Security Certification
and Accreditation
ORGANIZATION: Institute for Computer Sciences
and Technology
PUBLISHER/ORIGINATOR: National Institute of
Standards and Technology
REPORT NO: NBS SPEC PUB 500-109
PUBLICATION DATE: April 1984
CATEGORY: Certification
COST: $1.50
DESCRIPTION: These guidelines describe the major
features of the certification and accreditation
process. It is intended to help ADP managers and
their staff understand this process.
CONTINGENCY PLANNING
AUTHOR: Isaac, Irene
TITLE: Guide on Selecting ADP Backup Process
Alternatives
ORGANIZATION: Institute for Computer Sciences
and Technology
PUBLISHER/ORIGINATOR: National Institute of
Standards and Technology
REPORT NO: NBS SPEC PUB 500-134
PUBLICATION DATE: November 1985
CATEGORY: Contingency Planning
COST: $1.75
DESCRIPTION: Discusses the selection of ADP backup
processing support in advance of events that cause
the loss of data processing capability.
AUTHOR: Schabeck, Tim A.
TITLE: Emergency Planning Guide for Data
Processing Centers
ORGANIZATION: None Specified
PUBLISHER/ORIGINATOR: Assets Protection
REPORT NO: ISBN No. 0-933708-00-9
PUBLICATION DATE: 1979
CATEGORY: Contingency Planning
COST: $10.00
DESCRIPTION: This checklist provides an audit tool
to evaluate a data processing center's current
disaster defense mechanisms and recovery capability.
AUTHOR: Shaw, James K. and Katzke, Stuart
TITLE: Executive Guide to ADP Contingency
Planning
ORGANIZATION: Institute for Computer Sciences
and Technology
PUBLISHER/ORIGINATOR: National Institute of
Standards and Technology
REPORT NO: NBS SPEC PUB 500-85
PUBLICATION DATE: July 1981
CATEGORY: Contingency Planning
COST: $7.00
DESCRIPTION: This document discusses the background
needed to understand the developmental process for
Automatic Data Processing contingency plans.
DATA BASE SECURITY
AUTHOR: Patrick, Robert L.
TITLE: Performance Assurance and Data Integrity
Practices
ORGANIZATION: Institute for Computer Sciences
and Technology
PUBLISHER/ORIGINATOR: National Institute of
Standards and Technology
REPORT NO: NBS SPEC PUB 500-24
PUBLICATION DATE: January 1978
CATEGORY: Data Base Security
COST: $10.00
DESCRIPTION: Describes methods that have been
successful in preventing computer failure caused by
programming and data errors.
GENERAL SECURITY
AUTHOR: Fletcher, J.G.
TITLE: Security Policy for Distributed Systems
ORGANIZATION: Lawrence Livermore National
Laboratory
PUBLISHER/ORIGINATOR: National Technical
Information Service
REPORT NO: DE82-022517
PUBLICATION DATE: April 6, 1982
CATEGORY: General Security
COST: $9.95
DESCRIPTION: This document provides a security
policy for distributed systems. It has been modeled
according to security procedures for non-computer
items.
AUTHOR: Moore, Gwendolyn B., Kuhns, John L.,
Treffs, Jeffrey, & Montgomery, Christine
TITLE: Accessing Individual Records from Personal
Data Files Using Non-unique Identifiers
ORGANIZATION: Institute for Computer Sciences
and Technology
PUBLISHER/ORIGINATOR: National Institute of
Standards and Technology
REPORT NO: NBS SPEC PUB 500-2
PUBLICATION DATE: February 1977
CATEGORY: General Security
COST: $11.95
DESCRIPTION: Analyzes methodologies for retrieving
personal information using non-unique identifiers
such as name, address, etc. This study presents
statistical data for judging the accuracy and
efficiency of various methods.
AUTHOR: Smid, Miles
TITLE: Standard on Computer Data Authentication
ORGANIZATION: Institute for Computer Sciences
and Technology
PUBLISHER/ORIGINATOR: National Institute of
Standards and Technology
REPORT NO: FIPS PUB 113
PUBLICATION DATE: March 1985
CATEGORY: General Security
COST: $9.95
DESCRIPTION: This publication describes a data
authentication algorithm that can detect
unauthorized modification to computer data
either intentionally or accidentally.
AUTHOR: Tompkins, F.G.
TITLE: NASA Guidelines for Assuring the Adequacy
and Appropriateness of Security Safeguards
in Sensitive Applications
ORGANIZATION: Mitre Corporation
PUBLISHER/ORIGINATOR: National Aeronautics and
Space Administration
REPORT NO: PB85-149003/XAB
PUBLICATION DATE: September 1984
CATEGORY: General Security
COST: $18.95
DESCRIPTION: This document discusses security
measures that should be taken in order to help
conform with Office of Management and Budget
Circular A-71.
AUTHOR: Westin, Allen F.
TITLE: Computers, Personnel Administration, and
Citizen Rights
ORGANIZATION: Institute for Computer Sciences
and Technology
PUBLISHER/ORIGINATOR: National Institute of
Standards and Technology
REPORT NO: NBS SPEC PUB 500-50
PUBLICATION DATE: July 1979
CATEGORY: General Security
COST: $34.95
DESCRIPTION: Reports on the impact of computers on
citizen rights in the field of personnel record
keeping.
MICROCOMPUTER SECURITY
AUTHOR: Steinauer, Dennis D.
TITLE: Security of Personal Computer Systems: A
Management Guide
ORGANIZATION: Institute for Computer Sciences
and Technology
PUBLISHER/ORIGINATOR: National Institute of
Standards and Technology
REPORT NO: NBS SPEC PUB 500-120
PUBLICATION DATE: No Date Given
CATEGORY: Microcomputer Security
COST: $3.00
DESCRIPTION: This publication provides practical
advice on the issues of physical and environmental
protection system and data access control, integrity
of software and data, backup and contingency
planning, auditability, and communications
protection.
PRIVACY
AUTHOR: Fong, Elizabeth
TITLE: A Data Base Management Approach to Privacy
Act Compliance
ORGANIZATION: Institute for Computer Sciences
and Technology
PUBLISHER/ORIGINATOR: National Institute of
Standards and Technology
REPORT NO: NBS SPEC PUB 500-10
PUBLICATION DATE: June 1977
CATEGORY: Privacy
COST: $4.50
DESCRIPTION: Looks at commercially available data
base management systems that can be used in meeting
Privacy Act requirements for the handling of
personal data.
AUTHOR: Goldstein, Robert, Seward, Henry, &
Nolan, Richard
TITLE: A Methodology for Evaluating Alternative
Technical and Information Management
Approaches to Privacy Requirements
ORGANIZATION: Institute for Computer Sciences
and Technology
PUBLISHER/ORIGINATOR: National Institute of
Standards and Technology
REPORT NO: PB 254048
PUBLICATION DATE: June 1976
CATEGORY: Privacy
COST: $11.50
DESCRIPTION: Describes the methods to be used by
recordkeepers to comply with the Privacy Act. A
computer model is included to help determine the
most cost-effective safeguards.
RISK MANAGEMENT
AUTHOR: Courtney, Robert H. Jr.
TITLE: Guideline for Automatic Data Processing
Risk Analysis
ORGANIZATION: Institute for Computer Sciences
and Technology
PUBLISHER/ORIGINATOR: National Institute of
Standards and Technology
REPORT NO: FIPS PUB 65
PUBLICATION DATE: August 1979
CATEGORY: Risk Management
COST: $8.50
DESCRIPTION: Shows how to use a technique that
provides a way of conducting risk analysis of an ADP
facility. It gives an example of the risk analysis
process.
AUTHOR: Jacobson, Robert V., Brown, William F.,
& Browne, Peter S.
TITLE: Guidelines for ADP Physical Security and
Risk Management
ORGANIZATION: Institute for Computer Sciences
and Technology
PUBLISHER/ORIGINATOR: National Institute of
Standards and Technology
REPORT NO: FIPS PUB 31
PUBLICATION DATE: June 1974
CATEGORY: Risk Management
COST: $11.95
DESCRIPTION: Provides guidance to federal
organizations in developing physical security and
risk management programs for their ADP facilities.
AUTHOR: Neugent, William, Gilligan, John,
Hoffman, Lance & Ruthberg, Zella G.
TITLE: Technology Assessment: Methods for
Measuring the Level of Computer Security
ORGANIZATION: Institute for Computer Sciences
and Technology
PUBLISHER/ORIGINATOR: National Institute of
Standards and Technology
REPORT NO: NBS SPEC PUB 500-133
PUBLICATION DATE: October 1985
CATEGORY: Risk Management
COST: $8.00
DESCRIPTION: This document covers methods for
measuring the level of computer security and
addresses individual techniques and approaches, as
well as broader methodologies.
AUTHOR: Tompkins, F.G.
TITLE: Guidelines for Contingency Planning NASA
ADP Security Risk Reduction Decision
Studies
ORGANIZATION: Mitre Corporation
PUBLISHER/ORIGINATOR: National Aeronautics and
Space Administration
REPORT NO: PB84-189836
PUBLICATION DATE: January 1984
CATEGORY: Risk Management
COST: $13.95
DESCRIPTION: How to determine an acceptable level
of ADP security risks is described as well as the
role of risk management in problem solving and
information systems analysis and design.
AUTHOR: Tompkins, F.G.
TITLE: Guidelines for Developing NASA ADP Security
Risk Management Plans
ORGANIZATION: Mitre Corporation
PUBLISHER/ORIGINATOR: National Aeronautics and
Space Administration
REPORT NO: PB84-171321
PUBLICATION DATE: August 1983
CATEGORY: Risk Management
COST: $13.95
DESCRIPTION: This report looks at how NASA develops
ADP security risk management plans. Risk management
processes have six components, and each is
identified and discussed.
SECURITY MANAGEMENT
AUTHOR: Rosenthal, Lynne S.
TITLE: Guidance on Planning and Implementing
Computer Systems Reliability
ORGANIZATION: Institute for Computer Sciences
and Technology
PUBLISHER/ORIGINATOR: National Institute of
Standards and Technology
REPORT NO: NBS SPEC PUB 500-121
PUBLICATION DATE: January 1985
CATEGORY: Security Management
COST: $2.25
DESCRIPTION: The basic concepts of computer system
security are given to provide managers and planners
with background for improving computer system
reliability.
SOFTWARE & OPERATING SYSTEM SECURITY
AUTHOR: Levitt, Karl, Neumann, Peter, and
Robinson, Lawrence
TITLE: The SRI Hierarchical Development
Methodology (HDM) and its Application to
the Development of Secure Software
ORGANIZATION: Institute for Computer Sciences
and Technology
PUBLISHER/ORIGINATOR: National Institute of
Standards and Technology
REPORT NO: NBS SPEC PUB 500-67
PUBLICATION DATE: October 1980
CATEGORY: Software and Operating System Security
COST: $4.25
DESCRIPTION: Shows how to design large software
systems, such as an operating system, that will
meet the hardest security requirements.
TRAINING & AWARENESS
AUTHOR: Davis, Bevette
TITLE: Computer Security Bibliography
ORGANIZATION: Mitre Corporation
PUBLISHER/ORIGINATOR: Mitre Corporation
REPORT NO: MTR 9654
PUBLICATION DATE: April 1985
CATEGORY: Training & Awareness
COST:
DESCRIPTION: Identifies organizations and
individuals that have published documents, magazine
and journal articles, conference proceedings, and
reports concerning computer security.
AUTHOR: Tompkins, Frederick G.
TITLE: Guidelines for Development of NASA Computer
Security Training Programs
ORGANIZATION: Mitre Corporation
PUBLISHER/ORIGINATOR: National Aeronautics and
Space Administration
REPORT NO: PB84-171339/LP
PUBLICATION DATE: May 1983
CATEGORY: Training & Awareness
COST: $11.95 plus $3.00 shipping & handling
DESCRIPTION: This report identifies computer
security training courses and is intended to be used
by NASA in developing training requirements and
implementing computer security training programs.
AUTHORS NOT SPECIFIED
AUTHOR: N/A
TITLE: Computer Fraud and Abuse Act of 1986
ORGANIZATION:
PUBLISHER/ORIGINATOR:
REPORT NO: Public Law 99-474
PUBLICATION DATE: October 16, 1986
CATEGORY: Abuse/Misuse/Crime
COST: Free
DESCRIPTION: Provides additional penalties for
fraud and related activities in connection with
access devices and computers.
AUTHOR: N/A
TITLE: Federal Manager's Financial Integrity
Act of 1982
ORGANIZATION:
PUBLISHER/ORIGINATOR:
REPORT NO: Public Law 97-255
PUBLICATION DATE: September 8, 1982
CATEGORY: Abuse/Misuse/Crime
COST: Free
DESCRIPTION: This law amends the accounting and
auditing act of 1950 to require ongoing evaluations
and reports on the adequacy of the systems of
internal accounting and administrative control of
each executive agency, and for other purposes.
ACCESS CONTROL
AUTHOR: Not Specified
TITLE: Data Encryption Standard
ORGANIZATION: Institute for Computer Sciences
and Technology
PUBLISHER/ORIGINATOR: National Institute of
Standards and Technology
REPORT NO: FIPS PUB 46
PUBLICATION DATE: January 1977
CATEGORY: Access Control
COST: $7.00
DESCRIPTION: Discusses an algorithm to be used for
the cryptographic protection of sensitive, but
unclassified, computer data. Tells how to transform
data into a cryptographic cipher and back again.
AUTHOR: Not Specified
TITLE: DES Modes of Operation
ORGANIZATION: Institute for Computer Sciences
and Technology
PUBLISHER/ORIGINATOR: National Institute of
Standards and Technology
REPORT NO: FIPS PUB 81
PUBLICATION DATE: December 1980
CATEGORY: Access Control
COST: $8.50
DESCRIPTION: This publication discusses the four
modes of operation used by the Data Encryption
Standard.
AUTHOR: N/A
TITLE: Electronic Communications Privacy Act of
1986
ORGANIZATION:
PUBLISHER/ORIGINATOR:
REPORT NO: Public Law 99-508
PUBLICATION DATE: October 21, 1986
CATEGORY: Access Control
COST: Free
DESCRIPTION: Amends title 18, United States Code,
with respect to the interception of certain
communications, and other forms of surveillance, and
for other purposes.
AUTHOR: Not Specified
TITLE: Guidelines on Evaluation of Techniques for
Automated Personnel Identification
ORGANIZATION: Institute for Computer Sciences
and Technology
PUBLISHER/ORIGINATOR: National Institute of
Standards and Technology
REPORT NO: FIPS PUB 48
PUBLICATION DATE: April 1977
CATEGORY: Access Control
COST: $7.00
DESCRIPTION: The performance and evaluation of
personal identification devices is explained.
Considerations for their use in a computer system
are given.
AUTHOR: Not Specified
TITLE: Guidelines for Implementing and Using the
NBS Data Encryption Standard
ORGANIZATION: Institute for Computer Sciences
and Technology
PUBLISHER/ORIGINATOR: National Institute of
Standards and Technology
REPORT NO: FIPS PUB 74
PUBLICATION DATE: April 1981
CATEGORY: Access Control
COST: $8.50
DESCRIPTION: Discusses the guidelines that federal
organizations should use when cryptographic
protection is required for sensitive or valuable
computer data.
AUTHOR: Not Specified
TITLE: Guideline on User Authentication Techniques
for Computer Network Access Control
ORGANIZATION: Institute for Computer Sciences
and Technology
PUBLISHER/ORIGINATOR: National Institute of
Standards and Technology
REPORT NO: FIPS PUB 83
PUBLICATION DATE: September 1980
CATEGORY: Access Control
COST: $8.50
DESCRIPTION: Details the use of passwords,
identification tokens, and other means to protect
against unauthorized access to computers and
computer networks.
AUTHOR: Not Specified
TITLE: Information Security: Products and Services
Catalogue
ORGANIZATION: National Computer Security Center
PUBLISHER/ORIGINATOR: National Computer Security
Center
REPORT NO: None Specified
PUBLICATION DATE: Published Quarterly
CATEGORY: Access Control
COST: Free
DESCRIPTION: This catalogue contains the endorsed
cryptographic products list, NSA endorsed data
encryption standard products list, protected
services list, evaluated products list, and
preferred products list.
AUTHOR: Not Specified
TITLE: National Policy on Controlled Access
Protection
ORGANIZATION: National Telecommunications and
Information Systems Security
PUBLISHER/ORIGINATOR: NTISSC
Ft. George G. Meade, MD
REPORT NO: NTISSP No. 200
PUBLICATION DATE: July 15, 1987
CATEGORY: Access Control
COST: Free
DESCRIPTION: Defines a minimum level of protection
for automated information systems operated by
executive branch agencies and departments of the
federal government and their contractors.
AUTHOR: Not Specified
TITLE: Standard on Computer Data Authentication
ORGANIZATION: Institute for Computer Sciences
and Technology
PUBLISHER/ORIGINATOR: National Institute of
Standards and Technology
REPORT NO: FIPS PUB 113
PUBLICATION DATE: May 1985
CATEGORY: Access Control
COST: $9.95
DESCRIPTION: Specifies a data authentication
algorithm which, when applied to computer data,
automatically and accurately detects unauthorized
modifications, both intentional and accidental.
AUTHOR: Not Specified
TITLE: Standard on Password Usage
ORGANIZATION: Institute for Computer Sciences
and Technology
PUBLISHER/ORIGINATOR: National Institute of
Standards and Technology
REPORT NO: FIPS PUB 112
PUBLICATION DATE: May 1985
CATEGORY: Access Control
COST: $13.95
DESCRIPTION: Discusses ten minimum security
criteria to consider when designing a password-based
access control system for a computer.
AUTHOR: Not Specified
TITLE: Trusted Network Interpretation of the
Trusted Computer System Evaluation
Criteria
ORGANIZATION: National Computer Security Center
PUBLISHER/ORIGINATOR: National Computer Security
Center
REPORT NO: NCSC-TG-005
PUBLICATION DATE: July 31, 1987
CATEGORY: Access Control
COST:
DESCRIPTION: This is also known as the Red Book.
This guideline examines interpretations to extend
the evaluation classes of the Trusted Systems
Evaluation Criteria to trusted network systems and
components.
AUDIT AND EVALUATION
AUTHOR: Not Specified
TITLE: Assessing Reliability of Computer Output -
Audit Guide
ORGANIZATION: U.S. General Accounting Office
PUBLISHER/ORIGINATOR: U.S. General Accounting Office
REPORT NO: AFMD-81-91
PUBLICATION DATE: June 1981
CATEGORY: Audit and Evaluation
COST: Free (if less than 5 ordered)
DESCRIPTION: This audit guide shows how to comply
with GAO policy requirements by giving detailed
procedures to help determine the degree of risk
using information that could be incorrect.
AUTHOR: Not Specified
TITLE: Computer Security Requirements: Guidance for
Applying the DoD Trusted Computer System
Evaluation Criteria in Specific Environments
ORGANIZATION: Department of Defense Computer
Security Center
PUBLISHER/ORIGINATOR: Department of Defense
Computer Security Center
REPORT NO: CSC-STD-003-85
PUBLICATION DATE: June 25, 1985
CATEGORY: Audit and Evaluation
COST: $1.00
DESCRIPTION: These reports show how to use DOD
5200.28-STD in specific environments.
AUTHOR: Not Specified
TITLE: Evaluating Internal Controls in Computer-
Based Systems - Audit Guide
ORGANIZATION: U.S. General Accounting Office
PUBLISHER/ORIGINATOR: U.S. General Accounting Office
REPORT NO: AFMD-81-76
PUBLICATION DATE: June 1981
CATEGORY: Audit and Evaluation
COST: Free (if less than 5 are ordered).
DESCRIPTION: Describes an approach for evaluating a
computer-based system that will enable an auditor to
evaluate the entire system from original to output.
AUTHOR: Not Specified
TITLE: Technical Rationale Behind CSC-STD-003-85
Computer Security Requirements: Guidance for
Applying the DoD Trusted Computer System Evaluation
Criteria in Specific Environments
ORGANIZATION: Department of Defense Computer
Security Center
PUBLISHER/ORIGINATOR: Department of Defense
Computer Security Center
REPORT NO: CSC-STD-004-85
PUBLICATION DATE: June 25, 1985
CATEGORY: Audit and Evaluation
COST: $2.00
DESCRIPTION: Gives guidance on applying the DOD
CSC-STD-003-85.
CERTIFICATION
AUTHOR: Not Specified
TITLE: Guideline for Computer Security
Certification and Accreditation
ORGANIZATION: Institute for Computer Sciences
and Technology
PUBLISHER/ORIGINATOR: National Institute of
Standards and Technology
REPORT NO: FIPS PUB 102
PUBLICATION DATE: September 1983
CATEGORY: Certification
COST: $11.50
DESCRIPTION: Describes ways of establishing and
carrying out a computer security certification and
accreditation program.
CONTINGENCY PLANNING
AUTHOR: Not Specified
TITLE: Guidelines for ADP Contingency Planning
ORGANIZATION: Institute for Computer Sciences
and Technology
PUBLISHER/ORIGINATOR: National Institute of
Standards and Technology
REPORT NO: FIPS PUB 87
PUBLICATION DATE: March 1981
CATEGORY: Contingency Planning
COST: $8.50
DESCRIPTION: Describes data processing
management considerations for developing a
contingency plan for an ADP facility.
DATA BASE SECURITY
AUTHOR: Not Specified
TITLE: Guideline on Integrity Assurance and
Control in Database Applications
ORGANIZATION: Institute for Computer Sciences
and Technology
PUBLISHER/ORIGINATOR: National Institute of
Standards and Technology
REPORT NO: FIPS PUB 88
PUBLICATION DATE: August 1981
CATEGORY: Data Base Security
COST: $11.50
DESCRIPTION: Gives detailed advice on how to achieve
data base integrity and security control. A step-by-
step procedure for examining and verifying the
accuracy and completeness of a data base is
included.
ENVIRONMENTAL SECURITY
AUTHOR: Not Specified
TITLE: Guideline on Electrical Power for ADP
Installations
ORGANIZATION: Institute for Computer Sciences
and Technology
PUBLISHER/ORIGINATOR: National Institute of
Standards and Technology
REPORT NO: FIPS PUB 94
PUBLICATION DATE: September 1982
CATEGORY: Environmental Security
COST: $13.00
DESCRIPTION: This publication discusses electrical
power factors that can affect the operation of an
ADP system.
GENERAL SECURITY
AUTHOR: N/A
TITLE: Computer Security Act of 1987
ORGANIZATION:
PUBLISHER/ORIGINATOR:
REPORT NO: Public Law 100-235
PUBLICATION DATE: January 8, 1988
CATEGORY: General Security
COST: Free
DESCRIPTION: To provide for a computer standards
program within the National Institute of Standards
and Technology, to provide Government-wide computer
security, and to provide for the training in security
matters of persons who are involved in the
management, operation, and use of Federal computer
systems.
AUTHOR: Not Specified
TITLE: Glossary for Computer Systems Security
ORGANIZATION: Institute for Computer Sciences
and Technology
PUBLISHER/ORIGINATOR: National Institute of
Standards and Technology
REPORT NO: FIPS PUB 39
PUBLICATION DATE: February 1974
CATEGORY: General Security
COST: $9.95
DESCRIPTION: A reference document containing
approximately 170 terms and definitions pertaining
to privacy and computer security.
AUTHOR: Not Specified
TITLE: Guidelines for Security of Computer
Applications
ORGANIZATION: Institute for Computer Sciences
and Technology
PUBLISHER/ORIGINATOR: National Institute of
Standards and Technology
REPORT NO: FIPS PUB 73
PUBLICATION DATE: June 1980
CATEGORY: General Security
COST: $10.00
DESCRIPTION: These guidelines are to be used in the
development and operation of computer systems that
require protection. Data validation, user
authentication, and encryption are discussed.
AUTHOR: Not Specified
TITLE: NBS Publication List 91: Computer Security
Publications
ORGANIZATION: Institute for Computer Sciences and
Technology
PUBLISHER/ORIGINATOR: National Institute of
Standards and Technology
REPORT NO: 003-003-00135-0
PUBLICATION DATE: August 1984
CATEGORY: General Security
COST: $18.00
DESCRIPTION: Provides information on computer
security publications that are available.
AUTHOR: Not Specified
TITLE: Sensitive Unclassified Computer Security
Program Compliance Review Guidelines
ORGANIZATION: U.S. Department of Energy
PUBLISHER/ORIGINATOR: U.S. Department of Energy
REPORT NO: DOE/MA-0188/1
PUBLICATION DATE: September 1985
CATEGORY: General Security
COST:
DESCRIPTION: This guideline contains questionnaires
for determining the level of security needed at a
computer installation. Techniques for obtaining the
required level of security are discussed.
MICROCOMPUTER SECURITY
AUTHOR: Not Specified
TITLE: Computer Security- User Handbook for
Microcomputers and Word Processors
ORGANIZATION: U.S. Department of Energy
PUBLISHER/ORIGINATOR: U.S. Department of Energy
REPORT NO: None Specified
PUBLICATION DATE: September 1986
CATEGORY: Microcomputer Security
COST:
DESCRIPTION: This guideline gives a synopsis on
computer security requirements for users of
microcomputers and/or word processors.
AUTHOR: Not Specified
TITLE: Personal Computer Security Considerations
ORGANIZATION: National Computer Security Center
PUBLISHER/ORIGINATOR: National Computer Security
Center
REPORT NO: NCSC-WA-002-85
PUBLICATION DATE: December 1985
CATEGORY: Microcomputer Security
COST: Free
DESCRIPTION: This publication provides a general
discussion of a number of issues that are pertinent
to microcomputer security in the home and business
environment.
AUTHOR: Not Specified
TITLE: Security Guide for Users of Personal
Computers and Word Processors
ORGANIZATION: Pacific Northwest Laboratory
PUBLISHER/ORIGINATOR: Pacific Northwest Laboratory
REPORT NO: None Specified
PUBLICATION DATE: June 1986
CATEGORY: Microcomputer Security
COST: Free (for single copies).
DESCRIPTION: Contains instructions on a variety of
computer security techniques including protective
storage and handling, passwords, emergency
procedures, and other related security subjects.
AUTHOR: Not Specified
TITLE: Security Guidelines for Microcomputers
and Word Processors
ORGANIZATION: U.S. Department of Energy
PUBLISHER/ORIGINATOR: U.S. Department of Energy
ATTN: Information Services
P.O. Box 62
Oak Ridge, TN 37831
REPORT NO: DOE/MA-0181
PUBLICATION DATE: March 1985
CATEGORY: Microcomputer Security
COST: $9.45
DESCRIPTION: These guidelines are concerned with the
training of in the protection of computers
(hardcopy, storage media, etc.). Communications
security, emergency procedures, and the prevention
of system misuse are also discussed.
PRIVACY
AUTHOR: Not Specified
TITLE: Computer Security Guidelines for
Implementing the Privacy Act of 1974
ORGANIZATION: Institute for Computer Sciences
and Technology
PUBLISHER/ORIGINATOR: National Institute of
Standards and Technology
REPORT NO: FIPS PUB 41
PUBLICATION DATE: May 1975
CATEGORY: Privacy
COST: $7.00
DESCRIPTION: This document shows how to protect
personal data in automated information systems.
Discusses how to improve system security using
safeguards and controls.
RISK MANAGEMENT
AUTHOR: N/A
TITLE: Internal Control Systems
ORGANIZATION: Office of Management and Budget
PUBLISHER/ORIGINATOR: Office of Management & Budget
REPORT NO: OMB Circular A-123
PUBLICATION DATE: August 4, 1986
CATEGORY: Risk Management
COST: Free
DESCRIPTION: This circular prescribes policies and
procedures to be followed by executive departments
and agencies in establishing, maintaining,
evaluating, improving, and reporting on internal
controls in their program and administrative
activities.
AUTHOR: Not Specified
TITLE: NASA ADP Risk Analysis Guideline
ORGANIZATION: National Aeronautics and Space
Administration
PUBLISHER/ORIGINATOR: National Aeronautics and
Space Administration
REPORT NO: None Specified
PUBLICATION DATE: July 1984
CATEGORY: Risk Management
COST: Free
DESCRIPTION: This document describes guidelines for
the ADP risk analysis methodology to be used at
NASA ADP facilities and provides guidance for
performing an ADP risk analysis without specialized
contractor assistance.
SECURITY MANAGEMENT
AUTHOR: Not Specified
TITLE: Computers: Crimes, Clues, and Controls. A
Management Guide
ORGANIZATION: President's Council on Integrity and
Efficiency
PUBLISHER/ORIGINATOR: National Technical
Information Service
REPORT NO: PB86-221850/XAB
PUBLICATION DATE: March 1986
CATEGORY: Security Management
COST: $13.95
DESCRIPTION: This publication, which is meant for
managers, deals with information security, physical
security, personnel security, and a plan of action.
Listed are ways to detect and prevent abuse of
computers.
AUTHOR: N/A
TITLE: Guidance for Preparation and Submission of
Security Plans for Federal Computer Systems
Containing Sensitive Information
ORGANIZATION: Office of Management & Budget
PUBLISHER/ORIGINATOR: Office of Management & Budget
REPORT NO: OMB Bulletin 88-16
PUBLICATION DATE: July 6, 1988
CATEGORY: Security Management
COST: Free
DESCRIPTION: Guidance for preparation and submission
of security plans for federal computer systems
containing sensitive information.
AUTHOR: N/A
TITLE: Management of Federal Information Resources
ORGANIZATION: Office of Management and Budget
PUBLISHER/ORIGINATOR: Office of Management and
Budget
REPORT NO: OMB Circular No. A-130
PUBLICATION DATE: December 12, 1985
CATEGORY: Security Management
COST: Free
DESCRIPTION: A general policy framework for the
management of federal information resources is given
in this circular.
AUTHOR: N/A
TITLE: National Policy on Telecommunications and
Automated Information Systems Security
ORGANIZATION: National Security Council
PUBLISHER/ORIGINATOR:
REPORT NO: National Security Decision Directive 145
PUBLICATION DATE: September 17, 1984
CATEGORY: Security Management
COST: Free
DESCRIPTION: This directive establishes a senior
steering group, an interagency group at the
operating level, an executive agent and a national
manager to implement national policy on
telecommunications and automated information systems
security.
TRAINING & AWARENESS
AUTHOR: Not Specified
TITLE: Computer Security Awareness and Training
(Bibliography)
ORGANIZATION: Martin Marietta Energy Systems, Inc.
PUBLISHER/ORIGINATOR: U.S. Department of Energy
REPORT NO: DOE/MA-320 Volume 1
PUBLICATION DATE: February 1988
CATEGORY: Training and Awareness
COST: $11.65
DESCRIPTION: This bibliography contains materials
and information that are available concerning
unclassified computer security.
AUTHOR: N/A
TITLE: Computer Security Training Guidelines
(Draft)
ORGANIZATION: National Institute of
Standards and Technology
PUBLISHER/ORIGINATOR: National Institute of
Standards and Technology
REPORT NO:
PUBLICATION DATE: July 8, 1988
CATEGORY: Training & Awareness
COST:
DESCRIPTION: These guidelines are intended to
assist agencies in meeting the training requirements
of the Computer Security Act of 1987.
AUTHOR: Not Specified
TITLE: Computer Security Awareness and Training
(Guideline)
ORGANIZATION: Martin Marietta Energy Systems, Inc.
PUBLISHER/ORIGINATOR: U.S. Department of Energy
REPORT NO: DOE/MA-0320 Volume 2
PUBLICATION DATE: February 1988
CATEGORY: Training & Awareness
COST: $11.00
DESCRIPTION: This guide presents fundamental
concepts, topics, and materials on many aspects of
unclassified computer security that should be
included in site level unclassified computer
security awareness and training programs within DOE.
AUTHOR: Not Specified
TITLE: Safeguards and Security Manual. Section 12:
Computer and Technical Security
ORGANIZATION: EG&G Idaho, Inc.
PUBLISHER/ORIGINATOR: None Specified
REPORT NO: None Specified
PUBLICATION DATE: April 8, 1987
CATEGORY: Training & Awareness
COST: Free
DESCRIPTION: This section of the safeguards and
security manual describes various computer security
procedures for users and security managers. Includes
security awareness training, computer protection
plan, audit, risk analysis, and related topics.
AUTHOR: N/A
TITLE: Small Business Computer Security and
Education Act of 1984
ORGANIZATION:
PUBLISHER/ORIGINATOR:
REPORT NO: Public Law 98-362
PUBLICATION DATE: July 16, 1984
CATEGORY: Training & Awareness
COST: Free
DESCRIPTION: Amended the Small Business Act to
establish a small business computer security and
education program.
AUTHOR: N/A
TITLE: Training Requirement for the Computer
Security Act
ORGANIZATION: Office of Personnel Management
PUBLISHER/ORIGINATOR: Office of Personnel Management
Federal Register Part II
REPORT NO: Interim Regulation 5 CFR Part 930
PUBLICATION DATE: July 13, 1988
CATEGORY: Training & Awareness
COST: Free
DESCRIPTION: This regulation implements P.L. 100-235,
the Computer Security Act of 1987.