Phone: 301.469.6116
Fax: 301.469.1471
Authoritative References

General

  • "Control Objectives for Information systems and related Technologies," (COBIT) version 4.0. Information Systems Audit and Control Foundation – IT Governance Institute.
     

  • "Information Assurance Capability Maturity Model," (IA-CMM) version 3.
     

  • "Information Assurance Technical Framework," version 3.1, National Security Agency.
     

  • "Internal Control - Integrated Framework," Committee of Sponsoring Organizations of the Treadway Commission (COSO).
     

  • "Enterprise Risk Management - Integrated Framework," Committee of Sponsoring Organizations of the Treadway Commission (COSO).
     

  • "ISO/IEC 15408. Common Criteria for IT Security Evaluation," version 2.1.
     

  • "ISO/IEC 17799:2005. Information technology – Security techniques - Code of practice for information security management."
     

  • "ISO/IEC 27001:2005. Information technology - Security techniques - Information security management systems – Requirements."
     

  • "IT Control Objectives for Sarbanes-Oxley," Information Systems Audit and Control Association IT-Governance Institute.
     

  • "OECD Guidelines for the Security of Information Systems and Networks: towards a Culture of Security," Organization for Economic Co-operation and Development (OECD)
     

  • "Principles of Corporate Governance: 2004," Organization for Economic Co-operation and Development (OECD)
     

  • "Public Key Infrastructure Assessment Guidelines," American Bar Association
     

  • Special Publication Series 800 on Computer Security, National Institute of Standards and Technology (NIST)
     

  • "Systems Security Engineering Capability Maturity Model," (SSE-CMM) version 2.
     


Finance/Banking

  • "Electronic Security: Risk Mitigation in Financial Transactions," Thomas Glaessner, et al., World Bank 2002
     

  • "Enterprise Risk Management Framework," Committee of Sponsoring Organizations of the Treadway Commission (COSO)
     

  • "Federal Financial Institutions Examination Council - FFIEC Information Technology Examination Handbook," and related interagency policy and rule publications.
     

  • "High Risk Series: Protecting Information Systems Supporting the Federal Government and the Nation's Critical Infrastructures," Government Accountability Office
     

  • "Sound Practices for the Management and Supervision of Operational Risk," Basel Committee on Banking Supervision
     

  • "The Director's Book: The Role of The National Bank Director," Office of the Comptroller of the Currency.


Federal Government

  • "Critical Infrastructure Protection in the Information Age," Executive Order 13231
     

  • "DoD Information Assurance," DoD 8500.1
     

  • "DoD Information Assurance Implementation," DoD 8500.2
     

  • "DoD Information Technology Security Certification and Accreditation Process (DITSCAP) Application Manual," DoD 8510.1-M
     

  • "E-Government Act of 2002," Title III, "Federal Information Security Management Act" (FISMA)
     

  • "Management of Federal Information Resources," OMB A-130 Appendix III, "Security of Federal Automated Information Resources"
     

  • "National Information Assurance Certification and Accreditation Process," (NIACAP) National Security Telecommunications and Information Systems Security Instruction, NSTISSI #1000.
     

  • "National Training Standards for System Certifiers," National Security Telecommunications and Information Systems Security Instruction, NSTISSI #4015
     

  • "National Policy on Certification and Accreditation of National Security Telecommunications and Information Systems," National Security Telecommunications and Information Systems Security Policy, NSTISSP #6
     

  • "Protecting Sensitive Compartmented Information Within Information Systems," Director of Central Intelligence, Directive & Manual 6/3.
     

  • "Standards for Security Categorization of Federal Information and Information Systems," Federal Information Processing Standard 199.

 


Copyright © 1994-2005 Electric-Tronics Incorporated, All Rights Reserved.