University of Oregon Applied Information Management Master's Degree Program
Managing IT/IS Security, Winter 2013
Course Resources

Books and Articles

Alyias, D., Batchelder, D., Blackbird, J., Faulhaber, J., Felstead, D., Grimes, R., & Zink, T. (2012). Microsoft security intelligence report: January through June, 2012 (Vol. 13). Retrieved from http://www.microsoft.com/security/sir/

Anonymous. (2008, April 30). Background checks: How not to hire an information security officer who's on parole. Retrieved from http://www.csoonline.com/article/332264/background-checks-how-not-to-hire-an-information-security-officer-who-s-on-parole

Belicove, M. E. (2012, October 26). The 10 dos and don'ts of conducting employee background checks [Web log post]. Retrieved from http://www.forbes.com/sites/mikalbelicove/2012/10/26/the-10-dos-and-donts-of-conducting-employee-background-checks/

Biswas, A. (2009, October 19). Change management - the ITIL way. Retrieved from http://www.articlesbase.com/information-technology-articles/change-management-the-itil-way-1356376.html

Bolkan, J. (2012, October 17). Northwest Florida State College data breach compromises 300,000 students and employees. Campus Technology. Retrieved from http://campustechnology.com/articles/2012/10/17/northwest-florida-state-college-data-breach-compromises-300000-students-and-employees.aspx?sc_lang=en

Bowcut, S. (2010, May 7). Access control systems: The basics. Intranet Journal. Retrieved from http://www.brighthub.com/computing/smb-security/articles/12093.aspx

Cichonski, P., Millar, T., Grance, T., & Scarfone, K. (2012, August). Computer security incident handling guide (NIST Special Publication 800-61, Revision 2). Gaithersburg, MD. Retrieved from Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology: http://csrc.nist.gov/publications/nistpubs/800-61rev2/SP800-61rev2.pdf

CIO Update Staff. (2011, December 16). Top 13 security trends to watch in 2012. CIO Update. Retrieved from http://www.cioupdate.com/technology-trends/top-13-security-trends-to-watch-in-2012.html

Croy, M. (2005). Landing on your feet: Being prepared in the 21st century. Disaster Recovery Journal, 18(Winter). Retrieved from http://www.drj.com/pre-2006/winter2005/landing-on-your-feet-being-prepared-in-the-21st-century.html

Gaudin, S. (2006, December 7). Are background checks necessary for IT workers? Ask UBS PaineWebber. InformationWeek. Retrieved from http://www.informationweek.com/news/security/showArticle.jhtml?articleID=196602415

Goldman, J. (2012, October 24). Hackers compromise Barnes and Noble PIN pads. Retrieved from http://www.esecurityplanet.com/hackers/hackers-compromise-barnes-and-noble-pin-pads.html

GoogleApps. (2011). Google data center security [Video clip]. Available from http://www.google.com/apps/intl/en/business/infrastructure_security.html

Headlines. (2011, May 20). Symantec: SMB's lack understanding of mobile security [Web log post]. Retrieved from https://www.infosecisland.com/blogview/13887-SMBs-Lack-Understanding-of-Mobile-Device-Security.html?amp&

Information Assurance Solutions Group, National Security Agency. (n.d.). Defense in depth. Retrieved from http://www.nsa.gov/ia/_files/support/defenseindepth.pdf

Information Systems Audit and Control Association. (2005). Critical elements of information security program success. Rolling Meadows, IL: Author. Retrieved from http://www.isaca.org/Knowledge-Center/Research/Documents/CritElemInfoSec.pdf

Joint Task Force Transformation Initiative. (2012). Guide for conducting risk assessments. Gaithersburg, MD: U.S. Department of Commerce. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf

Kadam, A. (2003, March). A cautious approach to information exchange. Network Magazine. Retrieved from http://www.networkmagazineindia.com/200303/security2.shtml

Kadam, A. (2002, December). Identifying and classifying assets. Network Magazine. Retrieved from http://www.networkmagazineindia.com/200212/security2.shtml

Kissel, R. (Ed.). (2011, February). Glossary of key information security terms. Retrieved from http://csrc.nist.gov/publications/nistir/ir7298-rev1/nistir-7298-revision1.pdf

Kissel, R., Stine, K., Scholl, M., Rossman, H., Fahlsing, J., & Gulick, J. (2008, October). Security considerations in the system development life cycle (NIST Special Publication 800-64, Revision 2). Gaithersburg, MD. Retrieved from Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology: http://csrc.nist.gov/publications/nistpubs/800-64Rev2/SP800-64-Revision2.pdf

Messmer, E. (2008, July 30). Telecommuting poses security, privacy risks. Retrieved from http://www.csoonline.com/article/440074/Telecommuting_Poses_Security_Privacy_Risks?page=1

Perrin, C. (2007, August 15). The three elements of access control [Web log post]. Retrieved from http://www.techrepublic.com/blog/security/the-three-elements-of-access-control/272

Praxiom Research Group Limited. (2012, July 18). ISO IEC 27001 2005: Translated into plain English. Retrieved from http://www.praxiom.com/iso-27001.htm

Rashid, F. Y. (2011, April 20). Oak Ridge National Laboratory breached by phishing email, IE exploit. eWeek. Retrieved from http://www.eweek.com/c/a/Security/Oak-Ridge-National-Laboratory-Breached-by-Phishing-Email-IE-Exploit-361033/

Roper, E. (2012, November 3). Data-breach payouts top $1 million for ex-cop. Minneapolis StarTribune. Retrieved from http://www.startribune.com/local/minneapolis/177055151.html?refer=y

The SANS Institute. (2011). SANS glossary of terms used in security and intrusion detection. Retrieved from http://www.sans.org/resources/glossary.php

Scalet, S. D. (2005, November 1). 19 ways to build physical security into a data center. Retrieved from http://www.csoonline.com/read/110105/datacenter.html

Seagate. (2007, October). Drive disposal best practices: Guidelines for removing sensitive data prior to drive disposal (Publication No. TP582.1-0710US). Retrieved from http://www.harddriveshredding.com/include/papers/Seagate disposal.pdf

Separation of duties. (n.d.). In Wikipedia. Retrieved from http://en.wikipedia.org/wiki/Separation_of_duties

Sollis, D. (2010). Compliance for compliance sake? ISACA Journal. Retrieved from http://www.isaca.org/Journal/Past-Issues/2010/Volume-1/Pages/Compliance-for-Compliance-s-Sake-1.aspx

Toigo, J. W. (2003). Chapter 3: Facility protection. In J. W. Toigo, Disaster recovery planning: Preparing for the unthinkable (3rd ed.). Upper Saddle River, NJ: Prentice Hall PTR.

Verizon RISK Team, Australian Federal Police, Dutch National High Tech Crime Unit, Irish Reporting and Information Security Service, Police Central e-Crime Unit, & United States Secret Service. (2012). 2012 Data breach investigations report. Retrieved from http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf

Vijayan, J. (2012, October 26). South Carolina breach exposes 3.6M SSNs. Computerworld. Retrieved from http://www.computerworld.com/s/article/9232965/South_Carolina_breach_exposes_3.6M_SSNs?taxonomyId=17

Whitman, M. E., & Mattord, H. J. (2010). Management of information security (3rd ed.). Boston, MA: Course Technology. ISBN: 1435488849 or 978-1435488847. (Course textbook)

Web Sites

CSO: Security and Risk
http://www.csoonline.com/

Dark Reading
http://www.darkreading.com/

HIPAA
  o Security Rule
    http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/index.html
  o GLBA
    http://www.ftc.gov/privacy/privacyinitiatives/glbact.html
  o FERPA
    http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html
  o FISMA
    http://csrc.nist.gov/drivers/documents/FISMA-final.pdf

IBM: Internet Security Systems
http://xforce.iss.net/

SANS
http://www.sans.org/top-cyber-security-risks/

SecurityNewsPortal.com
http://www.securitynewsportal.com/index.shtml

SearchSecurity.com
http://searchsecurity.techtarget.com/

Uptime Institute: The Global Data Center Authority
http://www.uptimeinstitute.org/