References
- Acquisition, Preservation and Exchange of Identification Records and Information, U.S. Code of Federal Regulations, Title 28, Part II, Chapter 33, Sec. 534, Judiciary and Judicial Procedure, U.S. Department of Justice, Federal Bureau of Investigation, Acquisition, http://www.access.gpo.gov/uscode/uscmain.html.
- The Biometric Consortium, http://www.biometrics.org/html/standards.html.
- The Biometrics Resource Center Web site, National Institute of Standards and Technology, http://www.itl.nist.gov/div893/biometrics/standards.html.
- Center for Internet Security (CIS), Hershey, PA, http://www.cisecurity.org/.
- CERT® Coordination Center (CERT/CC), Carnegie Mellon Software Engineering Institute, http://www.cert.org.
- Computer Security Resource Center (CSRC), National Institute of Standards and Technology (NIST), Computer Security Division (CSD), compilation of computer-related security best practices, http://csrc.nist.gov/.
- Confidential Information, United States Code, Title 28, Appendix Rule 81: Papers Filed Conformity, Section (h), http://uscode.house.gov/uscode-cgi/fastweb.exe?getdoc+uscview+t26t28+4317+5++%28confidential%20Information%27%20%27papers%20filed%20conformity%27%29%20%20AND%20%28%2811%29%20ADJ%20USC%29%3ACITE%20%20%20%20%20%20%20%20%20.
- Criminal Justice Information Systems, U.S. Code of Federal Regulations (CFR), 28 CFR 20.1, Judiciary and Judicial Procedure, U.S. Department of Justice.
- Data Encryption Standard (DES) was, until recently, used by the United States government for protecting sensitive but unclassified data. This standard has since been superseded by Triple DES due to increases in computer power that have allowed DES encryption to be broken. Advanced Encryption Standard (AES) has now become recognized by NIST CSD CSRC and has been officially approved for use by the United States government under Federal Information Processing Standard (FIPS) 197.
- Data Security and Classification Guidelines, Section III: Data and Computing Policy Guidelines, The University of Massachusetts, http://media.umassp.edu/massedu/policy/DataComputingStandard.pdf.
- Directive 95/46/EC on Data Protection (the Directive), European Union (EU), http://europa.eu.int/smartapi/cgi/sga_doc?smartapi!celexapi!prod!CELEXnumdoc&lg=EN&numdoc=31995L0046&model=guichett.
- Domestic Disaster Recovery Plan for PCs, OIS, and Small VS Systems, National Institute of Standards and Technology (NIST), Gaithersburg, MD, U.S. Department of State, Washington, DC, National Technical Information Service (NTIS), U.S. Department of Commerce, http://www.ntis.gov/search/product.asp?ABBR=PB90265240&starDB=GRAHIST.
- Electronic Authentication Guideline, NIST Special Publication 800-63, http://csrc.nist.gov/publications/nistpubs/index.html#sp800-63.
- The Electronic Communications Privacy Act of 1986 (ECPA), United States Code, Title 18, Part 1, Chapter 119, Section 2511: Interception and disclosure of wire, oral, or electronic communications prohibited, http://www4.law.cornell.edu/uscode/18/2511.html.
- Engineering Principles for Information Technology Security (A Base Line for Achieving Security), NIST Special Publication 800-27, June 2001, http://csrc.nist.gov/publications/nistpubs/800-27/sp800-27.pdf.
- Evaluation Assurance Level 4 (EAL4), Common Criteria for Information Technology Security Evaluation (CCITSE), The Trust Technology Assessment Program (TTAP), National Security Agency (NSA) and National Institute of Standards and Technology (NIST), Radium Customer Information Provider. EALs provide a uniformly increasing scale that balances the level of assurance obtained with the cost and feasibility of acquiring that degree of assurance. There are seven hierarchically ordered EALs. The higher the EAL, the greater the degree of assurance.
- Federal Agency Security Practices, National Institute of Standards and Technology (NIST), http://csrc.nist.gov/fasp/.
- Federal Information Security Management Act of 2002 (FISMA), Public Law 107-347, December 17, 2002.
- The Freedom of Information Reform Act (1986), United States Code, Title 5, Part I, Chapter 5, Subchapter II, Section 552: Public information; agency rules, opinions, orders, records, and proceedings, http://www4.law.cornell.edu/uscode/5/552.html.
- F-Secure, Symantec, and McAfee (antivirus software providers), http://www.fsecure.com, http://www.symantec.com, and http://www.mcafee.com.
- Generally Accepted System Security Principles (GASSP) as defined by the International Information Security Foundation, http://www.infosectoday.com/Articles/gassp.pdf.
- Guide for the Security Certification and Accreditation of Federal Information Systems, NIST Special Publication 800-37, June 2003 (second public draft), http://csrc.nist.gov/publications/nistpubs/.
- Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, Organisation for Economic Cooperation and Development (OECD), http://www.oecd.org/document/18/0,2340,en_2649_34255_1815186_1_1_1_1,00.html.
- Health Insurance Portability and Accountability Act (HIPAA) of 1996, Centers for Medicare and Medicaid Services, http://www.cms.gov/hipaa/.
- Health Insurance Portability and Accountability Act (HIPAA) of 1996, Fact Sheet, Administrative Simplification Under HIPAA: National Standards for Transactions, Security, and Privacy, U.S. Department of Health and Human Services, http://www.hhs.gov/news/press/2002pres/hipaa.html.
- IEEE/EIA STD 12207, Software Lifecycle Processes, http://standards.ieee.org/reading/ieee/std_public/description/se/12207.0-1996_desc.html, http://standards.ieee.org/reading/ieee/std_public/description/se/12207.1-1997_desc.html, and http://standards.ieee.org/reading/ieee/std_public/description/se/12207.2-1997_desc.html.
- Industry Working Group (IWG), IJIS Institute, http://www.ijis.org.
- Information Technology Security Training Requirements: A Role- and Performance-Based Model, NIST Special Publication 800-16, April 1998, http://csrc.nist.gov/publications/nistpubs/800-16/800-16.pdf.
- The Internet Engineering Task Force, four documents under current review, http://www.ietf.org/ids.by.wg/idwg.html:
  - Intrusion Detection Message Exchange Format Data Model and Extensible Markup Language (XML) Document Type Definition, David Curry, Hervé Debar, January 31, 2003.
  - The Intrusion Detection Exchange Protocol (IDXP), Benjamin Feinstein, Gregory Matthews, John White, October 23, 2002.
  - The TUNNEL Profile, Darren New, December 6, 2002.
  - Intrusion Detection Message Exchange Requirements, Mark Wood, Michael Erlinger, October 23, 2002.
- Internet Storm Center, (DID) Systems, http://isc.sans.org/.
- IP Security Protocol (IPsec), Internet Engineering Task Force (IETF), http://www3.ietf.org/proceedings/97dec/97dec-final-110.htm.
- The ISO 17799 Service and Software Directory. ISO 17799 is a comprehensive set of controls comprising best practices in information security. It is essentially an internationally recognized generic information security standard, International Organization for Standardization, http://www.computersecuritynow.com.
- Justice Information Privacy Guideline: Developing, Drafting, and Assessing Privacy Policy for Justice Information Systems, National Criminal Justice Association, September 2002, http://www.ncja.org/Content/NavigationMenu/PoliciesPractices/JusticeInformationPrivacyGuideline/default.htm.
- Lightweight Directory Access Protocol (LDAP), The Internet Engineering Task Force, Network Working Group, http://www.ietf.org/rfc/rfc1777.txt.
- MIT Business Continuity Plan, Massachusetts Institute of Technology (MIT), 1995, http://web.mit.edu/security/www/pubplan.htm.
- National Association of State Chief Information Officers (NASCIO), Lexington, KY, http://www.nascio.org.
- Omnibus Crime Control and Safe Streets Act of 1968, Pub. L. No. 90-351, 82 Stat. 197, 1968 U.S.C.C.A.N. 237, as amended.
- Personnel Security Standard, Treasury Board of Canada, http://www.tbs-sct.gc.ca/pubs_pol/gospubs/TBM_12A/CHAPT2-4_e.asp.
- Safe Harbor Act, U.S. Department of Commerce, Export Portal, http://www.export.gov/safeharbor/.
- The SANS Security Policy Project, The SANS Institute, http://www.sans.org/resources/policies/.
- Secure Hash Standard, Federal Information Processing Standard Publication 180-1, April 17, 1995, http://www.itl.nist.gov/fipspubs/fip180-1.htm.
- Security Assertion Markup Language (SAML), Organization for the Advancement of Structured Information Standards (OASIS), Security Services Technical Committee, http://www.oasis-open.org/committees/documents.php?wg_abbrev=security.
- Security Classification of Information, Classification Levels, Chapter 7, Volume 2: Principles for Classification of Information, Oak Ridge National Laboratory, U.S. Department of Energy, Federation of American Scientists Web site, http://www.fas.org/sgp/library/quist2/chap_7.html.
- Security Self-Assessment Guide for Information Technology Systems, National Institute of Standards and Technology, Special Publication 800-26, November 2001, http://csrc.nist.gov/publications/nistpubs/800-26/sp800-26.pdf.
- Summary of the Intrusion Detection and Isolation Protocol (IDIP) Project, Intrusion Detection and Isolation Protocol, University of California, Davis, http://seclab.cs.ucdavis.edu/projects/idip.html.
- Underlying Technical Models for Information Technology Security, National Institute of Standards and Technology Special Publication 800-33, December 2001, http://csrc.nist.gov/publications/nistpubs/800-33/sp800-33.pdf.
- Washington State Information Technology Security Policy Audit Standards, Washington State Auditor's Office, September 2001, http://www.sao.wa.gov/StateGovernment/ITSecurity/ITStandards.htm.
- Washington State Public Records Privacy Protection Policy, Access Washington, Department of Information Services, http://isb.wa.gov/policies/portfolio/804P.doc.
- *http://www.leo.gov/lesig/cjis/cjis_pub/information/poly2002_feb/POLY2002_Feb.htm.
*Note: Only LEO members may access the www.leo.gov Web site.
Note: Those who are interested in computer and information systems security are encouraged to consult the Web site of the National Institute for Standards and Technology (NIST) at http://csrc.nist.gov/index.html. At this site, the Computer Security Resource Center (CSRC) at NIST offers a series of publications on security terminology, issues, and policies for justice information specialists to use as guidance.