Firion Corporation Cyber Security Policy
Amy Wees, Gary Coulter, Kyree Clarke, and Leonard Gentile
University of Maryland University College
Amy Wees, Gary Coulter, Kyree Clarke, and Leonard Gentile, Department of Information and Technology Systems, University of Maryland University College.
This research was not supported by any grants.
Correspondence concerning this research paper should be sent to Amy Wees, Gary Coulter, Kyree Clarke, Leonard Gentile, Department of Information and Technology Systems, University of Maryland University College, 3501 University Blvd. East, Adelphi, MD 20783. E-mail: firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, and email@example.com
The Firion Corporation is a leader in the development of specialized safety outerwear and has a niche market in the waste disposal, chemical, and biological industries. Firion employees use technology in every aspect of the business. Databases contain private customer information, unique software assists in development and testing of proprietary designs, and marketing, financial, and sales data are accessed and stored on our private network. Protection of information is mandated by Firion policy and federal and state legislation. Unauthorized access to the network by cyber criminals or malicious insiders can result in loss of customer information, compromised proprietary business information, severe financial damage, and work outages. Cyber security threats and vulnerabilities can have a detrimental impact on the future of our business and every employee is considered a stakeholder in the protection of the network. Firion will continue to strive to ensure cyber security remains a priority at every level of the company. The goals of Firion’s cyber security policy include increasing awareness by providing employees with applicable illustrations of common threats and vulnerabilities in the industry, identifying data classification procedures and rationalizing access control rules, and characterizing sensitive and critical systems and outlining their appropriate safeguards and utilization.
Firion Corporation Cyber Security Policy
Firion Organizational Business Mission
Welcome to Firion! The Firion Corporation is a leader in the development of specialized safety outerwear and has a niche market in the waste disposal, chemical, and biological industries. Our customers count on us to deliver quality products that are safe and reliable. Firion laboratories are constantly at work developing innovative coatings and unique designs to ensure our customers can be confident in the level of protection our products deliver (UMUC, 2010).
Firion’s employees use technology in every aspect of our business. Databases contain private customer information, unique software assists in the development and testing of proprietary designs, and marketing, financial, and sales data are accessed and stored on our private network. Protection of information is mandated by Firion policy and federal and state legislation. Unauthorized access to the network by cyber criminals or malicious insiders can result in loss of customer information, compromised proprietary business information, severe financial damage, and work outages. Cyber security threats and vulnerabilities can have a detrimental impact on the future of our business and every employee is considered a stakeholder in the protection of the network. Firion will continue to strive to ensure cyber security remains a priority at every level of the company.
Cyber Security Goals
Firion’s cyber security policy will be kept relevant and up-to-date to the technology in use. The policy will be communicated to employees on an annual basis to ensure compliance, comprehension, and clarity. The goals of the cyber security policy are as follows:
- Increase awareness by providing employees with applicable illustrations of common threats and vulnerabilities in the industry
- Identify data classification procedures and rationalize access control rules
- Characterize sensitive and critical systems and outline their appropriate safeguards and utilization
- Address physical security as the first line of defense in a defense-in-depth security strategy to include use of personal computing devices on corporate networks and business devices on the road
- Ensure all employees understand their role in business continuity and disaster recovery
- Explain acceptable use of technologies as well as applicable federal and state legislation
Ethical practices are about doing the right thing when no one is looking. Firion is committed to preserving a reputation for sound ethical computing practices. Though Firion will take every precaution to protect employee and customer private data located on its systems, it is important to understand that no system is 100 percent secure. Employees and network users can contribute to network security and information privacy by following ethical guidelines:
- Corporate privacy policies will disclose what information is collected and how information is utilized and stored
- All e-mails sent over Firion networks are subject to monitoring. Employees are expected to conduct business communications in a professional manner, limiting e-mail sent for personal use
- Employees will not present themselves as representatives of Firion outside of corporate functions nor use their professional title in public online forums
- Internet usage is monitored, and employees are expected to use corporate Internet for business and limited personal use purposes. Certain Internet Web sites are blocked if considered a threat to the network or not necessary for business practices
- Employees must use software issued and approved by Firion. Unlicensed software or freeware is not authorized for use on corporate assets. Exceptions to this policy can be granted by Firion’s Information Assurance manager
- Personal computing devices and mobile telephones are not authorized on corporate property. Employees will be provided with lockboxes for securing their valuable items
- All company issued mobile computing devices are subject to auditing and virus scanning prior to being connected to corporate networks
- Employee passwords will not be shared with anyone or recorded. Passwords must meet minimum complexity requirements and change every 90 days
- Ethical computing concerns can be brought to Firion’s Information Assurance manager for consideration or evaluation at any time
Cyber Security Policy Introduction
Cyber security is essential for just about any organization, including Firion. One of the reasons why it is so vital to ensure that computer networks and systems within an organization are secure is that cyber criminals both inside and outside the organization pose a serious security threat to businesses. In order to protect against the threat of cyber attackers, whether they are inside or outside the organization, Firion has developed a policy that describes how it intends to secure its computer networks and systems.
It is not enough for Firion to simply develop a cyber security policy and sit back, thinking that its network and systems will suddenly be secure. Firion must also ensure that employees understand and comply with the cyber security policy. This is necessary because Firion’s employees, or employees of any organization for that matter, are the weakest part of the network. Even the most state-of-the-art cyber security technologies will not be able to protect Firion’s networks and systems from cyber security threats if its employees are engaging in behavior that jeopardizes the security of those networks and systems. Sharing passwords, leaving passwords on Post-It notes for display on their computer monitors, or clicking on links in e-mails that are sent by people that they do not know are all examples of how easily a network can be jeopardized. In order to prevent these and other behaviors that may open Firion’s network and systems up to cyber security threats, the company must be sure that its employees understand and are complying with the company’s cyber security policy.
By implementing a strong cyber security policy and ensuring that employees understand and comply with that policy, Firion is taking a crucial step in securing the network and its systems from cyber security threats. In addition, a strong cyber security policy coupled with employee understanding and buy-in will help prevent Firion from experiencing the negative effects of cyber security breaches. For instance, by protecting its systems from cyber security threats, Firion will also be working to prevent the unauthorized access of information that is stored on its systems, including trade secrets, customer payment information, and any confidential personnel information, such as Social Security numbers. The loss of such information could have serious consequences for Firion. The consequences of a competitor obtaining the company’s trade secrets could be very serious, since these secrets form the basis of our business. In addition, the loss of sensitive information such as employees’ Social Security numbers could result in Firion absorbing the expense of credit monitoring for affected employees, while the confiscation of customer payment information could result in a loss of trust among Firion’s customers. Customer dissatisfaction can also result in financial ramifications for the company and could cause potential legal liability (Feigelson & Calman, 2010).
Achieving Employee Buy-In for Firion’s Cyber Security Policy
Now that the importance of employee understanding and compliance with Firion’s cyber security policy has been demonstrated, it is pertinent to spell out how Firion plans to achieve the level of employee support and buy-in that is necessary for this cyber security policy to be effective. Firion will practice a three-pronged approach: education, rewards for compliance, and penalties for non-compliance.
Firion will seek to educate employees about cyber security by requiring them to participate in a Web-based training program when they are hired. An annual refresher course will also be required for all employees. Web-based training has proven to be one of the most effective ways to educate employees about cyber security issues (Rudolph, 2009, p. 28). Web-based courses are an optimal method for training because courses can be taken at any time and are self-paced (Rudolph, 2009, p. 29). In addition, Web-based courses can be tailored to the needs of employees based on their levels of experience and various interests (Rudolph, 2009, p. 29).
Rewarding or Punishing Employees for Complying or Not Complying with Firion’s Cyber Security Policy
Additional steps will need to be taken to ensure that employees understand and comply with Firion’s cyber security policy. For example, employees will be required to sign an agreement stating that they understand the policy and that they intend to comply with it. Requiring employees to sign compliance statements is an effective way of making them more security aware and committing them to comply with policies that are put in place to protect Firion’s network and computer systems (Rudolph, 2009, p. 30).
Rewards and punishments are another necessary component of Firion’s efforts to ensure that employees understand and comply with the cyber security policy. Firion should not take the approach of considering compliance with its cyber security policy a core requirement for employees as this approach has proven to be unsuccessful in the past. Government agencies, for example, once treated cyber security as a core requirement and did not make an attempt to give it special emphasis (Rudolph, 2009, p. 8). These agencies eventually began to suffer from a growing number of security breaches (Rudolph, 2009, p. 8). Firion should not and cannot make the same mistake that these government agencies did. We at Firion recognize that security needs to be an area of special concern that is emphasized frequently so that our network and systems can be properly protected from cyber security threats (Rudolph, 2009). In order to emphasize security as a special area of focus, employees will be given rewards for complying with Firion’s cyber security policy. These rewards will be given out partly on the basis of informal security audits performed by members of Firion’s information technology (IT) security department. Once a month, a member of Firion’s IT security department will walk around the company’s office and observe employee behavior, such as whether or not passwords are written on Post-It notes and visible in the work area as well as whether or not computers are powered on and logged in while employees are away from their desks. Employees who are found not to be engaging in these and other behaviors will be given a small reward, such as a gift card to a local retailer or restaurant or a small cash bonus. Rewards will also be given out to the company as a whole based on company-wide compliance with the cyber security policy. 
For example, all employees can be rewarded with some type of perk if the number of cyber security incidents declines on a quarterly or yearly basis since this would likely be an indication that employees understand and are complying with Firion’s cyber security policy. Such perks could include breakfast for the employees, paid for by Firion. Conversely, employees who are found to be violating Firion’s cyber security policy will be punished. This punishment will be based on the severity of the violation, with the most serious violations resulting in termination and potential legal implications. The severity of a violation will be determined by Firion’s Chief Information Officer (CIO).
In addition, compliance with Firion’s cyber security policy will be one of the areas that managers will consider when conducting annual performance reviews. Employees who are found not to have violated Firion’s cyber security policy over the past year will be given a monetary bonus. Those who are found to have violated Firion’s cyber security policy over the past 12 months will be punished. This punishment could include the loss of vacation time or other perks. The type of punishment that is given will be decided on a case-by-case basis, though more severe violations will warrant a more severe punishment. Once again, the severity of a violation of Firion’s cyber security policy will be determined by the CIO.
Procedures for Reporting Security Breaches, Violations of Cyber Security Policy, and Security Vulnerabilities
All employees are required to report security breaches, violations of Firion’s cyber security policy, and security vulnerabilities that they are aware of. As soon as employees become aware of any security breach, cyber security policy violations, and/or security vulnerabilities, they should immediately notify an IT systems administrator and provide any information that they may have. This information can include the name of the person who is involved in the cyber security breach or policy violation, the system that contains the security vulnerability, or the system that has been breached, among other things. Immediate notification will allow Firion’s IT security department to take action on any urgent issues that arise. By urging employees to report any information that they have about the nature of a security breach, policy violation, or security vulnerability, the IT security department will be able to determine whether or not the issue requires immediate attention. Any reports that are deemed to be legitimate will be investigated by the IT security department. The time frame of such an investigation will depend on the seriousness of the security breach, policy violation, or security vulnerability. After the conclusion of the investigation, the IT security department will address the issue in an appropriate manner. This includes correcting the security vulnerability, reporting the employee who was found to have violated Firion’s cyber security policy, and taking steps to end the security breach.
Awareness and Information Security
Employees of Firion pride themselves on the quality of the jackets the company produces, the safety these products provide, and the science that goes into making Firion a cutting-edge company. That pride can have negative effects on the company and its future business. Because Firion is a cutting-edge company, special attention must be applied to the security of its physical and intellectual assets. This intellectual property is not just what might be considered a secret formula, or an important release date, but can include small pieces of information that could easily be incorporated into a much larger piece. At Firion we call this desire to be cognizant of information, its use, and how it is protected “Information Security” (Information Security, n.d.).
Many individuals may desire to gain access to information that Firion owns for a variety of reasons. These actors may desire access to the company’s systems for personal profit or to gain additional information about Firion’s scientific developments in order to further their own research or to sell the information to competitors. It is also possible that an actor may be disgruntled with Firion and seek to cause harm to the company as a whole (Campbell & Kennedy, 2009).
These actors can be blunt and seek to gain information directly from an employee. More likely the actor will lie, cheat, steal or apply subterfuge in order to obtain the information they desire. It is essential that employees are aware that these actors are present, as knowing a threat exists is the first step in being able to create a defense (Voiskounsky & Smyslova, 2003).
In order to protect the employees of Firion, there are a number of procedures in place to prevent the deliberate or inadvertent sharing of company information. It is preferred that employees of Firion do not act as representatives of the company on either public or private forums unless their job duties entitle them to be public relations representatives. This protects not only Firion by assuring that company data is shared in a controlled fashion, but also protects the employee so they do not become a target for any derogatory information that may be reported against the company.
Employees at Firion, depending on duties, are asked to sign non-disclosure agreements. These agreements are written to protect especially sensitive information. They are legally binding, allow Firion to maintain control of its company-based intellectual property, and are enforced under U.S. federal law. The Economic Espionage Act of 1996 is designed not only to protect a company’s secrets from being sold to a foreign power, but also to protect against the sale of corporate secrets in general. Under this law, any individual who discloses a trade secret to the economic benefit of anyone other than the owner of that secret can be imprisoned for not more than 10 years, or face up to $5 million in fines (44 USC § 3542, 2002).
Data Classification and Access Control
Data is a critical asset at Firion. Beyond the day-to-day production of protection equipment, the company has thousands of employees who have provided private, economic, and health based information to the company. This data is just as critical to protect as any company secret. All employees are responsible for information security. As such the company has instituted a series of data classifications to help guide employees as to how data should be treated both inside and outside of Firion.
This classification of data is designed to be a tool to help employees protect critical information from being disclosed to illicit actors. These actors could utilize this data to further their own economic or personal goals (Woodbury, 2007). Firion classifies data into four separate categories: public, official use only, confidential, and secret.
Public data is that which is made publicly available from the company. This type of data can include company produced brochures, pamphlets, or catalogs. It may also include publicly available press releases as approved or issued from Firion’s public affairs branch. Finally, it includes any and all interactive, publicly available data that may reside on the company Web site.
Official use only data is content that must be guarded due to ethical or privacy concerns. It must be protected from access, modification, transmission, storage or any other use other than what has been authorized by Firion. This data type is restricted to employees of Firion and should not be shared outside of the company. This information can include employment data, company phone books, internal e-mails, or internal memos and should be stored in protected forms of physical and electronic storage. Official use only information should not be posted or shared in public forums to include both physical and electronic mediums. When it is no longer needed it should be destroyed, shredded, or sanitized.
Confidential data is contractual or protected by statutes or regulations. This type of data is only disclosed to individuals on a need-to-know basis. The disclosure of this data can only be authorized by the company president, vice president, or board of governors. Examples of this type of data may include medical records, Social Security numbers, personnel and payroll records, bank account numbers, personal financial information, and any data that is identified by government regulation to be treated as protected data. This data should only be stored in a physically locked container or in a password-protected electronic format. It should not be disclosed without explicit management authorization and must not be published in any public forum. Finally, confidential data can only be destroyed by shredding or if in electronic format, sanitized and degaussed prior to disposal.
Secret data is information that if released could potentially damage Firion or lead to substantial loss of economic standing. This data shall never be disclosed outside of the company. Individuals who may have access to this data shall be under the non-disclosure agreement, which will legally bind them not to disclose this information. Examples of this data may include current internal economic statistics, protected manufacturing techniques, or on-going negotiation information. This data should only be stored in authorized systems that are separate and protected from day-to-day systems. All data on this system should be protected by a strong password at a minimum. This information should never be shared, printed, or created into a physical form. Destruction of this data must be through an authorized electronic format that includes sanitization and degaussing of magnetic materials.
Data classification is designed to ensure Firion is in compliance with a number of federally mandated laws. All health related information is required to be protected by the Health Insurance Information Portability and Accountability Act (HIPAA) (HHS, 2003). The Privacy Act of 1974 guarantees the protection of personal information (5 USC § 552A, 1974). Financial data is regulated, protected, and managed based upon the Sarbanes-Oxley Act of 2002 (Public Law 107-204, 2002). Finally, company secrets are protected under the Economic Espionage Act of 1996 (44 USC § 3542, 2002).
Sensitive and Critical Systems
Because of the importance of data at Firion there are many different types of authorized systems utilized inside the company. These systems can include the computers that individuals use on a day-to-day basis, the laptop that a team uses when it travels to create a presentation for a potential customer, the Blackberry that an executive receives e-mail on, or the closed network computer that individuals utilize while working on proprietary data.
These systems are increasingly vulnerable to potential attack or intrusion by an ever-growing community of qualified people with the intent to steal data. These actors may seek access to these systems for monetary gain for themselves or the company they work for, they may have personal reasons for seeking out data in Firion’s systems, or they may desire to destroy Firion’s capabilities from the inside (Verduyn, 2005). These actors can use a number of vectors to access Firion’s systems, including direct attacks from an external network source such as the Internet, a virus spread from a Universal Serial Bus (USB) drive, or utilization of pirated or unauthorized software as a cover to gain access. These actors are smart and will utilize any and all potential avenues to gain access to Firion’s systems.
Because of these vulnerabilities, Firion has instituted a strict policy concerning utilization of systems. Personal systems, capabilities, or software are never to be used on or with company owned networks, systems, or software. It is unacceptable for employees to have USB drives, wireless devices, or personal electronics in the workplace. No item is to be put in contact (wired or wireless) with a company owned system until such time as it is scanned and authorized by a qualified company network systems administrator. Also, no company system will be allowed to connect to an unauthorized system outside of the company network architecture without the authorization of a system administrator and information assurance manager. Finally, any and all systems that are utilized outside of the company network will be audited as soon as they are returned to a company workspace and before they can be utilized on a company owned network architecture.
This regulation enables Firion to continue to be in compliance with the Sarbanes-Oxley Act of 2002. This act mandates that companies continue to maintain internal controls, specifically for financial information (Public Law 107-204, 2002). By assuring control of all systems within Firion and protecting those systems the company is able to assure that all financial data is secure.
Firion can prevent or counter some security mishaps by simply being proactive when it comes to the company’s physical security. Physical security relates to any device that is used to protect or prevent inside or outside threats from damaging an organization’s proprietary information, networks, or assets. If properly mandated, hackers and employees alike have less of a chance to infiltrate a system with malicious intent. Performing regular surveys to assess exactly what Firion’s needs are regarding security allows management to see the threats and vulnerabilities faced by the company aside from human factors as well as the positive enforcement that is already in place.
With the amount of activity and people involved with the day-to-day operations on-site, it is mandatory for a company that deals with so many outside sources to have a strict entry and exit policy. Starting from the outside of the building, the physical security program includes guards that approve the entry of vehicles, specific identification badges that show each employee, contractor, or vendor access privileges and expiration dates, parking passes that correspond to specific cars, as well as posts and patrols that are actively involved with patrolling their assigned area (U.S. Department of Education, 2008).
Firion will be proactive in securing its buildings so that the chances of unwanted guests or cybercriminals gaining access to the property are lessened. A gate that is occupied by a guard will keep track of who is entering and exiting the facility and the company will also record these interactions on surveillance cameras. Once a person has been approved to enter the facility, access badges with proper identification will categorize exactly what access the person has and where he/she can go throughout the building. It is pertinent that Firion keep up to date with security compliance so that all individuals holding a badge are documented, recorded as they scan through turnstiles, and have their access promptly revoked after their badge has expired or after they have been terminated. Employees are also required to register their vehicles once they are given access to enter the facility as a way to keep track of vehicles that enter the premises without being overly burdensome. Marked parking passes eliminate extra work for the security guards and patrols as their attention can be focused more on visitors and other vehicles that are new to the building or making drop-offs.
With these procedures in place, threats and vulnerabilities associated with physical security are lessened. Employees will not have access to areas that do not relate to their job functions nor will they be able to enter certain parts of the facility during the day or after hours without their badge being scanned. Once scanned, a log is kept to track exactly where they are located in the building and how long they remain before entering a new section. Employees will also utilize access badges when logging into computers as level of computing privileges and information access is stored on each individual badge. A simple user will not have the same access privileges as an administrator and will ultimately not be able to modify any settings on their computer or be able to download any unlicensed software that may unknowingly harm the system or network they are connecting to. By utilizing this mechanism, separation of duties will be clear for employees and they will never have to question if they have certain rights to perform certain actions.
Outside threats and vulnerabilities for employees working while on travel or from home can be a problem if employees do not take necessary precautions. Employees that have portable laptops should always be cautious when on travel and connecting to other networks or unsecured Wi-Fi. The Information Technology (IT) department will ensure proper security settings are in place before distributing laptops as well as require users to attend a mandatory training session on what is and what is not acceptable when it comes to downloading software, or using USB and other external devices.
Employees, contractors, and vendors alike must be aware of the acceptable use policy in place at Firion. Ongoing security awareness training and mandatory continuing education are areas that will help reduce human errors that could contribute to possible security violations and other mishaps. When the whole company follows proper standards and procedures, it is easier to see where the problem areas rest. With employees being identified before reaching the building, wearing access badges and locking computers when not in use, physical security becomes less of a risk to the organization. Once employees are made aware of how important their role is in making the company more secure and have shown positive reinforcement of some sort, compliance naturally increases.
Data Back-up and Disaster Recovery
In order to recover from a disaster or data-loss incident, Firion will securely back up data on a regular basis depending on the system, and store back-ups at an off-site location. Firion will have data access control in which archived data can be retrieved without much effort and is readily available when needed. Storing information (servers, hard drives, or copyrights) at the off-site location is a good way to mitigate threats to security. Not only is the off-site facility secure, it has a better chance of surviving a natural disaster and is unknown to virtually anyone that works for the company except the specifically identified members of the disaster recovery team. As such, each team member with access to the off-site facility is recorded and is required to sign in and out when entering and exiting the building, which keeps a running log of who is accessing what and when.
To be sure Firion is able to maintain business continuity, a disaster recovery plan will be regularly updated. One cannot automatically assume that having a disaster recovery plan means that it will ever be put to use; however, it should be looked to as preventative maintenance. A company is more apt to survive a disaster when it is prepared for the worst. Having systems or networks that have been hacked or attacked by malware and/or viruses normally results in downtime as well as financial loss. With a recovery plan in place, data is backed up and easily accessible, risk assessments have been periodically given to ensure security policies are sufficient, and government regulations have been taken into consideration.
The threats and vulnerabilities associated with faulty equipment such as the firewall that was not patched with the most up to date software would have been addressed during the initial creation of the disaster recovery plan. Outsider threats that could potentially damage the organization would be denied and insider threats would be easily detected. Each member that participates in the disaster recovery plan will have a clear understanding as to what their roles and responsibilities are and have an active role in updating the user community with policies and procedures.
Overall, if employees of Firion stick to the cyber security policy that has been put in place, the company will have a successful track record when dealing with insider and outsider threats. Positive reinforcement, mandatory training, and simply being knowledgeable about security vulnerabilities are all motivating factors for employees to follow processes and procedures. The monthly periodic reviews are also a good way to make sure the security policy is being enforced. Although physical security, inside and outside the organization, is definitely a key factor when it comes to protecting a company’s assets, the manner in which Firion deals with human factors is what will determine how successful the company will be in mitigating the threat from cyber criminals or malicious insiders.
5 USC § 552A. (1974). Privacy Act of 1974. Retrieved from http://www.law.cornell.edu/uscode/text/5/552a
44 USC § 3542. (2002). Economic Espionage Act of 1996. Retrieved from http://www.law.cornell.edu/uscode/text/44/3542
Campbell, Q. & Kennedy, D.M. (2009). The Psychology of Computer Criminals. Computer and Security Handbook Volume 1, 5th Edition (pp. 12.4-12.8). Hoboken, NJ: John Wiley & Sons, Inc.
Department of Health and Human Services (HHS). (2003, May). U.S. Department of Health and Human Services: Summary of HIPAA Privacy Rules. Retrieved from http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/privacysummary.pdf
Fiegelson, J., & Calman, C. (2010, April). Liability for the costs of phishing and Internet theft. Journal of Internet Law, 13(10), 1. Retrieved from http://www.aspenpublishers.com/
Information Security. (n.d.). definition from PCmag.com Encyclopedia. Retrieved from http://www.pcmag.com/encyclopedia_term/0,1233,t=information+security&i=44958,00.asp
Public Law 107-204: Sarbanes-Oxley Act of 2002. (2002). Retrieved from http://www.gpo.gov/fdsys/pkg/PLAW-107publ204/content-detail.html
Rudolph, K. (2009). Implementing a security awareness program. In S. Bosworth, M.E. Kabay, & E. Whyne (Eds.), Computer security handbook volume 2, 5th edition (pp. 8, 28-30). Hoboken, NJ: John Wiley & Sons, Inc.
Smith J. & Kelley, D.E. (2010, July). UFC/ISC security design criteria overview and comparison. Applied research associates, INC. Retrieved from http://www.wbdg.org/resources/ufc_isc.php
UMUC. (2010). Interactive Case Study. Document posted in University of Maryland University College CSEC 620 9082 online classroom, archived at: http://webtycho.umuc.edu/
U.S. Department of Education. (2008, January). Administrative communications system, Departmental directive. Retrieved from http://www2.ed.gov/policy/gen/leg/foia/acsom4114.pdf
Verduyn, B. (2005). 2005 FBI Computer Crime Survey. Retrieved from http://mitnicksecurity.com/media/2005%20FBI%20Computer%20Crime%20Survey%20Report.pdf
Voiskounsky, A. & Smyslova, O. (2003). Flow-Based Model of Computer Hackers’ Motivation. Cyber Psychology & Behavior vol. 6 (2), 171-180, doi: 10.1089/109493103321640365
Woodbury, C. (2007). The Importance of Data Classification and Ownership. Retrieved from http://www.srcsecuresolutions.eu/pdf/Data_Classification_Ownership.pdf