ABSTRACT

With the growing requirements for protection generated by legislation such as the Privacy Act of 1974, the increasing complexity of computer and data communications applications, and increasing awareness of computer vulnerabilities, the discipline of computer security is achieving independent recognition. The current data processing literature is a rich source of information: articles and papers on security, the design of software protection, operational practices and auditing number in the thousands. Most of them, however, are either very narrow in scope or so general that they are of little use. The annotated references below are the ones this survey found worth a practitioner's attention.
REFERENCES
1. Abbott, Robert P. et al., A Bibliography on Computer Operating Systems Security, Lawrence Livermore Laboratory, University of California, The RISOS Project, Report UCRL-51555, April 1974. Technically oriented bibliography of key articles and papers relating to internal protection for computer systems.

2. Allen, Brandt, "Danger Ahead---Safeguard Your Computer," Harvard Business Review, November-December 1968. One of the early, well publicized articles on computer security. Helped achieve an awareness of physical security requirements.

3. Allen, Brandt, "Embezzler's Guide to the Computer," Harvard Business Review, July-August 1975. The author addresses the would-be embezzler directly and tells him not to worry about getting caught: the really large embezzlement schemes are still running, and their perpetrators are not being caught. Shows how to defraud through manipulation of the payroll, accounts payable, inventory, shipping document and accounts receivable records that are maintained in computers.

4. AICPA, Audits of Service-Center Produced Records, American Institute of Certified Public Accountants, Auditing Standards Division, New York, 1974. A guide for Certified Public Accountants examining and reporting on the financial statements of clients whose records are produced by a computer service center or timesharing firm. It is the basis for third-party audit reviews of such firms, and is oriented toward security and controls.

5. Anderson, James P., Computer Security Technology Planning Study, USAF Electronic Systems Division (MCIT), ESD-TR-73-51, October 1972. The "classic" study of computer security requirements for the later 1970's.

6. Anderson, James P., "Information Security in a Multi-User Computer Environment," in Advances in Computers, Vol. 12, Morris Rubinoff, Editor, Academic Press, New York, 1972. Stresses the technical problems and prospects of protecting data in multi-user computer environments. Shows how it is possible, and profitable, to penetrate systems for purposes of manipulation or unauthorized viewing.

7. Baran, Paul, On Distributed Communications: IX. Security, Secrecy, and Tamper-Free Considerations, Rand RM-3765-PR, August 1964. An unclassified discussion of cryptography. It anticipates the distributed data network exemplified by the ARPA net, and with it the need for secure communications links.

8. Bates, William S., "Security of Computer-Based Information Systems," Datamation, May 1970, pp. 60--65. A survey article, written by a Marine captain.

9. Beardsley, Charles W., "Is Your Computer Insecure?" IEEE Spectrum, January 1972. A survey article that updates the earlier work of Lance Hoffman.

10. Berg, John L. (Editor), Exploring Privacy and Data Security Costs---A Summary of a Workshop, U. S. Dept. of Commerce, National Bureau of Standards, NBS Technical Note 876, August 1975. On February 20, 1975, nine informed DP professionals were invited to NBS to discuss the costs of implementing privacy legislation. This is an edited summary of those discussions.

11. Bergart, J. F., Marvin Denicoff and David K. Hsiao, An Annotated and Cross-Referenced Bibliography on Computer Security and Access Control in Computer Systems, Ohio State University, Computer and Information Science Research Center, Report OSU-CISRC-TR-72-12, November 1971.

12. Bigelow, Robert P., "Legal and Security Issues Posed by Computer Utilities," Harvard Business Review, Vol. 43, September-October 1967, pp. 150--161.

13. Bigelow, Robert P., "The Privacy Act of 1974," The Practical Lawyer, Vol. 21, No. 6, September 1, 1975. Covers the 1974 Privacy Act in some detail, and shows its effect on computerized personal information systems.

14. Bingham, H. W., Security Techniques for EDP of Multi-Level Classified Information, RADC-TR-65-415, December 1, 1965. A classic study that predates much of the work in authorization technology. It examined military intelligence security control techniques for the Burroughs D825; hardware and software techniques then under study are explained in great detail.

15. Bisbey, Richard L. II and Gerald J. Popek, "Encapsulation: An Approach to Operating System Security," Proceedings, 1973 ACM Conference, San Diego, California; also AD-771-758, ARPA, October 1973. Encapsulation removes access controls from the host computer and places a minicomputer-based access control system at the peripheral interfaces. This is a logical extension of the hypervisor, or virtual machine monitor, and one solution to the security problems of fourth generation computer architecture.

16. Bjork, L. A. and C. T. Davies, Jr., The Semantics of the Preservation and Recovery of Integrity in a Data System, International Business Machines, Inc., Systems Development Division, Technical Report TR-02.540, December 1972; also in Proceedings, SHARE Conference, November 1973. Presents a unified view of data base recovery mechanisms, and proposes a set of concepts and principles built around spheres of control.

17. Branstad, Dennis K., "Security Aspects of Computer Networks," Proceedings, AIAA Computer Network Conference, Huntsville, Alabama, April 1973. Discusses the relevant issues of communications protocol, switching techniques and protection techniques in the design of secure computer/communications networks.

18. Branstad, Dennis K. and Susan K. Reed (editors), Controlled Accessibility Workshop Report, US Department of Commerce, National Bureau of Standards, NBS Technical Note 827, May 1974. Presents the results of a three day workshop in San Diego, sponsored by NBS and ACM. About 75 computer security professionals were invited, and discussed at length the technical and managerial issues of protection in computer systems. The results are significant, because much developmental work since then can be traced to the workshop.

19. Branstad, Dennis K., "Encryption Protection in Computer Data Communications," Proceedings, Fourth Data Communications Conference, Quebec City, Canada, October 1975, IEEE, New York. Encryption can be an effective process for protecting data during transmission; the degree of protection depends on the encryption algorithm, the implementation of the algorithm, and the associated administrative procedures. The further requirements of user identification, access authorization and auditing may be satisfied by combining encryption with a network access control machine (computer). The paper presents the proposed Federal encryption standard, the security requirements satisfied by proper use of the algorithm, and implementation considerations.

20. Brown, William (editor), Computer and Software Security, AMR International, New York, 1971. Contains the essential contents of the AMR Seminar on computer security. Physical security, development of a computer security plan, backup, legal issues, auditing, insurance, software and cryptographic techniques are all covered, with varying levels of competence and detail. Includes a key-word-in-context bibliography covering citations up to mid-1971.

21. Browne, Peter S., "Computer Security---A Survey," Data Base, Quarterly Publication of the ACM Special Interest Group on Business Data Processing, Fall 1972. An annotated bibliography of over 100 items presenting the state of the art as of 1972. It references some little publicized material, and shows the importance of then-classified Department of Defense activity in the field.

22. Browne, Peter S. and Dennis D. Steinauer, "A Model for Access Control," 1971 ACM-SIGFIDET Workshop on Data Description, Access and Control, San Diego, November 11--12, 1971. Authorization is discussed from the standpoint of requirements for access to given objects. A conceptual model, based on the work of Weissman, is developed.

23. Browne, Peter S., "Computer Security---A Risk Management Approach," Security Register, December 1973. Surveys the problems of security, shows how to approach a computer security program systematically, and calls for a risk management approach.

24. Browne, Peter S., "Security in Computer Networks," NBS Special Publication 404, U. S. Dept. of Commerce, National Bureau of Standards, 1974; also in Data Communications User, January 1975. Makes the point that security in networks is an extension of security in multi-user computer systems. Physical and administrative controls come first, followed by the technical requirements of hardware, software and encryption controls.

25. Buskin, Arthur A., A Framework for Computer Security, SDC Technical Memorandum TM-WD-5733, System Development Corporation, McLean, Virginia, June 1975. Presents an overview of the computer security problem and an interrelated set of axioms and principles of computer security as the beginning of a top-down, structured approach.

26. Canadian Institute of Chartered Accountants, Computer Control Guidelines, Canadian Institute of Chartered Accountants, 1970. An early attempt to define controls in computer systems as guidelines for auditors.

27. Canning, Richard G., "Data Security in the CDB," EDP Analyzer, May 1970.

28. Canning, Richard G., "Security of the Computer Center," EDP Analyzer, December 1971.

29. Canning, Richard G., "Computer Security: Backup and Recovery Methods," EDP Analyzer, January 1972.

30. Canning, Richard G., "Protecting Valuable Data," EDP Analyzer, December 1973, Vol. 11, No. 12, and January 1974, Vol. 12, No. 1.

31. Canning, Richard G., "Computer Fraud and Embezzlement," EDP Analyzer, April 1975, Vol. 13, No. 4. These issues, written by one of the world's experts in business data processing, are each a concise yet complete exposition of current thinking on their topic.

32. Chastain, Dennis R., "Security vs. Performance," Datamation, November 1973. Scrambling devices, file access validation and subversion tests are all part of a security environment. The author discusses his measurements at the Defense Intelligence Agency of the overhead these mechanisms impose.

33. Clements, Don and Lance J. Hoffman, Computer Assisted System Design, Electronics Research Laboratory, College of Engineering, Univ. of California, Berkeley, CA, ERL-M468, November 1974. Describes a software package that partially automates the selection of security techniques applicable to a particular system design.

34. Computer Security Research Group, Computer Security Handbook, Douglas B. Hoyt, Chairman, Macmillan and Company, Inc., New York, October 1973. Provides detailed information on management's role in accountability and reporting, hardware/software controls, computer risk insurance, auditing computerized systems and outside contract services. The Computer Security Research Group was sponsored by the Atlantic and New Jersey Chapters of the Association for Systems Management. Authors are Arthur Hutt, Belden Menkus, Eugene Redmond, Seymour Bosworth, Ralph Jones, Herbert Dickson, Robert Daley, Dick Brandon, Joseph Wasserman, Theodore Christiansen, Guy Migliaccio and Stephen Falb.
35. [entry missing from source]

36. [entry missing from source]

37. Conway, Richard, William Maxwell and Howard Morgan, "Selective Security Capabilities in ASAP: A File Management System," Proceedings, 1971 Fall Joint Computer Conference, Las Vegas, Nevada, November 16--18, 1971. doi 10.1145/1478873.1479029.

38. Cotton, Ira W. and Paul Meissner, "Approaches to Controlling Personal Access to Computer Terminals," Proceedings of the 1975 Symposium, Computer Networks: Trends and Applications, National Bureau of Standards, Institute for Computer Sciences and Technology. Considers a number of approaches to protection against unauthorized access to computers and surveys the state of the art in personal identification. Explains how devices can be compared, and introduces criteria for evaluating and comparing personal identification systems.

39. Courtney, Robert H. Jr., Forty Commonly Found Deficiencies in the Security of Data Processing Activities, IBM, June 1971. A common sense primer for management, outlining frequently overlooked security deficiencies.

40. Courtney, Robert H., Jr., Security Risk Assessment in Electronic Data Processing Systems, National Bureau of Standards, Task Group 15, October 1975. Postulates an approach to determining the risk to data processing, and shows how to quantify the potential benefits afforded by a given security protection for comparison with its costs.

41. Davies, C. T., Jr., A Recovery/Integrity Architecture for a Data System, IBM, Systems Development Division, May 1972. Discusses concepts of integrity as related to operating system and data base architecture.

42. Dean, Albert L., Jr., "Data Privacy and Integrity Requirements for On-Line Data Management Systems," 1971 ACM-SIGFIDET Workshop on Data Description, Access and Control, San Diego, CA, November 1971. Identifies security requirements for an on-line data base management system. The concepts were implemented in work by the author for the US government.

43. Denning, Peter J. (Chairman), An Undergraduate Course on Operating Systems Principles (Module 6---Protection), Interim Report of the COSINE Committee of the National Academy of Engineering (Commission on Education), June 1971. Embodies the principles of protection discussed in the paper by Graham and Denning.

44. Department of Defense, ADP Security Manual: Techniques and Procedures for Implementing, Deactivating, Testing and Evaluating Secure Resource-Sharing ADP Systems, DOD 5200.28M, January 1973; also see Industrial Security Manual for Safeguarding Classified Information, DOD 5220.22M, April 1970. Order from Superintendent of Documents, US Government Printing Office, Washington, DC 20402. These two manuals provide very helpful guidance for non-DOD government and commercial organizations in defining and implementing physical and data processing security programs. Even though the concepts of the DOD information classification hierarchy are pervasive, the methods, ideas and procedures are valuable in any environment.

45. Chadwick, H. A., "Burning Down the Data Center," Datamation, Vol. 21, No. 10, October 1975, pp. 60--64. A well written article that discusses DP insurance from the point of view of the data processing expert. Complex insurance terms and concepts are clearly explained. Guidance is given on what insurance coverage is needed, why various forms should be considered, and who can provide insurance services to DP installations.

46. Enger, Isador, Guy T. Merriman and Ann L. Bussemy, Automatic Security Classification Study, RADC TR 67-472, October 1967. Report of an investigation of the feasibility of using computers to assign government security classifications to textual material. The "correctness" was only 54%, but the techniques used showed promise for further research.

47. Federal Fire Council, Recommended Practices No. 1---Fire Protection for Essential Electronic Equipment, March 1962, Clearinghouse for Federal Scientific and Technical Information. Discusses practices for dealing with the threat of fire. The most thorough and concrete guidance to date.

48. Feistel, H., Cryptographic Coding for Data Bank Privacy, IBM Research Report RC-2827, March 1970; also in Scientific American as "Cryptography and Computer Privacy," May 1973. Discusses the concepts of cryptography that eventually led to an IBM pilot project and to the Federal encryption standard.

49. Fenwick, William A., "Marketing EDP Services: Reviewing the Legal Considerations," Computers and Automation, November 1971. A misnomer: the author is really talking about security measures to protect the confidentiality of data.

50. FIPS PUB 39, Glossary of Terminology for Computer Systems Security, Federal Information Processing Standards Task Group 15: Computer Systems Security, National Bureau of Standards, US Department of Commerce, Washington, DC, September 1975. A glossary of 70 terms relating solely to the concepts of privacy and computer security. The terms were extracted from many sources and refined through the joint efforts of FIPS Task Group 15, which was established in 1975 to develop standards and guidelines in computer systems security. Emphasis is on technical terms relating to computer security architecture and communications security.

51. Foster, Caxton C., "Data Banks---A Position Paper," Computers and Automation, March 1971, p. 28. A summary of what can go wrong (machine failure, logical errors, eavesdropping, wiretapping) and what to do about it.

52. Friedman, T. D., "The Authorization Problem in Shared Files," IBM Systems Journal, No. 4, 1970, pp. 258--280. Reviews the problem of sharing information while providing proper authorization. A model of a secured file system provides the basis for much current work in the field. Friedman rejects the hierarchical approach to authorization in favor of compartments, or categorization of access rights.

53. [entry missing from source]

54. Girdansky, M. B., "Cryptology, the Computer, and Data Privacy," Computers and Automation, April 1972. Also see Data Privacy: Cryptology and the Computer at IBM Research, IBM Research Reports, Vol. 7, No. 4, 1971. An interesting study of what researchers are doing to devise "unbreakable" codes and of how many classical approaches to encipherment are easily compromised. The paper discusses "Lucifer," a hardware encryption device.

55. [entry missing from source]

56. GMIS, An Administrative Guideline: Security and Confidentiality for Government Data Centers, GMIS, December 1973. A report for state and local government members of GMIS that views computer security from an organizational viewpoint, and structures guidance on legislation, administrative control, personnel security, data flow security, physical security, hardware/software protection and confidentiality codes of ethics.

57. Goldstein, Robert C., "The Cost of Privacy," Datamation, Vol. 21, No. 10, October 1975, pp. 65--71; also see his PhD dissertation, published by Honeywell Information Systems, Brighton, MA, 1975. Discusses the implementation requirements placed on operators of personal data systems by privacy legislation. Physical security and clerical work appear to be the high-cost categories. Some possibilities for reducing the impact of privacy legislation are outlined.

58. Goode, George E., "Security for Teleprinters and Data Communications," Data Management, January 1973. Describes cryptographic methods for securing communications.

59. [entry missing from source]

60. [entry missing from source]

61. Guide International, Data Center Security Guidelines, Guide Data Center Security Project, GSD 28-070, February 1972. A set of guidelines for implementing and managing security in a data processing operations environment, developed by a dedicated project at GUIDE, the major IBM user group.
62. GUIDE-SHARE, Data Base Management System Requirements, Joint GUIDE-SHARE Data Base Requirements Group, November 11, 1970. An important document that outlines idealized requirements for data base management. Security and integrity play a dominant role.

63. Held, Gilbert, "Locking Intruders Out of a Network," Data Communications, January-February 1975, pp. 27--31. The author favors a password scheme for controlling access to network components, gaining additional security through the use of nonprinting characters. Interesting statistics are presented on the possibilities of compromise using a minicomputer to make repeated attempts and exhaustively enumerate the possible password combinations.
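The exhaustive enumeration Held describes can be worked through directly. The following is an added example, not code or figures from Held's article: it computes the keyspace and mean search time for printable-only and full-ASCII (printable plus control character) passwords, and runs an actual brute-force enumeration against a constructed login check to show that an attacker who enumerates printable characters only never finds a password containing a control character. The 10 guesses per second rate is an assumed figure for a terminal line of the period.

```python
"""Added example: exhaustive enumeration of passwords and the work factor
set by alphabet size and length.  Secrets, rates and the login check are
constructed for illustration; they are not figures from Held's article."""
import itertools
import string
from typing import Callable

# 95 printable ASCII characters (letters, digits, punctuation, space)
PRINTABLE = string.ascii_letters + string.digits + string.punctuation + " "
# 33 nonprinting ASCII characters: the 32 control codes plus DEL
CONTROL = "".join(chr(c) for c in range(32)) + chr(127)
FULL_ASCII = PRINTABLE + CONTROL          # 128 characters

SECONDS_PER_YEAR = 31_557_600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def expected_guesses(alphabet_size: int, length: int) -> float:
    """Mean guesses to hit a password chosen uniformly from the keyspace."""
    return (keyspace(alphabet_size, length) + 1) / 2


def expected_seconds(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Mean time for an exhaustive search at an assumed guess rate."""
    return expected_guesses(alphabet_size, length) / guesses_per_second


def enumerate_until_match(alphabet: str, length: int,
                          try_login: Callable[[str], bool]) -> int:
    """Try every string over `alphabet` of the given length, in order, against
    the login check.  Returns the number of attempts made, or -1 when the
    password uses a symbol outside `alphabet` and is therefore never found."""
    attempts = 0
    for symbols in itertools.product(alphabet, repeat=length):
        attempts += 1
        if try_login("".join(symbols)):
            return attempts
    return -1


def make_login(secret: str) -> Callable[[str], bool]:
    """Stand-in for a network component's password prompt (constructed)."""
    return lambda guess: guess == secret


def compare_alphabets(length: int, guesses_per_second: float) -> dict:
    """Work factor for printable-only versus full-ASCII passwords."""
    return {
        "printable_keyspace": keyspace(len(PRINTABLE), length),
        "full_ascii_keyspace": keyspace(len(FULL_ASCII), length),
        "printable_years": expected_seconds(len(PRINTABLE), length,
                                            guesses_per_second) / SECONDS_PER_YEAR,
        "full_ascii_years": expected_seconds(len(FULL_ASCII), length,
                                             guesses_per_second) / SECONDS_PER_YEAR,
    }


if __name__ == "__main__":
    # Assumed rate: a minicomputer driving a terminal line at 10 guesses/s
    print(compare_alphabets(length=6, guesses_per_second=10.0))
    # A two-character password containing BEL (0x07) is never found when the
    # attacker enumerates printable characters only ...
    print(enumerate_until_match(PRINTABLE, 2, make_login("a\x07")))     # -1
    # ... but falls on attempt 103 once control characters join the alphabet.
    print(enumerate_until_match(FULL_ASCII, 2, make_login("a\x07")))    # 103
```

Two points follow from the numbers. Adding the 33 control characters multiplies a six-character keyspace by about (128/95)^6, roughly sixfold; the benefit is real but modest, and it vanishes entirely against an attacker who knows to include control characters in the alphabet. The length of the password and a limit on the rate of attempts (or a lockout after repeated failures) do far more to the work factor than the choice of alphabet.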
64. Healy, R. J., Emergency and Disaster Planning, New York, Wiley Press, 1969. An industrial security expert writes on the principles of emergency planning.

65. Hemphill, Charles F., Jr., Security for Business and Industry, Homewood, Illinois, Dow Jones-Irwin, Inc., 1971. This book has very little to do with EDP (only one chapter discusses computer room safeguards), but the principles of physical security are worth reading.

66. [entry missing from source]

67. [entry missing from source]

68. Hoffman, Lance J. and W. F. Miller, "Getting a Personal Dossier From a Statistical Data Bank," Datamation, May 1970. An interesting example of how to infer information about an individual by indirect means from files that release only statistical summaries.
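The inference Hoffman and Miller describe is easy to reproduce. The following is an added example, not code or data from their article: a toy statistical data bank with twelve constructed personnel records answers only COUNT and SUM queries and refuses any query whose result set is smaller than k records (or larger than N minus k), the usual query-set-size control. A "tracker" pair of permitted queries nonetheless isolates one manager's salary, because SUM(A) minus SUM(A and not B) equals SUM(A and B) even when the last query would itself be refused. The department names, titles and salaries are constructed for illustration.

```python
"""Added example: inferring one person's record from a statistical data bank
that answers only aggregate queries.  The personnel records are constructed
for illustration and are not from Hoffman and Miller's article."""
from dataclasses import dataclass
from typing import Callable, List

Predicate = Callable[["Record"], bool]


@dataclass(frozen=True)
class Record:
    name: str
    dept: str
    title: str
    salary: int


# Constructed sample data bank: 12 employees, one manager per department
RECORDS: List[Record] = [
    Record("A. Baker", "Payroll", "Manager", 31000),
    Record("C. Davis", "Payroll", "Clerk", 12000),
    Record("E. Evans", "Payroll", "Clerk", 12500),
    Record("F. Foster", "Payroll", "Clerk", 11800),
    Record("G. Grant", "Payroll", "Clerk", 13200),
    Record("H. Hill", "Shipping", "Manager", 29000),
    Record("I. Irwin", "Shipping", "Clerk", 11000),
    Record("J. Jones", "Shipping", "Clerk", 11500),
    Record("K. King", "Shipping", "Clerk", 10900),
    Record("L. Lee", "Accounts", "Manager", 30500),
    Record("M. Moore", "Accounts", "Clerk", 12200),
    Record("N. Nash", "Accounts", "Clerk", 12700),
]


class QueryRefused(Exception):
    """Raised when a query would reveal too small (or too large) a group."""


class StatisticalDataBank:
    """Answers COUNT and SUM only, and refuses any query whose result set has
    fewer than k records or more than N - k (the query-set-size control)."""

    def __init__(self, records: List[Record], k: int) -> None:
        self.records = records
        self.k = k

    def _rows(self, pred: Predicate) -> List[Record]:
        rows = [r for r in self.records if pred(r)]
        n, total = len(rows), len(self.records)
        if n < self.k or n > total - self.k:
            raise QueryRefused(f"query set of size {n} not permitted")
        return rows

    def count(self, pred: Predicate) -> int:
        return len(self._rows(pred))

    def sum_salary(self, pred: Predicate) -> int:
        return sum(r.salary for r in self._rows(pred))


def tracker(db: StatisticalDataBank, a: Predicate, b: Predicate) -> int:
    """Recover SUM over the forbidden set (A and B) as SUM(A) - SUM(A and not B).
    Both component queries have permitted sizes, so the control never fires."""
    return db.sum_salary(a) - db.sum_salary(lambda r: a(r) and not b(r))


def demo(k: int = 3) -> dict:
    db = StatisticalDataBank(RECORDS, k)
    in_payroll: Predicate = lambda r: r.dept == "Payroll"
    is_manager: Predicate = lambda r: r.title == "Manager"
    try:
        db.sum_salary(lambda r: in_payroll(r) and is_manager(r))
        direct = "allowed"
    except QueryRefused:
        direct = "refused"           # the single-record query is blocked ...
    inferred = tracker(db, in_payroll, is_manager)   # ... the tracker is not
    return {"direct_query": direct, "inferred_salary": inferred,
            "payroll_headcount": db.count(in_payroll)}


if __name__ == "__main__":
    # {'direct_query': 'refused', 'inferred_salary': 31000, 'payroll_headcount': 5}
    print(demo())
```

The lesson is that a minimum query-set size is not, by itself, a confidentiality control: any individual who is uniquely described by a conjunction of attributes can be singled out with two or three permitted queries. Controls that actually raise the cost of this attack (limits on overlapping query sets, random perturbation of answers, auditing the sequence of queries a user issues) are the subject of much of the later statistical data base literature.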
69. Hoffman, Lance J. (editor), Security and Privacy in Information Systems, Melville Publishing Company, Los Angeles, California, 1973. The book developed from a collection of readings used in a graduate course on the technological methods of providing security in computer systems.

70. Hollingsworth, Dennis, Steve Glaseman and Martha Hopwood, Security Test and Evaluation Tools: An Approach to Operating System Security Analysis, Rand Corporation, P-5298, September 1974. As of this paper, the techniques for determining the security characteristics of system software are primitive, based generally on penetration testing and manual examination of system source code. The paper suggests ways of developing and refining the tools of operating system security analysis.

71. Honeywell Information Systems, "Computer Security and Privacy," Symposium Proceedings, April 1975. A symposium sponsored by Honeywell Information Systems. Includes 20 papers covering security approaches, requirements, technical solutions, and data center management.

72. Hsiao, David K., A File System for a Problem Solving Facility, PhD dissertation, University of Pennsylvania, 1968; published by NTIS, Springfield, VA, AD-671826. Hsiao discusses the use of an "authority item" which allows protection below the file level. The system is based on a multilist file structure.

73. Hunt, Kathleen and Rein Turn, Privacy and Security in Databank Systems: An Annotated Bibliography, 1970--1973, Rand Corporation, Santa Monica, CA, R-1351-NSF, March 1973.

74. International Business Machines, Data Security and Data Processing (Volumes 1--6), IBM, Data Processing Division, June 1974. Presents the findings of the data security study project begun in May 1972 at MIT, TRW Systems, the State of Illinois and IBM's Federal Systems Division. The IBM Resource Security System (RSS) was evaluated. Results of cost studies and implementation measurements, as well as general papers on the subject, are included in this unevenly presented but valuable collection.

75. International Business Machines, Inc., The Considerations of Data Security in a Computer Environment, IBM, Data Processing Division, 1968. A widely distributed monograph on data security; it helped bring attention to some of the needs and problems.

76. International Business Machines, Inc., The Considerations of Physical Security in a Computer Environment, IBM, 1968. A companion security monograph to the preceding one; it draws largely on the work and experience of Robert Courtney.

77. International Business Machines, Inc., The Fire and After the Fire, IBM, Data Processing Division, G520-2741-0, January 1973. A marketing oriented brochure that explains how IBM averted a major disaster, through its backup and recovery plan, following a fire at its Program Information Department facility.

78. International Business Machines, Inc., Proceedings: IBM Data Security Forum, Denver, Colorado, September 1974, IBM, Data Processing Division, G520-2965-0, 1974. Contains a number of papers on data security topics, including risk management, hardware protection, and operational controls to enhance data security.

79. Jacobson, Robert V., Peter S. Browne and William F. Brown (editors), Guidelines for Automatic Data Processing Physical Security and Risk Management, US Department of Commerce, National Bureau of Standards, FIPS PUB 31, June 1974. Basic reference guidelines for implementing physical security and risk management. Numerous sources of information are cited that will aid an installation manager in defining security requirements and making essential security decisions.

80. Jacobson, Robert V., "Cornerstones for Computer Security," Security Register, Vol. 1, No. 2, January-February 1974. Discusses the fallacies of the "amulet" approach to computer security, as traditionally practiced. Risk analysis, quality control, contingency planning and independent audit are postulated as the four cornerstones of computer security.

81. Kahn, David, The Codebreakers, The Macmillan Company, New York, 1967. The classic book for those interested in cryptology and cryptanalysis.

82. Karush, A. D. and R. H. Larson, Analysis and Measurement of the Audit Recording Function, System Development Corp., TM-4435, August 1969. Early research in system audit mechanisms.

83. Krauss, Leonard I., Administering and Controlling the Company Data Processing Function, Prentice Hall, Englewood Cliffs, NJ, 1969.
|
| |
84
|
|
 |
85
|
|
| |
86
|
Lipner, Steven, "A Minicomputer Security Control System," Compcon 74, San Francisco, February 1974. Lipner is a pioneer in espousing and developing a protected hardware/software system based on the concept of a "security kernel," a certifiably small, protected module that itself is the authorization mechanism for other system components.
|
| |
87
|
|
| |
88
|
Martin, James and Adrian Norman, The Computerized Society, Prentice-Hall, Englewood Cliffs, NJ, 1970, pp. 481--498. Security and privacy are extensively treated in this book which explores the effect of computers on society.
|
| |
89
|
Menkus, Belden, "Computer Security Needs a Common Sense Approach," Administrative Management, March 1973. Discusses two aspects of comprehensive physical security. The first step is to build security into the facility by making it inconspicuous, installing access controls, and providing basic environmental support. The second step is to ensure integrity of processing through controls over input and file access, and ensuring good facility operating procedures.
|
| |
90
|
MITRE Corporation, The Privacy Mandate---Planning for Action, National Bureau of Standards and MITRE Corp. Washington DC, August 1975. A summary of a workshop sponsored by the publishing organizations to develop recommendations for action in implementing privacy legislation. Four working panels covered the issues of individual privacy rights, institutional responsibilities, technological implications and the economics of privacy. Viewpoints of many interested organizations are also included. Unfortunately, the proceedings do not capture the depth of discussion that actually took place.
|
 |
91
|
|
| |
92
|
National Bureau of Standards, Computer Security Guidelines for Implementing the Privacy Act of 1974, Department of Commerce, National Bureau of Standards, FIPS PUB 41, September 1975. Provides a set of guidelines for the use of technical procedures for safeguarding personal data in automated information systems. Covers physical security procedures, information management practices and computer system/network security controls.
|
| |
93
|
National Fire Protection Association, Standards for the Protection of Electronic Computer Systems, NFPA Standard 75, May 1962. Covers fire detection and suppression equipment requirements.
|
| |
94
|
Neumann, Peter, "On the Design and Verification of a Secure Operating System," Proceedings, 1974 National Computer Conference, AFIPS Press, pp. 978--979. Neumann of Stanford Research Institute, has been doing work for government agencies and others in proving the correctness of software, with ultimate security and protection implications.
|
| |
95
|
Noll, A. Michael, "The Interactions of Computers and Privacy," Honeywell Computer Journal, Vol. 7, #3, 1973. A survey of the existing relationship between computer usage and the concepts of confidentiality, security and privacy. Explores where new problems raised by technology show gaps and inadequacies in laws. Covers computer security threats, levels, costs and surveys the technological aspects of computer security.
|
| |
96
|
Notz, W. A. and J. L. Smith, An Experimental Application of Cryptography to a Remotely Accessed Data System, IBM Corp., RC 3508, August, 1971. Describes "Lucifer," a hardware encryption and decoding device attached to a time-shared IBM 360/67.
|
| |
97
|
Office of Emergency Preparedness, Disaster Preparedness, Report to the Congress by Executive Office of the President, Office of Emergency Preparedness, US Government Printing Office, January 1972. A comprehensive study useful for the data processing risk manager. Discusses and quantifies risks due to floods, wind, fire, earthquakes, landslides, volcanos, freezes and droughts.
|
| |
98
|
Owens, Richard C. Jr., "Evaluation of Access Authorization Characteristics of Derived Data Sets," 1971 SIGFIDET Workshop on Data Definition, Access and Control, pp. 263--278, ACM, New York. Project MAC---TR89, July 1971, also NTIS AD-728036. The two papers by Owens describe the access control for the MACAIMS Data Management project at MIT. The concepts are quite sophisticated.
|
| |
99
|
Palme, Jacob, "Software Security," Datamation, January 1974, Vol. 20, #1. Discusses the prevention of illegal access to, modification of and interference with data. A general, survey type article.
|
| |
100
|
Parker, Donn B., Susan Nycum and S. Stephen Gura, "Computer Abuse," Stanford Research Institute, Final Report, NSF Grant GI-37226, Report NSF/RA/S-73-017, November 1973. Describes results of a study of 148 cases of computer abuse. Provides technical, legal, and social perspectives on computer crime. The purpose of the report is to alert business and government users of the seriousness, extent, and potentials of computer abuse as a new and emerging social and technological problem.
|
| |
101
|
Parker, Donn B. and Susan Nycum, "The New Criminal," Datamation, January 1974, Vol. 20, #1. Discusses the old Trojan Horse program trick, and others that have netted millions for enterprising, crooked data processing personnel.
|
| |
102
|
Patrick, Robert B. (editor), AFIPS System Review Manual on Security, AFIPS Press, Montvale, NJ, 1974. The results of a two year study under the direction of a committee chaired by John Gosden of Equitable Life Insurance Co. It consists of a set of guides for evaluation and a series of checklists to aid in the review of system security.
|
 |
103
|
|
 |
104
|
|
| |
105
|
Pfaff, Alfred M., Toward A Taxonomy of Computer Security Requirements for Federal Agencies, Federal Information Processing Standards Task Group 15: Computer System Security, National Bureau of Standards, US Department of Commerce, Washington, DC, September, 1975. Computer security is defined as organized into the three distinct aspects of processing integrity, data integrity and data confidentiality. Security requirements are mapped to particular security countermeasures, and a system for rating the degree of compliance is proposed. A very useful addition is the extraction of relevant portions of US Codes (Public Law) relating to computer security.
106
107
Reed, Susan K. and Martha M. Gray, Controlled Accessibility Bibliography, US Department of Commerce, National Bureau of Standards, NBS Technical Note 780, June 1973. A comprehensive, technically oriented bibliography prepared in conjunction with the San Diego Controlled Accessibility Workshop.
108
Reed, Irving S., The Application of Information Theory to Privacy In Data Banks, Rand Corporation (NSF), R-1282-NSF, May 1973. Covers theoretical, mathematical aspects of information protection.
109
Renninger, Clark R. and Dennis K. Branstad (editors), Government Looks at Privacy and Security in Computer Systems, US Department of Commerce, National Bureau of Standards, NBS Technical Note 809, February, 1974. Potential confrontations between society and technology over problems of individual privacy and data confidentiality can be defused by understanding and action. A conference on privacy and security was held at NBS, November 19 and 20, 1973. A number of speakers provided statements of governmental needs and problems. Also suggested was a broad range of activities for satisfying the needs.
110
Renninger, Clark R. (Editor), Approaches to Privacy and Security in Computer Systems, US Department of Commerce, National Bureau of Standards, NBS Special Publication 404, September, 1974. This publication summarizes and contains the proceedings of a conference held at NBS on March 4--5, 1974 to continue the dialog in search of ways to protect confidential information in computer systems. Proposals were presented for meeting governmental needs for safeguarding data confidentiality. Among the proposals were the enactment of privacy legislation, improved computer system architecture and access controls, information and security management guidelines and the development of systematic, balanced approaches to system security. A number of prominent computer, legal and social professionals presented their views as to potential solutions.
111
Saltzer, Jerome H., "Ongoing Research and Development on Information Protection," Operating Systems Review, July 1974; also Proceedings, Computer Security and Privacy Symposium, Honeywell Information Systems, April 1975. A survey of current research in the technical solutions to computer security.
112
113
Saltzer, Jerome H. and Michael D. Schroeder, "The Protection of Information in Computer Systems," Proceedings of the IEEE, IEEE Computer Society, September 1975. A thorough discussion of the technical aspects of providing protection in computer systems. This is the most complete and most valuable discussion of the concepts of protection to date.
114
115
Shannon, C. E., Communications Theory of Secrecy Systems, Bell Telephone System Technical Journal, October 1949, Vol. 28, #4, pp. 656--715. The theory of cryptology has not been significantly improved since this landmark, unclassified study was published.
116
Sorensen, J. L., "Common Sense in Computer Security," Journal of Systems Management, April 1972, pp. 12--14. A hypothesis is made that computer security is nothing more than rational decision making.
117
Stern, Ludwig, "Contingency Planning: Why? How? and How Much?," Datamation, September 1974, Vol. 20, #9, pp. 83--95. Discusses an approach to contingency planning that has been implemented at a major corporation.
118
Turn, Rein, Privacy and Security in Personal Information, The Rand Corporation, Santa Monica, CA, R-1044-NSF, March 1974. This report presents the results of a National Science Foundation research study on theoretical and technical aspects of protection of personal information in databanks. The protection requirements and design of protection is the key focus. The investigation led to the establishment of classifications of systems and the sensitivity of personal information and the development of a protector-intruder model.
119
Turn, Rein, Remarks on the Instrumentation of Databank Systems For Data Security, The Rand Corporation, Santa Monica, CA, P-5151, January, 1974. This paper discusses the information requirements of an active security subsystem as well as auditing and threat monitoring. It explores ways of instrumenting a databank system for obtaining this information.
120
Turn, Rein and Norman Z. Shapiro, "Privacy and Security in Databank Systems: Measures of Effectiveness, Costs, and Protector-Intruder Interactions," Proceedings of the Fall Joint Computer Conference, Part I, December 5--7, 1972, Anaheim, California. doi: 10.1145/1479992.1480052.
121
Van Tassel, Dennis, Computer Security Management, Prentice-Hall, Inc., Englewood Cliffs, NJ, April 1972. One of the first books to appear concerning computer security. It is largely a collection of previous articles by the author and a series of "horror stories."
122
Walter, K. G. et al, Modeling the Security Interface, Department of Computing and Information Science, Case Western Reserve University, Cleveland, Ohio, Report #1158, August 1974. Presents developments in modeling a security kernel.
123
Ware, Willis H., Computer Data Banks and Security Controls, The Rand Corporation, Santa Monica, CA, P-4329, 1970. A pioneering monograph by the dean of computer security professionals.
124
125
Wasserman, Joseph J., "Plugging the Leaks in Computer Security," Harvard Business Review, September 1969, pp. 119--129. One of the early and most thorough efforts to provide a framework for operational controls in computer systems.
126
Wasserman, Joseph J., "Selecting a Computer Audit Package," Journal of Accountancy, April 1974. Explains a methodology and approach toward audit package evaluation.
127
Weiss, Harold, "Computer Security: An Overview," Datamation, Vol. 20, #1, January 1974. Even though computer crime is increasing, fire, earthquakes and storms are postulated as the greater hazard to computer systems. Few installations have taken even the simple steps toward protection.
128
129
Weissman, Clark, System Security Analysis/Certification Methodology and Results, System Development Corporation, Santa Monica, CA, SP-3728, October 1973. Presents an approach toward system certification.
130
Weissman, Clark, Tradeoffs in Security System Design, System Development Corporation, Santa Monica, CA, SP-3548, September 1970, also in Data Management, April 1972. A very important paper that clearly presents the issues of trade-off analysis in designing and implementing protection.
131
Wessler, John, Edith Myers and W. David Gardner, "Physical Security---Facts and Fancies," Datamation, July 1, 1971. Another survey article on physical security.
132
Westin, Alan F., Privacy and Freedom, Atheneum Press, New York, NY, 1967. The earliest and one of the clearest books on the subject.
133
Winkler, Stanley and Lee Danner, "Data Security in the Computer Communication Environment," Computer, Volume 7, No. 23, February 1974, IEEE. Describes security concerns in multi-terminal computer systems. Useful as an introduction to the problems and the nature of network security. Describes a number of possible implementations of controlled access to data.
134
Yourdon, Edward, "Reliability of Real-Time Systems," Modern Data, January-June 1972. A six-part series that thoroughly explores data integrity and reliability. Covered are the different concepts of reliability, causes of system failure, examples of failure and approaches to error recovery.