Books by
Charles Cresson Wood
CISA, CISM, CISSP
Independent Information Security Consultant


  • Information Security Roles & Responsibilities Made Easy [job descriptions, mission statements, and reporting relationship templates provided in hardcopy book and CD-ROM form], 2003; Publisher: Information Shield, Inc., Houston, TX; ISBN#1-881585-08-5.

  • Information Security Policies Made Easy [a book of 1350+ already-written policies provided in both hardcopy and CD-ROM], now in its 10th edition, 2005; Publisher: Information Shield, Inc., Houston, TX, USA; ISBN#1-881585-06-9.

  • Best Practices in Internet Commerce Security [derived from a survey of Internet merchants, Internet service providers (ISPs), Internet commerce hosting firms, Internet Trusted Third Parties (TTPs), and Internet commerce software vendors], 1998; Publisher: Information Shield, Inc., Houston, TX, USA; ISBN#1-881585-05-0.

  • How to Handle Internet Electronic Commerce Security: Risks, Controls & Product Guide [a guide for the design and specification of Internet security measures], released in 1996; Publisher: Information Shield, Inc., Houston, TX, USA; ISBN#1-881585-03-4.

  • Effective Information Security Management [a book of tools and techniques for dealing with information security problems], 1991; Publisher: Elsevier Advanced Technology, Oxford, England; ISBN#1-85617-070-5. Now out of print.

  • Computer Security: A Comprehensive Controls Checklist [a book detailing standard control practices -- particularly useful for audits and reviews], 1987; Publisher: John Wiley & Sons, New York, NY, USA; ISBN#0-471-84795-X.




Here is a sampling of over 300 security-related articles by Charles Cresson Wood:

"Five Ways Of Closing The Policy Gap," Information Security Magazine, March 2005; Publisher: TechTarget Media Group, Needham, MA [pub. no. 302]

"Prohibiting Surreptitious Collection Of Personal Data," Computer Security Alert, No. 256, October 2004; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 301]

"Secret Information Must Have Content Management System Protection," Computer Security Alert, No. 255, October 2004; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 300]

"Institutionalizing The Risk Management Lifecycle," information security portal which can be reached at http://searchsecurity.techtarget.com, policy tips column, December 2004; Publisher: TechTarget Media Group, Needham, MA [pub. no. 299]

"Sharing A Business-Related Personal Computer With Others," Computer Security Alert, No. 254, October 2004; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 298]

"Reselling, Disposing of, Recycling, or Donating Office Machines," Computer Security Alert, No. 253, November 2004; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 297]

"Owning Responsibility For Information Security," information security portal which can be reached at http://searchsecurity.techtarget.com, policy tips column, November 2004; Publisher: TechTarget Media Group, Needham, MA [pub. no. 296]

"Documenting Production Access Control Processes," Computer Security Alert, No. 252, October 2004; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 295]

"A Sensible Approach To Using Information Security Policy Templates," information security portal which can be reached at http://searchsecurity.techtarget.com, policy tips column, October 2004; Publisher: TechTarget Media Group, Needham, MA [pub. no. 294]

"Accepting Security Assistance From Outsiders," Computer Security Alert, No. 251, September 2004; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 293]

"Security Policies Can Fix The Ignorance Cycle," information security portal which can be reached at http://searchsecurity.techtarget.com, policy tips column, September 2004; Publisher: TechTarget Media Group, Needham, MA [pub. no. 292]

"Using Positive Reinforcement To Encourage Problem Reporting," Computer Security Alert, No. 250, August 2004; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 291]

"Policy: A Critical Component Of The Risk Management Process," information security portal which can be reached at http://searchsecurity.techtarget.com, policy tips column, August 2004; Publisher: TechTarget Media Group, Needham, MA [pub. no. 290]

"Locking Down Personal Computer Software," Computer Security Alert, No. 249, July 2004; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 289]

"The Benefits Of Writing A Policy Before New System Deployment," information security portal which can be reached at http://searchsecurity.techtarget.com, policy tips column, July 2004; Publisher: TechTarget Media Group, Needham, MA [pub. no. 288]

"So Your Organization Violated Its Own Policy...," information security portal which can be reached at http://searchsecurity.techtarget.com, policy tips column, June 2004; Publisher: TechTarget Media Group, Needham, MA [pub. no. 287]

"When Digital Rights Management Is Required," Computer Security Alert, No. 248, June 2004; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 286]

"Why ROI And Similar Financial Tools Are Not Advisable For Evaluating The Merits Of Security Projects," Computer Fraud & Security, pp. 8-10, May 2004; Publisher: Elsevier Advanced Technology, Oxford, ENGLAND (co-author with Donn B. Parker) [pub. no. 285]

"Peer-To-Peer File-Sharing Software Prohibited," Computer Security Alert, No. 247, May 2004; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 284]

"A Corporate Culture Of Non-Compliance," information security portal which can be reached at http://searchsecurity.techtarget.com, policy tips column, April 2004; Publisher: TechTarget Media Group, Needham, MA [pub. no. 283]

"Action Forcing Mechanisms," information security portal which can be reached at http://searchsecurity.techtarget.com, policy tips column, April 2004; Publisher: TechTarget Media Group, Needham, MA [pub. no. 282]

"Ten Reasons Why Organizations Should Perform Risk Assessments," Information Security Magazine, April 2004; Publisher: TechTarget Media Group, Needham, MA [pub. no. 281]

"Centralized Source For Information Security Training," information security portal which can be reached at http://searchsecurity.techtarget.com, policy tips column, April 2004; Publisher: TechTarget Media Group, Needham, MA [pub. no. 280]

"Vulnerability Testing For Production Application Code," Computer Security Alert, No. 246, April 2004; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 279]

"One Internal Source For All Information Security Policies," information security portal which can be reached at http://searchsecurity.techtarget.com, policy tips column, March 2004; Publisher: TechTarget Media Group, Needham, MA [pub. no. 278]

"Reporting Of Inadvertent Access To Prohibited Material," Computer Security Alert, No. 245, March 2004; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 277]

"Action Forcing Mechanisms," information security portal which can be reached at http://searchsecurity.techtarget.com, policy tips column, February 2004; Publisher: TechTarget Media Group, Needham, MA [pub. no. 276]

"Collection Of Information About Competitors," Computer Security Alert, No. 244, February 2004; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 275]

"Why Information Security Has Become Multi-Disciplinary, Multi-Departmental, And Multi-Organizational," Computer Fraud & Security, January 2004, Publisher: Elsevier Advanced Technology, Oxford, England [pub. no. 274]

"Only Most Recent Non-Beta Browsers Supported," Computer Security Alert, No. 243, January 2004; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 273]

"Intellectual Property Must Stay On Company-Provided Machines," Computer Security Alert, No. 242, December 2003; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 272]

"Centralized Orchestration Of Information Security," Computer Security Alert, No. 241, November 2003; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 271]

"Separation Of Duties Required For Production Systems," Computer Security Alert, No. 240, October 2003; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 270]

"Self-Service Computers Must Issue Receipts," Computer Security Alert, No. 239, September 2003; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 269]

"Placement Of Video Cameras To Protect Security Parameters," Computer Security Alert, No. 238, August 2003; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 268]

"Information Security Is An Overhead Function, Not Charged Back To Organizational Units," Computer Security Alert, No. 237, July 2003; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 267]

"Restricting The Transfer Of Private Data To Third Parties," Computer Security Alert, No. 236, June 2003; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 266]

"Work At Home Requirements For Staff Performing Critical Tasks," Computer Security Alert, No. 235, May 2003; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 265]

"Project Manager Notification Regarding Third Party Access," Computer Security Alert, No. 234, April 2003; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 264]

"Custodians For Third-Party Recipients Of Private Data," Computer Security Alert, No. 233, March 2003; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 263]

"Redistribution Of Information Posted On-Line," Computer Security Alert, No. 232, February 2003; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 262]

"Centralization Or Synchronization Of Customer Databases," Computer Security Alert, No. 231, January 2003; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 261]

"Opt-In For Sensitive Private Data Sharing, Opt-Out For Other Sharing," Computer Security Alert, No. 230, December 2002; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 260]

"Using Only Widely-Deployed Information Systems Technology," Computer Security Alert, No. 229, November 2002; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 259]

"Sensitive Data Must Be Encrypted When Not In Use," Computer Security Alert, No. 228, October 2002; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 258]

"Standard Configurations For All Computers And Networks," Computer Security Alert, No. 227, September 2002; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 257]

"Outbound Electronic Mail Messages Receive Standard Addendum," Computer Security Alert, No. 226, August 2002; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 256]

"Secondary Review Of All Materials Slated For Destruction," Computer Security Alert, No. 225, July 2002; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 255]

"De-Identification For Private Information That Is No Longer Required," Computer Security Alert, No. 224, June 2002; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 254]

"Do Not Destroy Documents You Expect To Be Relevant To Litigation," Computer Security Alert, No. 223, May 2002; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 253]

"Be Clear About Roles & Responsibilities Inside, But Not Outside, Your Organization," Computers & Security, June 2002; Publisher: Elsevier Advanced Technology, Oxford, England [pub. no. 252]

"The Human Firewall Manifesto," Computer Security Journal, Winter 2002; Publisher: Computer Security Institute (CMP Publishing), San Francisco, CA; pp. 15-18. [pub. no. 252]

"Don't Let Role Of Information Security Policies In The Arthur Andersen/Enron Case Go Without Mention To Your Chief Executive Officer," Computer Fraud & Security, pp. 11-13, May 2002; Publisher: Elsevier Advanced Technology, Oxford, England [pub. no. 251]

"Systems Administrators Must Not Handle Security Administration," Computer Security Alert, No. 222, April 2002; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 250]

"Announcing That Computers Are Unavailable Before Login Process," Computer Security Alert, No. 221, March 2002; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 249]

"Disclosing Passwords To Data Aggregators And Other Third Parties," Computer Security Alert, No. 220, February 2002; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 248]

"Two Category Data Classification Scheme," Computer Security Alert, No. 219, January 2002; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 247]

"Top Ten Information Security Policies to Protect Against Cyberterrorism," Network Magazine, January 2002; page 48; Publisher: Network Magazine, Skokie, IL [pub. no. 246]

"Document Information Security Roles, Responsibilities & Procedures," Computer Security Alert, No. 218, December 2001; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 245]

"Temporary Workers Must Have Background Checks Before Accessing," Computer Security Alert, No. 217, November 2001; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 244]

"Establishing A Back-Up Outsourcing Provider For Mission-Critical Services," Computer Security Alert, No. 216, October 2001; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 243]

"Installing Production System Software Patches, Bug Fixes & Upgrades," Computer Security Alert, No. 215, September 2001; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 242]

"Centralized Database Of Access Control Privileges For Terminations," Computer Security Alert, No. 214, August 2001; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 241]

"Using Tools Developed By Hackers Anywhere On Production Systems," Computer Security Alert, No. 213, July 2001; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 240]

"Public Disclosure Of Information Security Products Installed," Computer Security Alert, No. 212, June 2001; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 239]

"Access Controls Defined Prior To Cut-Over To Production Operation," Computer Security Alert, No. 211, May 2001; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 238]

"Blocking, Filtering, And Censoring Internet Traffic," Computer Security Alert, No. 210, April 2001; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 237]

"Unappreciated Dangers Of Using Aggregated Personal Data," Computer Security Alert, No. 209, March 2001; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 236]

"Cellular Phones Must Not Be Used In Computer Center," Computer Security Alert, No. 208, February 2001; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 235]

"Moving Systems Into Production Consistent With An Architecture," Computer Security Alert, No. 207, January 2001; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 234]

"Providing Robust Notice That Personal Information Is Collected," Computer Security Alert, No. 206, December 2000; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 233]

"Designated Responsible Manager For Vendors With System Access," Computer Security Alert, No. 205, November 2000; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 232]

"A Rapid Risk Assessment Process For Use With An Internet Commerce Arrangement," EDPACS (The EDP Audit, Control, and Security Newsletter); October 2000 (vol. XXVIII, no. 4); Publisher: Auerbach, CRC Press, Boca Raton, FL [pub. no. 231]

"An Unappreciated Reason Why Information Security Policies Fail," Computer Fraud & Security, October 2000; Publisher: Elsevier Science, Oxford, England [pub. no. 230]

"Releasing Sensitive Information In Phases," Computer Security Alert, No. 204, October 2000; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 229]

"Outsourcing Firms Must Provide Access To All Records," Computer Security Alert, No. 203, September 2000; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 228]

"Developers Must Notify Management Of Potential Security Problems," Computer Security Alert, No. 202, August 2000; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 227]

"All Networked Systems Must Display An Approved Banner," Computer Security Alert, No. 201, July 2000; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 226]

"Posted Web Privacy Policies As Contracts," Computer Security Alert, No. 200, June 2000; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 225]

"Archiving All Versions Of Web And Commerce Pages," Computer Security Alert, No. 199, May 2000; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 224]

"Providing Biometric Data To Third Parties," Computer Security Alert, No. 198, April 2000; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 223]

"Researchers Must Disclose All Sponsors And Potential Conflicts," Computer Security Alert, No. 197, March 2000; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 222]

"Integrated Approach Includes Information Security," Security, pp. 43-44, February 2000; Publisher: Cahners, Des Plaines, IL [pub. no. 221]

"Get Data Safety Policies In Place," American Banker, 11 February 2000, p. 7; Publisher: American Banker, New York, NY [pub. no. 220]

"All Internet Personal Data Gathering Techniques Must Be Disclosed," Computer Security Alert, No. 196, February 2000; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 219]

"All Critical Information Must Be Backed Up Off-Site," Computer Security Alert, No. 195, January 2000; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 218]

"Archive And Review Of All Electronic Mail," Computer Security Alert, No. 194, December 1999; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 217]

"The Information Security Profession: Evolutionary Career Paths," Information Security, November 1999; Publisher: ICSA.net, Norwood, MA [pub. no. 216]

Two chapters (respectively dealing with information security policies and Internet commerce security) in IPAK: Information Security Protection Kit, November 1999, published by Computer Security Institute, San Francisco, CA (also provided input to the prior edition) [pub. no. 215]

"Disclosures Of Private Information Without Data Subject Consent," Computer Security Alert, No. 193, November 1999; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 214]

"Second Job Impact On Objectivity And Competition With Employer," Computer Security Alert, No. 192, October 1999; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 213]

"Termination Of Outsourcing Contracts For Security Violations," Computer Security Alert, No. 191, September 1999; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 212]

"Top Ten Impediments To Implementing An Information Security Policy," Information Security, September 1999, Publisher: Information Security, Norwood, MA (cover story) [pub. no. 211]

"Systems Development Process Requires Information Security Sign-Off," Computer Security Alert, No. 190, August 1999; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 210]

"A Functional Comparison Of Tandem Data Replication Software Packages," an extensive independent report prepared for customers and prospects, August 1999; Publisher: Compaq Corporation, Cupertino, CA [pub. no. 209]

"Data Gathering Points And Corporate Privacy Policy," Computer Security Alert, No. 190, July 1999; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 208]

"Subjects Given Opportunity To Block Private Information Disclosures," Computer Security Alert, No. 189, June 1999; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 207]

"Prohibition Against Sharing Information About Security Systems," Computer Security Alert, No. 188, May 1999; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 206]

"Fixed Passwords Must Never Be Written Down Near Related Access Devices," Computer Security Alert, No. 187, April 1999; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 205]

"Use Of Personal Digital Assistants, Hand-Held Computers, And Smart Phones For Corporate Business Information," Computer Security Alert, No. 186, March 1999; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 204]

"All Systems Access Privileges Cease When Workers Terminate," Computer Security Alert, No. 185, February 1999; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 203]

"Risk Acceptance Memos Required For Out-Of-Compliance Situations," Computer Security Alert, No. 184, January 1999; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 202]

Best Practices in Internet Commerce Security: A Standard of Due Care Requirements List for Merchants, a special report funded by Visa International and CommerceNet, distributed to all Visa member banks; Publisher: Baseline Software, Sausalito, CA, October, 1998 [pub. no. 201]

"All Critical Systems Must Have Y2K Contingency Plans," Computer Security Alert, No. 183, December 1998; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 200]

"Non-Compliance And Disciplinary Action," Computer Security Alert, No. 182, November 1998; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 199]

"Twelve Reasons Why People Aren't Responding To The Y2K Crisis," Computer Fraud & Security, November 1998, Publisher: Elsevier Science, Oxford, England [pub. no. 198]

"Convenience Versus Multi-Factor User Authentication," Computer Security Alert, No. 181, October 1998; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 197]

"Twelve New Vulnerabilities Introduced by Internet Commerce," Information Security Bulletin, September 1998 (volume 3, issue 6, cover story), Publisher: Chi Publishing Ltd., London, England. [pub. no. 196]

"Remote Systems Must Employ Access Control Packages," Computer Security Alert, No. 180, September 1998; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 195]

"Information Security Staffing Levels: Calculating the Standard of Due Care," Computer Security Journal, Summer 1998; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 194]

"All Telephone Transactions Require Positive Caller Identification," Computer Security Alert, No. 179, August 1998; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 193]

"Public Exposure of Personal Identifiers," Computer Security Alert, No. 176, July 1998; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 192]

"Selling, Renting, or Giving Away Information About Customers," Computer Security Alert, No. 178, June 1998; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 191]

"Help Wanted Ads Must Not Disclose Company Name," Computer Security Alert, No. 177, May 1998; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 190]

"Perform Annual Organizationwide Risk Assessments," Computer Security Alert, No. 176, April 1998; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 189]

"Tamper-Proof Modules for Key Storage on Multi-User Machines," Computer Security Alert, No. 176, March 1998; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 188]

"Restricted Uses of Financial Account Numbers," Computer Security Alert, No. 175, February 1998; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 187]

"Don't Reveal Your Password, Ever -- Period," Computer Security Alert, No. 174, January 1998; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 186]

"Unauthorized Information Disclosure and Loss of Stock Options," Computer Security Alert, No. 173, December 1997; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 185]

"Documentation Requirements for Year 2000 Projects," Computer Security Alert, No. 172, November 1997; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 184]

"The Truth About Masquerading and Spoofing," Network Magazine, February 1998; Publisher: Miller Freeman, San Francisco, CA [pub. no. 183]

"Essential Controls for Internet Electronic Commerce," Proceedings of the COMPSEC'87 Conference, held in London, England, 5-7 November 1997; Publisher: Elsevier Science Publishers, Oxford, England [pub. no. 182]

"Information Security Policies Do Not Constitute A Sufficient Awareness Effort," Proceedings of the COMPSEC'87 Conference, held in London, England, 5-7 November 1997; Publisher: Elsevier Science Publishers, Oxford, England [pub. no. 181]

"Virus Protection for All LAN Servers and Personal Computers," Computer Security Alert, No. 171, October 1997; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 180]

"Releasing Employee Contact Information to External Parties," Computer Security Alert, No. 171, September 1997; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 179]

"Surreptitious Internet Collection of Personal Information," Computer Security Alert, No. 171, August 1997; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 178]

"Status of the Internet Electronic Commerce Security Market," Computer Fraud & Security, September 1997; Publisher: Elsevier Science Publishers, Oxford, England [pub. no. 177]

"Logging, Auditing, and Filtering for Internet Electronic Commerce," Computer Fraud & Security, August 1997; Publisher: Elsevier Science Publishers, Oxford, England [pub. no. 176]

"Unique Passwords for Each Internal Network Device," Computer Security Alert, No. 172, July 1997; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 175]

"Access Control Based on the Need-to-Withhold," Computer Security Alert, No. 171, June 1997; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 174]

"Users Must Not Distribute Information About System Vulnerabilities," Computer Security Alert, No. 170, May 1997; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 173]

"Place Multi-User Systems in a Locked Room," Computer Security Alert, No. 169, April 1997; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 172]

"Back-Up Security Administrator Must Be Designated and Trained," Computer Security Alert, No. 168, March 1997; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 171]

"Recent Cryptoprocess Developments: Highlights of the 1997 RSA Conference," Computer Fraud & Security, March 1997; Publisher: Elsevier Science Technology, Oxford, England [pub. no. 170]

"Controls for Global Electronic Commerce," Security Concepts [name of publication recently changed to Business & Facility Concepts], March 14, 1997; Publisher: Security Concepts, Salamanca, NY [pub. no. 169]

"Creating Effective Information Security Policies," InfoSecurity News, March/April 1997; Publisher: MIS Training Institute, Framingham, MA [pub. no. 168]

"Information Security Staffing Levels and the Standard-of-Due-Care: Results of a 1996 Survey," Computer Security Journal, March 1997; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 167]

"Default File Permissions for Networked Systems," Computer Security Alert, No. 167, February 1997; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 166]

"Managing Perceptions About Internet Electronic Commerce Security," Computer Security, Audit & Control, February 1997, pp. 10-12; Publisher: Management Advisory Services Publications, Wellesley Hills, MA [pub. no. 165]

"Risk Assessments Required for Major Changes to Critical Applications," Computer Security Alert, No. 166, January 1997; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 164]

"Require Approval for Intranet Posts," Computer Security Alert, No. 165, December 1996; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 163]

"Information Security: Are We Winning the Game?" Computer Fraud & Security Bulletin, January 1997; Publisher: Elsevier Science Technology, Oxford, England [pub. no. 162]

How to Handle Internet Electronic Commerce Security: Risks, Controls & Product Guide, [a guidebook for designers of Internet systems security, now out of print], November 1996; Publisher: Baseline Software, Sausalito, CA; ISBN#1-881585-03-4 [pub. no. 161]

"The Modern Approach to Inbound Dial-Up Connections," Computer Security Alert, No. 164, November 1996; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 160]

"Encryption for Files Left on Anonymous FTP Servers," Computer Security Alert, No. 163, October 1996; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 159]

"Encrypt All Sensitive Information Sent Via Internet," Computer Security Alert, No. 162, September 1996; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 158]

"Declassify Sensitive Information Automatically," Computer Security Alert, No. 161, August 1996; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 157]

"Escalation Process for Information Security Problems," Computer Security Alert, No. 160, July 1996; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 156]

"Password Changes After System Compromise," Computer Security Alert, No. 159, June 1996; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 155]

"Consistent Installation of the Most Recent Operating System Version," Computer Security Alert, No. 158, May 1996; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 154]

"An Internet Curmudgeon's Rants," Network Security, April 1996; Publisher: Elsevier Science Technology, Oxford, England [pub. no. 153]

"Encryption Systems Must Include Key Escrow," Computer Security Alert, No. 157, April 1996; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 152]

"Cryptography Plays Central Role in Future Electronic Commerce," March 1996, pp. 9-10, Computer Fraud & Security Bulletin; Publisher: Elsevier Science Technology, Oxford, England [pub. no. 151]

"Users Must Not Attempt to Eradicate Viruses," Computer Security Alert, No. 156, March 1996; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 150]

"Study Suggests Satellite System Dithering Be Dropped," March 1996, Computer Fraud & Security Bulletin; Publisher: Elsevier Science Technology, Oxford, England [pub. no. 149]

"Writing Infosec Policies," Computers & Security, Vol. 14, No. 8, January 1996, pp. 667-674; Publisher: Elsevier Science Technology, Oxford, England [pub. no. 148]

"EDP Audit Must Be Independent of Information Security," Computer Security Alert, No. 155, February 1996; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 147]

"Should You Rely on New Security Products?" Computer Security Alert, No. 154, January 1996; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 146]

"Reliance on Information Downloaded From Internet," Computer Security Alert, No. 153, December 1995; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 145]

"The Charles Cresson Wood File - First in a Series of Contributions on Security," Information Management and Computer Security, Vol. 3, No. 4, 1995, pp. 23-26; published by MCB University Press, West Yorkshire, England [pub. no. 144]

"Clarifying Responsibility for Network Security," Computer Security Alert, No. 152, November 1995; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 143]

"Information Security Problems as an Indication of Management Failures," Computer Fraud & Security Bulletin, November 1995; Publisher: Elsevier Science Ltd., Oxford, England [pub. no. 142]

"When to Report Computer Crimes to Law Enforcement," Computer Security Alert, No. 151, October 1995; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 141]

"Shifting Information Systems Security Responsibility from User Organizations to Vendor/Publisher Organizations," Computers & Security, vol. 14, number 4, October 1995, pp. 283-284; Publisher: Elsevier Science Ltd., Oxford, England [pub. no. 140]

"New Intellectual Property and the Need for Information Security," Computer Fraud & Security Bulletin, September 1995, pp. 18-19; Publisher: Elsevier Science Ltd., Oxford, England [pub. no. 139]

"Restricted Internet Use for Productivity," Computer Security Alert, No. 150, September 1995; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 138]

"The Creation of New Intellectual Property and Information Security," Computer Fraud & Security Bulletin, October 1995, Elsevier Science Publishers, Oxford, England [pub. no. 137]

"Require Approval for Official Statements Posted to the Internet," Computer Security Alert, No. 149, August 1995; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 136]

"Restrict Physical Movement for the Most Sensitive Information," Computer Security Alert, No. 148, July 1995; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 135]

"Writing Infosec Policies," Proceedings of COMPSEC'95, held in London, England, 25-27 October 1995; Publisher: Elsevier Science Publishers, Oxford, England [pub. no. 134]

"Internet Anarchy and the Effectiveness of Laws," Computerworld, 12 June 1995. Expanded version also appears as "Need for Worldwide Internet Laws," in Computer Fraud & Security Bulletin, p.10, July 1995, Elsevier Science Publishers, Oxford, England [pub. no. 133]

"License Management Software: Key to Small Systems Security," Computer Security Alert, No. 147, June 1995; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 132]

"ISO 9000 and Information Security," Computers & Security, vol. 14, no. 4, pp. 287-288, October 1995; Publisher: Elsevier Science Publishers, Oxford, England (co-author Karen Snow) [pub. no. 131]

"Information Security Awareness Raising Methods," Computer Fraud & Security Bulletin, June 1995, pp. 13-15; Publisher: Elsevier Science Publishers, Oxford, England [pub. no. 130]

"Clarifying a Risk Assessment Project's Scope," Computer Fraud & Security Bulletin, May 1995, pp. 9-11; Publisher: Elsevier Science Publishers, Oxford, England Abbreviated version also appears in InfoSecurity News, September/October 1995; Publisher: MIS Training Institute, Framingham, MA [pub. no. 129]

"Why SATAN Should Not Have Been Distributed As It Was," Computer Security Alert, No. 146, May 1995; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 128]

"Require Approval for Changes to Production Systems Software," Computer Security Alert, No. 145, April 1995; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 127]

"Access Control Packages for Network Connected Machines," Computer Security Alert, No. 144, March 1995; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 126]

"Opting-Out of Private Information Systems," Computer Security Alert, No. 143, February 1995; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 125]

"Destroy Archived Electronic Mail Periodically," Computer Security Alert, No. 142, January 1995; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 124]

"Internet Access Without Firewalls," Computer Security Alert, No. 141, December 1994; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 123]

"Wireless Network Security," Proceedings of Wireless Datacom '94 conference held in Washington, DC, 6-8 December 1994; Publisher: Business Communications Review, Hinsdale, IL Also published in Proceedings of COMPSEC'95, held in London, England, 25-27 October 1995; Publisher: Elsevier Science Publishers, Oxford, England [pub. no. 122]

"Testing Externally Provided Software," Computer Security Alert, No. 140, November 1994; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 121]

"Floppy Disk Security Measures," Computer Security Alert, No. 140, November 1994; Publisher: Computer Security Institute, San Francisco, CA Condensed version entitled "Control Your Floppies (or Else)," appears in May/June issue of InfoSecurity News, p. 16, MIS Training Institute, Framingham, MA [pub. no. 120]

"Forwarding Electronic Mail to an Outside Address is Risky," Computer Security Alert, No. 139, October 1994; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 119]

"Fifty Ways to Secure Dial-Up Communications," Computers & Security, May 1994, vol. 13, no. 3, pp. 209-215; Publisher: Elsevier Advanced Technology, Oxford, England Also appears in COMPSEC'94 Conference Proceedings (held in London, England, 12-14 October 1994); Publisher: Elsevier Advanced Technology, Oxford, England [pub. no. 118]

"Immediate Expulsion of Workers Leaving for Competing Organizations," Computer Security Alert, No. 138, September 1994; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 117]

"An Architecture for Secure Dial-Up," Information Security Monitor, August 1994; Publisher: IBC Publishing, London, England [pub. no. 116]

"Proof of Identity Required for Password Disclosure," Computer Security Alert, No. 137, August 1994; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 115]

"Identity Token Usage at American Commercial Banks," Computer Fraud & Security Bulletin, Elsevier Science Publishers, Oxford England, March 1995, pp. 14-16; also slated to appear in an upcoming 1995 issue of Computer Security Journal, Computer Security Institute, San Francisco, CA [pub. no. 114]

"Security Problems in Collaborative Computing," an October 1994 issue of Network World; Publisher: International Data Group, Framingham, MA [pub. no. 113]

"Annual Compliance Agreement Signatures," Computer Security Alert, No. 135, July 1994; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 112]

"Extended User Authentication for All Dial-Up Connections," Computer Security Alert, No. 134, June 1994; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 111]

"The Newest Threat to Information Security: Open Book Management," EDPACS, August 1994 issue; Publisher: Warren Gorham Lamont, Boston, MA Abbreviated version also appears in InfoSecurity News, p. 17, September/October 1995, vol. 6, No. 5; Publisher: MIS Training Institute, Framingham, MA [pub. no. 110]

"Prohibition Against Testing Information System Controls," Computer Security Alert, No. 133, May 1994; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 109]

"Beating the Hacker at His Own Game--Dreams Come True with Password Genie," Information Management & Computer Security, Vol. 1, No. 5, April 1994; Publisher: MCB University Press Limited, Bradford, West Yorkshire, England [pub. no. 108]

"Reducing the Need for Information Security Department Approvals," Computer Security Alert, No. 132, April 1994; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 107]

"Prior Approval Required for All Communication Line Changes," Computer Security Alert, No. 131, March 1994; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 106]

"Using Network Management Systems to Achieve Information Security," Computer Security Journal, Spring, 1994, Vol. X, No. 1, pp. 11-21; Publisher: Computer Security Institute, San Francisco, CA Also published in NetSec'94 Proceedings, held 12-15 June 1994 in San Francisco; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 105]

"Sharing Electronic Mail Accounts Imperils Security," Computer Security Alert, No. 130, February 1994; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 104]

"Real-Time External Network Connections Must Always Utilize Firewalls," Computer Security Alert, No. 129, January 1994; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 103]

"Information Security Specialist Convicted of Crimes Against Humanity," The Password, February 1994, p. 6; Publisher: Information Systems Security Association, Chicago, IL [pub. no. 102]

"Employee Performance Evaluations and Information Security," Computer Security Alert, No. 128, December 1993; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 101]

"Escorts Required for All Visitors," Computer Security Alert, No. 127, November 1993; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 100]

"Duress Terminations and Information Security," InfoSecurity News, March/April 1994, vol. 5, no. 2, pp. 51, 53-54; Publisher: MIS Training Institute, Framingham, MA Expanded version published in Computers & Security, October 1993, vol. 12, pp. 527-535; Publisher: Elsevier Advanced Technology, Oxford, England Also published in ISSA'94 Conference Proceedings, 14-16 March 1994, Fairmont Hotel, San Francisco, pp. 513-523; Publisher: Information Systems Security Association, Chicago, IL Also appears in COMPSEC'94 conference proceedings (London, 12-14 October, 1994); Publisher: Elsevier Advanced Technology, Oxford, England [pub. no. 99]

"Mandating the Information Security Management Function," Computer Security Alert, No. 126, October 1993; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 98]

"The Easy Approach to Information Security," Computer Fraud & Security Bulletin, October 1993, pp. 11-12; Publisher: Elsevier Advanced Technology, Oxford, England [pub. no. 97]

"Permissible Exceptions to Information Security Policies," Computer Security Alert, No. 125, September 1993; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 96]

"Network Management Systems and Information Security," Proceedings of COMPSEC'93, London, England, 20-22 October 1993; Publisher: Elsevier Science Publishers, Oxford, England [pub. no. 95]

"Background Checks for Employees in Computer-Related Positions of Trust," Computer Security Alert, No. 124, August 1993; Publisher: Computer Security Institute, San Francisco, CA Also appears in Information Management & Computer Security, vol. 3, no. 5, 1995 [pub. no. 94]

"Removal of All Unauthorized Access Paths in Production Software," Computer Security Alert, No. 123, July 1993; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 93]

"When Should You Perform a Risk Assessment?" Computer Fraud & Security Bulletin, June 1993, pp. 6-8; Publisher: Elsevier Science Publishers, Oxford, England [pub. no. 92]

"Achieving Consistent Protection of Information," Computer Security Alert, No. 122, June 1993; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 91]

"Constructing Difficult-to-Guess Passwords," Computer Security Alert, No. 121, May 1993; Publisher: Computer Security Institute, San Francisco, CA Republished in Information Management and Computer Security, vol. 4, no. 1, pp. 43-44, 1996; Publisher: MCB University Press, West Yorkshire, England [pub. no. 90]

"Novell, Gradient Team Up to Bring Order to Licensing Arena," LAN Times, 19 April 1993, pp. 44-45; Publisher: LAN Times, San Mateo, CA [pub. no. 89]

"Techniques for Increasing Your Information Security Budget," ISSA Journal, vol. 1, issue 1, December 1993, pp. 4-7; Publisher: Information Systems Security Association, Chicago, IL [pub. no. 88]

"Building Security Into Your System Reduces the Risk of a Breach," LAN Times, 8 February 1993, p. 47; Publisher: LAN Times, San Mateo, CA [pub. no. 87]

"Control Who Speaks with the Media to Ensure Consistent, Factual Face to Public," Computer Security Alert, No. 118, January 1993; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 86]

"A Technical Group Emergency Communications Policy Facilitates Speedy Problem Resolution," Computer Security Alert, No. 117, December 1992; Publisher: Computer Security Institute, San Francisco, CA Also published in Business Control Magazine, Issue 6, May/June 1994, p. 38; published by CSA Publishing, Brentwood, England. Additionally published in Information Security Bulletin, Leichester, England, October 1996, pp. 23-24 [pub. no. 85]

"Human Error: A Overlooked But Significant Information Security Problem," Computers & Security, vol. 12, no. 1, February 1993 (co-author William W. Banks), pp. 51-60; Publisher: Elsevier Advanced Technology, Oxford, England [pub. no. 84]

"Information Owners, Custodians, and Users," Computer Security Alert, No. 116, November 1992; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 83]

"A Policy for an Information Security Management Committee," Computer Security Alert, No. 115, October 1992; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 82]

"Modern Twists on the 'Need-to-Know'," Computer Security Alert, No. 114, September 1992; Publisher: Computer Security Institute, San Francisco, CA Also published in Computer Security Engineers Newsletter, May 1996; Publisher: Computer Security Engineers, St. Helier, Jersey, England [pub. no. 81]

"Expanding the Role and Influence of Information Security," Proceedings of COMPSEC'92 - London, England, 4-6 November 1992; Publisher: Elsevier Advanced Technology, Oxford, England Republished with the title "How to Achieve a Clear Definition of Responsibility for Information Security," by Datapro International's Information Security Service, and also by Datapro North American Information Security Service, both Vol. 1, April 1993, McGraw Hill, Berkshire, England [pub. no. 80]

"Designing a Network Security Architecture," Proceedings of COMPSEC'92 - London, England, 4-6 November 1992; Publisher: Elsevier Advanced Technology, Oxford, England A different version co-authored with Paul Quanrud published in Computer Security Journal, Fall 1992, Vol. VIII, No. 2, pp. 31-41; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 79]

"Securely Handling Staff Terminations," Computer Security Alert, No. 113, August 1992; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 78]

"A Policy for Sending Secret Information Over Communications Networks," Computer Security Alert, No. 112, July 1992; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 77]

"A Policy for Documenting End-User Programming," Computer Security Alert, No. 111, June 1992; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 76]

"Principles of Secure Information Systems Design with Groupware Examples," Proceedings of the Groupware'92 Conference, held in San Jose, California 3-5 August 1992; Publisher: Morgan Kaufmann Publishers, San Mateo, CA Also published in Computers & Security, vol. 12, no. 7, November 1993, pp. 663-678; Publisher: Elsevier Advanced Technology, Oxford, England [pub. no. 75]

"Keep Up With Jones, Advises Security Expert," (article turned into an interview) Security Magazine, p. 80, August 1992; Publisher: Cahners Publishing, Des Plaines, IL [pub. no. 74]

"A Computer Emergency Response Team Policy," Computer Security Alert, No. 110, May 1992; Publisher: Computer Security Institute, San Francisco, CA Also found in Business Control Magazine, Issue 6, May/June 1994, p. 38; Publisher: CSA Publishing, Brentwood, Essex, England. Additionally appears in Information Management and Computer Security, Vol. 4, No. 2, 1996; Publisher: MCB University Press, West Yorkshire, England [pub. no. 73]

"A Secure Password Storage Policy," Computer Security Alert, No. 109, April 1992; Publisher: Computer Security Institute, San Francisco, CA Also published in Control Security & Audit Magazine, Issue 5, p. 8, March/April 1994; Publisher: CSA Publishing, Brentwood, England [pub. no. 72]

"Part of the Foundation for Secure Systems: Separation of Duties Policy," Computer Security Alert, No. 108, March 1992; Publisher: Computer Security Institute, San Francisco, CA Also published in Control Security & Audit Magazine, Issue 4, p. 23, January/February 1994; Publisher: CSA Publishing, Brentwood, England [pub. no. 71]

"Lying About Information Security," 10 February 1992, p. 33, Computerworld; Publisher: CW Publishing, Framingham, MA [pub. no. 70]

"Why Have Decentralized Information Security Coordinators?" Computer Fraud and Security Bulletin, August 1992, pp. 12-13; Publisher: Elsevier Science Publishers, Oxford, England [pub. no. 69]

"A Strategy for Developing Information Security Documents," Journal of Information Systems Security, vol. 1, issue 2, Summer 1992, pp. 71-78; Publisher: Auerbach Publishers, New York, NY (co-author: Juhani Saari) [pub. no. 68]

"Policy #1: Information is an Organizational Asset," Computer Security Alert, No. 107, (no page numbers -- a supplement), February 1992; Publisher: Computer Security Institute, San Francisco, CA Also published in Data Processing Management Association -- Special Interest Group for Computer Security -- Newsletter, Vol. 4, No. 2, August 1992, pp. 5-6; Publisher: DPMA, Park Ridge, IL Additionally published in Control Security & Audit Magazine, issue 3, p. 27, November/December 1993; Publisher: CSA Publishing, Brentwood, England. Also appears in Computer Security Engineers Newsletter, October 1995; published by Computer Security Engineers, The Hague, Netherlands [pub. no. 67]

Effective Information Security Management [a book of tools and techniques for dealing with information security problems, now out of print], 1991; Publisher: Elsevier Advanced Technology, Oxford, England, ISBN# 1-85617-070-5 [pub. no. 66]

Information Security Policies Made Easy [a book of 1175+ already-written policies provided in both hardcopy and disk form], 8th edition, 2001; Publisher: PentaSafe Security Technologies; ISBN# 1-881585-00-X. Excerpts reprinted as "Designing Corporate Information Security Policies," appearing in Datapro Reports on Information Security, #IS 15-300-101, April 1992; Publisher: Datapro Information Services, McGraw-Hill, Delran, NJ [pub. no. 65]

"Password Cracking: Keys to Reducing Your Exposure," The Business Journal, 11 November 1991; Publisher: Sloan Publications, Santa Rosa, CA [pub. no. 64]

"Burning Computer Security, Privacy, and Freedom Issues," Computers & Security, October 1991, Vol. 10, No. 6, pp. 524-532; Publisher: Elsevier Advanced Technology, Oxford, England [pub. no. 63]

"Password Guessing: A Serious Problem," Data Processing and Communications Security (renamed in 1992 to Computing and Communications Protection), July 1991, Vol. 15, No. 7, pp. 1-3; Publisher: Assets Protection Publishing, Madison, WI [pub. no. 62]

"New Conference Focuses on Privacy," Data Security Letter, May 1991, pp. 5-8; Publisher: Data Security Letter, Palo Alto, CA [pub. no. 61]

"The Forces that Drive the Commercial Information Security Market," Data Security Letter, April 1991, pp. 5-8; Publisher: Data Security Letter, Palo Alto, CA [pub. no. 60]

"Organizing the Information Security Function" chapter of Handbook of Information Security Management, 1993, edited by Harold Tipton and Zella Ruthberg, (used as Information Systems Security Association's Certified Information Systems Security Professional exam study guide); pp. 67-84; Publisher: Auerbach Publishers, Warren Gorham Lamont, Boston, MA Also appears as "Information Security Program Establishment," in the Proceedings of the 18th Annual CSI Conference, Miami, Florida, November 11-15, 1991; Publisher: Computer Security Institute, San Francisco, CA [pub. no. 59]

"Using Information Security to Achieve Competitive Advantage," Proceedings of the 18th Annual CSI Conference, Miami, Florida, November 11-15, 1991; Publisher: Computer Security Institute, San Francisco, California. Also appears in Computers & Security, August 1991, Vol. 10, No. 5, pp. 399-404; Publisher: Elsevier Advanced Technology, Oxford, England Additionally appears in ISSA Access, Q2-1991, pp. 27-29; Publisher: ISSA, Chicago, IL Revised version appears in Management Auditing Journal, Vol. 8, Issue 2, pp. 16i-16iv, 1993; Publisher: MCB University Press, West Yorkshire, England [pub. no. 58]

"Fifteen Major Forces Driving the Civilian Information Security Market," Computers & Security, vol. 9, no. 8, December 1990, pp. 677-687; Publisher: Elsevier, Oxford, England Also appears in Data Security Digest, vol. 2, no. 2, August 1991, pp. 92-98; Publisher: Cipher Management BV, Emmeloord, The Netherlands [pub. no. 57]

"What's Out There? An Overview of Information Security Products and Services, Part I", Information Security Product News, vol. 1, no. 4, November/December 1990, pp. 43-44, 46; Publisher: MIS Training Associates, Framingham, MA (Part II was published in January/February 1991 issue, pp. 39-41) [pub. no. 56]

"To Guess or Not to Guess: Beating the Password Guessers at Their Own Games," Information Security Products News, vol. 1, no. 3, August-September 1990, pp. 45-46; Publisher: MIS Training Associates, Framingham, MA [pub. no. 55]

"Security of Neural Networking Computers," Data Processing & Communication Security (renamed in 1992 to Computing & Communications Protection), vol. 14, no. 2, Summer 1990, pp. 11-13; Publisher: Assets Protection Publishing, Madison, WI. Revised version also published in the Proceedings of the 14th Annual Department of Energy (DOE) Computer Security Conference (7-9 May 1991, Concord, California); Publisher: National Technical Information Service, Springfield, VA. Revised version also published in the Proceedings of the 9th Annual ISSA Conference (21-27 March 1992, Houston, Texas); Publisher: Information Systems Security Association, Chicago, IL [pub. no. 54]

"Computer Control Selection: The Standard of Due Care Approach," Computer Fraud & Security Bulletin, June 1990, pp. 14-18; Publisher: Elsevier, Oxford, England [pub. no. 53]

"Principles of Secure Information Systems Design," Computers & Security, vol. 9, no. 1, February 1990, pp. 13-24; Publisher: Elsevier, Oxford, England [pub. no. 52]

"How Many Information Security Staff People Should You Have?" Access, First Quarter, vol. 3, issue 1, pp. 23-25, 28-29; Publisher: Information Systems Security Association. Revised and expanded version, Computers & Security, vol. 9, no. 5, August 1990, pp. 395-402; Publisher: Elsevier, Oxford, England [pub. no. 51]

"Planning as a Means to Achieve Appropriate Data Communications Security," Computers & Security, May 1989, pp. 189-200; Publisher: Elsevier, Oxford, England Also appears as keynote speech, Proceedings of the IFIP SEC'90 International Security Conference, 23-25 May 1990, Helsinki, Finland; Publisher: International Baseline Security, Helsinki, Finland [pub. no. 50]

"Security Considerations for UNIX System Users," Yrityksen Tietotekniikan Kehittaminen [technical magazine for Finnish Unix community], 1989, pp. 23-25; Publisher: International Baseline Security, Helsinki, Finland (co-author: Juhani Saari) [pub. no. 49]

"Eight Doses of Prevention," [for computer viruses] Security, February 1989, pp. 51; Publisher: Cahners Publishing, Denver, CO [pub. no. 48]

"A Few Contextual Remarks About Viruses -- Widening Applications, Change Control and Standardization," Proceedings of the Invitational Symposium on Computer Viruses, 1989, pp. 41-42; Sponsor and Publisher: Deloitte Haskins & Sells, CPAs, New York, NY [pub. no. 47]

"A Context for Information Systems Security Planning," Computers & Security, vol. 7, no. 5, October 1988, pp. 455-465; Publisher: Elsevier, Oxford, England Also, appears in Proceedings of the 7th Annual Working Conference for Information Security Professionals, 19-21 March 1990, section D-9; Sponsor and Publisher: Information Systems Security Association, Chicago, IL Also, appears in Proceedings of the Fifteenth Annual Computer Security Conference, November 1988, section W; Sponsor and Publisher: Computer Security Institute, San Francisco, CA [pub. no. 46]

"Computer Security," Encyclopedia of Microcomputers, 1988 ed., vol. 4, pp. 23-36. Editors: Allen Kent & James G. Williams, Univ. of Pittsburgh; Publisher: Marcel Dekker, New York, NY. Also, appears in Encyclopedia of Library and Information Science, 1988 edition, vol. 44, pp. 71-84; Editor: Allen Kent, University of Pittsburgh; Publisher: Marcel Dekker, New York, NY. [pub. no. 45]

"Extended User Authentication: The Next Major Enhancement to Access Control Packages," Computer Security in the Age of Information - Proceedings of the Fifth IFIP International Conference on Computer Security, Queensland, Australia, 19-21 May 1988, pp. 223-234; Publisher: North-Holland Publishers, Amsterdam. Also appears in Data Processing & Communications Security, Spring 1989, pp. 17-23; Publisher: Assets Protection Publishing, Madison, WI. [pub. no. 44]

"The Human Immune System as an Information Systems Security Reference Model," Computers & Security, vol. 6, 1988, pp. 511-516; Publisher: Elsevier, Oxford, England Also, chapter of Rogue Programs: Viruses, Worms, and Trojan Horses, ed. by L. Hoffman, 1990, pp. 50-58; Publisher: Van Nostrand Reinhold, NY. [pub. no. 43]

"Information Systems Security: Management Success Factors," Computers & Security, vol. 6, no. 4, August 1987 pp. 314-320; Publisher: Elsevier, Oxford, England [pub. no. 42]

"Structuring Systems Security: Strong Safeguards Depend on a Central Security Group with Distributed Duties," Security, April 1987, pp. 48-50, 52; Publisher: Cahners Publishing, Denver, CO. [pub. no. 41]

"Security Prudent," Computerworld (editorial), June 8, 1987, pp. 22, 24; Publisher: CW Publishing, Framingham, MA [pub. no. 40]

"Quantitative Risk Analysis and Information Systems Security," Data Processing & Communications Security, vol. 10, no. 2, Spring 1986, pp. 8-11; Publisher: Assets Protection Publishing, Madison, WI. [pub. no. 39]

"Administrative Controls for Password-Based Computer Access Control Systems," Computer Fraud & Security Bulletin, January 1986, pp. 5-13; Publisher: Elsevier, Oxford, England [pub. no. 38]

"A New Approach to Computer User Authentication," Data Processing & Communications Security, Fall 1986, pp. 21-26; Publisher: Assets Protection Publishing, Madison, WI. [pub. no. 37]

"Information Security: Four Roads to Reveal Risk," Security, October 1986, pp. 30, 32; Publisher: Cahners Publishing, Denver, CO. [pub. no. 36]

With Zeidler, Howard, "Security Modules -- Potent Information Security Systems Components," Computers & Security, June 1986, pp. 141-121; Publisher: Elsevier, Oxford, England [pub. no. 35]

"Establishing Internal Technical Systems Security Standards," Computers & Security, vol. 5, August 1986, pp. 193-200; Publisher: Elsevier, Oxford, England [pub. no. 34]

"Privacy and Information Handling," Computerworld (editorial), November 24, 1986; Publisher: CW Publishing, Framingham, MA [pub. no. 33]

"Establishing Technical Information Security Standards at a Major Multinational Bank," International Federation of Information Processing Societies (IFIP)-SECURITY'85 Conference Proceedings, Dublin, Ireland, 1985. [pub. no. 32]

"Network Security and Administration," Chapter IX of a book entitled Network Interfaces and Protocols, 1985, pp. 9.2-9.32; Publisher: Network Management Services, Inc., Murray, UT. [pub. no. 31]

"Password-Based Access Control Systems: Policies, Procedures, Standards, and Related Control Ideas," Information Systems Security Association white paper, San Francisco Chapter, November 1985 meeting. Also published in Proceedings of the Forth Annual Information Systems Security Association Conference, Los Angeles, 23-27 March 1987; Publisher: ISSA, Chicago, IL Reprinted as a chapter in Network World's Network Security SECRETS, by David J. Stang and Sylvia Moon, IDG Books Worldwide, San Mateo, CA, 1993. [pub. no. 30]

"Security Checklist for Computer Based Information Systems -- Air Force Logistics Command," Lawrence Livermore National Laboratory Publication UCAR-10135, 1985; Publisher: Lawrence Livermore National Laboratory, Livermore, California. Also published as Computer Security: A Comprehensive Controls Checklist, 1987, [a book detailing standard control practices ... particularly useful for audits and reviews]; Publisher: John Wiley & Sons, New York, NY. ISBN# O-471-84795-X. Telecommunications security chapter was reprinted in Network Security in the '90s: Issues and Solutions for Managers, by Thomas W. Madron, 1992, pp. 227-254; Publisher: John Wiley & Sons, New York, NY. [pub. no. 29]

"Livermore Risk Analysis Methodology for Information Systems Security," Lawrence Livermore National Laboratory Publication UCAR-10150, 1985; Publisher: Lawrence Livermore Labs, Livermore, CA; co-author - Dr. Sergio Guarro. [pub. no. 28]

"Information Security with One-Way Functions," Data Processing & Communications Security, vol. 9, no. 5, May/June 1985, pp. 14-16; Publisher: Assets Protection Publishing, Madison, WI. [pub. no. 27]

"Floppy Diskette Security Measures," Computers & Security, vol. 4, September 1985, pp. 223-228; Publisher: Elsevier, Oxford, England Republished in Computer Control Quarterly, Winter '86, pp. 20-26; Publisher: Kevin Fitzgerald & Associates, Victoria, Australia. [pub. no. 26]

"Countering Unauthorized Systems Accesses," Journal of Systems Management, vol. 35, no. 4, issue no. 275, April 1984, pp. 26-28. Also, appears in EDP Auditor Journal, vol. 1, 1986; Publisher: EDP Auditors Association (now Information Systems Audit & Control Association), Carol Stream, IL [pub. no. 25]

"Data Dictionaries and Information Security," Proceedings of SECURICOM'84 International Conference, Cannes, France, 29 February - 2 March 1984, pp. 55-63; Publisher: SEDEP, Paris, France. [pub. no. 24]

"Logging, Security Experts Database, and Crypto Key Management in the '90s," Association for Computing Machinery Annual Conference Proceedings, held in San Francisco 8-10 October 1984; Sponsor and Publisher: Association for Computing Machinery, New York, NY. [pub. no. 23]

"Information Resource Management," Computerworld, 25 April 1983, "In-depth" article, pp. In-Depth 11-17; Publisher: CW Publishing, Framingham, MA [pub. no. 22]

"Moderate Cost Computer Security Controls," Datamation, special supplement, 'Making the Case for Computer Security,' September 1983; Publisher: Cahners Publishing, Denver, CO. (co-author: Donn B. Parker) [pub. no. 21]

"Enhancing Information Security with the IRM Approach," Computers & Security, vol. 2, November 1983, pp. 203-229; Publisher: Elsevier, Oxford, England [pub. no. 20]

Computer Crime: Computer Security Techniques, U.S. Government Printing Office, U.S. Department of Justice, order no. 1982-361-233-1873, 1983; Publisher: US Government Printing Office, Washington, DC. (co-author: Donn B. Parker) [pub. no. 19]

"IRM Regards Data as Major Corporate Resource," Information Systems News, June 13, 1983. [pub. no. 18]

"Information Resource Management," SRI International Business Intelligence Report, Report #672, November 1982; Publisher: SRI International, Menlo Park, CA [pub. no. 17]

"The Role of PBX (Private Branch Exchange) Systems in the Office of the Future," SRI International Business Intelligence Program, November 1982; Publisher: SRI International, Menlo Park, CA [pub. no. 16]

With Dewey, Russell, "Security: Nine Banking Software Controls," ICP Banking Industry Interface, vol. 7, issue 1, Spring 1982, pp. 16-18, 20-21; Publisher: International Computer Programs, Indianapolis, IN. [pub. no. 15]

"Effective Information System Security with Password Controls," Computers & Security, vol. 2, no. 1, 1983, pp. 5-10; Publisher: Elsevier Science Publishers, Oxford, England [pub. no. 14]

"Password Palisade Repels System Penetrators," Information Systems News, July 26, 1982, pp. 28-31. [pub. no. 13]

"Policies for Deterring Computer Abuse," Computers & Security, vol. 1, 1982, pp. 139-145; Publisher: Elsevier, Oxford, England [pub. no. 12]

With Kramer, Scott, "Terminal Security Vulnerability," sensitive limited-distribution report, 1981 ADAPSO Conference Proceedings; Sponsor: SRI International, Menlo Park, CA [pub. no. 11]

"International Barriers to Information Flows," SRI International Business Intelligence Report, Report #1057, March 1981; Publisher: SRI International, Menlo Park, CA [pub. no. 10]

With Parker, Donn B. and Walling, Vic C., "Cryptography in the Private Sector: A Policy Analysis," SRI International Business Intelligence Program, file no. 81-616, 1981; Publisher: SRI International, Menlo Park, CA [pub. no. 9]

"Future Applications of Cryptography," IEEE Computer Society Conference Proceedings, 1981. Also appears in Computers & Security, vol. 1, January 1982, pp. 65-71; Publisher: Elsevier, Oxford, England [pub. no. 8]

With Parker, Donn B., "Computer Abuse: Threats and Countermeasures," The Executive, August 1981, pp. 46-47; Publisher: Executive Publications, Newport Beach, CA [pub. no. 7]

With Parker, Donn B., "Fraud: The Achilles Heel of a New Technology," Christian Science Monitor, 24 February 1981, p. B10; Publisher: Christian Science Publishing Society, Boston, MA [pub. no. 6]

With Mason, John, "Six Ways Banks Computerize and Cannibalize Their Services," Marketing News, December 12, 1980, pp. 18, 20-21; Publisher: Marketing News Magazine, Chicago, IL [pub. no. 5]

"Telecommunications Security in Banks," ICP Banking Industry Interface, Spring 1980, pp. 16-18; Publisher: International Computer Programs, Indianapolis, IN. [pub. no. 4]

"Communications Security with Electronic Mail," The Office, August 1980, pp. 22, 24, 28, 158; Publisher: Office Publications, Inc., Stamford, CT. [pub. no. 3]

With Merkhofer, Miley, "Decision Analysis Applied to a Technology Assessment of Public Key Cryptographic Systems," American Society for Engineering Education -- Annual Conference Proceedings, 1980; Publisher: American Society for Engineering Education, Washington, DC. [pub. no. 2]

With Parker, Donn B., Computer Crime: Criminal Justice Resource Manual; Publisher: U.S. Government Printing Office, Washington, DC; prepared for U.S. Department of Justice; order no. 1979-311-379/1710, 1979. [pub. no. 1]



Charles Cresson Wood, CISA, CISM, CISSP

Independent Information Security Consultant & Author

InfoSecurity Infrastructure, Inc.
Post Office Box 708
Mendocino, California 95460 USA

For information about consulting services
707-937-5572 office voice

For information about books by Charles Cresson Wood contact Information Shield at http://www.informationshield.com
713-443-8428 (or) 888-641-0500

Copyright © 2010, InfoSecurity Infrastructure, Inc.
All Rights Reserved