REFERENCES
- URLs are valid as of the date of publication of this document.
- Balanced Scorecard Institute. (2007). Handbook for Basic Process Improvement. Retrieved from http://www.balancedscorecard.org/BSCResources/ArticlesWhitePapers/HandbookforBasicProcessImprovement/tabid/243/Default.aspx
- Caralli, R. A., Stevens, J. F., Willke, B. J., & Wilson, W. R. (2004). The Critical Success Factor Method: Establishing a Foundation for Enterprise Security Management (CMU/SEI-2004-TR-010). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University. Retrieved from http://www.sei.cmu.edu/publications/documents/04.reports/04tr010/04tr010.html
- Chew, E., Swanson, M., Stine, K., Bartol, N., Brown, A., & Robinson, W. (2007). Special Publication 800-55 Revision 1: Performance Measurement Guide for Information Security (DRAFT). Gaithersburg, MD: NIST. Retrieved from http://csrc.nist.gov/publications/drafts/800-55-rev1/Draft-SP800-55r1.pdf
- Mell, P., Bergeron, T., & Henning, D. (2005). Special Publication 800-40 Version 2.0: Creating a Patch and Vulnerability Management Program. Gaithersburg, MD: NIST. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-40-Ver2/SP800-40v2.pdf
- Office of Management and Budget. (2008). Fiscal Year 2007 Report to Congress on Implementation of The Federal Information Security Management Act of 2002. Retrieved from http://www.whitehouse.gov/omb/inforeg/reports/2007_fisma_report.pdf
- Resiliency Engineering Framework Team. (2008). CERT® Resiliency Engineering Framework Preview Version, v0.95R. Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University. Retrieved from http://www.cert.org/resiliency_engineering/
- Romanosky, S. (2006). Global Technology Audit Guide (GTAG) 6: Managing and Auditing IT Vulnerabilities. Retrieved from http://www.theiia.org/download.cfm?file=39632
SUGGESTED READING
- Barfield, R. (2004). Basel Accord: Our perspective and updates. Retrieved from www.pwc.com/uk/eng/about/svcs/vs/pwc_risk-appetite.pdf
- Director of Central Intelligence. DCID 6/3: Protecting Sensitive Compartmented Information Within Information Systems. Federation of American Scientists. Retrieved from http://www.fas.org/irp/offdocs/DCID_6-3_20Manual.htm
- SANS Technology Institute. SANS Technology Institute Risk Appetite Statement. Retrieved from www.sans.edu/RiskAppetiteStatement.pdf
- The Committee of Sponsoring Organizations of the Treadway Commission (COSO). (2004). FAQs for COSO's Enterprise Risk Management—Integrated Framework. Retrieved from http://www.coso.org/Publications/ERM/erm_faq.htm