>
>Google for "DOD Orange Book".
>
You can forget about the Orange Book of the famous National Security
Agency Rainbow series of security books as having the current answer. They
are a good reference but are outdated. Back in the 1990s when Air Force
MajGen Hayden took over NSA (4-Star now heads the CIA), he transferred
most all the security work done by the National Computer Security Center
(NCSC) over to what is now known as NIST in the Dept. of Commerce. The
gist was to get NSA out of the security business for non-DOD agencies.
Nowadays it is called selling off your non-core businesses.
So now for the non-DOD agencies, NIST is the one to make the rules for
unclassified which can include Sensitive, For Official Use Only, Privacy Data,
etc. The one gets into the PII (Personally Identifiable Information) which we
are all getting introduced to for identity issues. It is not clear if the
classified designations (Confidential, Secret, and Top Secret) used in DOD
have moved
over to the Defense Security Service, OSD's Information System Office of
Oversight, or even the Office of the Secretary of Defense (OSD) itself.
The Rainbow series is still referenced today by many vendors and quoted
widely. NSA did a great job when they had the work and most of it still applies
today. I have seen that it all depends on what the auditors will accept.
Jim
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html