> >Google for "DOD Orange Book".
>

You can forget about the Orange Book of the famous National Security Agency Rainbow series of security books as having the current answer. They are a good reference but are outdated. Back in the 1990s when Air Force MajGen Hayden took over NSA (4-Star now heads the CIA), he transferred most all the security work done by the National Computer Security Center (NCSC) over to what is now known as NIST in the Dept. of Commerce. The gist was to get NSA out of the security business for non-DOD agencies. Nowadays it is called selling off your non-core businesses.

So now for the non-DOD agencies, NIST is the one to make the rules for unclassified which can include Sensitive, For Official Use Only, Privacy Data, etc. The one gets into the PII (Personally Identifiable Information) which we are all getting introduced to for identity issues. It is not clear if the classified designations (Confidential, Secret, and Top Secret) used in DOD have moved over to the Defense Security Service, OSD's Information System Office of Oversight, or even the Office of the Secretary of Defense (OSD) itself.

The Rainbow series is still referenced today by many vendors and quoted widely. NSA did a great job when they had the work and most of it still applies today. I have seen that it all depends on what the auditors will accept.

Jim

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html