Running head: GOODWILL SECURITY
1
Goodwill Security
Student
Institutional Affiliation
Teacher
Date
Table of Contents
Federal and State Regulations
Sarbanes-Oxley Act
Monitoring and Enforcing Compliance
Certification and Accreditation
Preparing for Certification (TBD)
References
Federal and State Regulations
Section 1 – Company Overview
Goodwill of North Georgia operates stores, donation centers and career centers, and also offers diverse employment and job training services across North Georgia. It also has another organization, Goodwill Industries of North Georgia, which specializes in managing facilities and protective services.
Goodwill of North Georgia seeks to provide employability services to the unemployed who are struggling to find work, to people who want a change of career, and to those who seek to start out in entrepreneurship. With its support, people are empowered to meet the employment challenges that come as a result of physical, emotional and developmental limitations, among other challenges. Goodwill sells donated household goods, clothes and even books in stores across North Georgia, and the proceeds are used to support its mission of employing people.
Goodwill has an integrated security infrastructure that consists of video cameras, monitored alarms, access control systems, endpoint protection (including mobile devices), web filtering, email protection, remote access solutions and end-user security awareness training.
• Video cameras (CCTV) are installed in every corner of each room and all around the outside of the premises. They stream live feeds to the security team's smartphones, desktops or tablets, helping the team keep track of everyone's activities, including any suspicious activity in any part of the company.
• The monitored alarms are used to detect and identify the specific areas breached in the organization. They do this by emitting audible alerts that can be heard by anyone in the organization, especially the security personnel.
• The access control systems restrict entry to special areas of the organization. The company uses photo identification systems and access cards, depending on the area or section being accessed. The security team ensures that these systems are well placed and working so that employees and clients are protected from intrusions.
Section 2 – Federal and State Regulations, Directives, and Acts on Security Compliance
Federal laws and regulations give the industry guidance on matters with significant security and privacy impact.
The Sarbanes-Oxley Act
It requires companies to retain financial records for seven years. It was enacted in 2002, after the Enron and WorldCom scandals, as a preventive law. The Sarbanes-Oxley Act protects investors and the public by increasing the reliability and accuracy of corporate disclosures. The Securities and Exchange Commission is mandated to implement it by defining what records and audits businesses should keep and for how long. This act affects U.S. public company boards, management and public accounting firms, a category under which Goodwill falls.
This act is organized into 11 key titles, which are: Public Company Accounting Oversight; Auditor Independence; Corporate Responsibility; Enhanced Financial Disclosures; Analyst Conflicts of Interest; Commission Resources and Authority; Studies and Reports; Corporate and Criminal Fraud Accountability; White-Collar Crime Penalty Enhancements; Corporate Tax Returns; and Corporate Fraud Accountability.
The Gramm-Leach-Bliley (GLB) Act of 1999
Also known as the Financial Modernization Act of 1999, this act contains guidelines protecting the personal financial information that financial entities hold about their customers. It has three basic parts: the Safeguards Rule, the pretexting provisions and the Financial Privacy Rule. The act covers financial institutions and organizations that provide financial services and products to consumers, such as financial advice or settlement services, as Goodwill does.
Goodwill handles job seekers, advises entrepreneurs on the best way forward and provides financial advice to its clients; therefore, knowledge of this act is critical to its operations.
Payment Card Industry Data Security Standard (PCI DSS)
The PCI DSS sets out the requirements needed to enhance the security of customer account data. It was developed to facilitate the consistent, global adoption of data security measures. Its founders, American Express, MasterCard Worldwide, Visa, JCB International and Discover Financial Services, form the PCI Security Standards Council. It focuses on security management policies, software design procedures and network architecture. Its requirements are geared towards reducing fraud and protecting the information on consumers' credit cards. It applies to retailers and to companies that handle credit card data, such as credit card companies.
Since the company sells clothes to customers through thrift shops and other avenues, and those customers may pay with credit cards, the standard applies to Goodwill.
The Electronic Fund Transfer Act, Regulation E
This act was implemented in 1978 to protect any consumer who engages in electronic fund transfers against fraud or errors. It establishes the rights, responsibilities and liabilities of consumers and of the financial institutions that use and offer EFT services. These transfers include ATM services, direct deposits and point-of-sale transfers, among others.
The use of electronic funds transfer is inevitable for shoppers at Goodwill; therefore, due diligence is required of the organization to ensure the protection of their data.
The Children's Online Privacy Protection Act
This act addresses the online collection of data on children below the age of thirteen. The Federal Trade Commission (FTC) enforces this act and sets the limits on the collection and disclosure of children's data. It therefore determines the contents of a website's privacy policy, the process for obtaining parental consent and the operator's responsibilities.
Goodwill's services also include settlement services that may require information on children, so it must take care that this act is not broken.
Identify and describe 2 State Regulations
Massachusetts 201 CMR 17 (aka Mass Data Protection Law)
This law, implemented in 2010, seeks to protect Massachusetts residents against fraud and identity theft. It requires that any institution storing personally identifiable information about a resident of the state have a written, regularly audited plan to protect that information. Its main aim is to mitigate any risk to the security of information.
Businesses such as Goodwill that use information from Massachusetts residents to provide services, products or employment are affected.
Nevada Personal Information Data Privacy Encryption Law NRS 603A
This law was passed to ensure, through encryption, the security of any stored personal information of a consumer.
Goodwill may sell its services to a resident of Nevada and may need that resident's personal data; therefore, it should adhere to this law.
Section 3 - Compliance Plan
For Goodwill, the compliance plan explains the roles and responsibilities of the different personnel in IT infrastructure security, information classification, marking and handling, security categorization of the information systems, the security control requirements and contingency planning, among others.
Describe Policies, Standards, Processes, and Guidelines
The Chief Information Officer of Goodwill is responsible for developing and maintaining the company's information security program, and works with the systems security officer, who ensures that the operational security posture is maintained for all information systems and programs.
Discuss the relationship between Controls and Audits
Controls refer to all the planning an organization does to safeguard its assets while ensuring that information is reliable and consistent, so that operations are efficient and effective and comply with the set rules and regulations. Audits help ensure that controls are executed, by assessing and evaluating all the activities in a company or organization.
Section 4 – Acceptable Use Policy
The Goodwill Acceptable Use Policy (AUP) addresses the safeguarding of users' access to its services. It describes prohibited activities, responsibility for systems security, enforcement of the AUP, changes to the AUP and the reporting of any breaches of the AUP.
Goodwill uses Safe Harbor principles that ensure customers are notified of the purposes for which their data is collected and used. The company also discloses to the client whether the data it collects will be disclosed to a third party, and whether the third party's purposes will be the same or incompatible. Clients, especially those whose data is collected for employability purposes, are given the choice to opt out of the agreement if they do not wish their data to be used by third parties. Goodwill also ensures that the third party adheres to the same terms of use. In case of data breaches, the company already has mechanisms to counter them.
Acceptable Use Policy and Enforcement Ethics
Goodwill of North Georgia does not guarantee that no data breach will occur. It does, however, believe in two basic principles: privacy and protection of client data. It is therefore unethical and illegal for any of its employees to cause breaches of this data.
Section 5 – Certification and Accreditation
DIACAP
Goodwill of North Georgia seeks to comply with the Department of Defense's (DoD) certification process, applying risk management to its information systems through the DoD Information Assurance Certification and Accreditation Process (DIACAP).
The company has already begun the process of obtaining this certification and is currently at the third phase of the process, which is the certification determination and accreditation decision.
ISO27002
Goodwill holds the ISO27002 certification and has clear guidelines for its information security as an organization. These include guidelines for the selection, implementation and management of controls based on its information security risk environment.
The organization has already implemented commonly accepted information security controls. It has also developed its own information security management guidelines.
Section 6 - Preparing for Certification
The organization has already implemented commonly accepted information security controls. It has also developed its own information security management guidelines in preparation for its certification.
Sarbanes-Oxley Act
Goodwill of North Georgia is a non-profit organization that provides services such as taking people through hands-on skill training and writing resumes and cover letters for those who are job hunting. It also helps them access job opportunities, and it receives donations which are then sold to help finance the job hunting activities and the training programs it holds. The Sarbanes-Oxley Act of 2002 is to be applied in all private and public companies or organizations, especially in the regulation of financial practice and of corporate governance. This is important for Goodwill of North Georgia in the area of corporate governance, since it is an organization that requires coordination for its goals to be met without fail.
The organization relies on donations, and on the sale of those donations, to fund the activities in which it engages. This also means that the organization has to provide financial reports that accurately account for what passes through the staff's hands. These two activities ought to be conducted according to the Sarbanes-Oxley Act of 2002, which provides clear guidance on how they ought to be accomplished and how financial matters ought to be handled. The act strongly encourages transparency in the corporate world, and specifically for Goodwill of North Georgia on how its financial resources are put to use, how they are spent and how much is recovered from sales of the donations provided by the public (http://www.soxlaw.com).
There are various incidents for which the enactment of the Sarbanes-Oxley Act is considered important, as in the case of Goodwill of North Georgia. One is to help ensure that the only statements detailed in the organization's financial reports are true statements. Any misleading information would be fraudulent and would mean that the organization went to that extent to hide information important to the public and to the authorities involved. This means that the organization, and those in charge of its financial matters, ought to be careful and clear on all matters concerning the organization's finances, and that the numbers have to be right and consistent with the organization's spending. This encourages transparency so that nothing is missing from the report. The second incident that calls for the enactment of the Sarbanes-Oxley Act is the evaluation of the internal controls within the previous ninety days, with the findings then put into a report (Fletcher & Plette, 2008).
The evaluation of the internal controls calls for the identification of all kinds of inefficiencies in the organization. The inefficiencies also include fraudulent acts by the organization's employees, so that everything is on record and can be accounted for in the organization's financials. All the information regarding the internal controls relates to the internal activities of the organization and to its finances. It is also important to provide extra information on the internal controls in terms of changes that might occur, especially if they are significant enough to have a negative impact. Such changes mean that the internal activities of the organization will also be significantly affected, to the extent of even being reflected in the organization's financial reports or statements. Last but not least, the other incident that matters for the enactment of the act is the organization, through its accountant, being able to report on its financial reporting procedures and on the effectiveness of its internal control structure. This helps show the adequacy of the financial statements and internal controls adopted by the organization, and helps prove the competence of the organization's financial accountant.
The act's importance to the organization is seen in best industry practices, that is, in financial practice regulation. It also helps address the problems and issues that may arise from the organization's financial statements and reports. In this case, financial governance comes into play. The act also addresses personal management liability issues and is the defining regulation behind corporate responsibility (ABA Coordinating Committee on Nonprofit Governance, 2005).
The act specifically focuses on financial practice regulation and corporate governance, and in this case on the governance of the organization, which is a non-profit. In matters of financial governance, the organization is expected to give accurate financial statements that clearly detail how its financial resources are put to use within the organization and for the good of the end users. This helps instill discipline and bring transparency to the organization and among its staff members, so that misuse and fraud are dealt with in good time. The act is therefore meant to send a warning to all companies involved, including non-profit organizations, that failing to provide true statements on their financials may lead to such acts being declared criminal and to action being taken against them. At the same time, failing to reveal that some of the organization's employees have been involved in fraudulent or otherwise illegal acts also calls for the involvement of the authorities, since there ought to be some form of accountability in every matter of the organization. This in turn calls for the enactment of the act, especially when it comes to corporate governance and financial practice regulation (The U.S. Sarbanes Oxley Act et al. 2007).
Monitoring and Enforcing Compliance
Question 1
Acceptable Use Policy
1. Overview
Goodwill of North Georgia is committed to a culture of openness, integrity and trust among its staff and management. The company is committed to protecting its partners, employees and customers from any kind of damage. This enables effective security to be provided to the parties involved.
2. Purpose
The purpose of this policy is to identify the acceptable use of the organization's resources and thus reduce the risk that would otherwise be experienced in its absence.
3. Scope
The policy herein applies to the organization's resources, whether financial or in the form of donations received from well-wishers that help with the conduct of the organization's business. The business of the organization is to assist people in acquiring hands-on training and professional cover letter writing, and to provide ways of getting jobs. All staff and contractors are required to adhere to the regulations in the policy and to do so through sound judgment. Goodwill of North Georgia aims this policy at all internal and external parties that work with the organization to realize its end goals (Calder, 2005).
4. Policy
4.1 General use and ownership
4.1.1 All information stored on any electronic equipment found within Goodwill of North Georgia's premises remains the organization's property for as long as it remains in the running of the organization. The proprietary information should therefore remain protected in accordance with the Data Protection Standard.
4.1.2 All staff of Goodwill of North Georgia have the responsibility of reporting any theft, unauthorized access or loss of any kind within the organization's premises.
4.1.3 The organization's information can only be accessed by authorized personnel, and only to the extent the organization allows based on the person's duties within the organization.
4.1.4 All employees are expected to exercise sound judgment when engaging in activities on the premises for personal use.
4.2 Security and Proprietary Information
4.2.1 All personal devices belonging to staff that are brought in and used within the organization's premises are subject to security checks.
4.2.2 All devices that staff use should be password protected and should restrict access to certain information based on the personnel handling the devices.
4.3 Unacceptable Use
4.3.1 The organization's staff are prohibited from violating the responsibilities they hold within the organization.
4.3.2 Unauthorized access to unauthorized sites and copying of material belonging to the organization are violations of the organization's privacy policy.
4.3.3 Committing any fraudulent act, whether within or outside the organization's policies, calls for action by the authorities and penalties or punishment under the related laws.
4.3.4 Interference with any organizational business by organizational staff is prohibited and is punishable under the organization's rules and regulations.
4.3.5 Providing misguided direction to the organization's customers is a violation of the organization's rules and regulations and may attract a penalty best suited to the situation (Northcutt & Northcutt, 2004).
5. Policy Compliance
5.1 Compliance with this policy will be verified by way of internal and external audits, reports from the organization's business and feedback to the governing committee.
5.2 Exceptions are made for unique situations, on the basis of the situation in question.
5.3 Non-compliance with the policy may be punishable by a penalty according to the severity of the situation, and it may also result in termination from the organization.
Question 2
An investigation into a matter that affects the organization internally, especially if it involves violations, calls for responsiveness on the part of the employer. The investigation should be undertaken quickly to prevent the same thing from happening again and to prevent the costs from rising. Ensuring confidentiality is the first step, so that the employees or staff under investigation are not aware of it, since awareness might trigger a change in behavior. The accuser should then be placed under interim protection, preventing them from being hurt further, which may call for seeking legal action and coming up with a solution for them. The investigator is then selected; the investigator should be detail-oriented, skillful and unbiased, have the right temperament for conducting interviews, have strong interpersonal skills and have no stake in the outcome. The investigator then develops a plan based on the accusations made. The interview questions for all those involved should then be developed in an open-ended manner. The interviews are then conducted, with all those involved informed of the investigation and of the importance of confidentiality, and with the process well detailed to them (Harwood, 2011). A decision is then made based on the outcome of the investigation, and the warranted actions are decided by the employer with consideration of all involved. The investigation is then closed after the damages have been quantified and the remedy determined: whether training is needed in this case, whether workplace policies have to be changed, and whether a review of the investigation and complaint resolution is needed. The final step is developing a written summary of the results of the concluded investigation. Everything done during the investigation of the internal environment of Goodwill of North Georgia should be documented.
Question 3
In this case, the ethical considerations of the acceptable use policy narrow down to the fairness of the policy itself. Fairness here focuses on the rules of behavior set out in the policy regarding the granting and restriction of access to the organization's resources. A contradiction arises when the organization limits access but still needs work done through access to the same resources. The general guidelines in the policy give users guidance on acceptable use and on restrictions and prohibitions on use. The policy holds staff responsible for what happens to the resources, but should still show fairness by not putting all the blame on the staff. The rules provide direction to staff but can always be amended based on the organization's changing needs (IRMA, 2015).
Certification and Accreditation
Difference between Certification and Accreditation
Basically, certification entails conformance to specified characteristics by an individual, an organization or an object. More often than not, an audit, assessment, education or external review provides evidence of this conformance (Grama, 2012). It is a comprehensive process of evaluating an event, a process, a product or a system, which is classically measured against an existing standard or norm (Jahankhani et al., 2016). An independent body may provide certification in the form of a written assurance that such a system, service or product meets specified requirements. Certification programs are often created for the purpose of testing or evaluating the skills of those performing specific services within an entity's area of interest.
Generally, certification is a form of verification that an organization or an individual has attained a particular level of compliance in a specific area. It indicates that the essential steps in receiving a specified designation have been met. As an official measure used to demonstrate to clients or an employer the possession of a capability in a specific area, as confirmed by a reputable organization, it demonstrates that the services or products are in line with consumers' expectations (Jahankhani et al., 2016). A perfect example is a governmental agency certifying that an organization adheres to the regulations that exist within a specific sector. Another example is a testing laboratory certifying that particular products meet pre-established standards.
In contrast, accreditation is considered to be a formal declaration by a third party that a certification program is administered in a manner which meets the appropriate standards for a certification program (Grama, 2012). This hierarchy of accreditation is mostly overseen by the European Accreditation Forum and the International Accreditation Forum (IAF) (Jahankhani et al., 2016). These forums have the role of approving and accrediting the National Accreditation Body that exists in every nation which possesses the relevant arrangements to operate a National Accreditation Board. Increased globalization has inspired the creation of several accreditation bodies to address accreditation needs according to market segment or specific industry.
Description of At least 3 Industry/ International Certification Frameworks Used to
Evaluate the Security of an Application System
An information security framework is a series of documented processes used to describe the policies and procedures for the ongoing implementation of information security controls within an environment (Jahankhani et al., 2016). The purpose of such a framework is to build information security programs in which risks can be well managed and vulnerabilities reduced. In most instances, frameworks are customized to solve particular information security problems. Examples include the NIST SP 800 Series, COBIT and the ISO 27000 series.
NIST SP 800 Series
The United States National Institute of Standards and Technology is responsible for establishing collective information technology standards and documenting best practices. Its first special publication in the 800 series was published in the year 1990, and the series has since grown to provide advice on most aspects of information security (Grama, 2012). Another model that has emerged from the NIST 800 series is NIST 800-53, which has inspired the development of other frameworks for government agencies in the United States so that they can comply with the requirements of Federal Information Processing Standard (FIPS) 200 (Grama, 2012).
ISO 27000 Series
The International Standards Organization developed the ISO 27000 Series. This series provides a detailed information security framework which can efficiently be applied to different types of organizations. It can also be considered the information security equivalent of the ISO 9000 quality standards in the manufacturing sector (Jahankhani et al., 2016). The ISO 27000 series has different sub-standards whose definitions are strictly based on content. For instance, ISO 27001 describes program requirements and ISO 27002 describes the relevant operational steps for an information security program. Several best practice standards exist in the ISO 27000 series. For instance, organizations that seek compliance with the HIPAA Act could adopt ISO 27799, which describes information security in the health sector (Jahankhani et al., 2016). Besides, the ISO 27000 Series provides a broad range of advice on the collection of digital evidence, the security of storage systems and cloud computing.
COBIT
COBIT is the acronym for Control Objectives for Information and Related Technology, an information security framework that was established in the mid-90s by ISACA (Grama, 2012). ISACA is an independent organization that governs professionals in the field of IT. Currently, two certifications are provided by ISACA: Certified Information Security Manager (CISM) and Certified Information Systems Auditor (CISA) (Grama, 2012). The primary focus at the beginning of this framework was to reduce the technical risks that existed in organizations. However, in recent times it has evolved, with COBIT 5, to include the alignment of a business's strategic goals with information technology (Jahankhani et al., 2016). For most financial institutions and other organizations that seek to achieve compliance with the Sarbanes-Oxley Act, it is the most commonly used framework.
Description of Common Criteria as One of the Frameworks
The Common Criteria is an international set of specifications and guidelines developed for the evaluation of information security products, to ensure that these products meet the security standards agreed upon for governmental deployments (Higaki, 2014). Formally, it is referred to as the Common Criteria for Information Technology Security Evaluation. It is made up of two core constituents: Evaluation Assurance Levels and Protection Profiles (Higaki, 2014). Protection Profiles define sets of security requirement standards for a given type of product, while Evaluation Assurance Levels define the level of security evaluation that a product went through.
It consists of a scale labeled 1-7, whereby a higher evaluation level implies that a product went through more testing than a product with a lower level (Higaki, 2014). Vendors must complete a security target description, which gives an overview of the security features of a product as well as a thorough evaluation of the potential security threats the product may face. Additionally, vendors perform a self-assessment of the product to highlight how it conforms to the relevant Evaluation Assurance Level and Protection Profile that the vendor tests against (Higaki, 2014).
Lastly, the laboratory has to test the product and verify its security features, as well as evaluate how it adheres to the specifications defined in a Protection Profile (Higaki, 2014). Should the evaluation be successful, an official product certification is issued. In this manner, Common Criteria certification is basically an assurance to customers that the products they purchase have undergone a thorough evaluation and that the vendor's claims have been verified by a neutral third party.
Preparing for Certification (TBD)
References
ABA Coordinating Committee on Nonprofit Governance. (2005). Guide to nonprofit corporate governance in the wake of Sarbanes-Oxley. Chicago, Ill: Section of Business Law, American Bar Association.
Calder, A. (2005). A business guide to information security: How to protect your company's IT assets, reduce risks and understand the law. London: Kogan Page.
Fletcher, W. H., & Plette, T. N. (2008). The Sarbanes-Oxley Act: Implementation, significance, and impact. New York: Nova Science Publishers.
Grama, J. (2012). Corporate information security and privacy regulation. In Legal issues in information security (pp. 181-204). Sudbury, MA: Jones & Bartlett Learning.
Harwood, M. (2011). Security strategies in Web applications and social networking. Sudbury, MA: Jones & Bartlett Learning.
Higaki, W. H. (2014). Successful common criteria evaluations: A practical guide for vendors. North Charleston: Createspace.
Information Resources Management Association. (2015). Business law and ethics: Concepts, methodologies, tools, and applications.
Information Security Compliance: Which regulations relate to me? (2018, January 18). Retrieved from https://www.tcdi.com/information-security-compliance-which-regulations/
ISO/IEC 27002:2013 - Information technology -- Security techniques -- Code of practice for information security controls. (n.d.). Retrieved from https://www.iso.org/standard/54533.html
Jahankhani, H., Carlile, A., Emm, D., Hosseinian-Far, A., Brown, G., Sexton, G., & Jamal, A. (Eds.). (2016). Global Security, Safety and Sustainability - The Security Challenges of the Connected World: 11th International Conference, ICGS3 2017, London, UK, January 18-20, 2017, Proceedings. Cham: Springer International Publishing.
Northcutt, S., & Northcutt, S. (2004). IT ethics handbook: Right and wrong for IT professionals. Rockland, MA: Syngress Pub.
Sarbanes-Oxley Act. (n.d.). Retrieved from http://www.soxlaw.com/
Staff, C. (2012, December 19). The security laws, regulations and guidelines directory. Retrieved from https://www.csoonline.com/article/2126072/compliance/compliance-the-security-laws-regulations-and-guidelines-directory.html#Childrens-Online-Privacy
Suyono, E., & Hariyanto, E. (2012). Relationship between internal control, internal audit, and organization commitment with good governance: Indonesian case. China-USA Business Review, 11(9), 1237-1245. doi:10.17265/1537-1514/2012.09.006
The U.S. Sarbanes Oxley Act 2002 and corporate governance: Big Brother is watching you? (2007). München: GRIN Verlag.
(n.d.). Retrieved from https://www.sans.org/security-resources/policies/general/pdf/acceptable-use-policy
(n.d.). Retrieved from http://acqnotes.com/acqnote/careerfields/dod-information-assurance-certification-and-accreditation-process-diacap