Enterprise Information Security and Privacy

For a listing of recent titles in the Artech House Information Security and Privacy Series, turn to the back of this book.

Enterprise Information Security and Privacy

C. Warren Axelrod
Jennifer L. Bayuk
Daniel Schutzer
Editors

artechhouse.com
Library of Congress Cataloging-in-Publication Data
A catalog record for this book is available from the U.S. Library of Congress.

British Library Cataloguing in Publication Data
A catalogue record for this book is available from the British Library.

Cover design by Igor Valdman

ISBN 13: 978-1-59693-190-9

© 2009 ARTECH HOUSE, INC.
685 Canton Street
Norwood, MA 02062

All rights reserved. Printed and bound in the United States of America. No part of this book may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without permission in writing from the publisher.

All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Artech House cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.
Contents

Foreword xiii
Preface xix
Acknowledgments xxiii

Part I: Trends 1

1 Privacy Roles and Responsibilities 3
1.1 Background 4
1.2 Observations 8
1.3 Recommendations 12
1.3.1 Roles and Responsibilities of Information Security 14
1.3.2 The Impact of Outsourcing: Privacy, Security, and Enforcing Controls 16
1.3.3 Privacy and New Roles for Information Security 16
1.4 Future Trends 18

2 Data Protection 21
2.1 Background 21
2.2 Observations 24
2.3 Recommendations 27
2.3.1 Formalize a Trust Model 28
2.3.2 Utilize an Integrated and Holistic Approach to Security and Governance 30
2.3.3 Implement a Risk-Based Systemic Security Architecture 32
2.3.4 Support an Adaptive Security Approach to Security 36
2.3.5 Build Systems, Applications, Networks, Protocols, and Others Using Accepted Standards 37
2.4 Future Trends 40

3 IT Operational Pressures on Information Security 41
3.1 Background 41
3.1.1 IT Operations and IT Service Development Impede Information Security Goals 42
3.1.2 Information Security Impedes IT Operations and IT Service Development Goals 43
3.1.3 Information Security Using a Technology-Centric, Bottom-Up Risk Model 44
3.2 Observations 45
3.3 Recommendations 48
3.3.1 Stabilize the Patient and Get Plugged into Production 51
3.3.2 Find Business Risks, Identify Controls, and Fix Fragile Artifacts 53
3.3.3 Implement Development and Release Controls 55
3.3.4 Continually Improve 56
3.4 Future Trends 57

4 Information Classification 59
4.1 Background 60
4.2 Observations 62
4.3 Recommendations 65
4.4 Future Trends 69

5 Human Factors 71
5.1 Background 72
5.1.1 Historical Perspective on Privacy 73
5.1.2 Impact of Technology on Privacy 74
5.1.3 Privacy in a Corporate Setting 76
5.1.4 Evolution of Personal Information 76
5.2 Observations 77
5.2.1 Privacy Trade-offs—Human Behavioral Impact on Privacy 77
5.2.2 What is Risk? 80
5.3 Recommendations 83
5.4 Future Trends 87
Acknowledgments 87

Part II: Risks 89

6 Making the Case for Replacing Risk-Based Security 91
6.1 Introduction 92
6.1.1 Understanding Security Risk 92
6.2 Why Risk Assessment and Risk Management Fail 95
6.2.1 Misplaced Support for Risk-Based Security in Practice 97
6.2.2 Alternatives to Security Risk Assessment 99
6.3 Conclusion 101

7 The Economics of Loss 103
7.1 Security as the Prevention of Loss 104
7.2 Quantifying the Risk of Loss 105
7.3 Refining the Basic Risk Equation 106
7.4 The Problem of Quantifying Loss Itself 106
7.5 Confronting the Reality of Hypothetical Actions 107
7.6 Overcoming the Fixation on Assets 108
7.7 Overcoming the Fixation on Market Value 108
7.8 Overcoming the Fixation on Productivity 110
7.9 Overcoming the Neglect of Substitutes 111
7.10 Taking Account of the Duration and Extent of the Effects 112
7.11 Distinguishing Between the Different Business Categories of Attacks 113
7.12 Putting the Proper Risk Estimates Back into the ROI Calculation 114

8 Legal and Regulatory Obligations 115
8.1 The Expanding Duty to Provide Security 116
8.1.1 Where Does It Come From? 116
8.1.2 What Is Covered? 118
8.2 The Emergence of a Legal Standard for Compliance 120
8.2.1 The Developing Legal Definition of “Reasonable Security” 122
8.2.2 An Increasing Focus on Specific Data Elements and Controls 128
8.3 The Imposition of a Duty to Warn of Security Breaches 131
8.3.1 The Basic Obligation 132
8.3.2 International Adoption 134
8.4 Conclusion 135

9 Telecommunications 137
9.1 Security Issues in Mobile Telecommunications 138
9.1.1 Pressure on the Perimeter Model 138
9.1.2 Computer Security Threats for Portable Devices 139
9.2 Security Issues in Global Telecommunications 140
9.2.1 Global Cooperation on Cyber Attack 140
9.2.2 Global Attention to Software Piracy 141
9.3 Security Issues in Internet Protocol–Based Telecommunications 141
9.3.1 Reduced Technological Diversity 142
9.3.2 Increased Reliance on Shared, Decentralized Internet-Based Systems 142
9.4 Security Issues in Bandwidth-Increasing Telecommunications 143
9.4.1 Residential Users Have Greater Security Responsibility 143
9.4.2 Botnets Become a Huge Threat to the Global Economy 144
References 146

Part III: Experience 147

10 Financial Services 149
10.1 Laws, Regulations, and Supervisory Requirements 150
10.1.1 Gramm-Leach-Bliley Act of 1999 153
10.1.2 The Sarbanes-Oxley Act of 2002 154
10.1.3 The Fair and Accurate Credit Transactions Act of 2003 154
10.1.4 Breach Notification Requirements 155
10.1.5 Supervisory Guidance 158
10.2 Future Focus 160
10.2.1 Identity Theft Prevention 160
10.2.2 Outsourcing and Offshoring 160
10.2.3 Cross-Border Data Flows 161
10.2.4 Encryption 161
10.2.5 Online Behavioral Advertising 162
10.2.6 Internet Governance 162
10.2.7 Wireless Security 162
10.2.8 Capital Requirements for Operational Risk 162
10.2.9 Security of Web-Based Business Applications 163
10.2.10 Other Future Focuses in Financial Sector Security 163
10.3 Compliance Challenges 163

11 Energy 165
11.1 Overview of Sector 166
11.2 Risks Related to Security and Privacy 169
11.3 How Risks Are Addressed 171
11.4 Documentation and Its Relation to Information Security 174
11.5 Conclusion 177
Acknowledgments 178
Selected Bibliography 178

12 Transportation Security 181
12.1 Overview 182
12.2 Technology’s Role in Transportation Security 183
12.3 Security in Transit 187
12.4 Best Practices Applied 189

13 Academia 191
13.1 Overview 192
13.1.1 Age and Demographics 192
13.1.2 You Cannot Fire Me 192
13.1.3 Hard to Educate Users 192
13.1.4 Lax Controls 193
13.1.5 How Everything Is Connected 193
13.2 Case Studies 193
13.2.1 Case Study: Social Networking and Crimeware 194
13.2.2 Case Study: Social Phishing 196
13.2.3 Case Study: Infected Access Points 196
13.3 Protection 197
References 197

Appendix A Key Information Security Law References 199
A.1 Federal Statutes 199
A.2 State Statutes 200
A.3 Federal Regulations 204
A.4 State Regulations 206
A.5 Court Decisions 206
A.6 FTC Decisions and Consent Decrees 207
A.7 State Attorneys General Consent Decrees 208
A.8 European Union—Directives 209
A.9 European Union—Security Provisions in Country Implementations of Data Protection Directive 209
A.10 Other Countries 212

About the Authors 213
Index 223
Foreword

If there is one lesson you can learn from this book, it is that information security is an art, not a science, and the mastery of information security requires a multidisciplinary knowledge of a huge amount of information, experience, and skill. You will see much of the necessary information here in this book as the authors take you through the subject in a security systems development life cycle using scenarios of real-life situations to emphasize each topic. The authors provide the experience and skill from many years of real-life experience combined with their academic approach to provide a rich learning experience that they expertly present in this book. You have chosen the book well.

Since you are reading this book, you are likely in or working toward a career in information security or at least have some serious information security interest. You must anticipate that just about everybody hates the constraints that your work of increasing security will put upon them, both the good guys and the bad guys–except for malicious hackers who love the security you install as a challenge to be beaten. I concentrate on fighting the bad guys in security because when security is developed against bad guys it also applies to accidents and errors, but when developed against accidental problems, it tends to be ineffective against enemies acting with intent.

I have spent 35 years of my life working in a field that most people hate but still found it exciting and rewarding working with computers and pitting my wits against malicious people. Security controls and practices include logging on, using passwords, encrypting vital information, locking doors and drawers, motivating stakeholders to support security, and installing pipes to spray water down on your fragile computers in case of fire. These are means of protection that have no benefit except rarely when adversities occur. Good security is when nothing bad happens, and when nothing bad happens, who needs security? So why do we engage in security? Nowadays we do it because the law says that we must do it, e.g., we are required to use seat belts and air bags–especially if we deal with the personal information of others, electronic money, intellectual property, and keeping ahead of the competition.
There is great satisfaction knowing that your employer’s information, communications, systems, and people are secure, and getting paid a good salary, being the center of attention in emergencies, and knowing that you are matching your wits against the bad guys all make up for the downsides of your work. It is no job for perfectionists, because you will almost never be fully successful, and there will always be vulnerabilities that you aren’t aware of or that you haven’t fixed yet. The enemy has a great advantage over us. He has to find only one vulnerability and one target to attack in a known place, electronically or physically, while we must defend from potentially millions of enemies’ attacks against all of our assets and vulnerabilities that are no longer in one computer room but are spread all over the world by wire and now by air. It’s like playing a game in which you don’t know your opponents and where they are, what they are doing, why they are doing it, and they are changing the rules as they play. You must be highly ethical, defensive, secretive, and cautious about bragging about the great security that you are employing that might tip off the enemy. Enjoy the few successes that you experience, for you will not even know about some of them.

There is a story that describes the kind of war you are entering into. A small country inducted a young man into their ill-equipped army. They had no guns, so they issued a broom to the new recruit for training purposes. In basic training, the young man asked, “What do I do with this broom?”

They took him out to the rifle range and told him to pretend it is a gun, aim it at the target, and say, “bang, bang, bang.” He did that. Then they took him out to bayonet practice, and he said, “What do I do with this broom?”

They said, “Pretend it is a gun with a bayonet on it and say, ‘stab, stab, stab.’”

He did that also. Then the war started, and they still didn’t have guns, so the young man found himself out on the front line with enemy soldiers running toward him across a field, and all he had was his trusty broom. So he could only do what he was trained to do, aimed the broom at the enemy soldiers, and said, “bang, bang, bang.” Some of the enemy soldiers fell down, but many kept coming. Some got so close that he had to shout, “stab, stab, stab,” and more enemy soldiers fell down. However, there was one stubborn enemy soldier (there is always one in these stories) running toward him. He said, “bang, bang, bang,” but to no effect. The enemy continued to get closer. He got so close that the recruit had to say, “stab, stab, stab,” but it still had no effect. In fact, the enemy soldier ran right over the recruit, left him lying in the dirt, and broke his broom in half. However, as the enemy soldier ran by, the recruit heard the enemy muttering under his breath, “tank, tank, tank.”

I tell this story at the end of my many lectures on computer crime and security to impress on my audience that if you are going to win against crime, you must know the rules, and it is the criminal who is making up his secret rules as he goes along. This makes winning very difficult.

When I was lecturing in Rio de Janeiro, a young lady performed simultaneous translation into Portuguese for my audience of several hundred people, all with earphones clapped over their ears. In such situations, I have no idea what my audience is hearing, and after telling my joke nobody laughed. They just sat there with puzzled looks on their faces. After the lecture, I asked the translator what had happened. She had translated “tank, tank, tank” into “water tank, water tank, water tank.” I and the recruit were both deceived that time.
Three weeks later, I was lecturing to an audience of French bankers at the George V Hotel in Paris. I had a bilingual friend listen to the translation of my talk. The same thing happened as in Rio. Nobody laughed. Afterwards, I asked my friend what had happened. He said, “You will never believe this, but the translator translated ‘tank, tank, tank’ into ‘merci, merci, merci.’” Even in telling the joke I didn’t know the rules to the game.

Remember that when working in security, you are in a virtual army defending your employer and stakeholders from their enemies, and from your point of view they will probably think and act irrationally, but from their perspective they are perfectly rational with serious personal problems to solve and gains to be made by violating your security. You are no longer a techie with the challenging job of installing technological controls in systems and networks. Most of your work should be assisting potential victims to protect themselves from information adversities and dealing with your smart but often irrational enemies even though you rarely see or even get close to them. I spent a major part of my security career hunting down computer criminals and interviewing them and their victims trying to obtain knowledge from them to do a better job of defending from their attacks. You, likewise, should also use every opportunity to seek them out and get to know them. This experience gives you great cachet as a real and unique expert even with only minimal exposure to a few enemies.

Comprehensiveness is an important part of the game you play for real stakes because the enemy will likely seek the easiest way to attack the vulnerabilities and assets that you haven’t fully protected yet. For example, one of the most common threats is endangerment of assets, which means putting information assets in harm’s way, yet I rarely find it on threat lists. Endangerment is also one of the most common mistakes that security professionals make. You must be thorough, meticulous, document everything (in case your competence is questioned and to meet the requirements of the Sarbanes–Oxley Law), and keep the documents safely locked away. Be careful and document so that when an adversity hits and you lose the game, you will have proof of having been diligent in spite of the loss. Otherwise, your career could be damaged, or at least your effectiveness will be diminished. For example, if the loss is due to management failing to give you an adequate budget and support for the security that you know that you need, you must have documented that before the incident occurs. Don’t brag about how great your security is, because it can always be beaten. Keep, expand, and use everyday checklists of everything–threats, vulnerabilities, assets, key potential victims and suspects of wrongdoing, security supporters and those that don’t bother with security, attacks, enemies, criminal justice resources, auditors, regulators, and legal counsel. To assist your stakeholders, who are the real defenders of their information and systems, in managing their security, you must identify what they must protect and measure the real extent of their security. And make sure that those to whom you report and higher management understand the nature of your job and its limitations.

You will have a huge collection of sensitive passwords to do your job. Use the best possible passwords to set a good example, write them down, and keep the list safely in your wallet next to your credit card. Know as much about the systems and networks in your organization as possible and have access to the expert people that know the rest. Make good friends of the local and national criminal justice people, your organization’s lawyers, insurance risk managers, human resources people, talent, facilities managers, and auditors. Audit is one of the most powerful controls that your organization has. Remember that people hate security and must be properly motivated with penalties and rewards to make it work. Seek ways to make security invisible or transparent to stakeholders, yet effective. Don’t recommend or install controls or practices that they won’t support, because they will beat you every time by making it look like the controls are effective but are not–a situation worse than no security at all.

One of the most exciting parts of the job is the insight you gain about the inner workings and secrets of your organization and its culture that you must thoroughly understand. As an information security consultant, I was privileged to learn about the culture and secrets of more than 250 of the largest international corporations throughout the world. I had the opportunity to interview and advise the most powerful business giants if even for only a few minutes of their valuable time. You should always be ready to use the five minutes that you get with them once every year or so as your silver bullet to use with top management for the greatest benefit of their security. Carefully learn the limits of their security appetites. Know the nature of the business whether it is a government department or a hotly competitive business. I once found myself in a meeting with the board of directors intensely and seriously discussing, and suppressing my snickering about, the protection of their greatest trade secret, the manufacturing process of their new disposable diapers.
Finally, we come to the last important bit of advice. Be trustworthy and develop mutual trust among your peers. Your most important objectives are not risk reduction and increased security; they are diligence to avoid negligence, exceeding compliance with all of the laws and standards and auditors, and enablement when security becomes a competitive or a budget issue. To achieve these objectives, you must develop a trusting exchange of the most sensitive security intelligence among your peers in your and other security people’s organizations so that you know where your organization stands in protection relative to them. You need to know what the generally accepted current security solutions are and especially those used in your competitors’ businesses or other related organizations. Therefore, you need to exchange this highly sensitive information among your peers. If the information exchanged is exposed, it could ruin your and others’ careers as well as be a disaster for your or their organizations. Your personal and ethical performance must be spotless, and you must protect your reputation at all costs. Pay particular attention to ethics. You must be discreet and careful by testing and growing the ongoing peer trust to facilitate the sharing of sensitive security information.

Donn Parker
Senior Information Security Consultant, Retired
Preface

Our Age of Anxiety is, in great part, the result of trying to do today’s job with yesterday’s tools and yesterday’s concepts.
We shape our tools and afterwards our tools shape us.
Most of our assumptions have outlived their usefulness.
—Marshall McLuhan

What makes otherwise sensible but overloaded men and women take the time and put in the effort to create a book such as this—a book that questions the very foundation and practice of a profession that has provided our livelihoods? Perhaps one reason is that we have something in common. We are all passionate about improving the state of security and privacy in an ever more threatened and vulnerable world.

Our authors were carefully chosen from a relatively small cadre of talented, engaged professionals, who are not only directly involved in “real world” activities, but contribute extensively to the evolution of the information security field via participation in numerous professional and industry committees, associations, conferences, and other initiatives. Additionally, many of us frequently write and lecture on best practices on a purely voluntary basis, seeking to raise the proficiency of the information security profession.

In a recent interview published in the January/February 2008 edition of the IEEE Security & Privacy journal, Bob Blakley, a principal analyst with the Burton Group, is quoted as saying, “Despite the fact that both attacks and losses have approximately doubled every year since 1992, we continue to rely on old models that are demonstrably ill-suited to the current reality” [1].

And there’s the rub. For the most part, we security professionals continue to use ill-suited traditional approaches to deal with new threats and vulnerabilities. The accelerating rate of incident growth and resulting losses, despite increased attention and expenditures on security, points to the lack of effective methods for taming the threat and vulnerability tigers that are accompanying the rapid proliferation of new information technologies. It has become clear that many of us in the security profession are trying to solve today’s and tomorrow’s problems with yesterday’s solutions, which is turning out to be a no-win situation, as witnessed by the continuing increases in the frequency and size of security and privacy breaches.

Of course, there has been some progress and innovation in the security and privacy space, thanks to a veritable horde of companies developing and purveying products and services. Also, many academic and research institutions are engaged in leading-edge, though not always practical, research and development. Despite all that effort, we still find ourselves lagging far behind the “bad guys.” Could it be that we are slow to adapt to new challenges or to adopt new, more effective technologies? Or is it that pure and applied research and product development are just not keeping up, or are not addressing the real, pragmatic concerns of real-world practitioners? It is interesting to see how our authors interpret and respond to the situation.

This book takes a fresh, and (we hope) refreshing, approach. The author guidelines were to examine and question current and traditional approaches, to determine their weaknesses and strengths, and to suggest paths forward that will overcome their deficiencies. Because of their strong practical backgrounds, the authors’ recommendations are realistic, visionary, and doable within the context of the rapidly changing technical and social worlds in which we live.

Trying to gauge the futures of security and privacy is a daunting task, but it is one that the contributors to this book live with every day of their lives and are therefore eminently capable of addressing. Some of our authors are contrarian, others more conservative, but all are thoughtful and practical and sufficiently concerned that they made this effort to bring their messages to the reader. You will find yourself agreeing with some positions and disagreeing with others. That is to be expected and to be encouraged. In fact, in a novel format suggested by one of the editors, we have introduced comments by the editors throughout the text in order to stimulate thought and discussion. You cannot and should not suppress free and open thinkers or restrict their thinking to what you believe in. That is the price of encouraging creative thinking and innovation. We hope that you will agree that it is a small price for the benefits derived from the out-of-the-box thinking of these caring and resourceful professionals.

We, as security and privacy professionals and practitioners, are at a crossroads and must decide which path to take. We can continue with business as usual and see the number and size of breaches and losses continue to mount, or we can examine each new situation with the pragmatic approach needed to get ahead of the monster. But, before we run off with our rallying cries and impassioned pleas, we need to really understand what approaches have a chance at actually working. This book’s purpose is to provide you with a basis for countermanding those who still support tired and ineffective methods. We are not seeking change for change’s sake, but are looking for change that will be productive and effective and will keep us ahead of the security-breach tsunami that is threatening to swamp us all.

A brief note about the structure of the book is in order. The book consists of three major sections. At the beginning of each section we have a few pages of introduction, written by your editors. Then, sprinkled throughout the chapters, we have editorial comments and discussions, much like blogs with their point and counterpoint repartee.

In Part I, we trace back the history of security, privacy, and information technology to see what got us into this mess in the first place. Chapters on the evolution of security and privacy from a variety of technological and organizational views will give you the perspective and energy needed to tackle even greater future demands.

In Part II, we tackle the thorny topic of risk. Donn Parker’s contrarian views on this subject set the stage. Should the doctrine of risk-based security and privacy assessments be thrown out the window, or are we losing something by doing so? We shall see whether or not our authors can make the case for such controversial areas as security metrics, risk analysis, and return on security investment.

Then, in Part III, we invite those who have extensive knowledge and expertise in specific public and private sectors to tell us what security and privacy issues dominate their industry or sector.

Acknowledgments

Author acknowledgements follow some chapters of this book. In this space, our
editors acknowledge the influences and support that allowed them to complete
this volume.
Warren Axelrod wishes to thank Wayne Yuhasz, executive acquisitions
editor for Artech House Publishers, for proposing the book. The concept for
this book, namely, to have it written by practitioners for practitioners, came out
of our discussions. Wayne also suggested that I recruit two outstanding
coeditors, which I did in the persons of Jennifer Bayuk and Daniel Schutzer.
Jennifer and Dan have been extremely supportive throughout the process and
we each picked up the slack when others were diverted by other projects or job
situations. It was this aspect of editors and authors having “day jobs” that cre-
ated the real challenge in developing the book. And so I thank all the authors
who generously gave of their time and effort to write their outstanding contribu-
tions despite their other commitments. Finally, I thank my wife Judy for putting
up with the intrusions on our personal lives as a result of this and other projects.
Jennifer Bayuk acknowledges the influential thinkers which she was lucky
enough to have as mentors and coaches in various InfoSec roles over the years.
In chronological order, these are: Ed Amoroso, her professor at Stevens Institute
of Technology and colleague at AT&T Bell Laboratories; Mike Donahue, a past
international president of the Information Systems Audit and Control Associa-
tion and her coach at Price Waterhouse; Rich Corneilson, the director of inter-
nal audit at AT&T Capital Corporation wherein she managed IT Audit, and
Pat Ripley, the highest ranking information security officer at Bear Stearns
before the title chief information security officer became commonplace. In

xxiv Enterprise Information Security and Privacy
addition, Jennifer acknowledges her husband Michael, whose constant support
makes such extracurricular tasks as authoring textbooks possible.
Dan Schutzer acknowledges all the smart people he has been lucky enough
to have met in his long career, and the wisdom they have provided through the
years. This includes many of his colleagues at Citi including Steve Katz, David
Solo, Mark Clancy, and Bob Wilkinson. He also acknowledges his wife Myra
for her understanding and support in his undertaking this project.
Part I: Trends

Each chapter in this section consists of four parts:

• Background,
• Observations,
• Recommendations,
• Future trends.

The background provides either a history or a survey of the issue identified
in the title of the chapter. Observations show how the author is approaching the
issue and includes his or her thoughts on how today’s state of affairs evolved.
Recommendations give practical advice on how to think about the issue in order
to best serve the objectives of security and privacy with respect to information.
Future trends outline the next steps that will likely be taken by the industry as a
whole.
The subject matter covered in Part I allows a glance at the field of security
at a whole. The five chapters on different aspects of security and privacy provide
a base level of understanding of the evolution of the field to date. Though not a
comprehensive portrait of the profession,1 the staged introduction of each issue
provides the reader with a well-rounded impression of the state of affairs faced
by the information security practitioner.

1. For a history of the profession, see Jennifer Bayuk, Stepping Through the InfoSec Program, In-
formation Systems Audit and Control Association (ISACA), 2007, Chapter 1.

As in any profession, it cannot be expected to make progress without the
recognition that it is hard to understand how to move forward without studying
the past. As the great poet and philosopher, George Santayana, said, “Those
who cannot remember the past are condemned to repeat it.”
Nevertheless, the chapters in this section are not purely history lessons.
They combine history lessons with matter-of-fact observations on today’s state
of affairs. They build on the observations to provide useful insight for informa-
tion security practitioners facing dilemmas of the future.
1 Privacy Roles and Responsibilities
Sam DeKay and Ken Belva

As a relative newcomer to the information security profession and particu-
larly to the privacy field, I was under the impression that modern-day pri-
vacy legislation and regulations originated with the 1995 EU (European
Union) Directive 95/46/EC on the protection of personal data. I had been
told that the Europeans are particularly sensitive to the privacy rights of
individuals following the abuses of personal information by the Nazis
before and during World War II and hence they had very demanding pri-
vacy rights legislation. However, while the requirements mandated in the
EU Directive might be considered more stringent than those in the United
States, other aspects, such as the need to inform individuals that their infor-
mation has been compromised and could be used for illegal purposes, are
apparently not as broad as in the United States. Consequently we have little
idea as to the extent of data breaches in Europe. Be that as it may, compli-
ance with the European Union’s Directive on data protection means that
many other countries must meet higher standards than in their own coun-
try, making for issues with the free flow of personal data around the world.
I was also aware of a number of data protection and privacy laws and
directives from other countries, such as New Zealand, Japan, and the
United Kingdom. However, I did not know about the long history and the
origins of privacy concepts and laws as described in this chapter by Sam
DeKay and Ken Belva going back more than 100 years. I was particularly
interested in learning about the evolving theatre of privacy in the United
States in the 1960s and 1970s with the landmark 1974 Privacy Act.
The authors have provided us with a context that I have not seen else-
where. This review of the history helps us better understand the context in

which more modern laws and regulations have been written. Tom
Smedinghoff, who is a leading expert in security and privacy law, provides a
particularly comprehensive legal perspective in Chapter 8.
The authors also address two issues, namely data classification and the
relationship between security and privacy, which are at the forefront of con-
cerns of practitioners.
The topic of data classification is handled in more detail in Chapter 4. As
the reader will see, the jury is still out on our ability to actually achieve
meaningful data classification in the private sector, since the cost of doing a
complete job and maintaining the data inventory is overwhelming to say
the least.
It is very useful to plow through the distinctions between privacy and secu-
rity as delineated by the authors. I see that loose definitions and much confu-
sion are common here, so it is refreshing to see this attempt at clarification.
Sam and Ken have tackled a difficult set of topics in an easily understood
chapter and so have provided a service to many of us who have struggled to
put together a realistic model of privacy and security. The authors do not
resolve all the issues, but give the reader a basis for understanding them and
going forward with a realistic template.
—C.W.A.

1.1 Background

The right to privacy was first defined by Brandeis and Warren in their 1890
Harvard Law Journal article, “The Right to Privacy.” It is well noted that this
article was written in response to Warren’s aristocratic lifestyle appearing in the
gossip pages of the daily Boston newspapers. While the intrusions into Warren’s
life certainly seemed unethical, until Warren’s and Brandeis’ landmark paper it
was unclear how to legally demonstrate why this was the case. Brandeis and
Warren were the first to ground an individual’s right to privacy in common law
rights, as well as the psychological health of the individual. Namely, without
such rights psychological harm would come to those who are not able to handle
certain aspects of their life in private, outside of public scrutiny.1
Glancy notes that “Warren’s and Brandeis’ original concept of the right to
privacy thus embodied a psychological insight, at that time relatively unex-
plored, that an individual’s personality, especially his or her self-image, can be
affected, and sometimes distorted or injured, when information about that indi-
vidual’s private life is made available to other people.”2 Glancy further writes,

1. Glancy, D. J., “The Invention of the Right to Privacy,” Arizona Law Review, Vol. 21, No. 1,
1979, p. 2.
2. Ibid.
“In the simplest of terms, for Warren and Brandeis the right to privacy was the
right of each individual to protect his or her psychological integrity by exercising
control over information which both reflected and affected that individual’s per-
sonality.”3 Warren and Brandeis realized that an individual’s control over his or
her personal information was being altered by new technology.
Technology influences the right to privacy by extending one’s ability to
freeze moments in time and replay them. When Brandeis and Warren wrote the
“The Right to Privacy,” landmark inventions such as the telegraph, inexpensive
photographic equipment, as well as the ability to record sound were becoming
commonplace. Technology enables our ability to trace history through the cre-
ation and collection of well-documented, nearly indisputable records of past
events. Upon examination we see a strong, yet often overlooked aspect of tech-
nology and privacy. By recording history, one’s privacy may potentially be vio-
lated at any point in the present or future should these records be disclosed in a
manner not intended by those who became part of the record. Moreover,
recording and electronification allow pieces of information to be automatically
linked. Information, which in isolation may not be considered private, in com-
bination is often so considered (e.g., name and account number).
As technology becomes more powerful, the functionality of our system
increases in its ability to intrude into the operations of people’s lives. One needs
to look no further than the telephoto photography of the paparazzi as ample evi-
dence. Other cases are worth mentioning due to scale: government capture of all
cellular transmissions worldwide, satellite photography used to spy across
national borders, various taps into communications equipment (e.g., fiber
optics, internet packet duplication). In short, our ability to record private events
continually increases, which culminates in a collective history through docu-
menting that which normally would otherwise be erased in the sands of time.
The concerns of Brandeis and Warren have been exacerbated as we
become more technologically sophisticated. We not only have the capability to
record events, but we have the historically unprecedented ability to correlate
such records by synthesizing and aggregating data. Historically speaking, the
privacy debate in the United States was driven by the fear of government collect-
ing and abusing data stored in its information systems. In the early 1960s, the
U.S. government proposed a National Data Center and considered creating a
unified database to synthesize all data collected about individuals. According to
its proponents, the purpose of the National Data Center was to increase effi-
ciency and decrease costs, not create dossiers on individuals.4 Its opponents,
such as Representative Cornelius Gallagher, argued that the possible abuse of

3. Ibid.
4. “Data Vampire,” http://www.time.com/time/magazine/article/0,9171,836161,00.html?
promoid=googlep, Nov. 2007.
such a system outweighed its efficiency. Charles A. Reich, a professor of consti-
tutional law, argued that such a government system would “establish a doctrine
of no second chance, no forgiveness, one life, one chance only.”5 The National
Data Center program was ultimately dropped due to lack of public support.
The early 1960s witnessed a period of great public distrust, in both the
United States and Europe, concerning the concentration of personal data being
stored in governmental and corporate databases. Vance Packard’s best-selling
The Naked Society, published in 1964, was perhaps the most influential alarm
sounded against the dangers to privacy represented by the massive accumulation
of personal information in electronic databases. Packard’s warnings were echoed
by Myron Brinton’s The Privacy Invaders (1974). Three years later, Alan
Westin’s Privacy and Freedom reminded readers that technology remained a
grave threat to the privacy of individuals.
These books presented a seemingly persuasive case that electronic data
processing, despite the many efficiencies that it promised and often delivered,
was also responsible for the gradual diminishing of citizens’ privacy. Packard,
Brinton, and Westin portrayed a future in which the technological resources of
“big government” and “big business” could invasively spy upon and pry into the
intimate details of individuals’ lives.
Pronouncements from Washington seemed to fulfill these dire predictions.
In the early 1960s, the Bureau of the Budget proposed establishing a National
Data Center that would collect within a single database information previously
residing in the records of four separate federal agencies. Eventually, according to
the proposal, data from many additional agencies would be added to the single
database. Saturday Review published an article praising this effort, emphasizing
the productivity gained from eliminating redundant record keeping. However,
the article failed to convince readers that the government proposal was a benign
step toward progress. In fact, the article had an exactly opposite effect. Rather
than persuading Americans that the new database represented an effective means
of delivering services and performing governmental functions, the Saturday
Review piece raised fears that the most personal information concerning individ-
uals’ lives would be available to Washington bureaucrats.6
As a result of growing public distrust with the notion of centralized elec-
tronic data collection, several congressional subcommittees convened hearings
to discuss the proposed database and its implications for privacy. In 1963, Rep-
resentative Cornelius Gallagher, a member of a House subcommittee, vehe-
mently attacked those who would transform citizens into “computerized men,”
beings that were “stripped of identity and privacy.”7 Gallagher predicted that,

5. Ibid.
6. “Chapter 2, Database Nation,” http://safari.oreilly.com/0596001053/dbnationtp-CHP-2,
Nov. 2007.
should the national database be established, even the privacy of the home may
not be inviolate. In order to ensure privacy, claimed Gallagher, Americans will
have to ensure that “the essential ingredients of life will be carried on in sound-
proof, peep-proof, prefabricated rooms where, hopefully, no one will be able to
spy, but where life won’t be worth living.”8 However, although the subcommit-
tees interviewed hundreds of witnesses and issued thousands of pages of tran-
scripts, nearly a decade passed before legislation finally emerged.
In 1973, the Department of Health, Education, and Welfare (HEW) issued
a report condemning the trend toward making social security numbers a universal
identifier. The report noted a growing public “distrust” with computerized
recordkeeping systems and recommended a code of Fair Information Practices:

1. There must be no personal-data record-keeping systems whose very
existence is secret.
2. There must be a way for an individual to find out what information
about him is in a record and how it is stored.
3. There must be a way for an individual to prevent information about
him obtained for one purpose from being used or made available for
other purposes without his consent.
4. There must be a way for an individual to correct or amend a record of
identifiable information about him.
5. Any organization creating, maintaining, using, or disseminating
records of identifiable personal data must assure the reliability of data
for their intended use and must take reasonable precautions to pre-
vent misuse of the data.9

The HEW report made no explicit mention of information or data secu-
rity, although the insistence upon “reliability of data for their intended use” may
be interpreted as a security function. In general, however, the code of Fair Infor-
mation Practices emphasized that privacy and electronic recordkeeping could
coexist if individuals are allowed to ensure the accuracy of their own personal
data, to know what information is recorded, and to be aware of how the infor-
mation is being used.
On December 31, 1974, President Ford signed the Privacy Act. This legis-
lation, which represented a culmination of the work of earlier congressional

7. Regan, P. M., Legislating Privacy: Technology, Social Values, and Public Policy, Chapel
Hill: The University of North Carolina Press, p. 95.
8. “Data Vampire.”
9. “The Code of Fair Information Practices,” http://epic.org/privacy/consumer/code_fair_
info.html, Nov. 2007.
subcommittees and of the HEW report, imposed strict controls on databanks in
federal agencies and also established a Privacy Protection Study Commission.
The Privacy Act, unlike the code of Fair Information Practices, included an
explicit role for information security. Subsection 10 of Section E, “Agency
Requirements,” stated that federal agencies must “Establish appropriate admin-
istrative, technical, and physical safeguards to ensure security and confidentiality
of records to protect against any anticipated threats or hazards.”10
Donn B. Parker, writing two years after the passage of the Privacy Act,
noted that the legislation was flawed. The statute included no mention of moni-
toring violations or determining the compliance of database custodians. In addi-
tion, the Act included no provisions requiring that, in the event of a data breach,
individuals must be informed that their personal information may have been
compromised or disclosed in an unauthorized manner.11 Nearly a quarter of a
century would elapse before Parker’s suggestions were incorporated into federal
legislation. However, the Privacy Act successfully established a role for informa-
tion security as a significant “safeguard” intended to protect the confidentiality
of personal data. For the first time, a relationship between privacy and informa-
tion security had been forged. Subsequent decades would witness a similar pat-
tern: The relationship between privacy and security control is substantially
grounded upon legislative fiat and regulatory requirement. Law—not business
ethics, economics, or technological advancement—has served as the primary
bond between concern for individual privacy and information security.

1.2 Observations
In the late 1990s, as computer systems became more accessible to corporate enti-
ties and the general user, the worry about data abuse moved from the govern-
ment to corporations. While some corporate entities began mining their
collected data, other businesses collected, synthesized, and aggregated data from
public and private sources to sell as products. To ease this concern, governments
worldwide passed a number of laws across different industries to prevent abuse,
misuse, and negligence of the data collected and used.12
Once we know what we want to protect and who has it, the question is
“how.” Information security as a discipline uses the concepts of confidentiality,

10. Parker, D. B., Crime by Computer, New York: Charles Scribner’s Sons, 1976, p. 237-238.
11. Oravec, J. A., “The Transformation of Privacy and Anonymity: Beyond the Right to Be Let
Alone,” Sociological Imagination, 2003, p. 6, http://www.stv.umb.edu/n05oravec, Nov. 2007.
12. New Zealand Privacy Act (1993); Hong Kong Personal Data Ordinance (1995); U.S. Health
Insurance Portability and Accountability Act (1996); European Union Data Protection Di-
rective (1998); US Gramm-Leach-Bliley Act (1999).
integrity, and availability (CIA) as frameworks for thinking about how data
should be protected. For any given piece of data we must ask: Is it protected
from being disclosed to those who should not access it? Is it protected from
being created, changed or deleted by those who do not have permission to do so?
And, is it available to those who need it? Information security uses mechanisms
such as encryption, access control lists, authentication, intrusion detection,
recovery procedures, and penetration testing to create and enforce the CIA triad.
These protective mechanisms are implemented at different levels and compo-
nents in the architecture of the systems environment.
Brandeis and Warren helped us to understand that we have a right to pri-
vacy and how this right is grounded in law and psychology. The mechanics of
implementation are separate from one’s privacy policy, leaving space for two dis-
tinct fields. The role of information security is to implement the mechanisms
that establish and enforce privacy rights. Privacy theoretically drives security,
but, as we shall see later in this chapter, cannot do so totally for pragmatic rea-
sons when actually implemented.
More than three decades ago, Parker wrote that “almost everything that
could be said about the right of privacy and the roles that computers play had
been said by about 1968.”13 Obviously, Parker’s statement is not literally true:
Statutes and regulations governing the privacy of electronic records in health,
financial services, and other industries did not emerge in the United States until
the late 1990s. In fact, state and federal governments continue to wrestle with
methods to combat identity fraud and other threats to individual privacy posed
by the Internet, mobile computing devices, and an unceasing supply of emerg-
ing technologies. However, a less literal interpretation of Parker’s observation
reveals that, from an historical perspective, the complex relationship between
privacy and information technology was well established by 1968. Information
security, however, did not occupy a role in this relationship until 1974.
The Privacy Act of 1974 mandated that the resources of information secu-
rity professionals must be deployed to ensure the privacy of information con-
cerning individuals when that information is maintained by federal agencies in
the United States. However, beginning in the late 1990s, the relationship
between information security and privacy has broadened to include data stored
or transmitted by private businesses. In addition, federal and state governments
commenced to implement an assortment of legislative initiatives intended to
prevent unauthorized access to or modification of personally identifiable
information.
The Gramm-Leach-Bliley Act, enacted in November 1999, required
financial services institutions to establish security controls to ensure that the
“nonpublic personal information” of consumers is not disclosed to

13. Parker, p. 249.


unauthorized third parties. The Act, and its accompanying regulatory guidance,
did not provide an unambiguous listing of data elements that comprise
“nonpublic personal information.” Rather, these data were described as any
information:14

• Provided by a consumer to a financial institution; or
• Resulting from a transaction with the consumer or any service per-
formed for the consumer; or
• Otherwise obtained by the financial institution.

The objective of this component of the legislation was to prevent an unau-
thorized individual from obtaining a consumer’s personal information and then
using this information to conduct financial transactions (identity theft).
Gramm-Leach-Bliley requires financial institutions to establish written informa-
tion security programs that describe technical and administrative controls estab-
lished to safeguard the privacy of consumer nonpublic personal information.
The Health Insurance Portability and Accountability Act (HIPAA), which
was fully implemented in July 2006, mandated that health insurance compa-
nies, clearinghouses, and individual medical providers must safeguard health
information if that information can be associated, or identified with, a specific
individual. The central intent of this legislation, as with Gramm-Leach-Bliley, is
to protect information against unauthorized disclosure. HIPAA, however, was
not primarily enacted as a safeguard against identity theft; rather, this Act
sought to prevent the possible misuse of confidential medical information by
unauthorized third parties.
HIPAA includes both a Privacy Rule and a Security Rule. The Privacy
Rule specifies the kinds of data that must be protected and the conditions under
which confidentiality is required. The Security Rule, which complements the
Privacy Rule, applies to information that is electronically stored or transmitted.
HIPAA’s Security Rule requires that information security controls, such as
access control mechanisms and encryption technology, must be applied to indi-
vidually identifiable health information.
Several data elements—including patient name, telephone number, fax
number, social security number, medical record number, and email
address—are considered identifiers of medical information. Thus, medical data
associated with these identifiers are considered highly sensitive and must receive
appropriate security control.

14. “Gramm-Leach-Bliley Act,” 15 USC Subchapter I §6809, http://ftc.gov/privacy/
glbact/glbsub1.htm, Nov. 2007.
In July 2003, the California legislature enacted a statute requiring any
company that conducts business with a state resident to inform the resident if
his or her personal data has been, or may have been, purposefully or accidentally
disclosed to an unauthorized third party. The California statute, SB 1386, pro-
vides a very clear definition of the types of data that, if disclosed, must trigger
the customer notification requirement:
“Personal information” is an individual’s name in combination with one
or more of the following data elements when either the name or the data ele-
ment is not encrypted or otherwise rendered unreadable or unusable:15

• Social security number;
• Driver’s license or state identification card number; or
• Account number or credit or debit card number in combination with
any required security code, access code or password that would permit
access to an individual’s financial account.

The purpose of this legislation is to provide customers with timely notifi-
cation that sensitive personal information may have been compromised and that
appropriate action should be taken (e.g., notifying credit card companies) to
prevent identity theft. As of April 2007, 33 states and one municipality (New
York City) had enacted “data breach notification” laws; most are similar to the
California legislation, but many states have implemented unique provisions that
are not duplicated elsewhere.
Information security is explicitly involved with the enforcement of these
laws because of the requirement that customers must be notified only if pro-
tected information is disclosed in an unencrypted form. Thus, information
security professionals are obligated to encrypt sensitive information to ensure
that a potential or actual data breach will not damage a company’s reputation or
result in costly litigation.
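As an added example (not from the book), the following Python applies the SB 1386 definition of “personal information” quoted above to stored records, returning which elements would make an unauthorized disclosure notifiable; it is the kind of check the data classification step later in the chapter should make possible. The record layout, the field labels, and the treatment of an account/code pair as one data element are assumptions constructed for this example, not statutory text.

```python
"""Added example, not from the book: applying the SB 1386 definition of
"personal information" to stored records, so a classification or
breach-response process can tell whether a disclosure triggers notification.

Constructed assumptions: a record is a dict mapping a field label to a
(value, is_encrypted) pair; the labels are hypothetical, chosen for this
example rather than taken from the statute.
"""
from typing import Dict, List, Tuple

Record = Dict[str, Tuple[str, bool]]

# Elements that, combined with the individual's name, form "personal
# information" on their own (per the definition summarized on this page).
STANDALONE_ELEMENTS = ("ssn", "drivers_license", "state_id_card")
# Account-type numbers count only together with a code that permits access.
ACCOUNT_ELEMENTS = ("account_number", "credit_card", "debit_card")
ACCESS_ELEMENTS = ("security_code", "access_code", "password")


def _present(record: Record, field: str) -> bool:
    """A field counts only if it exists and holds a non-empty value."""
    return bool(record.get(field, ("", False))[0])


def _readable(record: Record, field: str) -> bool:
    """Present and not encrypted or otherwise rendered unreadable."""
    return _present(record, field) and not record[field][1]


def triggering_elements(record: Record) -> List[str]:
    """Return the data elements that, with the name, make this record
    notifiable "personal information"; an empty list means no trigger.

    The statute's condition is that *either* the name or the element is
    unencrypted, so encrypting only one side does not remove the trigger.
    """
    if not _present(record, "name"):
        return []  # every combination in the definition requires a name
    name_readable = _readable(record, "name")
    hits: List[str] = []

    for field in STANDALONE_ELEMENTS:
        if _present(record, field) and (name_readable or _readable(record, field)):
            hits.append(field)

    accounts = [f for f in ACCOUNT_ELEMENTS if _present(record, f)]
    codes = [f for f in ACCESS_ELEMENTS if _present(record, f)]
    for acct in accounts:
        for code in codes:
            # Assumption for this example: the account/code pair is treated as
            # unencrypted if either half of it is readable.
            pair_readable = _readable(record, acct) or _readable(record, code)
            if name_readable or pair_readable:
                hits.append(f"{acct}+{code}")
    return hits


def requires_notification(record: Record) -> bool:
    """True when an unauthorized disclosure of this record would trigger
    customer notification under the definition above."""
    return bool(triggering_elements(record))


# Constructed sample records (not real data) covering the edge cases.
SAMPLES = {
    "plain_ssn": {"name": ("A. Person", False), "ssn": ("000-00-0000", False)},
    # Encrypting only the SSN is not enough: the name is still readable.
    "encrypted_ssn_plain_name": {"name": ("A. Person", False),
                                 "ssn": ("<ciphertext>", True)},
    # Both sides rendered unreadable: no notification trigger.
    "both_encrypted": {"name": ("<ciphertext>", True),
                       "ssn": ("<ciphertext>", True)},
    # An account number without any access code is not covered.
    "account_only": {"name": ("A. Person", False),
                     "account_number": ("1234567890", False)},
    "account_with_password": {"name": ("A. Person", False),
                              "account_number": ("1234567890", False),
                              "password": ("<code>", False)},
    # Identifiers with no name attached do not meet the definition.
    "no_name": {"ssn": ("000-00-0000", False),
                "drivers_license": ("D0000000", False)},
}

if __name__ == "__main__":
    for label, rec in SAMPLES.items():
        print(f"{label:26s} notify={requires_notification(rec)!s:5s} "
              f"via {triggering_elements(rec)}")
```

Note that the "encrypted_ssn_plain_name" case still triggers: under the quoted wording, the exemption applies only when both the name and the data element are unreadable.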
The continuing proliferation of privacy-related legislation has established
an awkward terrain within which information security professionals must navi-
gate. Gramm-Leach-Bliley, HIPAA, and the state “data breach notification
laws” mandate that an assortment of data elements must be protected against
unauthorized disclosure. The enabling legislation occasionally provides very spe-
cific examples of protected data; state laws, for example, usually categorize a cus-
tomer name and associated driver’s license or state identification card number as
“personal information.” However, Gramm-Leach-Bliley and HIPAA prefer
more ambiguous definitions of personally identifiable information.

15. “Bill Number: SB 1386 Chaptered,” http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-
1400/sb_1386_bill_20020926_chaptered_html, Nov. 2007.
1.3 Recommendations
History reveals that privacy is the “why” and information security is the “how.”
By this statement it is meant that privacy is derived from an underlying philo-
sophical and legal concept; information security is the method or set of methods
implemented to achieve privacy. Privacy reflects the values of the given culture
and power structure of the organization creating the policy. By contrast, infor-
mation security is a pragmatic function that effects compliance with the policy
that describes one’s right (or lack thereof) to privacy.
For information security professionals, the most prudent method to
ensure compliance with legislative mandates is to ensure that all data associated
with individual customers or employees are provided the highest level of security
control. In order to provide this control, the first and most critical task of risk
management must occur: data classification, which is discussed in detail in
Chapter 4.
Privacy-related information—data elements that, either singly or in com-
bination with other data, pertain to an individual—must be classified in the
most secure category. Organizations often designate this category as “top
secret,” “personally identifiable information,” “restricted,” “confidential,” “sen-
sitive,” or by a similarly descriptive label. Many compliance officers prefer that
classifications should be self-explanatory; thus, the terms “nonpublic personal
information” or “personally identifiable information” may be preferable as the
type of classification that describes privacy-related data. The specific name
selected is less important than the establishment of a category that explicitly
includes data that are associated with individual persons. In addition, a written
policy, explaining the various kinds of data included within the classification
and accompanied by easily comprehended examples, must be developed and
published for internal organizational use. Information security will contribute to
the formulation of this policy, although the actual document may be authored
by the legal department, compliance, or a similar control function. The policy
should be accessible to all employees.
The task of identifying privacy-related data—which also includes docu-
menting the electronic locations of these data and the methods by which data
are communicated within the organization and to external entities—is best per-
formed by business stakeholders and the technologists who support systems and
applications used by the stakeholders. However, information security, in its role
as enforcer of mandated privacy regulations, is not merely a passive observer of
the identification and classification processes. In fact, information security per-
sonnel must ensure that classification occurs in a manner that will permit tech-
nical security controls (e.g., encryption, secure architecture design, access
control mechanisms) to perform their intended functions properly.
Privacy Roles and Responsibilities 13

For example, customer names and associated account numbers may be stored in specific databases. Access management and encryption may be appropriate tools to secure the confidentiality of these personally identifiable data.
However, the same information, when verbally communicated during a tele-
phone conversation, is not amenable to technical information security controls.
Sensitive information transmitted by telephone is more efficiently safeguarded
by the establishment of customer relationship procedures established by specific
business units.
Unfortunately, the task of data classification—especially in large organiza-
tions with hundreds of applications and databases—is rarely a systematic, thor-
ough process. For example, a few years ago, a large American corporation
deployed teams of technicians, business analysts, and information security per-
sonnel to classify all data elements resident within the thousands of applications
used by business units and their supporting services. Several years were devoted
to this effort. When the task was nearing completion, the organization merged
with another large company. At this point, the classification project was
discontinued.
In order to address the privacy-related mandates, however, it is not neces-
sary to perform an enterprise-wide data classification effort. Rather, it is required
only to identify those data elements that pertain to individual customers or
employees. Although the scope of this work should not be minimized, it is far
less formidable than a full classification of all available data.
The identification of personally identifiable data serves as the point of
departure for subsequent risk assessment. More specifically, information secu-
rity professionals must examine each application and database within which pri-
vate information resides; in addition, the technical environment of these
applications and databases must be scrutinized. This examination will consider
three primary risk-related factors.
First, what are the possible vulnerabilities to which the data associated
with each application or database is exposed? For example, is the application
accessible via the Internet? Can data entry and modification or approval be per-
formed by the same individual? Does the application fail to generate hardcopy
reports that detail changes to data?
Second, are there potential threats that could exploit the identified vulner-
abilities? For instance, could Internet-borne malware compromise the confiden-
tiality or integrity of data residing in an application? Is it possible that
inadequate access controls could contribute to the occurrence of fraud perpe-
trated by employees? Could the lack of hardcopy reports mask unauthorized
transactions?
Third, what is the likelihood of these threats exploiting the vulnerabilities
and, therefore, inappropriately disclosing privacy-related information? The
response to this question must necessarily involve a subjective judgment, because it requires a prediction of possible future action. However, when making this prediction, information security professionals must consider that the
mere possibility of a successful exploitation is not equivalent to a likelihood that
compromise will occur. In his book, Animal Farm, George Orwell coined the
rather cynical motto: “All animals are equal, but some animals are more equal
than others.” The information security risk assessment process is guided by a
similar, although less sardonic, truth: “All possible exploits are dangerous, but
some exploits are more possible (and dangerous) than others.” Determining the
degree of possibility and danger is the task of risk assessment.
However, identifying vulnerabilities and threats and ascertaining the likeli-
hood of threats exploiting vulnerabilities is not the first responsibility of pri-
vacy-related risk management. Rather, these activities are dependent upon a
critical preliminary: the identification and classification of data that require
protection.

1.3.1 Roles and Responsibilities of Information Security

Privacy (or lack thereof) is a policy matter; the implementation of information
security controls is a pragmatic one. Within the corporate environment the chief
privacy officer and chief information security officer are assigned the tasks of ful-
filling duties related to privacy and information security, respectively. However,
the daily functions of these officers negate the notion that privacy dictates to
security its pragmatic function.
We can evaluate the relationship between information security and privacy
on two levels: top-down and bottom-up. From the top-down approach we
understand why privacy and information security controls are implemented.
The bottom-up approach, however, provides understanding of how these pri-
vacy and information security controls are implemented. Privacy and informa-
tion security contain distinct, as well as overlapping, functions.
The major benefit of the top-down perspective is a holistic approach to
integrating privacy requirements into the corporate culture. Other benefits
include, but are not limited to, regulatory and legal compliance, instilling cul-
tural values regarding privacy and a uniform pragmatic application of principles
to corporate data. On inspection we find that certain functions overlap between
the chief privacy officer and the chief information security officer. Overlapping
privacy functions include: asset management, communications and operations
management, access control, incident management, and business continuity
management.16 However, as mentioned earlier, there are specific non-overlapping functions which apply to the chief information security officer but not to the chief privacy officer. These include security policy, organization of information security, human resource security, physical and environmental security, and system acquisition and maintenance.17

16. Axelrod, C. W., “Achieving Privacy Through Security Measures,” Information Systems Control Journal, http://www.isaca.org, Vol. 2, 2007.
The bottom-up approach analyzes data in two ways. First, we can understand privacy and security as they relate to data at rest and data in transit. For example, we may encrypt data on backup tapes when the data is at rest, and we encrypt data in transit via SSL (today TLS) when it travels across the Internet. Second, we can apply privacy and security to specific data elements and not others. Personal, nonpublic data such as social security numbers and bank account numbers must be protected, whereas protection of publicly available data is optional.
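The discovery work described earlier in this section (identify only those data elements that pertain to individual customers or employees, document where they reside, and classify the record accordingly) and the element-level distinction made in the paragraph above can be partly automated. The following Python is an added example, not code from the book or its authors. The field names, the account-number format (10 to 12 digits) and every sample record are constructed assumptions for illustration; the social security number plausibility rule relies on the ranges the Social Security Administration has never issued (area 000, 666 and 900 to 999, group 00, serial 0000).

```python
"""Pattern-based discovery of privacy-related data elements.

Added example, not from the book. Field names, the account-number format
and all sample records below are constructed assumptions for illustration.
"""
import re

# Social security number in the usual 3-2-4 layout.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# Hypothetical account-number format assumed for this example: 10 to 12 digits.
ACCOUNT_RE = re.compile(r"\b\d{10,12}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")

PII_LABEL = "nonpublic personal information"


def is_plausible_ssn(area, group, serial):
    """Reject numbers the SSA never issues: area 000, 666 or 900-999,
    group 00, serial 0000. This cuts false positives on arbitrary
    3-2-4 digit strings such as part numbers."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    return g != 0 and s != 0


def find_pii(text):
    """Return the set of element types found in one field value."""
    found = set()
    for m in SSN_RE.finditer(text):
        if is_plausible_ssn(*m.groups()):
            found.add("ssn")
    if ACCOUNT_RE.search(text):
        found.add("account_number")
    if EMAIL_RE.search(text):
        found.add("email")
    return found


def classify_record(record):
    """Classify one record (a dict of field -> value).

    Any field carrying a privacy-related element puts the whole record in
    the restricted category; returns (label, {field: [elements]})."""
    hits = {}
    for name, value in record.items():
        elements = find_pii(str(value))
        if elements:
            hits[name] = sorted(elements)
    return (PII_LABEL if hits else "public"), hits


def inventory(tables):
    """Build the location inventory: which table and field holds which kind
    of privacy-related element. Tables with no hits are omitted, so the
    result is the list of places that need technical controls."""
    result = {}
    for table, records in tables.items():
        fields = {}
        for record in records:
            _, hits = classify_record(record)
            for name, elements in hits.items():
                fields.setdefault(name, set()).update(elements)
        if fields:
            result[table] = {name: sorted(e) for name, e in fields.items()}
    return result


# Constructed sample data; none of it refers to a real person or account.
SAMPLE_TABLES = {
    "customers": [
        {"id": 1, "name": "Ann Example", "ssn": "219-09-9999",
         "notes": "prefers contact at ann@example.com"},
        {"id": 2, "name": "Bo Sample", "ssn": "000-12-3456", "notes": ""},
    ],
    "press_releases": [
        {"id": 10, "title": "Q3 results", "body": "Revenue grew 4 percent."},
    ],
    "payments": [
        {"id": 7, "account": "123456789012", "amount": "42.00"},
    ],
}

if __name__ == "__main__":
    for table, fields in inventory(SAMPLE_TABLES).items():
        print(table, fields)
```

Two limits of this approach are visible in the sample: the second customer record is labelled "public" although it holds a person's name, because names cannot be found by pattern, and any 10 to 12 digit string (a phone number, an order number) would be reported as an account number. The output is therefore an inventory for the business stakeholders and supporting technologists to confirm, which is the division of labour the section describes, not a substitute for their review.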
We can thus apply our top-down and bottom-up framework to the chief
privacy officer and the chief information security officer roles and have a clear
understanding why privacy will work in tandem with, but cannot drive, the
information security program.
The chief privacy officer is responsible for creating a framework that
includes legal, compliance, and cultural issues confronting the organization. On
a conceptual level, the chief privacy officer interprets legal requirements and
legal exposure. In the age of globalization, a cultural understanding of privacy expectations and requirements is paramount. On a pragmatic level, the chief privacy officer’s responsibilities may include the sending of privacy notices, a task that lies outside the chief information security officer’s functional responsibility.
The chief information security officer function is a role that includes prag-
matic compliance with the corporate policy but is not limited to that role only.
Managing information security has its own best practices that dictate how cer-
tain operations should be performed. In short, the discipline of information
security manages risk over technology assets and dictates its own set of require-
ments, some of which are not within the purview of the chief privacy officer. As
an example, the chief information security officer has a responsibility to ensure
that the infrastructure is appropriately patched; this is not a role assumed by the
chief privacy officer.
Increasingly, the chief privacy officer and chief information security officer
will intimately need to know each other’s perspective. Both functions are inte-
grated in the sense that one cannot be a chief privacy officer without thinking
about the operational risk of executing the technical provisions described in the
privacy policy. And, one cannot be a chief information security officer without
thinking about compliance and legal issues. Thus, the “why” and the “how” are
intertwined in a ballet where the impact of one function necessarily influences
the other. A failure of policy will result in an incomplete, and failed, execution; a
failure of execution will be a failed policy.

17. Ibid.

1.3.2 The Impact of Outsourcing: Privacy, Security, and Enforcing Controls

Enforcing controls over data outside one’s main environment is basically taken
on faith. Corporate interests and various laws mandate that we include contrac-
tual provisions that require third parties to treat data in the same way we would
treat data. We review various reports, such as SAS 70 Type II reports (since superseded by SOC 1 and SOC 2 reports), vulnerability assessments, and auditor statements, that give us a comfort level that service providers are protecting data properly.
Data flow between companies may be thought of as similar to an Olympic
track relay race. One company hands the baton of data to the next company
waiting in line to process it. Each runner in the relay race follows accepted rules,
or else the entire team is disqualified. Each runner is dependent on the skills of
the other runners. Sometimes a runner steps out of bounds, sometimes a runner
drops the baton. As a company, we hope to choose the best running mates. We
practice with our teammates. We do our due diligence by requesting reports or
perhaps even directly auditing the systems of service providers. Ultimately, and
as much as we practice, we hope that when we pass the baton to our other run-
ning mates they will not drop the baton when they handle it and that they stay
in bounds and within the rules so as not to disqualify themselves and the entire
team. Unfortunately, our current technology does not allow us to tie the baton
to our running mate when we pass it to them. Generally speaking, “Where the data flows, so must the proper controls….”18

1.3.3 Privacy and New Roles for Information Security

Laws intended to prevent the unauthorized disclosure of private information,
coupled with the ceaseless development of new technologies, have both
expanded and altered the traditional roles of information security. For example,
the statutory focus on privacy concerns has blurred the distinction between
physical and logical security.
In recent years, well publicized news stories concerning the loss or theft of
magnetic tapes, laptops, and other media containing personally identifiable
information have become commonplace. The situation has become sufficiently dire that a website, privacyrights.org, has been established to chronicle all reported unauthorized disclosures of sensitive personal information since 2005. According to the Privacy Rights Clearinghouse, which maintains the site, 217 million records have been inappropriately made public since the commencement of recordkeeping.19

18. Belva, K., “A nice little saying: Wherever the data flows, so must the proper controls,” http://www.bloginfosec.com/2007/11/16/a-nice-little-saying-wherever-the-data-flows-so-must-the-proper-controls/, Nov. 2007.
19. “A Chronology of Data Breaches,” http://www.privacyrights.org/ar/ChronDataBreaches.htm, Feb. 2008.

As a result, information security professionals are required to assist with the securing of physical media. This responsibility involves several issues:

• Establishing and assisting with the implementation of standards concerning the secure destruction and erasure of hard drives, magnetic tapes, optical disks, and other media containing personally identifiable information;
• Formulating standards and guidelines that focus upon the secure trans-
port and storage of physical media;
• Developing policies intended to control the threat of unauthorized data
disclosure posed by portable media, such as USB devices, cell phones,
and music players;
• Devising controls intended to prevent the loss or disclosure of personal
data due to the theft of laptops.

These issues are not the sole responsibility of information security. Physical security personnel, records and media management specialists, and
legal professionals also contribute to the mitigation of security risks posed by the
many vulnerabilities associated with portable, highly mobile devices and other
physical media. However, information security must collaborate with these indi-
viduals to document and implement policies that incorporate realistic controls
intended to reduce the likelihood of unauthorized disclosure due to loss or theft.
For example, many corporations recognize that the portability of laptops represents a security exposure. They are frequently lost, stolen, or left unattended in public locations. As a result, information security professionals have adopted policies that require power-on passwords to access data and applications resident on laptops. In addition, the full encryption of laptop hard drives is an increasingly accepted practice; a power-on password alone does not protect the data, since a thief can remove the drive and read it from another machine, so disk encryption is the control that actually addresses loss or theft. Control of USB devices may be implemented by requiring that data written to them be strongly encrypted. Also, numerous organizations have established technical controls that block the copying of information from workstations or laptops to USB devices.
However, the role of information security as enforcer of privacy is not lim-
ited merely to the implementation of access controls and encryption. A clearly
defined and documented reporting mechanism, activated when a potential or
actual theft or loss of data has occurred, must be established and made available
to all employees of the organization. Information security professionals are
required to monitor these reports, to determine if personally identifiable infor-
mation has been compromised, and to conduct relevant forensic analyses. Large
organizations, recognizing the importance of this investigative function,
have dedicated expanding numbers of information security personnel to the monitoring of incident reports and conducting forensic investigations. This trend has been prompted, to a considerable extent, by privacy concerns.
The numerous state data breach notification laws, initiated originally by
California in 2003, provide a vivid example of the manner by which govern-
ment-mandated privacy controls have altered the roles assumed by information
security professionals. Compliance with these laws requires that organizations
must develop programs for identifying the likelihood of a privacy-related data
breach and for notifying individual customers if their personal information may
have been compromised. Implementing such programs involves the acquisition
of skills that have not traditionally been associated with the professional practice
of information security: the ability to identify any legal definition for data con-
tent involved with a specific incident, awareness of legal or public relations mea-
sures that may reduce the severity of the breach, and facility with the
communication of technical matters to legal, business, and public relations pro-
fessionals. These skills, involving knowledge of data classification systems, pri-
vacy-focused risk assessments, and regulatory requirements, are increasingly
critical to information security professionals attempting to cope with new roles
necessitated by privacy concerns.

1.4 Future Trends

Writing in 1976, Donn Parker claimed that two major factors traditionally
motivate the “imposition” of information security controls: (1) fear of losses,
based on widely publicized experience of victims of computer abuse, and (2)
establishment of laws and regulations.20 As discussed earlier in this chapter, both
of these elements were decisive to the forging of a relationship between privacy
and information security. However, these were not the only influential factors.
In addition to a broad sense of public distrust with technology, and also several
statutory and regulatory initiatives enacted in response to this distrust, it was
necessary to achieve consensus concerning concepts of “private” versus “public”
information. In the United States, this consensus emerged primarily due to fear
of identity theft, and also anxiety concerning the unauthorized disclosure of
medical information. Further, the relationship between privacy and information
security has been strengthened by the emergence of specific technologies (such
as the Internet) that are generally perceived as posing threats to accepted con-
cepts of privacy.
However, Parker’s essential theme—that public fear, followed by legislation intended to mitigate fear, are the preconditions to involvement by information security controls—is as valid in the first decade of the twenty-first century as in the 1970s. Information security remains an essentially reactive tool, responding to broader social and political forces, rather than a proactive agent that actually shapes social values.

20. Parker, pp. 275, 276.
To a considerable extent, information security professionals address issues related to privacy in very traditional ways, by implementing those components of the security toolkit that are typically used to protect data confidentiality. These tools include identity management, intrusion detection, access control technologies, and incident response mechanisms. However, the task of securing privacy-related data has also greatly expanded the traditional roles of information security.
For example, auditors and security-focused organizations have been advis-
ing information security professionals for many decades that the development
and implementation of written policies and standards is a critical element of an
effective security program. However, the task of providing adequate controls for
privacy-related data transforms policy development into a mandatory obliga-
tion. Not only must data classification policies be established to identify pro-
tected data, the emergence of privacy concerns has blurred boundaries between
physical and logical security; information security specialists can no longer
assume that logical security is their only responsibility. In order to comply with
regulations concerning privacy, security professionals must develop an aware-
ness of issues related to disposal of hard drives, restrictions upon downloads to
USB devices and other portable media, and problems associated with the loss
and theft of devices containing personally identifiable data. Similarly, policies
regarding data erasure, media destruction, secure transport and storage of infor-
mation, and controls governing the use of portable, easily lost, media must be
enforced at service provider and vendor locations.
Finally, the need to comply with regulations concerning privacy has thrust the information security function into the midst of an intricate web of issues pertaining to corporate governance. During the final two decades of the twentieth century, information security professionals were aware that the adequacy of their controls and programs was under continual scrutiny by the internal audit function. In turn, many internal auditors viewed their primary task as the
assessment of information security. However, the introduction of privacy regu-
lations has greatly altered this relationship. Due primarily to the increasing focus
upon privacy, information security must now develop collaborative relation-
ships with innumerable corporate functions—internal audit, compliance, legal,
privacy officers, media and records management, physical security, and business
units. Roles and responsibilities between these numerous, diverse functions are
frequently overlapping and occasionally confused. In order to establish a consis-
tent privacy program, issues of governance—especially pertaining to the authority assigned to each of these functions—must be addressed. In the absence of a well-defined governance structure, the implementation of privacy controls may degenerate into a hodgepodge of conflicting goals and responsibilities.
As mentioned previously, Donn Parker maintained that “Almost every-
thing that could be said about the right of privacy and the roles that computers
play had been said by about 1968.”21 Only now are we really listening to what
was actually said.

21. Parker, p. 239.


Marshall and Mr. Pinckney ordered out of France. C. C. Pinckney
declared that the U. S. had " millions for defence, but not one cent
for tribute."] Second Session assembles at Philadelphia, Pa. . . 13
Nov. " First personal encounter in Congress between Matthew Lyon
of Vt. and Roger (iriswold of Conn. ; the House fails to censure or
punish 12-15 Feb. 1798 Mississippi territory organized 3 Apr, " Navy
department organized 30 Apr, " Secretary of the navy appointed 3
Jlay, " Harper's Ferry selected as site for a government armorj' and
manufactory 4 May, " Congress authorizes a Provisional army, and
empowers the president, in case of an actual declaration of war or
invasion, to enlist, for 3 years, 10,000 men ; and to appoint one
lieutenant-general, to be chief commander of the army, and one
inspectorgeneral, with other necessary officers ; all to remain in the
service only so long as the president deems necessary for the public
safety 28 May, " Congress authorizes the president to instruct
commanders of ships of war to seize French armed vessels attacking
American merchantmen or hovering about the coast for that purpose
28 May " Song " Hail, Columbia !" first sung May, " •
Imprisonment for debt abolished 6 June, 1798
Commercial intercourse with France suspended 12 June, "
Washington accepts appointment as commander-in-chief, with rank of lieutenant-general (Army) 17 June, "
Uniform rule of naturalization adopted 18 June, "
President announces the failure of the commission sent to France to make peace 21 June, "
Alien act passed (Alien and Sedition laws) 25 June, "
All French treaties declared void 6 July, "
[The tenor of judicial opinion has been that France and the U. S. were not at war, although naval engagements took place. — "Narrative and Critical History of America," vol. vii. p. 473.]
Marine corps first organized by act of 11 July, "
Sedition laws passed (Alien and Sedition laws) 14 July, "
Second Session adjourns 16 July, "
[Jefferson looked anxiously for this adjournment, as affording the opposition (of which he was the head) the only chance to rally. — Hildreth's "U. S.," vol. v. p. 236.]
By treaty the Cherokees allow a free passage through their lands in Tennessee to all travellers on the road to Kentucky passing through Cumberland Gap 2 Oct. "
Trial of Matthew Lyon of Vt. before judge Patterson, under the sedition law (Trials) 7 Oct. "
Third Session assembles at Philadelphia, Pa. 3 Dec. "
"Wieland," the first novel of Charles Brockden Brown, appears "
U. S. frigate Constellation, com. Thomas Truxtun, captures the French ship of war L'Insurgente, off the island of St. Kitts 9 Feb. 1799
General post-office established by act of 2 Mch. "
Act to regulate the collection of duties and tonnage, and to establish ports of entry 2 Mch. "
Estimates for the year amount to over $13,000,000 "
Fifth Congress adjourns 3 Mch. "
Upon assurance from France that a representative from the U. S. will be received with the "respect due a powerful nation," president nominates William Van Murray as minister to France, and associates with him chief-justice Ellsworth of Connecticut and gov. Davie of North Carolina; all are received by Napoleon, first consul 30 Mch. "
Sixth Congress, First Session, assembles at Philadelphia, Pa. 2 Dec. "
Speaker of the House, Theodore Sedgwick, Mass.
John Randolph of Roanoke, Va., enters Congress 2 Dec. "
George Washington d. 14 Dec. "
Eulogy before Congress by Henry Lee of Va. calling him "First in war, first in peace, and first in the hearts of his countrymen" 26 Dec. "
U. S. frigate Constellation, com. Thomas Truxtun, defeats the French frigate La Vengeance 1 Feb. 1800
[Congress honored Truxton with a gold medal.]
General Bankruptcy act 4 Apr. "
Territory of Indiana organized 7 May, "
Stricter law against the slave-trade 10 May, "
Congress establishes 4 land offices for the sale of public lands in the Northwest territory (Ohio) 10 May, "
First Session (last meeting in Philadelphia) adjourns 14 May, "
President Adams removes Timothy Pickering, sec. of state, and James McHenry, sec. of war May, "
U. S. government removes from Philadelphia to the new capital, Washington July, "
[One packet-sloop carried from Philadelphia all the furniture of the several departments, together with the archives of the Federal government, which filled "7 large boxes and 4 or 5 smaller ones."]
Frigate George Washington, capt. William Bainbridge, carries to Algiers the dey's tribute-money, and is required to carry the dey's ambassador to Constantinople Sept. "
[First U. S. man-of-war in the Bosporus.]
Envoys to France negotiate a convention for 8 years, preventing open war 30 Sept. 1800
[Ratified by France, 31 July, 1801, and by the U. S., 19 Dec. 1801. Under this treaty the claims for indemnity, known as the "French Spoliation Claims," have been the subject of frequent reports and discussions in Congress, with no result until referred to the court of Claims by the act of 20 Jan. 1885.]
Spanish government cedes Louisiana to France by the secret treaty of St. Ildefonso 1 Oct. "
Fourth presidential election 11 Nov. "
[Democratic-Republican candidates, Thomas Jefferson and Aaron Burr; Federalists, John Adams and Charles C. Pinckney.]
Second Session (first meeting in Washington, D. C.) 17 Nov. "
Capitol building burned at Washington 19 Jan. 1801
John Marshall appointed chief-justice 20 Jan. "
Electoral votes counted 11 Feb. "
[Thomas Jefferson received 73; Aaron Burr, 73; John Adams, 65; Charles C. Pinckney, 64; John Jay, 1. The tie between Jefferson and Burr remained for the House of Representatives to decide. Balloting began Wednesday, Feb. 11, and continued for 7 days, until a choice was effected. Seats were provided for the president and Senate, but the gallery was cleared and the doors were closed. On the first ballot, New York, New Jersey, Pennsylvania, Virginia, North Carolina, Georgia, Kentucky, and Tennessee voted for Jefferson, while New Hampshire, Massachusetts, Rhode Island, Connecticut, Delaware, and South Carolina voted for Burr. Vermont and Maryland were divided. 104 members were present. In the afternoon of 17 Feb., on the 36th ballot, Delaware and South Carolina cast blanks, while Vermont and Maryland voted for Jefferson and elected him.]
Congress assumes jurisdiction over the District of Columbia 27 Feb. "
Navy reduced to 13 vessels; the rest to be disarmed and sold 3 Mch. "
[Among those reserved were the frigates United States, Constitution, President, Chesapeake, Philadelphia, Constellation, Congress.]
Sixth Congress adjourns 3 Mch. "

Fourth Administration — Democratic-Republican. 4 Mch. 1801 to 3 Mch. 1805. Seat of Government at Washington, D. C.
Thomas Jefferson, Va., president. Aaron Burr, N. Y., vice-president.
CABINET. James Madison, Va., sec. of state, from 5 Mch. 1801. Samuel Dexter, Mass., sec. of treas., continued. Albert Gallatin, Pa., sec. of treas., from 15 May, 1801. Henry Dearborn, Mass., sec. of war, from 5 Mch. 1801. Benjamin Stoddert, Md., sec. of navy, continued. Robert Smith, Md., sec. of navy, from 26 Jan. 1802. Jacob Crowninshield, Mass., sec. of navy, from 2 Mch. 1805. Levi Lincoln, Mass., attorney-gen., from 5 Mch. 1801. Robert Smith, Md., attorney-gen., from 2 Mch. 1805. Joseph Habersham, Ga., postmaster-gen., continued. Gideon Granger, Conn., postmaster-gen. from 28 Nov. 1801.
Three frigates and one sloop-of-war sent to the Barbary coast to protect our commerce, commanded by com. Richard Dale 20 May, 1801
Tripoli declares war against the U. S. 10 June, "
Seventh Congress, First Session, convenes 7 Dec. "
Speaker of the House, Nathaniel Macon, N. C.
President Jefferson sends a written message to Congress and announces that no answer is expected. No president has since addressed Congress orally.
Congress appoints John Beckley of Va. librarian, with a room of the Capitol for the library 26 Jan. 1802
Congress recognizes the war with Tripoli 6 Feb. 1802
Repeal of the new Circuit act 8 Mch. "
Congress reduces the army to the peace establishment of 1796 — 1 regiment of artillery and 2 of infantry — and organizes a military academy at West Point 16 Mch. "
Excise tax repealed 16 Mch. "
Naturalization laws of 1798 repealed; those of 1795 restored 14 Apr. "
[That of 1795 required 5 years' residence, and application 3 years prior to naturalization; that of 1798 required 14 years' residence, and application 5 years prior to naturalization.]
Judicial system of the U. S. amended 29 Apr. "
Library of Congress catalogued, containing 964 volumes and 9 maps Apr. "
First Session adjourns 3 May, "
Washington incorporated as a city " "
Ohio adopts a state constitution 29 Nov. "
[Political intrigues in the state of New York and at Washington against Aaron Burr, destroying his political prospects, culminated during 1802. "Never in the history of the United States did so powerful a combination of rival politicians unite to break down a single man as that which arrayed itself against Burr; for, as the hostile circle gathered about him, he could plainly see Jefferson, Madison, and the whole Virginia legion, with DeWitt Clinton and others of New York, and among them Alexander Hamilton, joining hands with his own bitterest enemies to complete the ring and bring about his political ruin." — Henry Adams's "Hist. U. S.," vol. i. p. 332.]
Second Session convenes 6 Dec. "
Ohio admitted as a state (the 17th) 19 Feb. 1803
Seventh Congress adjourns 3 Mch. "
Treaty with France: the U. S. purchases Louisiana for $15,000,000 30 Apr. "
Eighth Congress, First Session, convenes 17 Oct. "
Speaker of the House, Nathaniel Macon, N. C.
Senate ratifies the treaty with France, by vote of 24 to 7 20 Oct. "
President authorized by Congress to take possession of Louisiana 30 Oct. "
Frigate Philadelphia, 44 guns, capt. Bainbridge, pursuing Tripolitan ship of war, strikes a rock in the harbor of Tripoli and is captured 31 Oct. "
Independence of Hayti proclaimed 29 Nov. "
XII.th Amendment to the Constitution, relative to electing the president and vice-president, passed by the Senate, 22 to 10 2 Dec. "
[By this amendment the electors are required to ballot separately for president and vice-president. The election of 1804 the first under the amendment.]
Same passed by the House — 83 to 42 12 Dec. "
New Orleans delivered to the U. S. 20 Dec. "
Lieut. Stephen Decatur, with the ketch Intrepid, destroys the Philadelphia in the harbor of Tripoli under the guns of the castle, without losing a man, night of 16 Feb. 1804
Impeachment of Samuel Chase, associate justice of the Supreme court; trial began Feb. "
[Acquitted Mch. 1805.]
Louisiana purchase divided into the territory of Orleans and the District of Louisiana 26 Mch. "
First Session adjourns 27 Mch. "
Capt. Meriwether Lewis, of the First Infantry, and lieut. William Clark, appointed to explore the Missouri river and seek water communication with the Pacific coast, enter the Missouri river 14 May, "
Burr, vice-president, mortally wounds Alexander Hamilton in a duel at Weehawken, N. J., Hamilton having fired in the air (Burr's conspiracy, Duels) 11 July, "
XII.th Amendment being accepted by two thirds of the states — Massachusetts, Connecticut, and Delaware only dissenting — is declared ratified 25 Sept. 1804
Second Session convenes 4 Nov. "
[7 Federal senators and 25 representatives.]
Fifth presidential election 13 Nov. "
Territory of Michigan formed from Indiana 11 Jan. 1805
[Division to take place 30 June, 1805.]
Electoral vote counted 13 Feb. "
[For president, Thomas Jefferson, Va., 162 votes; for vice-president, George Clinton, N. Y., 162 votes, both Democratic-Republicans. Charles C. Pinckney, S. C., for president, and Rufus King, N. Y., for vice-president, Federal, each receiving 14 votes.]
Twenty-five gunboats ordered for the protection of ports and harbors 2 Mch. "
[This measure was urged by President Jefferson, but proved to be useless.]
Genesee and Buffalo Creek, N. Y., made ports of entry 3 Mch. "
Eighth Congress adjourns " "
[With this Congress closes the political life of Aaron Burr.]

Fifth Administration — Democratic-Republican. 4 Mch. 1805 to 3 Mch. 1809.
Thomas Jefferson, Va., president. George Clinton, N. Y., vice-president.
CABINET. James Madison, Va., sec. of state, continued. Albert Gallatin, Pa., sec. of treas., continued. Jacob Crowninshield, Mass., sec. of navy, from 3 Mch. 1806. Henry Dearborn, Mass., sec. of war, continued. Robert Smith, Md., attorney-gen., from 3 Mch. 1805. John Breckinridge, Ky., attorney-gen., from 25 Dec. 1805. Caesar A. Rodney, Del., attorney-gen., from 20 Jan. 1807. Gideon Granger, Conn., postmaster-gen., continued.
Treaty of peace with Tripoli 3 June, 1805
Abiel Holmes's "American Annals" first pub. "
Ninth Congress, First Session, convenes 2 Dec. "
Speaker of the House, Nathaniel Macon, N. C.
Commission authorized to lay out a national road from Cumberland, Md., to the Ohio river 29 Mch. 1806
First Session adjourns 21 Apr. "
Leander, a British naval vessel, fires into an American coaster, the Richard, off Sandy Hook, and kills the helmsman 25 Apr. "
Great Britain issues an "order in council" declaring the whole coast of Europe, from the Elbe to Brest, in France, under blockade 16 May, "
Napoleon issues the Berlin Decree 21 Nov. "
Second Session convenes 1 Dec. "
Treaty with Great Britain signed by commissioners, but the president did not even send it to the Senate 3 Dec. "
Aaron Burr's supposed conspiracy culminates "
Burr arrested by lieut. Gaines, near fort Stoddart, Ala. 19 Feb. 1807
Act to prohibit import of slaves from 1 Jan. 1808 passes the House 7 Feb. 1807, by 113 to 5; approved 2 Mch. "
Duty on salt repealed 3 Mch. "
Ninth Congress adjourns " "
Burr brought to Richmond, Va., early in Mch. "
His trial for treason begins there (Burr's conspiracy, Trials) 22 May, "
British frigate Leopard, 50 guns, capt. Humphreys, fires into the U. S. frigate Chesapeake, com. Barron, off Chesapeake bay, killing 3 and wounding 8, and takes 4 seamen, claiming them as British subjects 22 June, "
[Barron was suspended by a court-martial for 5 years without pay and emoluments, for making no resistance and surrendering his ship.]
American ports closed to the British, and British ships ordered from American waters July, "
First steamboat, the Clermont (Fulton's), starts from New York for Albany 14 Sept. 1807
[From this time regular trips were made on the Hudson at about 6 miles an hour.]
Aaron Burr acquitted 15 Sept. "
Tenth Congress, First Session, convenes 26 Oct. "
Speaker of the House, Joseph B. Varnum, Mass.
A British "order in council" forbids neutral nations to trade with France or her allies except under tribute to Great Britain 11 Nov. "
Napoleon's Milan decree forbids trade with England or her colonies, and confiscates any vessel paying tribute or submitting to English search 17 Dec. "
Congress authorizes the building of 188 gunboats, at a cost of not over $852,000 18 Dec. "
[This made, with those previously built, 257.]
Embargo act prohibits foreign commerce 22 Dec. "
[On the mere recommendation of the executive, with little debate, with closed doors, with scarcely any warning to the public, or opportunity of advice by those most able to give it, this act was forced through by night sessions, and by the overbearing determination of a majority at once pliant and obstinate — an act striking a deadly blow at the national industry and at the means of livelihood of great numbers, the real nature and inevitable operation of which seems to have been equally misapprehended by the president and the cabinet recommending it, and by the majority enacting it. — Hildreth's "Hist. U. S.," vol. vi. p. 37.]
Second and more stringent Embargo act (commonly called, reading the title backward, the "O grab me act") 9 Jan. 1808
Embargo modified; the president authorized to permit vessels to transport American property home from foreign ports 12 Mch. "
Army raised to 5 regiments of infantry, 1 of riflemen, 1 of light artillery, and 1 of light dragoons, to be enlisted for 5 years 12 Apr. "
"Salmagundi," first work of Washington Irving, pub. "
First Session adjourns 25 Apr. "
Burr leaves New York for Europe 9 June, "
Sixth presidential election 8 Nov. "
Second Session convenes 7 Nov. "
Territory of Illinois established 3 Feb. 1809
[Now the states of Illinois and Wisconsin.]
Electoral vote counted in the House 8 Feb. "
[Candidates: Democratic-Republicans, James Madison of Va. for president, 122; George Clinton of N. Y. for vice-president, 113. Federalists, Charles C. Pinckney of S. C. for president, 47; Rufus King of N. Y. for vice-president, 47, scattering, 21.]
Embargo act repealed 1 Mch. "
Non-intercourse act forbids commercial intercourse with Great Britain, France, and their dependencies after May 20 1 Mch. "
Tenth Congress adjourns 3 Mch. "

Sixth Administration — Democratic-Republican. 4 Mch. 1809 to 3 Mch. 1813.
James Madison, Va., president. George Clinton, N. Y., vice-president.
CABINET. Robert Smith, Md., sec. of state, from 6 Mch. 1809. James Monroe, Va., sec. of state, from 2 Apr. 1811. Albert Gallatin, Pa., sec. of treas., continued. William Eustis, Mass., sec. of war, from 7 Mch. 1809. John Armstrong, N. Y., sec. of war, from 13 Jan. 1813. Paul Hamilton, S. C., sec. of navy, from 7 Mch. 1809. William Jones, Pa., sec. of navy, from 12 Jan. 1813. Caesar A. Rodney, Del., attorney-gen., continued. William Pinkney, Md., attorney-gen., from 11 Dec. 1811. Gideon Granger, Conn., postmaster-gen., continued.
President proclaims that both England and France have revoked their edicts as to neutrals, and terminates the Non-intercourse act 19 Apr. 1809
Eleventh Congress, First Session (extra), convenes 22 May, "
Speaker of the House, Joseph B. Varnum, Mass.
Francisco Miranda, a native of South America, aiming to overthrow the Spanish power in Caracas, S. A., engages a vessel, the Leander, and with about 250 men sails from New York, Feb. 1806. Although reinforced by some other vessels, and gaining some advantages, the expedition results in failure. The Americans of the expedition captured by the Spaniards, while confined at Carthagena, petition their government for relief, 9 June. A resolution requesting the president to take measures for their liberation, if satisfied that they are entitled to it, is offered in the House; it is lost (61 to 61) by the speaker's casting vote 14 June, "
John Quincy Adams, minister to Russia, continued until 1813. "
First Session (extra) adjourns 28 June, "
Great Britain not revoking her "Orders in Council" of 1807, the president proclaims the Non-intercourse act still in force towards that country 9 Aug. "
David M. Erskine, British minister to U. S., recalled, and Francis J. Jackson appointed, arrives Sept. "
[British minister F. J. Jackson left Washington, and from New York asked for his passport. His relations with this government being unsatisfactory, his recall was asked for.]
Second Session convenes 27 Nov. "
Committee appointed by the House to inquire into the charge that brig.-gen. James Wilkinson had received a bribe from the Spanish government; or was an accomplice, or in any way concerned, with the agent of any foreign power, or with Aaron Burr (see this record, 1811) 3 Apr. 1810
General post-office established at Washington under the postmaster-general (Postal service) 30 Apr. "
British and French armed vessels excluded from American waters by act approved 1 May, "
Second Session adjourns " "
Napoleon's Rambouillet decree, dated Mch. 23, issued May, "
[Ordered the sale of 132 American vessels captured; worth, with their cargoes, $8,000,000 (see McMaster's "Hist. of the People of the U. S.," vol. iii., p. 367, note).]
France proclaims the revocation of the Berlin and Milan decrees, to take effect after 1 Nov. "
[The revocation was not carried into effect, but American vessels still continued to be seized by French cruisers and confiscated.]
Third Session convenes 3 Dec. "
Recharter of the U. S. bank passed by the House, 65 to 64; fails in the Senate, 17 to 17, by the casting vote of president of the Senate, George Clinton 20 Feb. 1811
Trading-posts first established among the Indians by Congress; act approved 2 Mch. "
Eleventh Congress adjourns 3 Mch. "
William Pinkney, U. S. minister to England, returns to the U. S. May, "
President, U. S. frigate, 44 guns, com. John Rodgers commanding, meets the British sloop-of-war Little Belt in lat. 37°, about 40 miles off cape Charles 16 May, "
[In this engagement (both parties denied beginning it) the Little Belt, a much weaker vessel than the President, was badly riddled; action continued about 15 minutes. The conduct of both commanders was approved by their governments.]
Twelfth Congress, First Session, convenes 4 Nov. "
Speaker of the House, Henry Clay of Ky. (first appearance in the House; previously in the Senate. Kentucky, senators).
[John C. Calhoun of S. C. appeared in Congress for the first time this session, being elected as a War Democrat.]
Gen. Wm. H. Harrison defeats the Indians under the Prophet at Tippecanoe, within the present state of Indiana 7 Nov. 1811
Brig.-gen. James Wilkinson is tried by a general court-martial, convened at Fredericktown, Md., 2 Sept., and acquitted (see this record, 1810) 25 Dec. "
Theatre at Richmond burned; the governor and many eminent citizens perish (Virginia) Dec. "
Case of John Henry and the Federalists of New England; papers laid before the Senate by the president 9 Mch. 1812
Presi
Sloop-of-war Hornet captures and sinks British sloop Peacock near the mouth of the Demerara river, South America (Naval battles of the U. S.) 24 Feb. 1813
A proclamation and circular letter from the governor of Bermuda is laid before Congress by the president, which recites a "British Order in Council," providing for colonial trade, with instructions to colonial governors to show special privileges to the eastern (New England) states 24 Feb. "
Congress passes an act to encourage vaccination 27 Feb. "
[An agent was to be appointed to keep and dispense genuine vaccine matter for public use, etc.]
President vested with the power of retaliation on British subjects, soldiers, or Indians 3 Mch. "
Twelfth Congress adjourns " "

Seventh Administration — Democratic-Republican. 4 Mch. 1813 to 3 Mch. 1817.
James Madison, Va., president. Elbridge Gerry, Mass., vice-president.
CABINET. James Monroe, Va., sec. of state, continued from 2 Apr. 1811. Albert Gallatin, Pa., sec. of treasury, continued from 14 May, 1801. George W. Campbell, Tenn., sec. of treasury, from 9 Feb. 1814. Alexander J. Dallas, Pa., sec. of treasury, from 6 Oct. 1814. John Armstrong, N. Y., sec. of war, continued from 13 Jan. 1813. James Monroe, acting sec. of war, from 26 Sept. 1814. William H. Crawford, Ga., sec. of war, from 3 Mch. 1815. William Jones, Pa., sec. of navy, continued from 12 Jan. 1813. Benjamin W. Crowninshield, Mass., sec. of navy, from 19 Dec. 1814. William Pinkney, Md., attorney-gen., continued from 11 Dec. 1811. Richard Rush, Pa., attorney-gen., from 10 Feb. 1814.
["The attorney-generalship now became a cabinet office." — Hildreth's "Hist. U. S.," vol. vi. p. 458. "Up to this time the attorney-gen. had not been regarded as standing on the same footing with the other members of the cabinet. His salary was much less, and he had neither office room or clerks, and was not required to reside permanently at Washington." — Henry Adams's "Hist. U. S." vol. vii. p. 398.]
Gideon Granger, Conn., postmaster-gen., continued from 28 Nov. 1801. Return J. Meigs, O., postmaster-gen., from 17 Mch. 1814.
Russia offers mediation between the U. S. and Great Britain Mch. 1813
U. S. divided into 9 military districts 19 Mch. "
William H. Crawford, Ga., appointed to succeed Joel Barlow (d. 26 Dec. 1812) as minister to France Apr. "
Gen. Wilkinson takes possession of the Spanish fort at Mobile 15 Apr. "
York (now Toronto), Upper Canada, captured 27 Apr. "
Defence of Fort Meigs (O.) by gen. Harrison 28 Apr.-9 May, "
Gen. Green Clay is checked in attempting to reinforce fort Meigs 5 May, "
Albert Gallatin, Pa., and James A. Bayard, Md., appointed as peace commissioners with John Quincy Adams at the Russian court to negotiate a peace; they sail 9 May, "
Thirteenth Congress, First Session (extra), convenes, Speaker of the House, Henry Clay, Ky. 24 May, "
[Daniel Webster entered Congress at this session.]
Fort George, on the west side of Niagara river, near its mouth, is captured by the American troops under gen. Dearborn (Fort George) 27 May, "
Frigate Chesapeake surrenders to the British ship Shannon (Naval battles of the U. S.) 1 June, "
Action at Stony Creek, Upper Canada 6 June, "
Affair at Beaver Dams, Upper Canada 24 June, "
Legislature of Massachusetts remonstrates against the continuance of the war 15 July, "
Maj. George Croghan's gallant defence of Fort Stephenson 2 Aug. 1813
Congress authorizes the loan of $7,500,000 "
Congress lays a direct tax of $3,000,000; number of states, 18; New York assessed the most, being $430,141.62; Louisiana the least, $28,295.11 2 Aug.
First Session (extra) adjourns "
British sloop-of-war Pelican captures the brig Argus in the British channel (Naval battles of the U. S.) 14 Aug.
Massacre at Fort Mimms, Ala., by the Creek Indians 30 Aug.
Brig Enterprise captures British brig Boxer off the coast of Maine (Naval battles of the U. S.) 5 Sept.
Perry's victory on lake Erie (Naval battles of the U. S.) 10 Sept.
Detroit, Mich., reoccupied by the U. S. forces 28 Sept.
Battle of the Thames, Upper Canada; Harrison defeats Proctor; death of Tecumseh 5 Oct.
Action at Chrysler's Field, on the northern shore of the St. Lawrence, about 90 miles above Montreal 11 Nov.
Jackson's campaign against the Creek Indians (Creek war) Nov.
Second Session convenes 6 Dec.
Gen. George McClure, commanding a brigade on the Niagara frontier, burns the village of Newark, Canada, and evacuates fort George, opposite fort Niagara (he is severely censured) 10 Dec.
Embargo established by Congress until 1 Jan. 1815 17 Dec.
Fort Niagara captured by the British (Fort Niagara, New York) 19 Dec.
Buffalo and Black Rock burned by the British and Indians 30 Dec.
Pres. Madison orders a general court-martial at Albany, N. Y., upon brig.-gen. Wm. Hull for the surrender of Detroit. He is tried on charges of (1st) treason, (2d) cowardice, and (3d) neglect of duty and unofficer-like conduct 3 Jan. 1814
An English vessel, the Bramble, under a flag of truce, arrives at Annapolis, Md., with offers of peace 6 Jan.
Congress authorizes increasing the army to 63,000 regular troops, and 5 years' service Jan.
Daniel Webster's first speech in the House on the enlistment bill 14 Jan.
Henry Clay resigns as speaker of the House 19 Jan.
[He was appointed one of the peace commissioners, to meet at Ghent.]
Langdon Cheves of S. C. elected speaker 19 Jan.
Resolution tabled in Congress for a committee to investigate the Blue lights 24 Jan.
President transmits to the House a report from the sec. of war explaining the failure of the army on the northern frontier 2 Feb.
[It was founded on letters and reports from the sec. of war (John Armstrong), gen. Henry Dearborn, gen. Jas. Wilkinson, gen. Wade Hampton, gen. Lewis Cass, gen. William H. Harrison, and gen. George B. McClure (see "Annals of the XIII.th Congress," p. 2353).]
Massachusetts forbids the confinement in her jails of persons not committed by her judicial authorities 7 Feb.
[The object was to free herself from confining British captives.]
Loan of $25,000,000 and an issue of treasury notes for $10,000,000 authorized by Congress 24 Mch.
Brig.-gen. Wm. Hull is found guilty on the 2d and 3d charges, and sentenced to be shot (see 3 Jan. 1814) 26 Mch.
[This sentence was approved by the president, but the execution remitted.]
Gen. Jackson defeats and crushes the Creek Indians at Great Horse Shoe Bend, on the Tallapoosa 27 Mch.
Frigate Essex, capt. David Porter, surrenders to the British ships Phoebe and Cherub in the harbor of Valparaiso, Chili (Naval battles of the U. S.) 28 Mch.
Gen. Wilkinson, with about 2000 troops, attacks a party of British, fortified in a stone mill, at La Colle, Lower Canada, near the north end of lake Champlain, and is repulsed 30 Mch.
[Gen. Wilkinson was relieved from command; a court of inquiry was granted, which exculpated him, but he was never restored to command.]
Repeal of the embargo 14 Apr.
Congress authorizes the purchase of the British vessels captured on lake Erie 10 Sept. 1813, for $255,000, to be distributed as prize money among the captors; com. Oliver H. Perry to be paid $5000 in addition 18 Apr.
Congress authorizes the collection and preservation of flags, standards, and colors captured by the land or naval forces of the U. S. 18 Apr.
Second Session adjourns "
British blockade extended to the whole coast of the U. S. 23 Apr.
Sloop-of-war Peacock captures the British brig Epervier off the coast of Florida with $118,000 in specie (Naval battles of the U. S.) 29 Apr.
British attack and destroy the fort at Oswego, New York 6 May,
Action at Big Sandy Creek, New York 29 May,
Sloop-of-war Wasp captures the British sloop Reindeer in the British channel (Naval battles of the U. S.) 28 June,
Fort Erie, with about 170 British soldiers, surrenders to gen. Winfield Scott and gen. Ripley 3 July,
Battle of Chippewa, Upper Canada 5 July,
Battle of Lundy's Lane, or Bridgewater, Upper Canada (New York, 1814) 25 July,
Congress appropriates $320,000 for one or more floating-batteries, designed by Robert Fulton; one finished July,
[This was the first steam vessel of war built. Batteries.]
Expedition from Detroit against Fort Mackinaw fails 4 Aug.
British troops land at Pensacola, Florida "
British troops, 5000 strong, under gen. Drummond, invest Fort Erie 4 Aug.
American commissioners to negotiate a peace with Great Britain: John Quincy Adams and Jonathan Russell, Mass.; Albert Gallatin, Pa.; James A. Bayard, Del.; and Henry Clay, Ky. These commissioners meet adm. lord Gambier, Henry Goulbourn, and William Adams, British commissioners, at Ghent, Belgium 8 Aug.
Creek Indians, by treaty, surrender a great part of their territory to the U. S. 9 Aug.
Stonington, Conn., bombarded by the British fleet under com. Hardy 9-12 Aug.
British fleet, with 6000 veterans from Wellington's army under gen. Ross, appears in Chesapeake bay 14 Aug.
Midnight assault by the British on fort Erie repulsed (Fort Erie) 15 Aug.
Battle of Bladensburg, the Capitol at Washington burned 24 Aug.
Banks in the District of Columbia suspend 27 Aug.
Nantucket island stipulates with the British fleet to remain neutral 31 Aug.
Sloop-of-war Wasp sinks the British sloop Avon (Naval battles of the U. S.) 1 Sept.
British gen. Prevost crosses the Canadian frontier towards Plattsburg, N. Y., with 12,000 veteran troops 1 Sept.
John Armstrong, secretary of war, resigns 3 Sept.
[He was blamed for the capture of Washington.]
Fleet on lake Champlain under com. Thomas McDonough defeats the British under com. Downie (Naval battles of the U. S.) 11 Sept.
[Army under Prevost retired without a general engagement, though with a loss in its advance and retreat of over 1,500 men.]
British approaching Baltimore, Md., under gen. Ross; he is killed at North Point 12 Sept. 1814
They find the city too well fortified, and retire 13 Sept. 1814
British fleet bombard Fort McHenry " "
[During this attack Francis Scott Key wrote "The Star-Spangled Banner."]
British attack on Fort Bowyer, Mobile bay, repulsed 15 Sept. "
Garrison at Fort Erie by a sortie break up the siege 17 Sept. "
Third Session convenes 19 Sept. "
Gen. Drummond raises the siege of fort Erie 21 Sept. "
Wasp captures the British brig Atlanta (Naval battles of the U. S.) 21 Sept. "
Gallant fight of the
privateer, the Gen. Armstrong, with the British 74-gun ship-of-the-
line, the Plantagenet, in the harbor of Fayal, one of the Azores
(Naval battles of the U. S.) 26 Sept. " Gen. Geo. Izard, on the
Niagara frontier, moves on Chippewa with a force of 6000 men 13
Oct. " A resort of pirates and smugglers at Barataria bay broken up,
without resistance, by com. Patterson, 16 Oct. " Gen. Izard, after a
skirmish with the British near Chippewa, 19 Oct., retires to the
Niagara river, opposite Black Rock 21 Oct. " " The Star-Spangled
Banner" first sung at the Holliday Street theatre, Baltimore Oct. "
Fort Erie abandoned and blown up by the U. S. troops, 5 Nov. " Gen.
Jackson occupies Pensacola 6 Nov. " Elbridge Gerry of Mass., 5th
vice-president of the U. S., dies at Washington, D. C, aged 70 years.
. .23 Nov. " John Gaillard of S. C. elected president of the Senate, 25
Nov. « Hartford Convention meets at Hartford, Conn., 15 Dec.
'*Martial law proclaimed in New Orleans by^ gen. Jackson ..15 Dec.
" British approach New Orleans 22 Dec. " Gen. Jackson attacks the
command of gen. Keane on Villere's plantation, about 9 miles below
the city, and checks its advance on the night of 23 Dec. " He
intrenches about 7 miles below the city. . .24 Deo " [His line,
extending at right angles to the river, reached to a cypress swamp
about 1\ miles distant, and was protected by rudely constructed
breastworks of cotton bales and earth, with a shallow ditch in front.
At the extreme left of this line was stationed the brigade of gen.
Coffee, 800 strong, then came Carroll's brigade, about 1400 men,
while the right towards the river was held by 1300 men under col.
Ross, including all the regulars ; gen. Adair was placed in the rear
with about 500 men as a reserve. Along the line was placed at
intervals 18 guns, carrying from 6 to 23 pound balls, and several
guns across the river under Patterson. Anticipating an advance on
the west bank of the river as well, Jackson had placed gen. David B.
Morgan with about 1200 men, and 2 or 3 guns, a little in advance of
his own position.] Treaty of peace signed bj' the commissioners at
Ghent, 24 Dec. « British attack gen. Jackson with artillery, but are
forced to retire 28 Dec. " Another attempt made 1 Jan. 1815 Final
assault fails , 8 Jan. " [The British commander, sir Edward
Pakenham, in his final assault designing to attack on both sides of
the river at once, ordered col. William (afterwards sir) Thornton to
cross on the night of 7 Jan. with 1200 men, and attack gen. Morgan
at early dawn. The main assault under Pakenham was made as early
as 6 a.jl, the 8th, in 2 columns, the right under maj.-gen. sir Samuel
Gibbs, the left under maj.-gen. John Keane, and the reserve under
maj.-gen. John Lambert; total force probably numbered about 7000
men. Gen. Gibbs's column in close ranks, 60 men front, came under
fire first, which was so severe and deadly that a few platoons only
reached the edge of the ditch and broke.
UNI In this advance Gibbs was mortally wounded, and
Pakenham, in his attempt to rally the men, was almost instantly
killed. The left advance under Keane fared no better, Keane being
severely wounded and carried off the field, and his column routed.
By 8 A.M. the assault was at an end. Col. Thornton's attack on the
west side of the river was successful, for he routed gen. Morgan's
militia, which were poorly armed, and drove them bej-ond Jackson's
position towards the citj-, and compelled Patterson to spike his guns
and retire, but owing to the failure of the main assault, together with
the loss of the chief officers, gen. Lambert, now chief in command,
recalled Thornton from his successes, and on 9 Jan. began
preparation for retreating. Of the 7000 British troops probably
engaged in the assault, 2036 were killed and wounded, the killed
hp\ns estimated at over 700; Americans lost 8 kiuea aui. ^S 'yc
inded in the main assault ; total loss on both sides of the river, 71.]
Congress levies a direct tax of $6,000,000 (number of states 18) 9
Jan. 1815 [The largest assessment, that of New York state, was
$864,283.24 ; the smallest, of Delaware, $64,092.50.] Christopher
Gore of Mass. opposes this bill in the Senate 5 Jan. " Frigate
President, 44 guns, com. Decatur commanding, is captured by the
British frigates Endymion, 40 guns, the Pomone, Tenedos, and
Majestic (Naval battles of the U.S.) 15 Jan. " Congress imposes
duties on household furniture and on gold and silver watches 18 Jan.
" [Tax on a gold watch, $2 ; on a silver watch, $1 ; on $1500 worth
of household furniture, $6 ,• $3000, $17 ; $4000, $28 ; $6000, $45 ;
$10,000, $100. Beds, bedding, kitchen furniture, and family pictures,
exempt.] U. S. purchases Jefferson's liVarv. about 7000 volumes, for
the use of Congress for $23,000 (vote of the House 81 to 71) 26
Jan. " Bill to incorporate the Bank of the U. S. is vetoed by pres.
Madison 30 Jan. " Treaty of peace reaches New York in the British
sloopof-war Favorite 11 Feb. " It is ratified 17 Feb. " Frigate
Constitution captures the Cyane and the Levant, British sloops-of-
war (Naval battles of the U. S.), Feb. " Fort BowYER, invested by the
British fleet, surrenders '. 12 Feb. " Army reduced to a peace footing
of 10,000 men, 2 major-generals, and 4 brigadier-generals. . . .3
Mch. " [The major-generals were Jacob Brown and Andrew Jackson ;
the brigadier-generals were Winfield Scott, Edmund Gaines,
Alexander Macomb, and Eleazar W. Kipley.] Non-intercourse and
Non-importation acts repealed, 3 Mch. " U. S. declares war against
Algiers " " Thirteenth Congress adjourns " " Sloop-of-war Hornet,
capt. James Biddle, captures the British brig-of-war Penguin, off
cape of Good Hope (Naval battles of the U. S.) 23 Mch. " Gen.
Jackson, at New Orleans, is fined $1000 for contempt of court 31
Mch. " American prisoners-of-war at Dartmoor, Engl., are fired upon
by prison guards ; 5 killed and 33 wounded, 2 mortall}' 6 Apr. "
Com. Decatur sails from New York for Algiers with the frigates Guen-
iere. Macedonian, and Constellation, 1 sloop-of-war, 4 brigs, and 2
schooners. . . .19 May, " Guerri'ere captures an Algerian frigate of 44
guns off Gibraltar 17 June, " Dey, in a treaty of peace, renounces all
claims to tribute, or presents, or to hold prisoners-of-war as slaves,
30 June, " At a grand Indian council at Detroit, Mich., a treaty is
XJNI made with 8 of the principal tribes east of the Mississippi 1
Sept. 1815 Total debt of the U. S., $119,600,000 30 Sept. "
[Estimated cost of the war, $85,500,000.] Fourteenth Congress, First
Session, convenes. . .4 Dec. " President of the Senate pro tern., John
Gaillard of S. C. Speaker of the House, Henry Clay of Ky. North A
merican Review starts in Boston, Mass., William Tudor, editor "
Congress fixes the pay of its members at $1500..19 Jlch. 1816
[President of the Senate ^ro tem.&nA the speaker of the House
$3000 each.] Repeal of the act of 18 Jan. 1815, taxing household
furniture, watches, etc 9 Apr. " U. S. bank, capital $35,000,000,
chartered by Congress for 20 years 10 Apr. " Indiana authorized by
Congress to form a constitution and state government 19 Apr. " An
act for the relief of the relatives and representatives of the crew of
the sloop-of-war Wasp, believed to be lost, passed (Naval battles of
the U. S., 1814), 24 Apr. " [12 months' wages and $50,000 prize-
money awarded.] Act passed regulating duties on imports 27 Apr. "
Congress appropriates $1,000,000 a year for 8 j^ears to increase
the navy 29 Apr. " First Session adjourns 30 Apr. " Presidential
election held 12 Nov. " [Democratic-Republican candidate for
president^ James Monroe of Va. ; for vice-president, Daniel D.