Risk Management Handbook 1.1
Table of Contents
Executive Summary
Table of Contents
List of Figures
List of Tables
Introduction
Risk Concepts
Risk and Risk Management
Risk Management Frameworks
Step 1- Identify Risks and Define Protection Requirements
Step 2- Specify Controls
Step 3- Implement and Manage Controls
Step 4- Assess and Report
The HITRUST Risk Management Framework
Step 1- Identify Risks and Define Protection Requirements
Risk Analysis
Control Framework-based Risk Analysis
Quasi-Quantitative Residual Risk Analysis
Background
Current Limitations
QQRRA Approach
Step 2- Specify Controls
Step 3- Implement and Manage Controls
Step 4- Assessment and Reporting
Assurance
Dimensions of Assurance
Attributes of Assurance
Indicators of Assurance
Assessment Approach
HITRUST CSF Control Maturity Model
Evaluating HITRUST CSF Controls
Final Thoughts
About the Author
About HITRUST
Appendix A – Special Topics
A-1. Alternate Controls
A-2. Compliance
A-3. Control Functions
A-4. Cyber Threat Adaptive Control Specification
Introduction
Approach
Disclaimer
A-5. Information Risk
A-6. Interoperability
A-7. NIST Cybersecurity Framework Implementation
Introduction
NIST Cybersecurity Framework Core
Implementing the NIST Cybersecurity Framework
A-8. Purposive Samples
A-9. Third-Party Risk Management
Introduction
Third-Party Risk Management
Third-Party Qualification
A-10. Threat Ontology
Appendix B – Acronyms and Abbreviations
Appendix C – Glossary of Terms
Appendix D – References
Appendix E – Summary of Changes
Version 1.0
A-8. Purposive Samples
Introduction