AICPA (2022). About AICPA & CIMA. Available from https://www.aicpa.org/about/landing/about.

Alberts, C., Dorofee, A., Stevens, J., and Woody, C. (2005, Jan). OCTAVE®-S Implementation Guide, Version 1.0 (CMU/SEI-2003-HB-003). Pittsburgh: Carnegie Mellon University. Available from https://resources.sei.cmu.edu/asset_files/Handbook/2005_002_001_14273.pdf.

ANSSI (2022). EBIOS Risk Manager – The Method. Available from https://www.ssi.gouv.fr/en/guide/ebios-risk-manager-the-method/.

ASQ (2022a). Quality Resources: Six Sigma. Available from https://asq.org/quality-resources/six-sigma.

ASQ (2022b). Quality Glossary. Available from https://asq.org/quality-resources/quality-glossary/.

Banking and Financial Services BA (2012, 10 May). Basel II – Direct vs. Indirect Operational Loss (Blog). Available from https://bfsba.wordpress.com/2012/05/10/basel-ii-direct-vs-indirect-loss/.

Barker, E., Roginsky, A., and Davis, R. (2020, Jun). Recommendation for Cryptographic Key Generation (NIST SP 800-133 Rev. 2). Gaithersburg, MD: NIST. Available from https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-133r2.pdf.

Basel Committee on Banking Supervision (2011, Jun). Principles for the Sound Management of Operational Risk. Basel, CH: Author. Available from https://www.bis.org/publ/bcbs195.pdf.

Bennekers, V. (Ed.) (2022). HITRUST Assessment Handbook. Frisco, TX: HITRUST.

BIMCO (2020). The Guidelines on Cybersecurity Onboard Ship, Version 4.0. Available from https://www.bimco.org/-/media/bimco/about-us-and-our-members/publications/ebooks/guidelines-on-cyber-security-onboard-ships-v4.ashx.

Blum, D. (2020). Rational Cybersecurity for Business: The Security Leader’s Guide to Business Alignment. Silver Spring, MD: Apress. Available from https://learning.oreilly.com/library/view/rational-cybersecurity-for/9781484259528/html/Cover.xhtml.

Bowen, P. and Kissel, R. (2007, Jan). Program Review for Information Security Management Assistance (PRISMA) (NISTIR 7358). Gaithersburg, MD: NIST. Available from https://nvlpubs.nist.gov/nistpubs/Legacy/IR/nistir7358.pdf.

Bradley, E. H., Curry, L. A., and Devers, K. J. (2007). Qualitative data analysis for health services research: developing taxonomy, themes, and theory. Health services research, 42(4), 1758–1772. Available from https://www.ncbi.nlm.nih.gov/pmc/articles/PMC1955280/pdf/hesr0042-1758.pdf.

Britannica (2022). Encyclopedia: The Web & Communication: Information Processing. Available from https://www.britannica.com/technology/information-processing.

BSI (2017, Oct). IT-Grundschutz Methodology (BSI-Standard 200-2). Bonn: Author. Available from https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Grundschutz/International/bsi-standard-2002_en_pdf.pdf?__blob=publicationFile&v=2.

BSI (2021). IT-Grundschutz-Compendium, Edition 2021. Bonn: Author. Available from https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Grundschutz/International/bsi_it_gs_comp_2021_krt.xlsx?__blob=publicationFile&v=3.

BSI (2022). BSI-Standards. Available from https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Standards-und-Zertifizierung/IT-Grundschutz/BSI-Standards/bsi-standards_node.html.

Cambridge (2022). Dictionary. Available from https://dictionary.cambridge.org/dictionary/.

Caralli, R., Stevens, J., Young, L., and Wilson, W. (2007, May). Introducing OCTAVE Allegro: Improving the Information Security Risk Assessment Process (CMU/SEI-2007-TR-012). Pittsburgh: Carnegie Mellon University. Available from https://resources.sei.cmu.edu/asset_files/TechnicalReport/2007_005_001_14885.pdf.

Carnegie Mellon University Software Engineering Institute (2022). SEI: Publications: Digital Library: Search Results: OCTAVE. Available from https://resources.sei.cmu.edu/library/results.cfm#stq=octave&stp=1.

CASES (2016, Apr). MONARC Version 1.0. Luxembourg: Author. Available from https://www.cases.lu/assets/docs/CASES_Monarc2016EN-web.pdf.

CBRN Centres of Excellence (2015, Dec). How to Implement Security Controls for an Information Security Program at CBRN Facilities, p. 1. Available from https://www.pnnl.gov/main/publications/external/technical_reports/PNNL-25112.pdf.

Centrify (2017). Stop the Breach: Reduce the Likelihood of an Attack through an IAM Maturity Model: A Forrester Consulting Thought Leadership Paper. Available from https://www.centrify.com/media/4594046/stop-the-breach.pdf.

CISA (2022a). Critical Infrastructure Partnership Advisory Council. Available from https://www.cisa.gov/critical-infrastructure-partnership-advisory-council.

CISA (2022b). Infrastructure Security: Critical Infrastructure Sector Partnerships: Sector Coordinating Councils. Available from https://www.cisa.gov/sector-coordinating-councils.

Cline, B. (2017, Sep). Leveraging a Control-Based Framework to Simplify the Risk Analysis Process, ISSA Journal, 15(9), pp. 39-42. Available from https://hitrustalliance.net/content/uploads/2016/01/Leveraging-a-Control-Based-Framework-to-Simplify-the-Risk-Analysis-Process.pdf.

Cline, B. (2018, Apr). Understanding HITRUST’s Approach to Risk vs. Compliance-based Information Protection: Why framework-based risk analysis is crucial to HIPAA compliance and an effective information protection program. Frisco, TX: HITRUST. Available from https://hitrustalliance.net/documents/csf_rmf_related/RiskVsComplianceWhitepaper.pdf.

Cline, B. (2019). Risk Management Frameworks: How HITRUST provides an efficient and effective approach to the selection, implementation, assessment and reporting of information security and privacy controls to manage risk in a healthcare environment. Frisco, TX: HITRUST. Available from https://hitrustalliance.net/content/uploads/HITRUST-RMF-Whitepaper.pdf.

Cline, B. (2019, 11 Nov). Understanding and Improving the Role of Self-Assessment in Third-Party Risk Management [Blog Post]. Available from https://hitrustalliance.net/understanding-improving-role-self-assessments-third-party-risk-management/.

Cline, B. (2019, Sep). Risk Analysis Guide for HITRUST Organizations and Assessors: A guide for self and third-party assessors on the application of HITRUST’s approach to risk analysis. Frisco, TX: HITRUST.

Cline, B. (2022). The HITRUST Approach to Quasi-Quantitative Residual Risk Analysis (QQRRA): Quantifying Risk in a Qualitative World. Frisco, TX: HITRUST.

Cline, B. (2022, Feb). HITRUST Third-Party Risk Management (TPRM) Methodology: The Qualification Process – A streamlined approach to qualifying a third party for a business relationship leveraging the HITRUST CSF and Assurance Program. Frisco, TX: HITRUST. Available from https://hitrustalliance.net/uploads/TPRM-Methodology1.pdf.

Cline, B. (2023). The HITRUST Approach to NIST Cybersecurity Framework Implementation, Version 2.0. Frisco, TX: HITRUST.

CLUSIF (2022). Reception: Services: Risk Management: The Fundamentals of MÉHARI (Google Translation). Available from https://clusif.fr/services/management-des-risques/les-fondamentaux-de-mehari/.

CMS (2015). Volume III: Catalog of Minimum Acceptable Risk Security and Privacy Controls for Exchanges (MARS-E Document Suite, Version 2.0). Baltimore, MD: Author. Available from https://www.cms.gov/CCIIO/Resources/Regulations-and-Guidance/Downloads/3-MARS-E-v2-0-Catalog-of-Security-and-Privacy-Controls-11102015.pdf.

CMS (2017). CMS Acceptable Risk Safeguards (ARS) (CMS_CIO-STD-SEC01-3.0). Baltimore, MD: Author. Available from https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/InformationSecurity/Info-Security-Library-Items/ARS-30-Publication.html.

Cybersecurity Requirements for Financial Services, 23 NYCRR 500 (2017). Available from https://www.governor.ny.gov/sites/default/files/atoms/files/Cybersecurity_Requirements_Financial_Services_23NYCRR500.pdf.

De Groot, J. (2020, 1 Dec). What is the NYDFS Cybersecurity Regulation? A Cybersecurity Compliance Requirement for Financial Institutions (Blog). Digital Guardian. Available from https://digitalguardian.com/blog/what-nydfs-cybersecurity-regulation-new-cybersecurity-compliance-requirement-financial.

Department of the Navy (2008, 15 Jul). DoD Information Assurance Certification and Accreditation Process (DIACAP) Handbook, Version 1.0. Washington, D.C.: Author.

ENISA (2016). ENISA Threat Taxonomy. Heraklion, GR: Author. Available from https://www.enisa.europa.eu/topics/threat-risk-management/threats-and-trends/enisa-threat-landscape/threat-taxonomy/@@download/file/Threat%20taxonomy%20v%202016.xlsx.

ENISA (2022). About ENISA – The European Union Agency for Cybersecurity. Available from https://www.enisa.europa.eu/about-enisa.

ENISA (2022a, Jan). Compendium of Risk Management Frameworks with Potential Interoperability: Supplement to the Interoperable EU Risk Management Framework Report. Attiki, GR: Author. Available from https://www.enisa.europa.eu/publications/compendium-of-risk-management-frameworks/@@download/fullReport.

ENISA (2022b, Jan). Interoperable EU Risk Management Framework: Methodology for and assessment of interoperability among risk management frameworks and methodologies. Attiki, GR: Author. Available from https://www.enisa.europa.eu/publications/interoperable-eu-risk-management-framework/@@download/fullReport.

ETSI (2017, Oct). CYBER; Methods and protocols; Part 1: Method and pro forma for Threat, Vulnerability, Risk Analysis (TVRA) (ETSI TS 102 165-1 V5.2.3). Sophia Antipolis Cedex, FR: Author. Available from https://www.etsi.org/deliver/etsi_ts/102100_102199/10216501/05.02.03_60/ts_10216501v050203p.pdf.

European Commission (2020, 8 Nov). IT Security Risk Management Methodology v1.2: Description of the Methodology (v1.2 r19). Available from https://ec.europa.eu/info/publications/security-standards-applying-all-european-commission-information-systems_en.

European Commission (2022). Home: Departments and Executive Agencies: Informatics. Available from https://ec.europa.eu/info/departments/informatics_en.

European Telecommunications Standards Institute, ETSI (2022). Standards: Search: Cybersecurity. Available from https://www.etsi.org/standards#page=1&search=&title=1&etsiNumber=1&content=0&version=0&onApproval=1&published=1&historical=1&startDate=1988-01-15&endDate=2022-07-19&harmonized=0&keyword=&TB=824,,755&stdType=&frequency=&mandate=&collection=&sort=1.

FAIR Institute (2022a). About. Available from https://www.fairinstitute.org/about.

FAIR Institute (2022b). What is FAIR. Available from https://www.fairinstitute.org/what-is-fair.

FAIR Institute (2022c). The FAIR Book. Available from https://www.fairinstitute.org/fair-book.

Ferraiolo, H., Mehta, K., Ghadiali, N., Mohler, J., Johnson, V., and Brady, S. (2018, Jun). Guidelines for the Use of PIV Credentials in Facility Access (NIST SP 800-116 Rev. 1). Gaithersburg, MD: NIST. Available from https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-116r1.pdf.

Foerster, M. and Arnold, C. (2019, 21 Jul). Eight Steps to Establish a Firm Risk Management Program. International Federation of Accountants. Available from https://www.ifac.org/knowledge-gateway/preparing-future-ready-professionals/discussion/eight-steps-establish-firm-risk-management-program.

Forrester (2019, Aug). The Real Costs of Planned and Unplanned Downtime: Accelerate Recovery with New Technologies (Report). Available from https://www.ibm.com/downloads/cas/L57KW7ND.

Freund, J. and Jones, J. (2015). Measuring and Managing Information Risk: A FAIR Approach. New York: Elsevier.

Grance, T., Nolan, T., Burke, K., Dudley, R., White, G., and Good, T. (2006, Sep). Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities (NIST SP 800-84). Gaithersburg, MD: NIST. Available from https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-84.pdf.

Gruber, T. (2009). Ontology. In L. Liu and M. Tamer Ozsu (Eds.) Encyclopedia of Database Systems. Springer-Verlag. Available from https://tomgruber.org/writing/definition-of-ontology.pdf.

Guta, M. (2019, 2 Jul). Small Business Supply Chain Partners Aren’t Always to Blame for Cybersecurity Breaches (Blog). Small Business Trends. Available from https://smallbiztrends.com/2019/07/supply-chain-cybersecurity.html.

Hansche, S., Berti, J., and Hare, C. (2004). Official (ISC)2 Guide to the CISSP Exam. Boca Raton, FL: Auerbach.

Health Insurance Portability and Accountability Act (HIPAA), Public Law 104-191, U.S. Statutes at Large 110 (1996): 1936-2103. https://www.govinfo.gov/content/pkg/PLAW-104publ191/pdf/PLAW-104publ191.pdf.

HHS (2010). Guidance on Risk Analysis under the HIPAA Security Rule. Available from https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf?language=es.

HHS (2013, Mar). HIPAA Administrative Simplification Regulation Text: 45 CFR Parts 160, 162, and 164. Available from https://www.hhs.gov/sites/default/files/hipaa-simplification-201303.pdf.

HHS (2022a). HIPAA: HIPAA Home: For Professionals: Covered Entities and Business Associates. Available from https://www.hhs.gov/hipaa/for-professionals/covered-entities/index.html.

HHS (2022b). HIPAA: HIPAA Home: HIPAA for Professionals. Available from https://www.hhs.gov/hipaa/for-professionals/index.html.

HHS (2022c). HHS: HIPAA Home: For Professionals: The Security Rule. Available from https://www.hhs.gov/hipaa/for-professionals/security/index.html.

HHS (2022d). Home: About HHS. Available from https://www.hhs.gov/about/index.html.

HHS (2022e). HHS: OCR Home: About Us. Available from https://www.hhs.gov/ocr/about-us/index.html.

HHS (2022f). HHS: HIPAA Home: For Professionals: HIPAA Compliance and Enforcement: Resolution Agreements. Available from https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html.

Highmark (2022). Your Health Care Partner. Available from https://www.highmark.com/hmk2/index.shtml.

HITRUST (2023a). About HITRUST. Available from https://hitrustalliance.net/about-hitrust/.

HITRUST (2023b). HITRUST CSF. Available from https://hitrustalliance.net/hitrust-csf/.

HITRUST (2023c). HITRUST Assurance Program. Available from https://hitrustalliance.net/hitrust-assurance-program/.

HITRUST (2023d). HITRUST Approach. Available from https://hitrustalliance.net/the-hitrust-approach/.

HITRUST (2023e). HITRUST Threat Catalogue. Available from https://hitrustalliance.net/threat-catalogue/.

HITRUST (2023f). HITRUST Essentials, 1-year (e1) Validated Assessment. Available from https://hitrustalliance.net/certification/hitrust-essentials-1-year-e1-validated-assessment/.

HITRUST (2023g). HITRUST Implemented, 1-Year (i1) Validated Assessment. Available from https://hitrustalliance.net/certification/hitrust-implemented-1-year-i1-validated-assessment/.

HITRUST (2023h). HITRUST Risk-based, 2-Year (r2) Validated Assessment. Available from https://hitrustalliance.net/certification/hitrust-risk-based-2-year-r2-validated-assessment/.

Hu, V., Ferraiolo, D., and Kuhn, R. (2006, Sep). Assessment of Access Control Systems (NISTIR 7316). Gaithersburg, MD: NIST. Available from https://nvlpubs.nist.gov/nistpubs/Legacy/IR/nistir7316.pdf.

Hu, V., Ferraiolo, D., Kuhn, R., Schnitzer, A., Sandlin, K., Miller, R., and Scarfone, K. (2014, Jan). Guide to Attribute Based Access Control (ABAC) Definition and Considerations (NIST SP 800-162). Gaithersburg, MD: NIST. Available from https://nvlpubs.nist.gov/nistpubs/specialpublications/NIST.SP.800-162.pdf.

Hu, V., Iorga, M., Bao, W., Li, A., Li, Q., and Gouglidis, A. (2020, Jul). General Access Control Guidance for Cloud Systems (NIST SP 800-210). Gaithersburg, MD: NIST. Available from https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-210.pdf.

Hubbard, D., Seiersen, R., Geer Jr., D., and McClure, S. (2016). How to Measure Anything in Cybersecurity Risk. Hoboken, NJ: John Wiley & Sons.

Informs (2022). Decision Analysis Society: About Us. Available from https://connect.informs.org/das/home.

ISACA (2022). What is CMMI? Available from https://cmmiinstitute.com.

ISO (2018). Risk management – Guidelines (ISO 31000:2018). Geneva: Author. Available from https://www.iso.org/standard/65694.html.

ISO/IEC (2018). Information Technology – Security Techniques – Information Security Risk Management (ISO/IEC 27005:2018). Geneva: Author. Available from https://webstore.ansi.org/Standards/ISO/isoiec270052018.

Joint HPH Cybersecurity WG (2016, May). Healthcare Sector Cybersecurity Framework Implementation Guide. Available from https://hitrustalliance.net/uploads/HPHCyberImplementationGuide.pdf.

JTF (2018, Dec). Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy (NIST SP 800-37 Rev. 2). Gaithersburg, MD: NIST. Available from https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf.

JTF (2020, Oct). Control Baselines for Information Systems and Organizations (NIST SP 800-53B). Gaithersburg, MD: NIST. Available from https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53B.pdf.

JTF (2020, Sep). Security and Privacy Controls for Information Systems and Organizations (NIST SP 800-53 Rev. 5). Gaithersburg, MD: NIST. Available from https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf.

JTF (2022, Jan). Assessing Security and Privacy Controls in Information Systems and Organizations (NIST SP 800-53A Rev. 5). Gaithersburg, MD: NIST. Available from https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53Ar5.pdf.

JTF TI (2011, Mar). Managing Information Security Risk: Organization, Mission, and Information System View (NIST SP 800-39). Gaithersburg, MD: NIST. Available from https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-39.pdf.

JTF TI (2012, Sep). Guide for Conducting Risk Assessments (NIST SP 800-30 Rev. 1). Gaithersburg, MD: NIST. Available from https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf.

Kohen, I. (2018, 8 Mar). Data Security Best Practices for Mitigating Supply Chain Risk (Blog), Supply & Demand Chain Executive. Available from https://www.sdcexec.com/risk-compliance/blog/20995547/data-security-best-practices-for-mitigating-supply-chain-risk.

Kreitner, R. (1995). Management (6th ed.). New York: Houghton Mifflin College Division, p. 4.

Lartey, P., Kong, Y., Bah, F., Santosh, R., and Gumah, I. (2019, Aug). Determinants of Internal Control Compliance in Public Organizations; Using Preventive, Detective, Corrective and Directive Controls. In International Journal of Public Administration, p. 4. Available from https://www.researchgate.net/profile/Isaac-Akolgo/publication/335082288_Determinants_of_Internal_Control_Compliance_in_Public_Organizations_Using_Preventive_Detective_Corrective_and_Directive_Controls/links/5d86d58e458515cbd1af4117/Determinants-of-Internal-Control-Compliance-in-Public-Organizations-Using-Preventive-Detective-Corrective-and-Directive-Controls.pdf.

Law Insider (2022). Dictionary: Business Process. Available from https://www.lawinsider.com/dictionary/business-process.

Lucidchart (2022). 5 Steps to any Effective Risk Management Process (Blog). Available from https://www.lucidchart.com/blog/risk-management-process.

Merriam-Webster (2022). Homepage. Available from https://www.merriam-webster.com/.

Miller, L. and Gregory, P. (2012). CISSP for Dummies (4th ed.). New York: Wiley.

MONARC (2022). What is MONARC? Available from https://www.monarc.lu/.

NIST (2004, Feb). Standards for Security Categorization of Federal Information and Information Systems (FIPS Pub 199). Gaithersburg, MD: Author. Available from http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.199.pdf.

NIST (2008, Jul). The Keyed-Hash Message Authentication Code (FIPS Pub 198-1). Gaithersburg, MD: Author. Available from https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.198-1.pdf.

NIST (2018, 16 Apr). Framework for Improving Critical Infrastructure Cybersecurity (v1.1). Gaithersburg, MD: Author. Available from https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf.

NIST (2021, 5 Nov). Information Technology Laboratory: Computer Security Resource Center: Projects: Program Review for Information Security Assistance: Security Maturity Levels. Available from https://csrc.nist.gov/Projects/Program-Review-for-Information-Security-Assistance/Security-Maturity-Levels.

NIST (2022, Jan). Personal Identity Verification (PIV) of Federal Employees and Contractors (FIPS Pub 201-3). Gaithersburg, MD: Author. Available from https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.201-3.pdf.

NIST (2022a). About NIST. Available from https://www.nist.gov/about-nist.

NIST (2022b). Information Technology Laboratory: Computer Security Resource Center: Glossary. Available from https://csrc.nist.gov/glossary.

NIST (2022c). Projects: NIST Risk Management Framework: About the RMF: NIST Risk Management Framework (RMF) – Prepare Step. Available from https://csrc.nist.gov/Projects/risk-management/about-rmf/prepare-step.

NIST (2022d). Information Technology Laboratory: Computer Security Resource Center: NIST Risk Management Framework (RMF). Available from https://csrc.nist.gov/projects/risk-management/about-rmf.

NIST (2022e). National Online Informative References Program: Informative Reference Catalog. Available from https://csrc.nist.gov/projects/olir/informative-reference-catalog?infRef=10041&sortBy=2.

NJCCIC (2017, 20 Jul). Supply Chain: Compromise of Third-Parties Poses Increasing Risk (NJCCIC Threat Analysis Report). Available from https://www.cyber.nj.gov/threat-analysis/supply-chain-compromise-of-third-parties-poses-increasing-risk.

Petersen, H. and Lemke, F. (2015, Aug). Mitigating Reputational Risks in Supply Chains. In Supply Chain Management 20(5), pp. 495-510. Available from https://www.researchgate.net/publication/281121552_Mitigating_Reputational_Risks_in_Supply_Chains.

PHE (2022). Preparedness: Planning: Critical Infrastructure Protection: Healthcare and Public Health (HPH) Sector. Available from https://www.phe.gov/Preparedness/planning/cip/HPH/Pages/default.aspx.

Portal Administración Electrónica (2022). The Portal E-government: Cover Page of Documentation: Cover of Methodologies and Guidelines: Metodología de Análisis y Gestión de Riesgos de los Sistemas de Información. Available from https://administracionelectronica.gob.es/pae_Home/pae_Documentacion/pae_Metodolog/pae_Magerit.html?idioma=en.

Quinn, S., Souppaya, M., Cook, M., and Scarfone, K. (2018, Feb). National Checklist Program for IT Products: Guidelines for Checklist Users and Developers (NIST SP 800-70 Rev. 4). Gaithersburg, MD: NIST. Available from https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-70r4.pdf.

Reed Smith (2017, 13 Sep). Mitigating Third Party Data Breach Risks (Reed Smith Client Alerts). Available from https://www.reedsmith.com/en/perspectives/2017/09/mitigating-third-party-data-breach-risks.

Richards, D., Oliphant, A., and Le Grand, C. (2005, Mar). Global Technology Audit Guide: Information Technology Controls (GTAG 1). Altamonte Springs, FL: The Institute of Internal Auditors. Available from https://pdf4pro.com/cdn/gtag-1-information-technology-controls-26aa03.pdf.

Riskope (2017, 1 Feb). Making Sense of Probabilities and Frequencies. Available from https://www.riskope.com/2017/02/01/making-sense-probabilities-frequencies/.

Ross, J. (2006, Nov). The reliability, validity, and utility of self-assessment. Practical Assessment, Research & Evaluation, 11(10). Available from https://scholarworks.umass.edu/cgi/viewcontent.cgi?article=1196&context=pare.

Ross, R., Dempsey, K., and Pillitteri, V. (2018, Jun). Assessing Security Requirements for Controlled Unclassified Information (NIST SP 800-171A). Gaithersburg, MD: NIST. Available from https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171a.pdf.

Ross, R., Dempsey, K., and Pillitteri, V. (2022, Mar). Assessing Enhanced Security Requirements for Controlled Unclassified Information (NIST SP 800-172A). Gaithersburg, MD: NIST. Available from https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-172A.pdf.

Ross, R., Pillitteri, V., Dempsey, K., Riddle, M., and Guissanie, G. (2020, Feb). Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (NIST SP 800-171 Rev.2). Gaithersburg, MD: NIST. Available from https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r2.pdf.

Ross, R., Pillitteri, V., Guissanie, G., Wagner, R., Graubart, R., and Bodeau, D. (2021, Feb). Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171 (NIST SP 800-172). Gaithersburg, MD: NIST. Available from https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-172.pdf.

Rossebo, J., Fransen, F., and Luiijf, E. (2016, Apr). Including threat actor capability and motivation in risk assessment for Smart Grids. IEEE Joint Workshop on Cyber-Physical Security and Resilience in Smart Grids (CPSR-SG). See workshop presentation available from https://project-sparks.eu/wp-content/uploads/2016/04/rossebo-cpsr-sg-paper-one.pdf.

Samandari, H., Walsh, J., and Yueh, E. (2013, 1 Jul). Managing when vendor and supplier risk becomes your own. McKinsey & Company. Available from https://www.mckinsey.com/business-functions/risk/our-insights/managing-when-vendor-and-supplier-risk-becomes-your-own.

Scarfone, K., Souppaya, M., Cody, A., and Orebaugh, A. (2008, Sep). Technical Guide to Information Security Testing and Assessment (NIST SP 800-115). Gaithersburg, MD: NIST. Available from https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-115.pdf.

Shadish, W. R., Cook, T. D., and Campbell, D. T. (2002). Experimental and quasi-experimental designs for generalized causal inference. Boston: Houghton Mifflin Company.

Sophos (2021, Apr). The State of Ransomware 2021. Available from https://www.sophos.com/en-us/medialibrary/pdfs/whitepaper/sophos-state-of-ransomware-2021-wp.pdf.

Stine, K., Kissel, R., Barker, W. C., Fahlsing, J., and Gulick, J. (2008, Aug). Volume I: Guide for Mapping Types of Information and Information Systems to Security Categories (NIST SP 800-60 Vol. 1 Revision 1). Gaithersburg, MD: NIST. Available from https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-60v1r1.pdf.

Stine, K., Kissel, R., Barker, W. C., Lee, A., and Fahlsing, J. (2008, Aug). Volume II: Appendices to Guide for Mapping Types of Information and Information Systems to Security Categories (NIST SP 800-60 Vol. 2 Rev. 1). Gaithersburg, MD: NIST. Available from https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-60v2r1.pdf.

Stine, K., Quinn, S., Witte, G., and Gardner, R. (2020, Oct). Integrating Cybersecurity and Enterprise Risk Management (ERM) (NISTIR 8286). Gaithersburg, MD: NIST. Available from https://nvlpubs.nist.gov/nistpubs/ir/2020/NIST.IR.8286.pdf.

Swanson, M., Bowen, P., Phillips, A., Gallup, D., and Lynes, D. (2010, May). Contingency Planning Guide for Federal Information Systems (NIST SP 800-34 Rev. 1). Gaithersburg, MD: NIST. Available from https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-34r1.pdf.

The Open Group (2021, Nov). Risk Analysis (O-RA), Version 2.0.1. Berkshire, UK: Author. Available from https://publications.opengroup.org/standards/open-fair-standards/c20a.

The Open Group (2022). Risk Analysis. Available from https://www.opengroup.org/forum/security/riskanalysis.

Trowbridge, M. (2017, 2 Nov). Five Techniques to Manage Supply Chain Risk (Blog). Supply Chain Risk Management Review. Available from https://www.scmr.com/article/five_techniques_to_manage_supply_chain_risk.

Tucker, B. (2020, Nov). Advancing Risk Management Capability Using the OCTAVE FORTE Process (CMU/SEI-2020-TN-002). Pittsburgh: Carnegie Mellon University. Available from https://resources.sei.cmu.edu/asset_files/TechnicalNote/2020_004_001_644641.pdf.

Van Fleet, D. and Seperich, G. (2013). Agribusiness: Principles of Management (International ed.). New York: CENGAGE, p. 24.

Williams, C., Donaldson, S., and Siegel, S. (2020). Building an Effective Security Program. Boston: De Gruyter.