Risk management is key to the successful implementation of an organizational information security program. The risk management framework as defined in, SP 800-37 Rev. 1, NIST Special Publication 800-37 Revision 1 established a detailed life cycle for the identification and management of risk for information and information systems: