b"An information risk management framework isn't implemented in a vacuum, as National Institute of Standards and Technology Fellow Ron Ross points out."