Mastering NIST CSF 2.0 -
The New Govern Function
March 25th, 2025 | Ramadan 25th, 1446
Event Agenda
Welcome and Opening Remarks
Introduction of the ISC2 El Djazair Chapter
Overview of the event's objectives and agenda
Speaker Introduction & Housekeeping
Introduce the speaker and his expertise
Brief explanation of event logistics and housekeeping rules
NIST CSF 2.0 Govern Function Presentation (45 minutes)
An overview of the function with the underlying outcomes
Question & Answer Session
Open the floor for audience questions
Closing Remarks & Feedback
Summary of key takeaways from the event
Feedback survey
ISC2 El Djazair Chapter
Together Toward a Secure Future
Welcome to the ISC2 El Djazair Chapter, a vibrant community of cybersecurity professionals dedicated to
advancing information security in Algeria.
Our Mission
To empower members and professionals through knowledge sharing, professional growth, education,
awareness, and collaborative projects.
Objectives
• Knowledge Sharing: Opportunities for expertise, experiences, and best practices exchange through
conferences, workshops, and webinars.
• Professional Growth: Resources, mentorship, and career guidance to support continuous development.
• Education and Awareness: Awareness campaigns, workshops, and community outreach to promote
cybersecurity best practices.
• Collaboration on Projects: Working together on critical security challenges for a meaningful impact.
ISC2 El Djazair Chapter
AFRICAN CHAPTERS
1. South Africa
2. Ghana
3. Nigeria
4. Kenya
5. Uganda
6. Ethiopia
7. Algeria
ISC2 https://www.isc2.org/chapters
Biography
Bachir Benyammi
Managing Director
Cyber Practice
Ghardaia, Algeria
▪ Cyber Instructor; PECB, CompTIA and CSA Trainer
▪ Delivered 100+ sessions to 1000+ participants
▪ IT engineer with 17 years' experience in IT and Cybersecurity
▪ 2 times CISO (for a short period of time ☺)
▪ Dozens of certifications in IT, Info/Cyber Sec, GRC & Audit
▪ Contributor to NIST CSF, ISACA COBIT & ISO270k Toolkit
▪ ISC2 El Djazair Board Member
▪ ISACA Engage Topic Leader (Governance, COBIT & Frameworks)
Workshop Housekeeping
Chat Interactions
Please feel free to ask your questions in the chat throughout the presentation.
We will do our best to address them after the workshop session.
Webinar Feedback
Your feedback is valuable to us.
Kindly take a moment to evaluate your workshop experience today.
CPE Credits ISC2 Members
CPE credits will be credited to ISC2 members within 5 business days.
Please ensure a minimum viewing time of 45 minutes to be eligible for CPE credits.
Recording and Distribution
The workshop may be recorded and distributed for future reference and educational purposes.
NIST CSF 2.0
Publication: 3rd Edition
Date of release: February 26th, 2024
Main publication: https://doi.org/10.6028/NIST.CSWP.29
Online resources: https://nist.gov/cyberframework
Watch our latest webinar on CSF
YouTube https://youtu.be/olq5_yLoGHM
Today’s Agenda
▪ Governance Overview
▪ Exploring CSF Govern Function
▪ Implementing governance
▪ Governance Resources
▪ Wrapping-up
Cybersecurity is coming to the board!
• Cybersecurity is a major risk that businesses should address at the board level.
• Cybersecurity expertise on boards is currently rare, but important for companies to effectively protect themselves from cyber attacks and incidents.
• Shareholders and regulators should push businesses to improve cybersecurity oversight and disclosure.
Pensions & Investments https://bit.ly/3TRgM6R
Governance vs Management
Governance (EDM)
The method by which an enterprise evaluates stakeholder needs, conditions and options to determine balanced, agreed-upon enterprise objectives to be achieved. It involves setting direction through prioritization, decision making and monitoring performance and compliance against the agreed-upon direction and objectives.
Management (APO, BAI, DSS, MEA)
The planning, building, running and monitoring of activities in alignment with the direction set by the governance body to achieve the enterprise objectives.
ISACA Glossary https://www.isaca.org/glossary
Why Governance Matters?
Governance is critical in today’s cybersecurity landscape.
▪ It enables informed decision-making,
▪ enhances accountability, and
▪ ensures that cyber risks are managed effectively.
Governance benefits include
• Improved alignment between cybersecurity and business goals.
• Stronger compliance with regulations.
• Better preparedness for emerging threats.
Figure: Cybersecurity Risk Management, shown as two layers: Governance and Management.
NIST CSF Governance Topics
1. Context
2. Strategy
3. Roles
4. Policy
5. Oversight
6. Supply Chain
Addressed within the CSF Core through:
• 1 Function
• 6 Categories
• 31 Subcategories
• 119 Implementation Examples
Function: GOVERN
Cybersecurity risk management strategy, expectations, and policy
are established, communicated, and monitored.
▪ Understand and assess specific cybersecurity needs.
▪ Develop a tailored cybersecurity risk strategy.
▪ Establish defined risk management policies.
▪ Develop and communicate organizational cybersecurity practices.
▪ Establish and monitor cybersecurity supply chain risk management.
▪ Implement continuous oversight and monitoring.
1. Organizational Context
1. Mission informs risk management
e.g., Share mission statements to identify risks
2. Stakeholders' needs are considered
e.g., Identify stakeholders' cybersecurity expectations
3. Legal and regulatory requirements are managed
e.g., Track requirements like HIPAA, GDPR
4. Critical objectives and services are understood
e.g., Determine critical assets and their impact
5. Dependencies are understood
e.g., Inventory external dependencies
2. Risk Management Strategy (1/2)
1. Risk management objectives are established
e.g., Update objectives during strategic planning
2. Risk appetite and tolerance are set
e.g., Communicate risk appetite statements
3. Cybersecurity risks are integrated into enterprise risk management
e.g., Include cybersecurity in enterprise risk planning
4. Risk response options are defined
e.g., Specify criteria for accepting or avoiding risks
2. Risk Management Strategy (2/2)
5. Communication lines for risks are established
e.g., Update executives on cybersecurity posture
6. Method for calculating and prioritizing risks is set
e.g., Use templates like risk registers
7. Strategic opportunities are included in risk discussions
e.g., Identify opportunities via SWOT analysis
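The Risk Management Strategy outcomes above (risk appetite and tolerance are set, a method for calculating and prioritizing risks is set, and communication lines to executives exist) can be made concrete with a small risk register. The following Python is an added illustration and is not part of the workshop slides or of any NIST artefact: it scores each risk as likelihood × impact on an assumed 1-to-5 scale, orders the register, flags the risks whose score exceeds an assumed tolerance threshold so they are escalated, and checks that no risk above an assumed "acceptance ceiling" has simply been accepted. The risks, scores and thresholds are constructed sample values.

```python
"""Minimal risk register prioritised against a stated risk appetite.

Added example (not from the slides). Scoring scale, thresholds, risk IDs and
descriptions are all assumptions constructed for illustration.
"""
from dataclasses import dataclass

# Assumed ordinal scale for both likelihood and impact: 1 (lowest) .. 5 (highest).
SCALE_MIN, SCALE_MAX = 1, 5
VALID_RESPONSES = {"accept", "mitigate", "transfer", "avoid"}


@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    likelihood: int
    impact: int
    owner: str
    response: str  # one of VALID_RESPONSES (the risk response options of the strategy)

    def __post_init__(self):
        # Reject out-of-scale inputs so a typo cannot silently hide a risk.
        for name in ("likelihood", "impact"):
            value = getattr(self, name)
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{name} must be in {SCALE_MIN}..{SCALE_MAX}, got {value}")
        if self.response not in VALID_RESPONSES:
            raise ValueError(f"unknown response option: {self.response}")

    @property
    def score(self) -> int:
        """Assumed calculation method: likelihood multiplied by impact (1..25)."""
        return self.likelihood * self.impact


@dataclass(frozen=True)
class RiskAppetite:
    """Assumed appetite statement expressed as two numeric thresholds."""
    tolerance: int        # scores above this are outside tolerance and must be escalated
    accept_ceiling: int   # scores above this may not be formally 'accepted' as a response


def prioritize(register):
    """Order the register highest score first; ties broken by risk id for stable reports."""
    return sorted(register, key=lambda r: (-r.score, r.risk_id))


def requires_escalation(risk, appetite):
    """True when a risk breaches the tolerance and must go up the communication line."""
    return risk.score > appetite.tolerance


def invalid_acceptances(register, appetite):
    """IDs of risks marked 'accept' whose score exceeds the acceptance ceiling."""
    return [r.risk_id for r in prioritize(register)
            if r.response == "accept" and r.score > appetite.accept_ceiling]


def executive_summary(register, appetite):
    """The data an executive update would carry: ranking, escalations, policy breaches."""
    ranked = prioritize(register)
    return {
        "total": len(ranked),
        "ranking": [r.risk_id for r in ranked],
        "escalated": [r.risk_id for r in ranked if requires_escalation(r, appetite)],
        "invalid_acceptances": invalid_acceptances(register, appetite),
    }


# Constructed sample register (hypothetical organisation, hypothetical risks).
SAMPLE_REGISTER = [
    Risk("R-001", "Ransomware disrupts the ERP platform", 4, 5, "CIO", "mitigate"),
    Risk("R-002", "Critical SaaS supplier outage", 3, 4, "COO", "transfer"),
    Risk("R-003", "Phishing of finance staff leads to fraud", 5, 3, "CFO", "mitigate"),
    Risk("R-004", "Legacy printer firmware cannot be updated", 2, 2, "IT Ops", "accept"),
    Risk("R-005", "Unpatched public web application", 4, 4, "CISO", "accept"),
]
# Constructed appetite: tolerate scores up to 12; only scores up to 6 may be accepted.
SAMPLE_APPETITE = RiskAppetite(tolerance=12, accept_ceiling=6)


if __name__ == "__main__":
    summary = executive_summary(SAMPLE_REGISTER, SAMPLE_APPETITE)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

With the sample values, R-001 (score 20), R-005 (16) and R-003 (15) exceed the tolerance of 12 and are escalated, while R-005 is also flagged because a score of 16 cannot be "accepted" under a ceiling of 6; R-002 sits exactly at the tolerance and is not escalated, which is the kind of boundary an appetite statement must spell out explicitly.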
3. Roles, Responsibilities, and Authorities
1. Leadership is accountable for cybersecurity risk
e.g., Leaders agree on their roles in cybersecurity strategy
2. Roles and responsibilities are established and communicated
e.g., Document roles in policy
3. Resources are allocated based on strategy and roles
e.g., Ensure resources for cybersecurity tasks
4. Cybersecurity is included in HR practices
e.g., Integrate cybersecurity into onboarding
4. Policy
1. Cybersecurity policy is established and enforced
e.g., Create and disseminate risk management policy
2. Policy is reviewed and updated regularly
e.g., Update policy based on new requirements
5. Oversight
1. Strategy outcomes are reviewed to adjust direction
e.g., Measure strategy’s impact on objectives
2. Strategy is adjusted to cover requirements and risks
e.g., Review audit findings for compliance
3. Performance is evaluated for adjustments
e.g., Review KPIs and KRIs for risk management
6. Cybersecurity Supply Chain Risk Management (1/2)
1. Program and strategy are established
e.g., Develop a plan with milestones
2. Roles and responsibilities are defined
e.g., Document roles in policy
3. Integrated into risk management
e.g., Align with enterprise risk management
4. Suppliers are prioritized
e.g., Develop criteria for supplier criticality
5. Requirements are integrated into contracts
e.g., Include security requirements in agreements
6. Cybersecurity Supply Chain Risk Management (2/2)
6. Due diligence before relationships
e.g., Assess suppliers’ cybersecurity capabilities
7. Risks are monitored over time
e.g., Evaluate compliance with contracts
8. Included in incident planning
e.g., Define roles for incident response
9. Integrated into risk management programs
e.g., Require provenance records for products
10. Post-relationship activities are planned
e.g., Establish processes for terminating relationships
Implementing the Govern Function
Develop a clear roadmap to apply the Govern function in your organization:
1. Gap Analysis: Assess current governance practices to identify weaknesses.
2. Policy Development: Create or update cybersecurity policies to reflect your governance priorities.
3. Role Clarity: Assign and communicate specific cybersecurity responsibilities.
4. Risk Integration: Link cybersecurity risks to broader enterprise risk management processes.
5. Implementation: Operationalize governance with the underlying components.
Slides available at https://bit.ly/41VWuf6
COBIT Implementation Roadmap
Source: ISACA, COBIT 2019 Framework: Introduction and Methodology, USA, 2018
Phase 1—What Are the Drivers?
Phase 2—Where Are We Now?
Phase 3—Where Do We Want to Be?
Phase 4—What Needs to Be Done?
Phase 5—How Do We Get There?
Phase 6—Did We Get There?
Phase 7—How Do We Keep the Momentum Going?
Governance Components
Source: ISACA, COBIT 2019 Framework: Introduction and Methodology, USA, 2018
• Processes: structured activities to achieve IT objectives
• Organizational Structures: key decision-making bodies
• Principles, Policies, and Frameworks: practical guidance
• Information: data produced and utilized by the organization
• Culture, Ethics, and Behavior: achieve governance success
• People, Skills, and Competencies: decision-making and task completion.
• Services, Infrastructure, and Applications: supporting technologies.
CSF Online Resources
Item | Description
Reference Tool | Access human- and machine-readable versions of the Core
Cybersecurity & Privacy Reference Tool (CPRT) | Browse and download CSF Core & mapped content
Implementation Examples | View and download examples of steps to help achieve outcomes
Informative References | View and create mappings between CSF and other documents
https://doi.org/10.6028/NIST.SP.1299
NIST Cybersecurity Framework (CSF) 2.0 Reference Tool
CSF Reference Tool:
https://bit.ly/3PxHui9
Cybersecurity and Privacy Reference Tool (CPRT)
CPRT Tool: https://bit.ly/4cbJiaM
Informative Reference mappings
CSF 2.0 Online Informative References (OLIR)
NIST OLIR: https://bit.ly/4hHHPKo
CSF Quick Start Guides (QSGs)
NIST QSGs: https://www.nist.gov/quick-start-guides
Quick Start Guide Type | Description
Enterprise Risk Management (ERM) | Provides information for Enterprise Risk Management professionals on leveraging CSF 2.0 for better cybersecurity risk management.
Cybersecurity Supply Chain Risk Management (C-SCRM) | Helps organizations become more secure technology buyers and sellers by improving their C-SCRM processes.
Upcoming NIST CSF Event
NIST Events: https://www.nist.gov/cyberframework/events
CSF 2.0 Webinar Series:
Deep-Dive into the CSF 2.0 Govern Function to Improve Cybersecurity
Date: May 20, 2025. Time: 7:00 to 8:00PM (GMT+1)
Event description:
One of the major updates to CSF 2.0 is the creation of the Govern Function, highlighting the importance of ensuring cybersecurity capabilities support the broader mission through Enterprise Risk Management (ERM). In the second webinar in NIST's new multi-part CSF 2.0 webinar series, we will focus on the CSF 2.0 Govern Function.
Registration opening soon.
Governance Frameworks
▪ ISO/IEC 27014:2020 - Governance of information security
▪ COBIT Focus Areas - Information and Technology Risk, Information Security
▪ COBIT 2019 Framework - Introduction and Methodology
▪ ISO/IEC 38500:2024 - Governance of IT for the organization
▪ ISO 37000:2021 - Governance of organizations – Guidance
Governance Books
▪ The Cybersecurity Guide to Governance, Risk, and Compliance – 2024 – Jason Edwards & Griffin Weaver
▪ Enterprise Governance of Information Technology – Achieving Alignment and Value in Digital Organizations – 2020 – Steven De Haes & others
▪ Information Security Governance – 2018 – Andrej Volchkov
▪ Information Security Governance – A Practical Development and Implementation Approach – 2009 – Krag Brotby
Governance Professional Credentials
▪ Governance, Risk and Compliance Certification (CGRC) | ISC2
▪ Certified Information Security Manager (CISM) | ISACA
▪ Implementing the NIST Cybersecurity Framework using COBIT 2019 Certificate | ISACA
▪ Certified in the Governance of Enterprise IT (CGEIT) | ISACA
▪ COBIT Foundation, Design & Implementation Certificates | ISACA
▪ ISO/IEC 38500 Lead IT Corporate Governance Manager | PECB
▪ GRC Professional (GRCP) Certification | OCEG
▪ Certified Corporate Governance Professional (CCGP) | Society for Corporate Governance
Wrapping-up
▪ The Govern function is a vital addition to the NIST CSF 2.0.
▪ CSF can be used to govern and manage cyber risks.
▪ CSF is a starting point to establish your governance and ensure its outcomes.
▪ Govern capabilities and outcomes are essential to demonstrate due diligence.
▪ CSF integrates cybersecurity with business goals and enhances risk management.
▪ Practical steps and resources are available to start implementing governance practices.
Your plan of action
▪ Download and start reading various NIST & CSF resources.
▪ Subscribe to NIST newsletter to watch out for future CSF news and events.
▪ Engage with the community and coworkers by discussing Govern outcomes.
▪ See how you can establish security governance in your organization using CSF.
▪ Map your references and needs to CSF Govern function, related categories and outcomes.
▪ Create a business case emphasizing the need for security governance, etc.
Thank you for joining our workshop today.
Your active participation and engagement made this event a success.
We value your presence and hope you found the session informative and valuable.
Questions & Answers (Q&A)
We welcome your questions!
Please feel free to ask any questions you
may have related to the webinar topic.
Our speakers and experts are here to address
your inquiries and provide further insights.
Thank you!
contact@isc2chapter-eldjazair.org
https://linkedin.com/company/isc2-el-djazair-chapter

More Related Content

PDF
NIST Cybersecurity Framework (CSF) 2.0 Workshop
PDF
Nist cybersecurity framework isc2 quantico
PDF
Cybersecurity Framework - What are Pundits Saying?
PPTX
Diskusi buku: Securing an IT Organization through Governance, Risk Management...
PDF
Introduction to NIST Cybersecurity Framework
PDF
NIST critical_infrastructure_cybersecurity.pdf
PDF
NIST Cybersecurity Framework (CSF) 2.0: What has changed?
PPTX
cybersecurity_framework_webinar_2017.pptx
NIST Cybersecurity Framework (CSF) 2.0 Workshop
Nist cybersecurity framework isc2 quantico
Cybersecurity Framework - What are Pundits Saying?
Diskusi buku: Securing an IT Organization through Governance, Risk Management...
Introduction to NIST Cybersecurity Framework
NIST critical_infrastructure_cybersecurity.pdf
NIST Cybersecurity Framework (CSF) 2.0: What has changed?
cybersecurity_framework_webinar_2017.pptx

Similar to Mastering NIST CSF 2.0 - The New Govern Function.pdf (20)

PPTX
Cybersecurity-Real World Approach FINAL 2-24-16
PDF
PDF
NIST Cybersecurity Framework Intro for ISACA Richmond Chapter
PPTX
DOC-20250530-WA0008.pptx.................
PDF
National Institute of Standards and Technology (NIST) Cybersecurity Framework...
PDF
NIST Cybersecurity Framework 101
PPT
What CIOs and CFOs Need to Know About Cyber Security
PDF
Effective IT Security Governance
PDF
CNIT 160: Ch 2b: Security Strategy Development
PPTX
hyderabad ins tech and management cyber security
PPTX
NIST Critical Security Framework (CSF)
PDF
Security Program Guidance and Establishing a Culture of Security
PPTX
NIST CyberSecurity Framework: An Overview
PDF
A Major Revision of the CISRCP Program
PPTX
Cybersecurity Framework Luncheon Presentation 1-18-18.pptx
PPTX
Cybersecurity-Course.9643104.powerpoint.pptx
PPTX
INFS2701 T2 2025 Lecture 1 Data Warehousing.pptx
PPTX
Cybersecurity Frameworks and You: The Perfect Match
PDF
NIST to CSF to ISO or EC 27002 2022 with NIST
PDF
Job aid framework-for-improving-critical-infrastructure-cybersecurity-core-jwd
Cybersecurity-Real World Approach FINAL 2-24-16
NIST Cybersecurity Framework Intro for ISACA Richmond Chapter
DOC-20250530-WA0008.pptx.................
National Institute of Standards and Technology (NIST) Cybersecurity Framework...
NIST Cybersecurity Framework 101
What CIOs and CFOs Need to Know About Cyber Security
Effective IT Security Governance
CNIT 160: Ch 2b: Security Strategy Development
hyderabad ins tech and management cyber security
NIST Critical Security Framework (CSF)
Security Program Guidance and Establishing a Culture of Security
NIST CyberSecurity Framework: An Overview
A Major Revision of the CISRCP Program
Cybersecurity Framework Luncheon Presentation 1-18-18.pptx
Cybersecurity-Course.9643104.powerpoint.pptx
INFS2701 T2 2025 Lecture 1 Data Warehousing.pptx
Cybersecurity Frameworks and You: The Perfect Match
NIST to CSF to ISO or EC 27002 2022 with NIST
Job aid framework-for-improving-critical-infrastructure-cybersecurity-core-jwd
Ad

More from Bachir Benyammi (19)

PDF
Cadre pour l'amélioration de la cybersécurité des infrastructures critiques, ...
PDF
Déclaration d'applicabilité (DdA) - ISO27002:2013
PDF
Organigramme de la mise en œuvre du SMSI et processus de certification ISO 27...
PDF
كل ما تحب معرفته عن محرك البحث قوقل (Google)
PDF
Réalisation d'un site web dynamique mobile pour Air Algérie
PDF
Evolution des exportations de marchandises en Algérie de de 1992 à 2004
PDF
Simulation d’un système à temps partagé
PDF
الموقع الإلكتروني لمصحة الواحات للتشخيص و العلاج
PDF
Réalisation d’un site web pour la Clinique des Oasis Ghardaïa
PDF
Le périphérique souris
PDF
L'équipe de développement
PDF
L'équipe de développement
PDF
Le périphérique souris (programmation)
PDF
Programmation réseau en JAVA
PDF
Programmation réseau en JAVA
PDF
Étude et réalisation d’une application de contrôle d’un PC à distance en JAVA...
PDF
Étude et réalisation d’une application de contrôle d’un PC à distance en JAVA...
PDF
Réalisation d'un compilateur de mini langage - Khawarizmi
PDF
Réalisation d’un interpréteur en langue Arabe - Khawarizmi
Cadre pour l'amélioration de la cybersécurité des infrastructures critiques, ...
Déclaration d'applicabilité (DdA) - ISO27002:2013
Organigramme de la mise en œuvre du SMSI et processus de certification ISO 27...
كل ما تحب معرفته عن محرك البحث قوقل (Google)
Réalisation d'un site web dynamique mobile pour Air Algérie
Evolution des exportations de marchandises en Algérie de de 1992 à 2004
Simulation d’un système à temps partagé
الموقع الإلكتروني لمصحة الواحات للتشخيص و العلاج
Réalisation d’un site web pour la Clinique des Oasis Ghardaïa
Le périphérique souris
L'équipe de développement
L'équipe de développement
Le périphérique souris (programmation)
Programmation réseau en JAVA
Programmation réseau en JAVA
Étude et réalisation d’une application de contrôle d’un PC à distance en JAVA...
Étude et réalisation d’une application de contrôle d’un PC à distance en JAVA...
Réalisation d'un compilateur de mini langage - Khawarizmi
Réalisation d’un interpréteur en langue Arabe - Khawarizmi
Ad

Recently uploaded (20)

PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
PPTX
Cloud computing and distributed systems.
PDF
GDG Cloud Iasi [PUBLIC] Florian Blaga - Unveiling the Evolution of Cybersecur...
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
PDF
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
PPTX
Understanding_Digital_Forensics_Presentation.pptx
PDF
Empathic Computing: Creating Shared Understanding
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
PDF
Advanced IT Governance
PDF
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
PDF
Review of recent advances in non-invasive hemoglobin estimation
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
PDF
[발표본] 너의 과제는 클라우드에 있어_KTDS_김동현_20250524.pdf
PDF
GamePlan Trading System Review: Professional Trader's Honest Take
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
PDF
Advanced Soft Computing BINUS July 2025.pdf
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
PDF
cuic standard and advanced reporting.pdf
PDF
Modernizing your data center with Dell and AMD
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
“AI and Expert System Decision Support & Business Intelligence Systems”
Cloud computing and distributed systems.
GDG Cloud Iasi [PUBLIC] Florian Blaga - Unveiling the Evolution of Cybersecur...
Reach Out and Touch Someone: Haptics and Empathic Computing
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
Understanding_Digital_Forensics_Presentation.pptx
Empathic Computing: Creating Shared Understanding
Mobile App Security Testing_ A Comprehensive Guide.pdf
Advanced IT Governance
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
Review of recent advances in non-invasive hemoglobin estimation
Per capita expenditure prediction using model stacking based on satellite ima...
[발표본] 너의 과제는 클라우드에 있어_KTDS_김동현_20250524.pdf
GamePlan Trading System Review: Professional Trader's Honest Take
Dropbox Q2 2025 Financial Results & Investor Presentation
Advanced Soft Computing BINUS July 2025.pdf
Advanced methodologies resolving dimensionality complications for autism neur...
cuic standard and advanced reporting.pdf
Modernizing your data center with Dell and AMD
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...

Mastering NIST CSF 2.0 - The New Govern Function.pdf

  • 1. Mastering NIST CSF 2.0 - The New Govern Function March 25th, 2025 | Ramadan 25th, 1446
  • 3. Event Agenda Welcome and Opening Remarks Introduction of the ISC2 El Djazair Chapter Overview of the event's objectives and agenda Speaker Introduction & Housekeeping Introduce the speaker and his expertise Brief explanation of event logistics and housekeeping rules NIST CSF 2.0 Govern Function Presentation (45 minutes) An overview of the function with the underlying outcomes Question & Answer Session Open the floor for audience questions Closing Remarks & Feedback Summary of key takeaways from the event Feedback survey
  • 4. ISC2 El Djazair Chapter Together Toward a Secure Future Welcome to the ISC2 El Djazair Chapter, a vibrant community of cybersecurity professionals dedicated to advancing information security in Algeria. Our Mission To empower members and professionals through knowledge sharing, professional growth, education, awareness, and collaborative projects. Objectives • Knowledge Sharing: Opportunities for expertise, experiences, and best practices exchange through conferences, workshops, and webinars. • Professional Growth: Resources, mentorship, and career guidance to support continuous development. • Education and Awareness: Awareness campaigns, workshops, and community outreach to promote cybersecurity best practices. • Collaboration on Projects: Working together on critical security challenges for a meaningful impact.
  • 5. ISC2 El Djazair Chapter AFRICAN CHAPTERS 1. South Africa 2. Ghana 3. Nigeria 4. Kenya 5. Uganda 6. Ethiopia 7. Algeria ISC2 https://www.isc2.org/chapters
  • 6. Biography Bachir Benyammi Managing Director Cyber Practice Ghardaia, Algeria ▪ Cyber Instructor. PECB, CompTIA and CSA Trainer ▪ Delivered +100 sessions to +1000 participants ▪ IT engineer with 17 years experience in IT and Cybersecurity ▪ 2 times CISO (for a short period of time ☺) ▪ Dozens of certifications in IT, Info/Cyber Sec, GRC & Audit ▪ Contributor to NIST CSF, ISACA COBIT & ISO270k Toolkit ▪ ISC2 El Djazair Board Member ▪ ISACA Engage Topic Leader (Governance, COBIT & Frameworks) Linkedin icon - Free download on Iconfinder
  • 7. Workshop Housekeeping Chat Interactions Please feel free to ask your questions in the chat throughout the presentation. We will do our best to address them after the workshop session. Webinar Feedback Your feedback is valuable to us. Kindly take a moment to evaluate your workshop experience today. CPE Credits ISC2 Members CPE credits will be credited to ISC2 members within 5 business days. Please ensure a minimum viewing time of 45 minutes to be eligible for CPE credits. Recording and Distribution The workshop may be recorded and distributed for future reference and educational purposes.
  • 8. NIST CSF 2.0 Publication: 3rd Edition Date of release: February 26th, 2024 Main publication: https://doi.org/10.6028/NIST.CSWP.29 Online resources : https://nist.gov/cyberframework
  • 9. Watch our latest webinar on CSF YouTube https://youtu.be/olq5_yLoGHM
  • 10. Today’s Agenda ▪ Governance Overview ▪ Exploring CSF Govern Function ▪ Implementing governance ▪ Governance Resources ▪ Wrapping-up
  • 11. Cybersecurity is coming to the board !! • Cybersecurity is a major risk that businesses should address at the board level. • Cybersecurity expertise on boards is currently rare, but important for companies to effectively protect themselves from cyber attacks and incidents. • Shareholders and regulators should push businesses to improve cybersecurity oversight and disclosure. Pensions & Investments https://bit.ly/3TRgM6R
  • 12. Governance vs Management Governance (EDM) The method by which an enterprise evaluates stakeholder needs, conditions and options to determine balanced, agreed-upon enterprise objectives to be achieved. It involves setting direction through prioritization, decision making and monitoring performance and compliance against the agreed-upon direction and objectives. Management (APO, BAI, DSS, MEA) The planning, building, running and monitoring of activities in alignment with the direction set by the governance body to achieve the enterprise objectives ISACA Glossary https://www.isaca.org/glossary
  • 13. Why Governance Matters ? Governance is critical in today’s cybersecurity landscape. ▪ It enables informed decision-making, ▪ enhances accountability, and ▪ ensures that cyber risks are managed effectively. Governance benefits include • Improved alignment between cybersecurity and business goals. • Stronger compliance with regulations. • Better preparedness for emerging threats.
  • 15. NIST CSF Governance Topics 1. Context 2. Strategy 3. Roles 4. Policy 5. Oversight 6. Supply Chain Addressed within the CSF Core through • 1 Function • 6 Categories • 31 Subcategories • 119 Implementation Examples
  • 16. Function : GOVERN Cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored. ▪ Understand and assess specific cybersecurity needs. ▪ Develop a tailored cybersecurity risk strategy. ▪ Establish defined risk management policies. ▪ Develop and communicate organizational cybersecurity practices. ▪ Establish and monitor cybersecurity supply chain risk management. ▪ Implement continuous oversight and monitoring.
  • 17. 1. Organizational Context 1. Mission informs risk management e.g., Share mission statements to identify risks 2. Stakeholders' needs are considered e.g., Identify stakeholders' cybersecurity expectations 3. Legal and regulatory requirements are managed e.g., Track requirements like HIPAA, GDPR 4. Critical objectives and services are understood e.g., Determine critical assets and their impact 5. Dependencies are understood e.g., Inventory external dependencies
  • 18. 2. Risk Management Strategy (1/2) 1. Risk management objectives are established e.g., Update objectives during strategic planning 2. Risk appetite and tolerance are set e.g., Communicate risk appetite statements 3. Cybersecurity risks are integrated into enterprise risk management e.g., Include cybersecurity in enterprise risk planning 4. Risk response options are defined e.g., Specify criteria for accepting or avoiding risks
  • 19. 2. Risk Management Strategy (2/2) 5. Communication lines for risks are established e.g., Update executives on cybersecurity posture 6. Method for calculating and prioritizing risks is set e.g., Use templates like risk registers 7. Strategic opportunities are included in risk discussions e.g., Identify opportunities via SWOT analysis
  • 20. 3. Roles, Responsibilities, and Authorities 1. Leadership is accountable for cybersecurity risk e.g., Leaders agree on their roles in cybersecurity strategy 2. Roles and responsibilities are established and communicated e.g., Document roles in policy 3. Resources are allocated based on strategy and roles e.g., Ensure resources for cybersecurity tasks 4. Cybersecurity is included in HR practices e.g., Integrate cybersecurity into onboarding
  • 21. 4. Policy 1. Cybersecurity policy is established and enforced e.g., Create and disseminate risk management policy 2. Policy is reviewed and updated regularly e.g., Update policy based on new requirements
  • 22. 5. Oversight 1. Strategy outcomes are reviewed to adjust direction e.g., Measure strategy’s impact on objectives 2. Strategy is adjusted to cover requirements and risks e.g., Review audit findings for compliance 3. Performance is evaluated for adjustments e.g., Review KPIs and KRIs for risk management
  • 23. 6. Cybersecurity Supply Chain Risk Management (1/2) 1. Program and strategy are established e.g., Develop a plan with milestones 2. Roles and responsibilities are defined e.g., Document roles in policy 3. Integrated into risk management e.g., Align with enterprise risk management 4. Suppliers are prioritized e.g., Develop criteria for supplier criticality 5. Requirements are integrated into contracts e.g., Include security requirements in agreements
  • 24. 6. Cybersecurity Supply Chain Risk Management (2/2) 6. Due diligence before relationships e.g., Assess suppliers’ cybersecurity capabilities 7. Risks are monitored over time e.g., Evaluate compliance with contracts 8. Included in incident planning e.g., Define roles for incident response 9. Integrated into risk management programs e.g., Require provenance records for products 10. Post-relationship activities are planned e.g., Establish processes for terminating relationships
  • 25. Implementing the Govern Function Develop a clear roadmap to apply the Govern function in your organization 1. Gap Analysis: Assess current governance practices to identify weaknesses. 2. Policy Development: Create or update cybersecurity policies to reflect your governance priorities. 3. Role Clarity: Assign and communicate specific cybersecurity responsibilities. 4. Risk Integration: Link cybersecurity risks to broader enterprise risk management processes. 5. Implementation: Operationalize governance with the underlying components
  • 26. Slides available at https://bit.ly/41VWuf6
  • 27. COBIT Implementation Roadmap Source: ISACA, COBIT 2019 Framework: Introduction and Methodology, USA, 2018 Phase 1—What Are the Drivers? Phase 2—Where Are We Now? Phase 3—Where Do We Want to Be? Phase 4—What Needs to Be Done? Phase 5—How Do We Get There? Phase 6—Did We Get There? Phase 7—How Do We Keep the Momentum Going?
  • 28. Governance Components Source: ISACA, COBIT 2019 Framework: Introduction and Methodology, USA, 2018 • Processes: structured activities to achieve IT objectives • Organizational Structures: key decision-making bodies • Principles, Policies, and Frameworks: practical guidance • Information: data produced and utilized by the organization • Culture, Ethics, and Behavior: achieve governance success • People, Skills, and Competencies: decision-making and task completion. • Services, Infrastructure, and Applications: supporting technologies.
  • 29. CSF Online Resources
    Item: Description
    Reference Tool: Access human and machine-readable versions of the Core
    Cybersecurity & Privacy Reference Tool (CPRT): Browse and download CSF Core & mapped content
    Implementation Examples: View and download examples of steps to help achieve outcomes
    Informative References: View and create mappings between CSF and other documents
    https://doi.org/10.6028/NIST.SP.1299
  • 30. NIST Cybersecurity Framework (CSF) 2.0 Reference Tool CSF Reference Tool: https://bit.ly/3PxHui9
  • 31. Cybersecurity and Privacy Reference Tool (CPRT) CPRT Tool: https://bit.ly/4cbJiaM
  • 33. CSF 2.0 Online Informative References (OLIR) NIST OLIR: https://bit.ly/4hHHPKo
  • 34. CSF Quick Start Guides (QSGs)
    NIST QSGs: https://www.nist.gov/quick-start-guides
    Quick Start Guide Type: Description
    Enterprise Risk Management (ERM): Provides information for Enterprise Risk Management professionals on leveraging CSF 2.0 for better cybersecurity risk management
    Cybersecurity Supply Chain Risk Management (C-SCRM): Helps organizations become more secure technology buyers and sellers by improving their C-SCRM processes
  • 35. Upcoming NIST CSF Event
    NIST Events: https://www.nist.gov/cyberframework/events
    CSF 2.0 Webinar Series: Deep-Dive into the CSF 2.0 Govern Function to Improve Cybersecurity
    Date: May 20, 2025. Time: 7:00 to 8:00 PM (GMT+1)
    Event description: One of the major updates to CSF 2.0 is the creation of the Govern Function, highlighting the importance of ensuring cybersecurity capabilities support the broader mission through Enterprise Risk Management (ERM). In the second webinar in NIST’s new multi-part CSF 2.0 webinar series, we will focus on the CSF 2.0 Govern Function.
    Registration opening soon.
  • 36. Governance Frameworks
    ▪ ISO/IEC 27014:2020 - Governance of information security
    ▪ COBIT Focus Areas - Information and Technology Risk, Information Security
    ▪ COBIT 2019 Framework - Introduction and Methodology
    ▪ ISO/IEC 38500:2024 - Governance of IT for the organization
    ▪ ISO 37000:2021 - Governance of organizations – Guidance
  • 37. Governance Books
    ▪ The Cybersecurity Guide to Governance, Risk, and Compliance – 2024 – Jason Edwards & Griffin Weaver
    ▪ Enterprise Governance of Information Technology – Achieving Alignment and Value in Digital Organizations – 2020 – Steven De Haes & others
    ▪ Information Security Governance – 2018 – Andrej Volchkov
    ▪ Information Security Governance – A Practical Development and Implementation Approach – 2009 – Krag Brotby
  • 38. Governance Professional Credentials
    ▪ Governance, Risk and Compliance Certification (CGRC) | ISC2
    ▪ Certified Information Security Manager (CISM) | ISACA
    ▪ Implementing the NIST Cybersecurity Framework using COBIT 2019 Certificate | ISACA
    ▪ Certified in the Governance of Enterprise IT (CGEIT) | ISACA
    ▪ COBIT Foundation, Design & Implementation Certificates | ISACA
    ▪ ISO/IEC 38500 Lead IT Corporate Governance Manager | PECB
    ▪ GRC Professional (GRCP) Certification | OCEG
    ▪ Certified Corporate Governance Professional (CCGP) | Society for Corporate Governance
  • 39. Wrapping up
    ▪ The Govern function is a vital addition to the NIST CSF 2.0.
    ▪ CSF can be used to govern and manage cyber risks.
    ▪ CSF is a starting point to establish your governance and ensure its outcomes.
    ▪ Govern capabilities and outcomes are essential to demonstrate due diligence.
    ▪ CSF integrates cybersecurity with business goals and enhances risk management.
    ▪ Practical steps and resources are available to start implementing governance practices.
  • 40. Your plan of action
    ▪ Download and start reading various NIST & CSF resources.
    ▪ Subscribe to the NIST newsletter to watch out for future CSF news and events.
    ▪ Engage with the community and coworkers by discussing Govern outcomes.
    ▪ See how you can establish security governance in your organization using CSF.
    ▪ Map your references and needs to the CSF Govern function and its related categories and outcomes.
    ▪ Create a business case emphasising the need for security governance, etc.
  • 41. Thank you for joining our workshop today. Your active participation and engagement made this event a success. We value your presence and hope you found the session informative and valuable.
    Questions & Answers (Q&A)
    We welcome your questions! Please feel free to ask any questions you may have related to the webinar topic. Our speakers and experts are here to address your inquiries and provide further insights.