NIST Cybersecurity
Framework (CSF) 2.0
Training Workshop
March 25th, 2024 | Ramadan 15th, 1445
Event Agenda
Welcome and Opening Remarks
Introduction of the ISC2 El Djazair Chapter
Overview of the event's objectives and agenda
Speaker Introduction & Housekeeping
Introduce the speaker and his expertise
Brief explanation of event logistics and housekeeping rules
NIST CSF 2.0 Presentation (01h30)
An in-depth overview of the NIST Cybersecurity Framework version 2.0
Question & Answer Session
Open the floor for audience questions
Closing Remarks & Feedback
Summary of key takeaways from the event
Feedback survey
ISC2 El Djazair Chapter
Together Toward a Secure Future
Welcome to the ISC2 El Djazair Chapter, a vibrant community of cybersecurity professionals dedicated to
advancing information security in Algeria.
Our Mission
To empower members and professionals through knowledge sharing, professional growth, education,
awareness, and collaborative projects.
Objectives
• Knowledge Sharing: Opportunities for expertise, experiences, and best practices exchange through
conferences, workshops, and webinars.
• Professional Growth: Resources, mentorship, and career guidance to support continuous development.
• Education and Awareness: Awareness campaigns, workshops, and community outreach to promote
cybersecurity best practices.
• Collaboration on Projects: Working together on critical security challenges for a meaningful impact.
ISC2 El Djazair Chapter
AFRICAN CHAPTERS
1. South Africa
2. Ghana
3. Nigeria
4. Kenya
5. Uganda
6. Ethiopia
7. Algeria
ISC2 https://www.isc2.org/chapters
Biography
Bachir Benyammi
Managing Director
Cyber Practice
Ghardaia, Algeria
▪ Cyber Security Instructor. A PECB & CompTIA Trainer
▪ Delivered +100 training sessions with +800 participants
▪ Computer engineer, 16 years experience in IT and Cybersecurity
▪ 2 times CISO (for a short period of time ☺)
▪ Dozens of certifications in IT, InfoSec, Cyber, Audit and RM
▪ Contributor in NIST CSF, ISO270k Toolkit & Mehari RM
▪ ISC2 El Djazair Chapter Membership Chair
▪ ISACA Engage Topic Leader (COBIT & Frameworks)
Workshop Housekeeping
Chat Interactions
Please feel free to ask your questions in the chat throughout the presentation.
We will do our best to address them after the workshop session.
Webinar Feedback
Your feedback is valuable to us.
Kindly take a moment to evaluate your workshop experience today.
CPE Credits for ISC2 Members
CPE credits will be credited to ISC2 members within 5 business days.
Please ensure a minimum viewing time of 45 minutes to be eligible for CPE credits.
Recording and Distribution
The workshop may be recorded and distributed for future reference and educational purposes.
NIST CSF 2.0
Publication: 3rd Edition
Date of release: February 26th, 2024
Main publication: https://doi.org/10.6028/NIST.CSWP.29
Online resources : https://nist.gov/cyberframework
Today’s Agenda
▪ Overview of Cyber Risks
▪ NIST CSF Journey
▪ CSF Components (Core, Tiers, Profiles)
▪ Online Resources (e.g., QSG, IR, CPRT, IE)
▪ Risk Management (ERM, C-SCRM)
▪ Cybersecurity Maturity Assessment
▪ Demos
▪ Wrapping-up
Top business risks in 2024
Allianz https://bit.ly/3PoTXEz
Cybersecurity is coming to the board!
Cybersecurity is a major risk that
corporations should address at the
board level.
Cybersecurity expertise on boards is
currently rare, but important for
companies to effectively protect
themselves from cyberattacks.
Shareholders and regulators should
push corporations to improve
cybersecurity oversight and disclosure.
Pensions & Investments https://bit.ly/3TRgM6R
What is NIST?
A non-regulatory agency within the U.S. Department of Commerce.
Its mission is to fuel American innovation and industrial competitiveness by:
▪ Advancing measurement science: creating accurate and consistent ways to measure things.
▪ Developing standards: NIST creates guidelines and specifications for products, services, and processes.
▪ Fostering technological advancement: NIST helps develop new technologies and improve existing ones.
NIST's work strengthens the U.S. economy and improves the quality of life.
Founded in 1901; in 2022 it marked 50 years of R&D in cybersecurity and privacy.
HQ located in Maryland; about 3,400 staff members and a budget of $1.6 billion for FY 2024.
CSF Overview
▪ NIST CSF 2.0 is a voluntary framework to help organizations manage cybersecurity risks.
▪ It offers a common language (taxonomy) for cybersecurity objectives (outcomes).
▪ It’s useful for any organization, regardless of size, industry, country or maturity.
▪ It works well for organizations regardless of their cybersecurity program maturity.
▪ There's no one-size-fits-all approach, organizations can adapt it to their needs.
▪ It focuses on what to achieve (outcomes), not how to (specific practices or activities).
▪ It provides links to various resources for implementing cybersecurity practices.
▪ Works best when combined with other resources for a broad cybersecurity strategy.
▪ The latest publication (2.0) emphasizes governance and supply chain considerations.
What CSF is made for?
An organization can use the CSF with its supplementary resources to
1. Understand: Describe the current or target security posture of part or all of an organization.
2. Assess: Determine gaps, and measure progress toward addressing those gaps.
3. Prioritize: Identify, organize, and prioritize actions for managing cyber risks in alignment
with the organization's needs and expectations.
4. Communicate: Provide a common language for communicating inside and outside the
organization about cybersecurity risks, capabilities, needs, and expectations.
Operationalizing CSF
▪ Board & Executive Management: Oversee the organization's cybersecurity posture.
Provide leadership and resources for the cybersecurity program.
▪ Business Unit Leaders: Identify and assess cyber risks specific to their areas.
▪ Risk Management Teams: Develop and maintain a comprehensive enterprise risk management program.
▪ HR Departments & Recruiters: Integrate cybersecurity awareness into onboarding and job descriptions.
▪ Business Process Owners: Collaborate with security practitioners to ensure secure business processes.
▪ Audit and Advisory Firms: Provide independent reviews and recommendations for improving security.
▪ Security Professionals: Design, implement, and maintain security controls.
▪ Security Testers: Conduct security assessments and penetration testing to identify vulnerabilities.
Operationalizing CSF …
▪ Education & Training Providers: Develop and deliver NIST CSF-aligned training programs.
▪ Security Operations Centers (SOCs): Develop and implement incident response plans.
▪ Legal and Compliance Teams: Ensure compliance with regulations during incident response.
▪ Procurement Teams: Integrate security requirements into vendor contracts and assess third-party suppliers.
▪ Contractors and Vendors: Implement security controls to meet contractual requirements.
▪ Cloud Providers & Security Vendors: Design and develop secure cloud services and products.
▪ Technology and SaaS Providers: Offer and map security features within their products and services.
▪ Healthcare and Payment Providers: Implement security controls to safeguard sensitive data according
▪ Sales and Marketing Teams: Communicate the security features and benefits of their products and services.
NIST CSF vs ISO 27001

| | NIST CSF | ISO/IEC 27001 |
|---|---|---|
| Provider | National Institute of Standards and Technology (NIST) | International Organization for Standardization / International Electrotechnical Commission (ISO/IEC) |
| Nature | Framework (voluntary guideline) | Standard (normative) |
| Development | NIST with US and international industry, academia, and government | Dedicated working group within the ISO/IEC joint technical committee (JTC 1/SC 27/WG 1) |
| Focus | Manage cyber risks and continuously improve cybersecurity | Establish and maintain an information security management system (ISMS) |
| Suitability | Any organization (initially aimed at critical infrastructure) | Mature organizations |
| Structure | Components (Core, Tiers, Profiles) | Plan-Do-Check-Act (PDCA) cycle |
| Adoption | Worldwide (initially aimed at the US) | Worldwide |
| Adaptability | Flexible, tailorable | Flexible, tailorable, more specific |
| Compliance | No (self-assessment) | Set of requirements; external audit results in a certification |
| Cost | Free of charge | Significant costs |
| Technology-agnostic | Yes | Yes |
Andrey Prozorov https://bit.ly/43mwwSk
NIST CSF vs CIS CSC

| | NIST CSF | CIS Critical Security Controls |
|---|---|---|
| Provider | National Institute of Standards and Technology (NIST) | Center for Internet Security (CIS) |
| Nature | Framework (voluntary guideline) | Best practices |
| Development | NIST with US and global industry, academia, and government | CIS, industry experts, and government agencies |
| Focus | Manage cyber risks and continuously improve cybersecurity | Defending against the most prevalent cyber threats |
| Suitability | Any organization (initially aimed at critical infrastructure) | All organizations |
| Structure | Components (Core, Tiers, Profiles) | List of controls |
| Adoption | Worldwide (initially aimed at the US) | Worldwide |
| Adaptability | Flexible, tailorable | Flexible, can be prioritized |
| Compliance | No (self-assessment) | Voluntary, self-assessment |
| Cost | Free of charge | Free of charge |
| Technology-agnostic | Yes | Yes |
NIST CSF vs NIST SP 800-53

| | NIST CSF | NIST SP 800-53 |
|---|---|---|
| Provider | National Institute of Standards and Technology (NIST) | NIST |
| Nature | Framework (voluntary guideline) | Catalog of security controls and a process for selecting them |
| Development | NIST with US and global industry, academia, and government | NIST |
| Focus | Manage cyber risks and continuously improve cybersecurity | Security and privacy controls for information systems and organizations |
| Suitability | Any organization (initially aimed at critical infrastructure) | Federal information systems and organizations |
| Structure | Components (Core, Tiers, Profiles) | List of controls |
| Adoption | Worldwide (initially aimed at the US) | Primarily US federal agencies and contractors |
| Adaptability | Flexible, tailorable | Flexible, tailorable |
| Compliance | No (self-assessment) | Mandatory for federal information systems and organizations |
| Cost | Free of charge | Free of charge |
| Technology-agnostic | Yes | Yes |
The journey to NIST CSF 1.0
Process (figure): Engage Stakeholders → Collect, Categorize, Post RFI Responses → Analyze RFI Responses → Identify Framework Elements → Prepare and Publish Framework
▪ EO 13636 issued – Feb 12, 2013
▪ RFI issued – Feb 2013
▪ 1st Workshop – April 2013
▪ 2nd Workshop – May 2013
▪ Framework Outline Draft – June 2013
▪ 3rd Workshop – July 2013
▪ 4th Workshop – Sept 2013
▪ 5th Workshop – Nov 2013
▪ Published – Feb 12, 2014
The journey to NIST CSF 1.1
▪ Request for Information – Dec 2015
▪ 1st Workshop – Apr 2016
▪ Draft 1 of Framework 1.1, Request for Comment – Jan 2017
▪ 2nd Workshop – May 2017
▪ Draft 2 of Framework 1.1, Request for Comment – Dec 2017
▪ Framework 1.1 – Apr 2018
The journey to NIST CSF 2.0
NIST https://bit.ly/3IIB4ZG
CSF by the numbers
▪ ~2 million total downloads (from over 185 countries).
▪ 18,500+ attendees at workshops & webinars.
▪ 800+ responses/comments from the public.
▪ Translated to 13 languages: Arabic, Bulgarian, French, Greek, Indonesian, Japanese,
Korean, Malay, Norwegian, Polish, Portuguese, Spanish & Ukrainian.
▪ Adapted into national cybersecurity policies and strategies (e.g., Italy, Poland, Japan,
Uruguay, Bermuda).
▪ Adopted by various organizations (e.g., MS-ISAC, LCRA, UChicago, KUMC, Pitt, ISACA,
Aramco, Cimpress, Optic Cyber).
What is new in CSF 2.0?
The recent release introduces several key improvements over the previous version.
▪ New "Govern" Function: a sixth core Function, Govern, emphasizes the critical role of leadership and governance in managing cybersecurity risks effectively.
▪ Expanded Scope: CSF 2.0 broadens its focus beyond protecting critical infrastructure to all organizations across sectors, making it relevant for a much wider range of businesses.
▪ Enhanced Profile Guidance: improved and expanded guidance on creating "Profiles", which help organizations tailor the CSF to their specific needs and risk tolerance.
▪ Reference Tool: a new CSF 2.0 Reference Tool simplifies implementation by letting users explore, search, and export the Core guidance.
▪ Implementation Examples: concise, action-oriented sample steps for achieving the CSF outcomes, in addition to the guidance provided by the Informative References.
▪ Quick Start Guides: designed for SMBs, enterprise risk managers, and organizations seeking to secure their supply chains.
What are the changes made in CSF 2.0 Core?
Andrey Prozorov https://bit.ly/3PpPMIT Kelly Hood https://youtu.be/WrAecu8q82U

| | CSF 1.1 | CSF 2.0 |
|---|---|---|
| Functions | 5 | 6 (+1) |
| Categories | 23 | 22 (-1) |
| Subcategories | 108 | 106 (-2) |
| Implementation Examples | N/A | 363 |
Cyber Risk Management
CSF Components (figure)
▪ Core: a Governance Function (Govern) and five Management Functions (Identify, Protect, Detect, Respond, Recover).
▪ Tiers: Tier 1 Partial, Tier 2 Risk-Informed, Tier 3 Repeatable, Tier 4 Adaptive.
▪ Organizational Profiles: Current Profile and Target Profile; Community Profiles serve as shared baselines.
1st Component - CSF Core
▪ High-level cybersecurity outcomes that can help an organization manage its cyber risks.
▪ A hierarchy of Functions, Categories, and
Subcategories that detail each outcome.
▪ A Function is the highest-level structure for
cybersecurity outcomes.
CSF Core Functions
CSF Reference Tool https://bit.ly/3PxHui9
CSF Core main topics (figure, one box per Function)
▪ Govern: Context, Risk Strategy, Roles, Policy, Oversight & Supply Chain
▪ Identify: Assets, Risk Assessment & Improvement
▪ Protect: IAM, Authentication, Awareness, Training, Data, Platform Security & IT Resilience
▪ Detect: Monitoring & Event Analysis
▪ Respond: Incident Management, Analysis, Response Reporting & Mitigation
▪ Recover: Incident Recovery Plan Execution & Communication
1st Function : GOVERN (GV)
The organization’s cybersecurity risk management strategy, expectations, and policy
are established, communicated, and monitored.
▪ Understand and assess specific cybersecurity needs.
▪ Develop a tailored cybersecurity risk strategy.
▪ Establish defined risk management policies.
▪ Develop and communicate organizational cybersecurity practices.
▪ Establish and monitor cybersecurity supply chain risk management.
▪ Implement continuous oversight and checkpoints.
2nd Function : IDENTIFY (ID)
The organization’s current cybersecurity risks are understood.
▪ Identify critical business processes and assets.
▪ Maintain inventories of hardware, software, services, and systems.
▪ Document information flows.
▪ Identify threats, vulnerabilities, and risk to assets.
▪ Lessons learned are used to identify improvements.
3rd Function : PROTECT (PR)
Safeguards to manage the organization’s cybersecurity risks are used.
▪ Manage access.
▪ Train users.
▪ Protect and monitor your devices.
▪ Protect sensitive data.
▪ Manage and maintain software.
▪ Conduct regular backups.
4th Function : DETECT (DE)
Possible cybersecurity attacks and compromises are found and analyzed.
▪ Monitor networks, systems, and facilities continuously to find potentially adverse events.
▪ Determine and analyze the estimated impact and scope of adverse events.
▪ Provide information on adverse events to authorized staff and tools.
5th Function : RESPOND (RS)
Actions regarding a detected cybersecurity incident are taken.
▪ Execute an incident response plan once an incident is declared, in coordination with
relevant third parties.
▪ Categorize and prioritize incidents and escalate or elevate as needed.
▪ Collect incident data and preserve its integrity and provenance.
▪ Notify internal and external stakeholders of any incidents and share
incident information with them — following policies set by your organization.
▪ Contain and eradicate incidents.
6th Function : RECOVER (RC)
Assets and operations affected by a cybersecurity incident are restored.
▪ Understand roles and responsibilities.
▪ Execute your recovery plan.
▪ Double-check your work.
▪ Communicate with internal and external stakeholders.
CSF Core – Categories and Subcategories
▪ Categories: sets of cybersecurity outcomes that work together to achieve a broader Function.
▪ Subcategories: groups of specific outcomes of technical and management cybersecurity activities that comprise a Category.
Implementation Examples (IE)
NIST https://bit.ly/4ct7QeU
Examples of concise, action-oriented steps to help achieve the outcomes
(e.g., Share, Document, Develop, Perform, Monitor, Analyze, Assess & Exercise)
Core Weights (subjective)
Share of the Core held by each Function (figure; counts in parentheses are the Function's share of the total):

| Function | 22 Categories | 106 Subcategories | 363 Implementation Examples | Subjective weight |
|---|---|---|---|---|
| Govern (GV) | 27.27% (6) | 29.25% (31) | 32.78% (119) | 30% |
| Identify (ID) | 13.64% (3) | 19.81% (21) | 20.39% (74) | 18% |
| Protect (PR) | 22.73% (5) | 20.75% (22) | 21.21% (77) | 22% |
| Detect (DE) | 9.09% (2) | 10.38% (11) | 10.19% (37) | 10% |
| Respond (RS) | 18.18% (4) | 12.26% (13) | 10.47% (38) | 13% |
| Recover (RC) | 9.09% (2) | 7.55% (8) | 4.96% (18) | 7% |

The last column is the slide's own subjective weighting (30% 18% 22% 10% 13% 7%), read in Function order.
Online Informative References (OLIR)
▪ Mappings that indicate relationships between the CSF Core and various standards, guidelines, regulations, and other resources.
▪ Informative References (IR) help inform how an organization may achieve the Core's outcomes.
▪ IR can be sector- or technology-specific.
NIST https://bit.ly/4ctRliX
CSF 2.0 Informative References
CSF 1.1 Informative References (30):
▪ Critical Security Controls (CIS Controls)
▪ Cybersecurity Capability Maturity Model (C2M2)
▪ COBIT 2019
▪ FAIR
▪ HIPAA Security Rule
▪ HITRUST CSF
▪ ISA/IEC 62443
▪ Standard of Good Practice for Information Security (SOGP)
▪ ISO/IEC 27001
▪ NERC CIP (Critical Infrastructure Protection)
▪ NIST SP 800-37, 800-53, 800-66, 800-171, 800-181, 800-213 & 800-221
▪ NISTIR 8286
▪ NISTIR 8374 Ransomware Profile
▪ NIST Privacy Framework
▪ Secure Controls Framework (SCF)
▪ TS Mitigation Open
Organizations behind CSF 1.1 IR
▪ Center for Internet Security (CIS)
▪ International Society of Automation Global Cybersecurity Alliance (ISAGCA)
▪ Cyber Risk Institute (CRI)
▪ ISACA
▪ Department of Energy
▪ National Institute of Standards and Technology
▪ FAIR Institute / OpenGroup
▪ North American Electric Reliability Corporation (NERC)
▪ HHS Office for Civil Rights (OCR)
▪ SCF Council
▪ HITRUST Alliance
▪ Seemless Transition LLC
▪ Information Security Forum (ISF)
▪ Threat Sketch LLC (TS)
IR Mappings
(Figure: Informative Reference mappings in the reference tool: a mapping with CIS Controls 8, CRI Profile 2, CSF 1.1 & SP 800-221A, and a mapping with CRI Profile 2, CSF 1.1 & SP 800-221A.)
2nd Component - Organizational Profiles
▪ A way of describing an organization's current and/or target cybersecurity posture in terms of the Core's outcomes.
▪ Relies on CSF to assess current capabilities (Current Profile) and desired state (Target Profile).
▪ Current Profile: Analyzes how well the organization is currently achieving each outcome.
▪ Target Profile: Defines the desired state for CSF outcomes, considering future needs and threats.
▪ Helps prioritize cybersecurity efforts based on the organization's specific needs and threats.
▪ Can be used to track progress and communicate cybersecurity strategy to stakeholders.
Continuous improvement of cybersecurity program
(Figure: Progress vs. Time, with the gap between Current and Target Profile shown at successive points.)
Creating and using an Organizational Profile
1st Step - Scoping the Organizational Profile
(Figure: example scopes such as 3rd-party IT systems, HR IT systems, systems using AI, end-user IT systems, and OT/IoT systems.)
Defining the scope is crucial for creating an Organizational Profile. It clarifies the assumptions and details
the profile will focus on. Some key questions to consider when defining scope:
▪ Purpose: Why is this profile being created?
▪ Coverage: Will it cover the entire organization or specific parts (divisions, assets, etc.)?
▪ Threats: Will it address all cyber threats or focus on specific types?
▪ Ownership: Who will develop, review, and use the profile?
▪ Accountability: Who sets expectations for achieving target outcomes?
2nd Step - Gather Needed Information
Examples of information include organizational policies, risk management priorities and resources,
cybersecurity requirements and standards, etc.
The sources of information needed will depend on the use case, the elements the Profiles will
capture, and the level of detail desired. Common sources include:
▪ A Community Profile as the basis for a Target Profile: copy the Community Profile into an
Organizational Profile and adapt it by adjusting the priorities of particular outcomes and adding
specific Subcategories, Informative References, or Implementation Examples.
▪ The Organizational Profile spreadsheet template, which facilitates side-by-side comparison of
Current and Target Profiles to identify and analyze gaps.
3rd Step - Creating the Organizational Profile
This step involves customizing a template, recording current practices, setting future goals,
and documenting the justifications and plans for achieving those goals.
4th Step - Analyzing gaps and creating action plans
(Figure: the three column groups of the profile template)
▪ Target Goals: Core outcome description, Informative References, Implementation Examples
▪ Current Practices: People, Process, Technology
▪ Improvements: Action, Priority, Owner, Deadline, Resources
• Identifying and analyzing the differences between the Current and Target Profiles enables an
organization to find gaps and develop a prioritized action plan for addressing them.
• The plan is a list of pending improvements for the cybersecurity program.
• In addition to the gap analysis, the action plan should consider mission drivers, benefits,
risks, and necessary resources (e.g., staffing, funding).
5th Step - Implementing action plans
▪ Implementation and Monitoring
The action plan is carried out using various controls.
The profile tracks progress, and effectiveness is measured by
KPIs (performance) and KRIs (risk).
For high-risk situations, additional risk assessments are conducted.
▪ Updates based on findings
If risks exceed your tolerance level, the action plan, profile, or
risk tolerance might need adjustments.
Identified gaps might require a longer-term plan (POA&M).
▪ Continuous Improvement
This is an ongoing process.
New risk assessments (considering risk tolerance) and monitoring
with KPIs and KRIs help identify changes in risk levels.
These changes may prompt updates to your cybersecurity profile.
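In practice the five steps above come down to a side-by-side comparison of Current and Target Profile rows followed by a prioritized gap list. The Python below is an added example, not NIST's spreadsheet template and not part of this deck: each row holds one CSF 2.0 Subcategory with a Current score, a Target score and a business priority; the script validates the rows, rolls the scores up per Function, reports how much of the (priority-weighted) target is already reached, and orders the action list by priority times gap. The 1..4 score scale (loosely mirroring the Tier ladder), the 1..3 priority scale and the scores themselves are this example's assumptions; the Subcategory IDs are real CSF 2.0 identifiers, the sample profile is constructed data.

```python
"""Organizational Profile gap analysis: an added example, not NIST's
spreadsheet template. Scores use a 1..4 scale (an assumption, loosely
following the Tier ladder); the rows are constructed sample data."""
from collections import defaultdict
from dataclasses import dataclass

FUNCTIONS = ("GV", "ID", "PR", "DE", "RS", "RC")


@dataclass(frozen=True)
class ProfileRow:
    subcategory: str  # CSF 2.0 Subcategory ID, e.g. "GV.SC-01"
    current: int      # Current Profile score, 1..4
    target: int       # Target Profile score, 1..4
    priority: int     # business priority of the outcome, 1 (low)..3 (high)

    @property
    def function(self) -> str:
        return self.subcategory.split(".")[0]

    @property
    def gap(self) -> int:
        # A Current score above Target is not a gap; never negative.
        return max(self.target - self.current, 0)


def validate(rows):
    """Reject rows that would silently skew the roll-up."""
    seen = set()
    for r in rows:
        if r.function not in FUNCTIONS:
            raise ValueError(f"{r.subcategory}: unknown Function")
        if not (1 <= r.current <= 4 and 1 <= r.target <= 4):
            raise ValueError(f"{r.subcategory}: scores must be within 1..4")
        if not 1 <= r.priority <= 3:
            raise ValueError(f"{r.subcategory}: priority must be within 1..3")
        if r.subcategory in seen:
            raise ValueError(f"{r.subcategory}: duplicate row")
        seen.add(r.subcategory)
    return rows


def function_scores(rows):
    """Mean Current and Target score per Function, rounded to 2 decimals."""
    cur, tgt, n = defaultdict(int), defaultdict(int), defaultdict(int)
    for r in rows:
        cur[r.function] += r.current
        tgt[r.function] += r.target
        n[r.function] += 1
    return {f: (round(cur[f] / n[f], 2), round(tgt[f] / n[f], 2))
            for f in FUNCTIONS if n[f]}


def action_plan(rows):
    """Subcategories with a gap, highest priority * gap first, then by ID."""
    open_gaps = [r for r in rows if r.gap > 0]
    return sorted(open_gaps, key=lambda r: (-(r.priority * r.gap), r.subcategory))


def weighted_attainment(rows):
    """Priority-weighted share of the Target already reached (0..1)."""
    reached = sum(r.current * r.priority for r in rows)
    wanted = sum(r.target * r.priority for r in rows)
    return round(reached / wanted, 2)


# Constructed sample profile (not an assessment of any real organization).
SAMPLE_PROFILE = validate([
    ProfileRow("GV.OC-01", 2, 3, 2),
    ProfileRow("GV.SC-01", 1, 3, 3),
    ProfileRow("GV.SC-04", 1, 3, 3),
    ProfileRow("ID.AM-01", 3, 4, 2),
    ProfileRow("ID.RA-01", 2, 3, 2),
    ProfileRow("PR.AA-03", 2, 4, 3),
    ProfileRow("PR.DS-11", 3, 3, 1),
    ProfileRow("DE.CM-01", 2, 3, 2),
    ProfileRow("RS.MA-01", 2, 3, 2),
    ProfileRow("RC.RP-01", 1, 3, 2),
])

if __name__ == "__main__":
    for f, (c, t) in function_scores(SAMPLE_PROFILE).items():
        print(f"{f}: current {c:.2f} -> target {t:.2f}")
    print(f"weighted attainment: {weighted_attainment(SAMPLE_PROFILE):.0%}")
    for r in action_plan(SAMPLE_PROFILE):
        print(f"{r.subcategory}: close gap {r.gap} (priority {r.priority})")
```

The ordering key deliberately multiplies priority by gap rather than sorting on gap alone, so a high-priority outcome one step short of target outranks a low-priority outcome two steps short; swap in your own weighting (e.g. the subjective Function weights from the Core Weights slide) where the business context calls for it.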
Community Profiles
A baseline of outcomes created and published to address the shared interests and goals of a group of organizations.
Typically intended for a particular sector or subsector, technology, threat type, or other use case.
Typical Community Profiles
▪ Large organizations
▪ Trade associations
▪ Nonprofit entities
▪ Government agencies
▪ Advisory committees
▪ Information Sharing Organizations/
Analysis Centers (ISAOs/ISACs)
Community Profile Structure
A Community Profile uses CSF Core
to identify and prioritize cybersecurity
outcomes that are necessary to meet
the community’s priorities.
The stars represent the degree of
importance of CSF outcomes in the
context of the Community Profile
NIST https://doi.org/10.6028/NIST.CSWP.32.ipd
Current Community Profiles
CSF 1.1 Community Profiles:
▪ Ransomware Profile
▪ Botnet Threat Mitigation Profile
▪ Manufacturing Profile
▪ Smart Grid Profile
▪ PNT Profile
▪ Connected Vehicle Environments Profile
▪ Liquefied Natural Gas Profile
▪ Election Infrastructure Profile
▪ Electric Vehicle Extreme Fast Charging Infrastructure Profile
▪ Cybersecurity Framework DDoS Threat Mitigation Profile
▪ Hybrid Satellite Networks (HSN) Profile
▪ Framework Payroll Profile
▪ Genomic Data Profile
▪ White House Fact Sheet Profile
CSF 2.0 Community Profiles:
▪ CRI Profile for the Financial Sector - Cyber Risk Institute
NCCoE https://bit.ly/43ovRjc
CRI Profile v2.0
Cyber Risk Institute https://bit.ly/43uffqf
Ransomware Risk Management - A Cybersecurity Framework Profile
NIST https://doi.org/10.6028/NIST.IR.8374
Community Profile Lifecycle
(Figure: four phases, from planning to retirement)
▪ Audience → Scope → Participants → References → Content
▪ Prioritize → Align → Document → Feedback → Inform
▪ Collaborate & Coordinate → Assess
▪ Measure Impact → Monitor/Feedback → Update → Retire
3rd Component - Tiers
▪ Tiers describe the rigor of an organization's cyber risk governance and
management practices.
▪ Provide context for how an organization views cyber
risks and the processes in place to manage those risks.
▪ Valuable when reviewing processes and practices
to determine needed improvements and monitor
progress made through those improvements.
Tiers…
Tier 1: Partial
▪ Relies on ad-hoc approaches with limited
awareness and inconsistent practices.
Tier 2: Risk Informed
▪ Management approves risk practices,
but they may not be widespread.
▪ Prioritization considers organizational objectives and threats.
▪ There's basic awareness of supplier risks, but responses are inconsistent.
Tiers…
Tier 3: Repeatable
▪ Formal policies and procedures guide risk management.
▪ Practices are reviewed and updated regularly.
▪ Information sharing is routine, and personnel are trained.
▪ Consistent methods address risk changes.
▪ The organization consistently monitors risks and communicates them across various levels.
▪ Supplier risk management involves formal agreements and ongoing monitoring.
Tiers…
Tier 4: Adaptive
▪ A well-integrated approach uses risk information for decision-making.
▪ Executives consider cybersecurity risks alongside other business risks.
▪ The budget reflects risk tolerance, and business units
align with organizational goals.
▪ Cybersecurity is part of the culture, continuously
adapting to changing threats and technologies.
▪ Real-time information is used to manage supplier risks.
▪ Information sharing is extensive, including with authorized third parties.
Applying Tiers to Profiles
Cyber Risk Management
CSF can help organizations manage cybersecurity risks and understand the
connections between the different levels of risk management.
▪ Enterprise Risk Management (ERM)
Considers all aspects of an organization and its core risks, including mission,
financial, reputational, and technical risks. ERM helps prioritize and analyze them.
▪ Information and Communications Technology (ICT) Risk Management
Focuses on risks related to the technology an enterprise uses, including
privacy, supply chain, cybersecurity, and emerging technologies such as AI.
▪ Cybersecurity Risk Management (CSRM)
Deals specifically with cyber risks and how they can impact cost, revenue,
reputation, and innovation. It operates within the risk tolerance set by ERM.
Risk management integration and coordination
The cybersecurity risk register (CSRR)
Records and communicates the known system-level threats and vulnerabilities, their impact
on business objectives, and the actions taken or planned to maintain the appropriate level
of risk based on stakeholders' expectations.
NIST https://doi.org/10.6028/NIST.IR.8286B
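The register is a table, and the useful checks on it are mechanical: which open risks exceed the tolerance that ERM has set, which of those are carried as "accepted" and therefore need an explicit decision at the level that owns risk tolerance, and where exposure concentrates by CSF Function. The Python below is an added example, not the NIST IR 8286 template and not part of this deck; its column set is a simplified version of that template (ID, description, category, likelihood, impact, exposure, response type, owner, status). The 1..5 likelihood and impact scales, exposure computed as likelihood times impact, the tolerance threshold of 12, and every row of the sample register are this example's assumptions and constructed data; the Subcategory IDs are real CSF 2.0 identifiers.

```python
"""Cybersecurity risk register (CSRR) checks: an added example with a
simplified column set loosely following the NIST IR 8286 register
template. The 1..5 scales, the exposure formula, the tolerance threshold
and the rows are all assumptions / constructed sample data."""
from collections import defaultdict
from dataclasses import dataclass

# Risk response types as used in NIST IR 8286.
RESPONSE_TYPES = ("accept", "mitigate", "transfer", "avoid")


@dataclass(frozen=True)
class RiskEntry:
    risk_id: str
    description: str
    subcategory: str   # CSF 2.0 Subcategory the risk bears on, e.g. "PR.AA-03"
    likelihood: int    # 1 (rare) .. 5 (almost certain)   [assumed scale]
    impact: int        # 1 (negligible) .. 5 (severe)     [assumed scale]
    response: str      # one of RESPONSE_TYPES
    owner: str
    status: str = "open"  # "open" | "closed"

    def __post_init__(self):
        if self.response not in RESPONSE_TYPES:
            raise ValueError(f"{self.risk_id}: unknown response {self.response!r}")
        for name in ("likelihood", "impact"):
            if not 1 <= getattr(self, name) <= 5:
                raise ValueError(f"{self.risk_id}: {name} must be within 1..5")

    @property
    def exposure(self) -> int:
        # Exposure rating = likelihood x impact (assumed formula), range 1..25.
        return self.likelihood * self.impact

    @property
    def function(self) -> str:
        return self.subcategory.split(".")[0]


def above_tolerance(register, tolerance=12):
    """Open risks whose exposure exceeds the ERM-set tolerance, worst first."""
    hits = [r for r in register if r.status == "open" and r.exposure > tolerance]
    return sorted(hits, key=lambda r: (-r.exposure, r.risk_id))


def accepted_above_tolerance(register, tolerance=12):
    """'Accepted' risks over tolerance: acceptance here is a decision that
    must be taken (and recorded) by whoever owns the risk tolerance."""
    return [r.risk_id for r in above_tolerance(register, tolerance)
            if r.response == "accept"]


def exposure_by_function(register):
    """Sum of open exposure per CSF Function: shows where risk concentrates."""
    totals = defaultdict(int)
    for r in register:
        if r.status == "open":
            totals[r.function] += r.exposure
    return dict(totals)


# Constructed sample register; none of these rows describe a real organization.
SAMPLE_REGISTER = [
    RiskEntry("R-01", "Vendor remote access to the OT network is not monitored",
              "GV.SC-07", 4, 5, "mitigate", "OT lead"),
    RiskEntry("R-02", "Backups exist but restores are never exercised",
              "PR.DS-11", 3, 4, "mitigate", "IT operations"),
    RiskEntry("R-03", "Internet-facing legacy application without MFA",
              "PR.AA-03", 4, 4, "accept", "Application owner"),
    RiskEntry("R-04", "Security logs retained for only seven days",
              "DE.CM-01", 2, 3, "accept", "SOC manager"),
    RiskEntry("R-05", "Single supplier for a critical SaaS service",
              "GV.SC-04", 2, 4, "transfer", "Procurement"),
    RiskEntry("R-06", "Unpatched hypervisor (remediated last quarter)",
              "PR.PS-02", 5, 5, "mitigate", "IT operations", status="closed"),
]

if __name__ == "__main__":
    for r in above_tolerance(SAMPLE_REGISTER):
        print(f"{r.risk_id} exposure {r.exposure:2d} ({r.response}): {r.description}")
    print("needs explicit acceptance:", accepted_above_tolerance(SAMPLE_REGISTER))
    print("open exposure by Function:", exposure_by_function(SAMPLE_REGISTER))
```

Closed entries stay in the register for provenance but drop out of every roll-up, which is why R-06, the highest-exposure row, never appears in the output; the per-Function totals feed straight back into the Target Profile priorities described earlier.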
Cybersecurity Supply Chain Risk Management (C-SCRM)
▪ Cybersecurity Supply Chain Risk Management (C-SCRM) is a process to identify and
mitigate cyber risks in the complex supply chains of technology products and services.
▪ Potential risks include malicious functionality, counterfeit devices, or vulnerabilities
derived from poor manufacturing and development practices within the supply chain.
▪ C-SCRM emphasizes the importance of collaboration across an organization to address
these risks throughout the entire supply chain.
Establishing a C-SCRM Capability
The GV.SC Category contains the key outcomes that an organization should achieve via its C-SCRM capability.
1. Create a C-SCRM strategy, objectives, policies, and processes.
2. Identify technology suppliers and determine how critical each one is to the organization.
3. Establish C-SCRM roles and requirements and communicate them within and outside the organization.
4. Integrate C-SCRM into risk-related processes, monitor and improve those practices throughout the
technology lifecycle.
5. Include the relevant suppliers in cybersecurity incident planning, response, and recovery activities.
Setting C-SCRM Requirements as a Target Profile
In addition to GV.SC Category, many of the subcategories within the remainder of the CSF can be used to
identify and communicate C-SCRM-related requirements internally for organizations and for their vendors.
CSF Online Resources

| Item | Description |
|---|---|
| Informative References | View and create mappings between the CSF and other documents |
| Cybersecurity & Privacy Reference Tool (CPRT) | Browse and download the CSF Core and mapped content |
| Implementation Examples | View and download examples of steps to help achieve outcomes |
| Reference Tool | Access human- and machine-readable versions of the Core |
| Community Profiles and Profile templates | Help organizations put the CSF into practice |
| Search tools | Simplify and streamline the search for specific information |
| Concept papers | Learn more about various CSF topics |
| FAQs | See what others are asking and get answers to top questions |
https://doi.org/10.6028/NIST.SP.1299
CSF Quick Start Guides (QSGs)
https://www.nist.gov/quick-start-guides
CSF Quick Start Guides (QSGs)

| Quick Start Guide | Description |
|---|---|
| Small Business (SMB) | Guidance for small businesses with limited cybersecurity experience to get started. |
| Creating and Using Organizational Profiles | Explains how to create Profiles that define an organization's current and target cybersecurity state. |
| Using the CSF Tiers | Shows how to characterize the rigor of an organization's cybersecurity practices. |
| Enterprise Risk Management (ERM) | Information for ERM professionals on leveraging CSF 2.0 for better cybersecurity risk management. |
| Cybersecurity Supply Chain Risk Management (C-SCRM) | Helps organizations become more secure technology buyers and sellers by improving their C-SCRM processes. |
| A Guide to Creating Community Profiles | Explains how to develop cybersecurity plans for groups of organizations with similar needs. |
Cybersecurity Maturity Assessment
▪ NIST CSF (Tiers, Organizational and Community Profiles)
▪ Informative References (e.g., NIST, ISO, COBIT, CIS)
▪ Capability Maturity Model Integration (CMMI) – CMMI Institute (part of ISACA)
▪ Cybersecurity Capability Maturity Model (C2M2) – Department of Energy (DOE)
▪ CIS Controls Self Assessment Tool (CIS CSAT) – Center for Internet Security, etc.
https://bit.ly/4a444XH
Cybersecurity Maturity Assessment Example
Security Architects https://bit.ly/4a6SZ8j
NIST CSF Maturity Tool
John Masserini https://bit.ly/3VvRFYt
NIST CSF Self-scoring Tool
expel https://bit.ly/3Tq9W6P
CSF Assessment & Risk Management Tool
Skillweed https://bit.ly/49X2zuu
NIST CSF 1.1 Risk Assessment and Budgeting Tool
Critical Insight https://bit.ly/4alzetv
NIST CSF 1.1 Management Tool (NIST CSF+)
SANS https://bit.ly/3vjMD6x
ISO/IEC 27002 - Information security, cybersecurity
and privacy protection - Information security controls
ISO https://bit.ly/4ctl7UV
ISO/IEC TS 27110:2021 - Cybersecurity framework
development guidelines
ISO https://bit.ly/495RVjZ
(Figure: ISO/IEC TS 27110 concepts. The Cybersecurity Framework Creator works from Context, Requirements, and Stakeholders; the Resultant Cybersecurity Framework covers Identify, Protect, Detect, Respond, and Recover, plus Additional Concepts.)
Threat and Safeguard Matrix (TaSM)
OWASP https://bit.ly/4apOnu1
Kali Purple
A defensive variant of Kali Linux whose menu structure is organized by the NIST CSF 1.1 Functions.
OffSec https://bit.ly/3Tij2Cs
Facility Cybersecurity Framework (FCF)
FCF helps facility owners and
operators manage their cyber
risks in OT & IT environments.
FCF https://facilitycyber.labworks.org/
Mapping MITRE ATT&CK ICS Mitigation Strategies to FCF Controls
Cyber Threat Dictionary
Using MITRE ATT&CK
Matrix and NIST
Cybersecurity
Framework Mapping
IEEE https://doi.org/10.1109/RWS50334.2020.9241271
What is next for CSF?
▪ Additional Informative References and mappings
▪ Additional Quick Start Guides
▪ Future Community Profiles
▪ Draft documents finalization
▪ Resources translations
▪ Use cases and success stories
▪ Online training materials
Submit suggestions to
IR : olir@nist.gov
Misc.: cyberframework@nist.gov
Wrapping-up
▪ NIST CSF can be used to govern ang manage cyber risks.
▪ It can be used by top management to demonstrate due diligence.
▪ It outlines outcomes but it does not prescribe them nor how they may be achieved.
▪ It works best when mapped and/or combined with other resources.
▪ It is the starting point for the continuous improvement of your cybersecurity posture.
Your plan of action
▪ Download and start reading various CSF resources.
▪ Subscribe to NIST newsletter to watch out for future CSF news and events.
▪ Engage with the community and coworkers by discussing CSF concepts.
▪ See how you can operationalize CSF in your organization.
▪ Map your internal and specific references to CSF.
▪ Present a business case to top management, etc.
Thank you for joining our workshop today.
Your active participation and engagement made this event a success.
We value your presence and hope you found the session informative and valuable.
Questions & Answers (Q&A)
We welcome your questions!
Please feel free to ask any questions you may have related to the webinar topic.
Our speakers and experts are here to address your inquiries and provide further insights.
Thank you!
contact@isc2chapter-eldjazair.org
https://linkedin.com/company/isc2-el-djazair-chapter
NIST Cybersecurity Framework (CSF) 2.0 Workshop

  • 1. NIST Cybersecurity Framework (CSF) 2.0 Training Workshop March 25th, 2024 | Ramadan 15th, 1445
  • 3. Event Agenda Welcome and Opening Remarks Introduction of the ISC2 El Djazair Chapter Overview of the event's objectives and agenda Speaker Introduction & Housekeeping Introduce the speaker and his expertise Brief explanation of event logistics and housekeeping rules NIST CSF 2.0 Presentation (01h30) An in-depth overview of the NIST Cybersecurity Framework version 2.0 Question & Answer Session Open the floor for audience questions Closing Remarks & Feedback Summary of key takeaways from the event Feedback survey
  • 4. ISC2 El Djazair Chapter Together Toward a Secure Future Welcome to the ISC2 El Djazair Chapter, a vibrant community of cybersecurity professionals dedicated to advancing information security in Algeria. Our Mission To empower members and professionals through knowledge sharing, professional growth, education, awareness, and collaborative projects. Objectives • Knowledge Sharing: Opportunities for expertise, experiences, and best practices exchange through conferences, workshops, and webinars. • Professional Growth: Resources, mentorship, and career guidance to support continuous development. • Education and Awareness: Awareness campaigns, workshops, and community outreach to promote cybersecurity best practices. • Collaboration on Projects: Working together on critical security challenges for a meaningful impact.
  • 5. ISC2 El Djazair Chapter AFRICAN CHAPTERS 1. South Africa 2. Ghana 3. Nigeria 4. Kenya 5. Uganda 6. Ethiopia 7. Algeria ISC2 https://www.isc2.org/chapters
  • 6. Biography Bachir Benyammi Managing Director Cyber Practice Ghardaia, Algeria ▪ Cyber Security Instructor. A PECB & CompTIA Trainer ▪ Delivered +100 training sessions with +800 participants ▪ Computer engineer, 16 years experience in IT and Cybersecurity ▪ 2 times CISO (for a short period of time ☺) ▪ Dozens of certifications in IT, InfoSec, Cyber, Audit and RM ▪ Contributor in NIST CSF, ISO270k Toolkit & Mehari RM ▪ ISC2 El Djazair Chapter Membership Chair ▪ ISACA Engage Topic Leader (COBIT & Frameworks)
  • 7. Workshop Housekeeping Chat Interactions Please feel free to ask your questions in the chat throughout the presentation. We will do our best to address them after the workshop session. Webinar Feedback Your feedback is valuable to us. Kindly take a moment to evaluate your workshop experience today. CPE Credits ISC2 Members CPE credits will be credited to ISC2 members within 5 business days. Please ensure a minimum viewing time of 45 minutes to be eligible for CPE credits. Recording and Distribution The workshop may be recorded and distributed for future reference and educational purposes.
  • 8. NIST CSF 2.0 Publication: 3rd Edition Date of release: February 26th, 2024 Main publication: https://doi.org/10.6028/NIST.CSWP.29 Online resources : https://nist.gov/cyberframework
  • 9. Today’s Agenda ▪ Overview of Cyber Risks ▪ NIST CSF Journey ▪ CSF Components (Core, Tiers, Profiles) ▪ Online Resources (e.g., QSG, IR, CPRT, IE) ▪ Risk Management (ERM, C-SCRM) ▪ Cybersecurity Maturity Assessment ▪ Demos ▪ Wrapping-up
  • 10. Top business risks in 2024 Allianz https://bit.ly/3PoTXEz
  • 11. Cybersecurity is coming to the board !! Cybersecurity is a major risk that corporations should address at the board level. Cybersecurity expertise on boards is currently rare, but important for companies to effectively protect themselves from cyberattacks. Shareholders and regulators should push corporations to improve cybersecurity oversight and disclosure. Pensions & Investments https://bit.ly/3TRgM6R
  • 12. What is NIST? A non-regulatory agency within the U.S. Department of Commerce. Its mission is to fuel American innovation and industrial competitiveness by: ▪ Advancing measurement science: creating accurate and consistent ways to measure things. ▪ Developing standards: NIST creates guidelines and specifications for products, services, and processes. ▪ Fostering technological advancements: NIST helps develop new technologies and improve existing ones. NIST's work strengthens the U.S. economy and improves the quality of life. Founded in 1901, "calibrated" in 2022: 50 years of R&D related to cybersecurity and privacy. HQ located in Maryland; employs about 3,400 staff members with a budget of $1.6 billion for FY 2024.
  • 13. CSF Overview ▪ NIST CSF 2.0 is a voluntary framework to help organizations manage cybersecurity risks. ▪ It offers a common language (taxonomy) for cybersecurity objectives (outcomes). ▪ It's useful for any organization, regardless of size, industry, country or maturity. ▪ It works well for organizations regardless of their cybersecurity program maturity. ▪ There's no one-size-fits-all approach; organizations can adapt it to their needs. ▪ It focuses on what to achieve (outcomes), not on how to achieve it (specific practices or activities). ▪ It provides links to various resources for implementing cybersecurity practices. ▪ It works best when combined with other resources as part of a broad cybersecurity strategy. ▪ The latest CSF publication (i.e., 2.0) emphasizes governance and supply chain considerations.
  • 14. What is CSF made for? An organization can use the CSF with its supplementary resources to: 1. Understand: Describe the current or target security posture of part or all of an organization. 2. Assess: Determine gaps, and measure progress toward addressing those gaps. 3. Prioritize: Identify, organize, and prioritize actions for managing cyber risks in alignment with the organization's needs and expectations. 4. Communicate: Provide a common language for communicating inside and outside the organization about cybersecurity risks, capabilities, needs, and expectations.
  • 15. Operationalizing CSF ▪ Board & Executive Management: Oversee the organization's cybersecurity posture. Provide leadership and resources for the cybersecurity program. ▪ Business Unit Leaders: Identify and assess cyber risks specific to their areas. ▪ Risk Management Teams: Develop and maintain a comprehensive enterprise risk management program. ▪ HR Departments & Recruiters: Integrate cybersecurity awareness into onboarding and job descriptions. ▪ Business Process Owners: Collaborate with security practitioners to ensure secure business processes. ▪ Audit and Advisory Firms: Provide independent reviews and recommendations for improving security. ▪ Security Professionals: Design, implement, and maintain security controls. ▪ Security Testers: Conduct security assessments and penetration testing to identify vulnerabilities.
  • 16. Operationalizing CSF … ▪ Education & Training Providers: Develop and deliver NIST CSF-aligned training programs. ▪ Security Operations Centers (SOCs): Develop and implement incident response plans. ▪ Legal and Compliance Teams: Ensure compliance with regulations during incident response. ▪ Procurement Teams: Integrate security requirements into vendor contracts and assess third-party suppliers. ▪ Contractors and Vendors: Implement security controls to meet contractual requirements. ▪ Cloud Providers & Security Vendors: Design and develop secure cloud services and products. ▪ Technology and SaaS Providers: Offer and map security features within their products and services. ▪ Healthcare and Payment Providers: Implement security controls to safeguard sensitive data according ▪ Sales and Marketing Teams: Communicate the security features and benefits of their products and services.
  • 17. NIST CSF vs ISO 27001
    Aspect | NIST CSF | ISO/IEC 27001
    Provider | National Institute of Standards and Technology (NIST) | International Organization for Standardization / International Electrotechnical Commission (ISO/IEC)
    Nature | Framework (voluntary guideline) | Standard (normative)
    Development | NIST, US and international industry, academia, and government | Dedicated working group within the ISO/IEC joint technical committee (JTC 1/SC 27/WG 1)
    Focus | Manage cyber risks and continuously improve cybersecurity | Establish and maintain an information security management system (ISMS)
    Suitability | Any business (initially aimed at CIs) | Matured organizations
    Structure | Components (e.g., Core, Tiers, Profiles) | Plan-Do-Check-Act (PDCA) cycle
    Adoption | Worldwide (initially aimed at US) | Worldwide
    Adaptability | Flexible, tailorable | Flexible, tailorable, more specific
    Compliance | No (self-assessment) | Set of requirements; external audit results in a certification
    Cost | Free of charge | Significant costs
    Technology-agnostic | Yes | Yes
    Source: Andrey Prozorov https://bit.ly/43mwwSk
  • 18. NIST CSF vs CIS CSC
    Aspect | NIST CSF | CIS Critical Security Controls
    Provider | National Institute of Standards and Technology (NIST) | Center for Internet Security (CIS)
    Nature | Framework (voluntary guideline) | Best practices
    Development | NIST, US and global industry, academia, and government | CIS, industry experts, and government agencies
    Focus | Manage cyber risks and continuously improve cybersecurity | Defending against the most prevalent cyber threats
    Suitability | Any business (initially aimed at CIs) | All organizations
    Structure | Components (e.g., Core, Tiers, Profiles) | List of controls
    Adoption | Worldwide (initially aimed at US) | Worldwide
    Adaptability | Flexible, tailorable | Flexible, can be prioritized
    Compliance | No (self-assessment) | Voluntary, self-assessment
    Cost | Free of charge | Free of charge
    Technology-agnostic | Yes | Yes
  • 19. NIST CSF vs NIST SP 800-53
    Aspect | NIST CSF | NIST SP 800-53
    Provider | National Institute of Standards and Technology (NIST) | NIST
    Nature | Framework (voluntary guideline) | Catalog of security controls and a process for selection
    Development | NIST, US and global industry, academia, and government | NIST
    Focus | Manage cyber risks and continuously improve cybersecurity | Security and privacy controls for information systems and organizations
    Suitability | Any business (initially aimed at CIs) | Federal information systems and organizations
    Structure | Components (e.g., Core, Tiers, Profiles) | List of controls
    Adoption | Worldwide (initially aimed at US) | Primarily US federal agencies and contractors
    Adaptability | Flexible, tailorable | Flexible, tailorable
    Compliance | No (self-assessment) | Mandatory for federal information systems and organizations
    Cost | Free of charge | Free of charge
    Technology-agnostic | Yes | Yes
  • 20. The journey to NIST CSF 1.0 Process: Engage Stakeholders → Collect, Categorize, Post RFI Responses → Analyze RFI Responses → Identify Framework Elements → Prepare and Publish Framework. Timeline: EO 13636 Issued – Feb 12, 2013; RFI Issued – Feb 2013; 1st Workshop – April 2013; 2nd Workshop – May 2013; Framework Outline Draft – June 2013; 3rd Workshop – July 2013; 4th Workshop – Sept 2013; 5th Workshop – Nov 2013; Published – Feb 12, 2014
  • 21. The journey to NIST CSF 1.1 Request for Information – Dec 2015; 1st Workshop – Apr 2016; Draft 1 - Framework 1.1 Request for Comment – Jan 2017; 2nd Workshop – May 2017; Draft 2 - Framework 1.1 Request for Comment – Dec 2017; Framework 1.1 – Apr 2018
  • 22. The journey to NIST CSF 2.0 NIST https://bit.ly/3IIB4ZG
  • 23. CSF by the numbers ▪ ~2 million total downloads (from over 185 countries). ▪ 18,500+ attendees at workshops & webinars. ▪ 800+ responses/comments from the public. ▪ Translated to 13 languages: Arabic, Bulgarian, French, Greek, Indonesian, Japanese, Korean, Malay, Norwegian, Polish, Portuguese, Spanish & Ukrainian. ▪ Adapted into national cybersecurity policies and strategies (e.g., Italy, Poland, Japan, Uruguay, Bermuda). ▪ Adopted by various organizations (e.g., MS-ISAC, LCRA, UChicago, KUMC, Pitt, ISACA, Aramco, Cimpress, Optic Cyber).
  • 24. What is new in CSF 2.0? The recent release introduces several key improvements over the previous version. ▪ New "Govern" Function: A significant addition is the introduction of a sixth core Function: Govern. This emphasizes the critical role of leadership and governance in managing cybersecurity risks effectively. ▪ Expanded Scope: CSF 2.0 broadens its focus beyond protecting critical infrastructure to encompass all organizations across different sectors. This makes it even more relevant for a wider range of businesses. ▪ Enhanced Profile Guidance: The update offers improved and expanded guidance on creating "Profiles". Profiles help organizations tailor the CSF to their specific needs and risk tolerance. ▪ Reference Tool: NIST has released a new CSF 2.0 Reference Tool. This simplifies implementation by allowing users to explore, search, and export data related to the CSF's core guidance. ▪ Implementation Examples: Samples of concise, action-oriented steps to help achieve the CSF outcomes, in addition to the guidance provided in the Informative References. ▪ Quick Start Guides: Designed for SMBs, enterprise risk managers and organizations seeking to secure their supply chains.
  • 25. What are the changes made in CSF 2.0 Core?
    Element | CSF 1.1 | CSF 2.0
    Functions | 05 | 06 (+1)
    Categories | 23 | 22 (-1)
    Subcategories | 108 | 106 (-2)
    Implementation Examples | NA | 363
    Sources: Andrey Prozorov https://bit.ly/3PpPMIT; Kelly Hood https://youtu.be/WrAecu8q82U
  • 27. CSF Components (diagram) Core: Governance Function; Management Functions: Identification, Protection, Detection, Response, Recovery. Tiers: Tier 1 - Partial; Tier 2 - Risk-Informed; Tier 3 - Repeatable; Tier 4 - Adaptive. Organizational Profiles: Current Profile; Target Profile; Community Profiles.
  • 28. 1st Component - CSF Core ▪ High-level cybersecurity outcomes that can help an organization manage its cyber risks. ▪ A hierarchy of Functions, Categories, and Subcategories that detail each outcome. ▪ A Function is the highest-level structure for cybersecurity outcomes.
  • 29. CSF Core Functions CSF Reference Tool https://bit.ly/3PxHui9
  • 30. CSF Core main topics (one entry per Function, in Core order) ▪ GV: Context, Risk Strategy, Roles, Policy, Oversight & Supply Chain ▪ ID: Assets, Risk Assessment & Improvement ▪ PR: IAM, Authentication, Awareness, Training, Data, Platform Security & IT Resilience ▪ DE: Monitoring & Event Analysis ▪ RS: Incident Management, Analysis, Response Reporting & Mitigation ▪ RC: Incident Recovery Plan Execution & Communication
  • 31. 1st Function : GOVERN (GV) The organization’s cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored. ▪ Understand and assess specific cybersecurity needs. ▪ Develop a tailored cybersecurity risk strategy. ▪ Establish defined risk management policies. ▪ Develop and communicate organizational cybersecurity practices. ▪ Establish and monitor cybersecurity supply chain risk management. ▪ Implement continuous oversight and checkpoints.
  • 32. 2nd Function : IDENTIFY (ID) The organization’s current cybersecurity risks are understood. ▪ Identify critical business processes and assets. ▪ Maintain inventories of hardware, software, services, and systems. ▪ Document information flows. ▪ Identify threats, vulnerabilities, and risk to assets. ▪ Lessons learned are used to identify improvements.
  • 33. 3rd Function : PROTECT (PR) Safeguards to manage the organization’s cybersecurity risks are used. ▪ Manage access. ▪ Train users. ▪ Protect and monitor your devices. ▪ Protect sensitive data. ▪ Manage and maintain software. ▪ Conduct regular backups.
  • 34. 4th Function : DETECT (DE) Possible cybersecurity attacks and compromises are found and analyzed. ▪ Monitor networks, systems, and facilities continuously to find potentially adverse events. ▪ Determine and analyze the estimated impact and scope of adverse events. ▪ Provide information on adverse events to authorized staff and tools.
  • 35. 5th Function : RESPOND (RS) Actions regarding a detected cybersecurity incident are taken. ▪ Execute an incident response plan once an incident is declared, in coordination with relevant third parties. ▪ Categorize and prioritize incidents and escalate or elevate as needed. ▪ Collect incident data and preserve its integrity and provenance. ▪ Notify internal and external stakeholders of any incidents and share incident information with them — following policies set by your organization. ▪ Contain and eradicate incidents.
  • 36. 6th Function : RECOVER (RC) Assets and operations affected by a cybersecurity incident are restored. ▪ Understand roles and responsibilities. ▪ Execute your recovery plan. ▪ Double-check your work. ▪ Communicate with internal and external stakeholders.
  • 37. CSF Core – Categories Sets of cybersecurity outcomes that work together to achieve a broader Function
  • 38. Subcategories Groups of specific outcomes of technical and management cybersecurity activities that comprise a Category.
  • 39. Implementation Examples (IE) NIST https://bit.ly/4ct7QeU Examples of concise, action-oriented steps to help achieve the outcomes (e.g., Share, Document, Develop, Perform, Monitor, Analyze, Assess & Exercise)
  • 40. Core Weights (subjective) (chart; per-Function labels were not preserved in the extraction, values listed in the order extracted) 22 Categories: 9.09 / 27.27 / 22.73 / 9.09 / 18.18 / 13.64 (%). 106 Subcategories: 7.55 / 29.25 / 20.75 / 10.38 / 12.26 / 19.81 (%). 363 Implementation Examples: 4.96 / 32.78 / 21.21 / 10.19 / 10.47 / 20.39 (%). Subjective weights: 30% / 18% / 22% / 10% / 13% / 7%.
  • 41. Online Informative References (OLIR) Mappings that indicate relationships between the CSF Core and various standards, guidelines, regulations, etc. IRs help inform how an organization may achieve the Core's outcomes. IRs can be sector- or technology-specific. NIST https://bit.ly/4ctRliX
  • 42. CSF 2.0 Informative References
  • 43. CSF 1.1 Informative References (30) Critical Security Controls (CIS Controls) Cybersecurity Capability Maturity Model (C2M2) COBIT 2019 FAIR HIPAA Security Rule HITRUST CSF IR ISA 62443 Standard of Good Practice for InfoSec (SOGP) ISO/IEC 27001 NERC CIP (Critical Infrastructure Protection) NIST SP 800 37, 53, 66, 171, 181, 221 & 213 NISTIR 8286 NISTIR 8374 Ransomware Profile NIST Privacy Framework Secure Controls Framework (SCF) TS Mitigation Open
  • 44. Organizations behind CSF 1.1 IR Center for Internet Security (CIS) International Society of Automation Global Cybersecurity Alliance (ISAGCA) Cyber Risk Institute (CRI) ISACA Department of Energy National Institute of Standards and Technology FAIR Institute / OpenGroup North American Electric Reliability Corporation (NERC) HHS Office for Civil Rights (OCR) SCF Council HITRUST Alliance Seemless Transition LLC Information Security Forum (ISF) Threat Sketch LLC (TS)
  • 45. IR Mappings Mapping with CIS 8, CRI Profile 2, CSF 1.1 & SP 800-221A Mapping with CRI Profile 2, CSF 1.1 & SP 800-221A
  • 47. 2nd Component - Organizational Profiles ▪ A mechanism for understanding an organization's cybersecurity posture by describing its current and/or target posture in terms of the Core's outcomes. ▪ Relies on the CSF to assess current capabilities (Current Profile) and the desired state (Target Profile). ▪ Current Profile: Analyzes how well the organization is currently achieving each outcome. ▪ Target Profile: Defines the desired state for CSF outcomes, considering future needs and threats. ▪ Helps prioritize cybersecurity efforts based on the organization's specific needs and threats. ▪ Can be used to track progress and communicate cybersecurity strategy to stakeholders.
  • 48. Continuous improvement of cybersecurity program (chart: Progress over Time, with a Gap between Current and Target Profiles recurring at each iteration)
  • 49. Creating and using an Organizational Profile
  • 50. 1st Step - Scoping the Organizational Profile (example scopes shown: 3rd Party IT Systems, HR IT Systems, Systems Using AI, End User IT Systems, OT/IoT Systems) Defining the scope is crucial for creating an Organizational Profile. It clarifies the assumptions and details the profile will focus on. Some key questions to consider when defining scope: ▪ Purpose: Why is this profile being created? ▪ Coverage: Will it cover the entire organization or specific parts (divisions, assets, etc.)? ▪ Threats: Will it address all cyber threats or focus on specific types? ▪ Ownership: Who will develop, review, and use the profile? ▪ Accountability: Who sets expectations for achieving target outcomes?
  • 51. 2nd Step - Gather Needed Information Examples of information may include organizational policies, risk management priorities and resources, cybersecurity requirements and standards, etc. The sources of information needed will depend on the use case, the elements that the Profiles will capture, and the level of detail desired. Common sources of information include: ▪ A Community Profile as the basis for a Target Profile: copy the Community Profile into an Organizational Profile and adapt it by adjusting the priorities of particular outcomes and adding specific Subcategories, Informative References or Implementation Examples. ▪ The Organizational Profile spreadsheet template, which facilitates side-by-side comparison of Current and Target Profiles to identify and analyze gaps.
  • 52. 3rd Step - Creating the Organizational Profile This step involves customizing a template, recording current practices, setting future goals, and documenting justifications and plans for achieving those goals.
  • 53. 4th Step - Analyzing gaps and creating action plans (diagram) Target Goals: Core outcome description; Informative References; Implementation Examples. Current Practices: People; Process; Technology. Current Improvements: Action; Priority; Owner; Deadline; Resources. • Identifying and analyzing the differences between the Current and Target Profiles enables an organization to find gaps and develop a prioritized action plan for addressing those gaps. • The plan is a list of pending improvements for the cybersecurity program. • In addition to the gap analysis, the action plan should consider mission drivers, benefits, risks, and necessary resources (e.g., staffing, funding).
  • 54. 5th Step - Implementing action plans ▪ Implementation and Monitoring The action plan is carried out using various controls. The profile tracks progress, and effectiveness is measured by KPIs (performance) and KRIs (risk). For high-risk situations, additional risk assessments are conducted. ▪ Updates based on findings If risks exceed your tolerance level, the action plan, profile, or risk tolerance might need adjustments. Identified gaps might require a longer-term plan (POA&M). ▪ Continuous Improvement This is an ongoing process. New risk assessments (considering risk tolerance) and monitoring with KPIs and KRIs help identify changes in risk levels. These changes may prompt updates to your cybersecurity profile.
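The five steps above (scope, gather, create, analyze gaps, implement) reduce to a comparison of a Current Profile against a Target Profile per outcome, followed by a prioritized action list and a progress KPI. The Python below is an added example for this write-up, not NIST's Organizational Profile template or any NIST tooling. It assumes (not from the slides) that each Subcategory outcome is scored 1-4 using the Tier names as a rough maturity scale (as slide 65, "Applying Tiers to Profiles", suggests) and that the profile owner assigns a priority of 1-3. The Subcategory IDs are real CSF 2.0 identifiers; the scores, owners and the paraphrased outcome descriptions in the comments are constructed sample data.

```python
"""Organizational Profile gap analysis: Current vs Target Profile per outcome.

Added example; not NIST's Organizational Profile template or tooling.
Assumptions not taken from the slides: each Subcategory outcome is scored
1-4 using the Tier names as a maturity scale, and a priority 1-3 is set by
the profile owner. Subcategory IDs are real CSF 2.0 identifiers; scores,
owners and the paraphrased descriptions are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List

TIER_LABELS = {1: "Partial", 2: "Risk-Informed", 3: "Repeatable", 4: "Adaptive"}


@dataclass
class OutcomeRecord:
    subcategory: str   # CSF 2.0 Subcategory ID, e.g. "GV.SC-01"
    current: int       # Current Profile score, 1-4
    target: int        # Target Profile score, 1-4
    priority: int      # 1 (low) .. 3 (high), assigned by the profile owner
    owner: str = "TBD"

    def __post_init__(self) -> None:
        for name in ("current", "target"):
            if getattr(self, name) not in TIER_LABELS:
                raise ValueError(f"{name} score for {self.subcategory} must be 1-4")
        if not 1 <= self.priority <= 3:
            raise ValueError(f"priority for {self.subcategory} must be 1-3")

    @property
    def gap(self) -> int:
        # A Current score above Target is not a gap (possible after a Target is lowered).
        return max(0, self.target - self.current)

    @property
    def rank_score(self) -> int:
        # Gap weighted by business priority; this orders the action plan.
        return self.gap * self.priority


def analyze_gaps(profile: List[OutcomeRecord]) -> List[Dict]:
    """Return a prioritized action plan: one entry per outcome with an open gap."""
    ordered = sorted(profile, key=lambda r: (-r.rank_score, r.subcategory))
    return [
        {
            "subcategory": r.subcategory,
            "from": TIER_LABELS[r.current],
            "to": TIER_LABELS[r.target],
            "gap": r.gap,
            "priority": r.priority,
            "owner": r.owner,
        }
        for r in ordered
        if r.gap > 0
    ]


def coverage(profile: List[OutcomeRecord]) -> float:
    """Fraction of outcomes already at or above their Target score (a simple KPI)."""
    if not profile:
        return 0.0
    return sum(1 for r in profile if r.gap == 0) / len(profile)


def function_summary(profile: List[OutcomeRecord]) -> Dict[str, Dict[str, float]]:
    """Average Current and Target score per Function (the ID prefix before the dot)."""
    buckets: Dict[str, List[OutcomeRecord]] = {}
    for r in profile:
        buckets.setdefault(r.subcategory.split(".")[0], []).append(r)
    return {
        fn: {
            "current": sum(r.current for r in rs) / len(rs),
            "target": sum(r.target for r in rs) / len(rs),
        }
        for fn, rs in buckets.items()
    }


# Constructed sample Organizational Profile (scores and owners are illustrative).
SAMPLE_PROFILE = [
    OutcomeRecord("GV.SC-01", 1, 3, 3, "CISO"),      # C-SCRM program established (paraphrased)
    OutcomeRecord("ID.AM-01", 2, 3, 2, "IT Ops"),    # hardware inventory maintained (paraphrased)
    OutcomeRecord("PR.AA-01", 3, 3, 3, "IAM team"),  # identities and credentials managed (paraphrased)
    OutcomeRecord("DE.CM-01", 1, 3, 2, "SOC"),       # networks monitored for adverse events (paraphrased)
    OutcomeRecord("RS.MA-01", 2, 4, 1, "IR lead"),   # IR plan executed with third parties (paraphrased)
    OutcomeRecord("RC.RP-01", 2, 2, 1, "IR lead"),   # recovery plan executed (paraphrased)
]

if __name__ == "__main__":
    for item in analyze_gaps(SAMPLE_PROFILE):
        print(item)
    print(f"coverage: {coverage(SAMPLE_PROFILE):.0%}")
    print(function_summary(SAMPLE_PROFILE))
```

Re-running `analyze_gaps` after each review cycle, with updated Current scores, is the "track progress" use of the Profile from slide 47; `coverage` is the kind of KPI slide 54 mentions, and the ranking rule (gap times priority) is the assumed prioritization, which an organization would replace with its own mission drivers and resource constraints.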
  • 55. Community Profiles A baseline of outcomes created and published to address shared organizations’ interests and goals. Typically intended for a particular sector or subsector, technology, threat type, or other use case. Typical Community Profiles ▪ Large organizations ▪ Trade associations ▪ Nonprofit entities ▪ Government agencies ▪ Advisory committees ▪ Information Sharing Organizations/ Analysis Centers (ISAOs/ISACs)
  • 56. Community Profile Structure A Community Profile uses CSF Core to identify and prioritize cybersecurity outcomes that are necessary to meet the community’s priorities. The stars represent the degree of importance of CSF outcomes in the context of the Community Profile NIST https://doi.org/10.6028/NIST.CSWP.32.ipd
  • 57. Current Community Profiles CSF 1.1 Community Profiles: Ransomware Profile; Botnet Threat Mitigation Profile; Manufacturing Profile; Smart Grid Profile; PNT Profile; Connected Vehicle Environments Profile; Liquefied Natural Gas Profile; Election Infrastructure Profile; Electric Vehicle Extreme Fast Charging Infrastructure Profile; Cybersecurity Framework DDoS Threat Mitigation Profile; Hybrid Satellite Networks (HSN) Profile; Framework Payroll Profile; Genomic Data Profile; White House Fact Sheet Profile. CSF 2.0 Community Profiles: CRI Profile for the Financial Sector - Cyber Risk Institute. NCCoE https://bit.ly/43ovRjc
  • 58. CRI Profile v2.0 Cyber Risk Institute https://bit.ly/43uffqf
  • 59. Ransomware Risk Management - A Cybersecurity Framework Profile NIST https://doi.org/10.6028/NIST.IR.8374
  • 60. Community Profile Lifecycle (diagram; four phases as extracted, phase names not preserved) [1. Audience 2. Scope 3. Participants 4. References 5. Content] → [1. Prioritize 2. Align 3. Document 4. Feedback 5. Inform] → [1. Collaborate & Coordinate 2. Assess] → [1. Measure Impact 2. Monitor/Feedback 3. Update 4. Retire]
  • 61. 3rd Component - Tiers ▪ Tiers describe the rigor of an organization's cyber risk governance and management practices. ▪ Provide context for how an organization views cyber risks and the processes in place to manage those risks. ▪ Valuable when reviewing processes and practices to determine needed improvements and monitor progress made through those improvements.
  • 62. Tiers… Tier 1: Partial ▪ Relies on ad-hoc approaches with limited awareness and inconsistent practices. Tier 2: Risk Informed ▪ Management approves risk practices, but they may not be widespread. ▪ Prioritization considers organizational objectives and threats. ▪ There's basic awareness of supplier risks, but responses are inconsistent.
  • 63. Tiers… Tier 3: Repeatable ▪ Formal policies and procedures guide risk management. ▪ Practices are reviewed and updated regularly. ▪ Information sharing is routine, and personnel are trained. ▪ Consistent methods address risk changes. ▪ The organization consistently monitors risks and communicates them across various levels. ▪ Supplier risk management involves formal agreements and ongoing monitoring.
  • 64. Tiers… Tier 4: Adaptive ▪ A well-integrated approach uses risk information for decision-making. ▪ Executives consider cybersecurity risks alongside other business risks. ▪ The budget reflects risk tolerance, and business units align with organizational goals. ▪ Cybersecurity is part of the culture, continuously adapting to changing threats and technologies. ▪ Real-time information is used to manage supplier risks. ▪ Information sharing is extensive, including with authorized third parties.
  • 65. Applying Tiers to Profiles
  • 66. Cyber Risk Management CSF can help organizations manage cybersecurity risks and understand the connections between these different levels of risk management. ▪ Enterprise Risk Management (ERM) Considers all aspects of an organization and its core risks, including mission, financial, reputation, and technical; ERM helps prioritize and analyze those risks. ▪ Information and Communications Technology (ICT) Risk Management Focuses on risks related to the technology an enterprise uses, including privacy, supply chain, cybersecurity, and emerging technologies like AI. ▪ Cybersecurity Risk Management (CSRM) Deals specifically with cyber risks and how they can impact cost, revenue, reputation, and innovation; it works within the risk tolerance set by ERM.
  • 67. Risk management integration and coordination
  • 68. The cybersecurity risk register (CSRR) Record and communicate the known system-level threats and vulnerabilities, their impact on business objectives, and actions taken or planned for maintaining the appropriate level of risk based on stakeholders’ expectations NIST https://doi.org/10.6028/NIST.IR.8286B
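A register is only useful if it is checked against the tolerance handed down by ERM (slide 66) and feeds the "risks exceed your tolerance" decision of slide 54. The Python below is an added example for this write-up, not NIST's CSRR template (NISTIR 8286 defines the real register columns). It assumes a constructed 1-5 ordinal scale for likelihood and impact, exposure as their product, and an ERM tolerance threshold that is an assumed value; the Subcategory IDs are real CSF 2.0 identifiers, and every register entry is constructed sample data, not a real finding.

```python
"""Cybersecurity risk register (CSRR) with a check against ERM risk tolerance.

Added example; not NIST's register template (NISTIR 8286 defines the actual
CSRR columns). Assumptions: a constructed 1-5 ordinal scale for likelihood
and impact, exposure = likelihood x impact, and an ERM tolerance threshold
that is an assumed value. All entries are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

RESPONSE_TYPES = ("accept", "mitigate", "transfer", "avoid")


@dataclass
class RiskEntry:
    risk_id: str
    description: str
    likelihood: int                 # 1 (rare) .. 5 (almost certain)
    impact: int                     # 1 (negligible) .. 5 (severe) on business objectives
    response: str                   # planned or taken action type
    owner: str
    subcategories: Tuple[str, ...]  # related CSF 2.0 outcomes
    status: str = "open"            # open | closed

    def __post_init__(self) -> None:
        for name in ("likelihood", "impact"):
            if not 1 <= getattr(self, name) <= 5:
                raise ValueError(f"{name} for {self.risk_id} must be 1-5")
        if self.response not in RESPONSE_TYPES:
            raise ValueError(f"unknown response type {self.response!r} for {self.risk_id}")

    @property
    def exposure(self) -> int:
        return self.likelihood * self.impact


def exceeding_tolerance(register: List[RiskEntry], tolerance: int) -> List[RiskEntry]:
    """Open risks whose exposure exceeds the ERM tolerance, highest first.

    These are the entries that should trigger a review of the action plan,
    the Profile, or the tolerance itself (slide 54).
    """
    hits = [r for r in register if r.status == "open" and r.exposure > tolerance]
    return sorted(hits, key=lambda r: (-r.exposure, r.risk_id))


def register_report(register: List[RiskEntry], tolerance: int) -> Dict:
    """Summary a risk manager would hand to ERM: counts, a KRI, and escalations."""
    open_risks = [r for r in register if r.status == "open"]
    over = exceeding_tolerance(register, tolerance)
    by_response: Dict[str, int] = {}
    for r in open_risks:
        by_response[r.response] = by_response.get(r.response, 0) + 1
    return {
        "open": len(open_risks),
        "closed": len(register) - len(open_risks),
        "kri_over_tolerance": len(over),  # KRI: number of open risks above tolerance
        "max_exposure": max((r.exposure for r in open_risks), default=0),
        "escalate": [r.risk_id for r in over],
        "by_response": by_response,
    }


# Constructed sample register (illustrative entries, not real findings).
SAMPLE_REGISTER = [
    RiskEntry("R-01", "Ransomware encrypts file servers; backups untested", 4, 5,
              "mitigate", "IT Ops", ("PR.DS-11", "RC.RP-01")),
    RiskEntry("R-02", "Supplier remote-access appliance unpatched", 3, 4,
              "mitigate", "CISO", ("GV.SC-07", "ID.RA-01")),
    RiskEntry("R-03", "Lost laptop with full-disk encryption enabled", 2, 2,
              "accept", "IT Ops", ("PR.DS-01",)),
    RiskEntry("R-04", "Public cloud storage bucket misconfigured", 3, 3,
              "mitigate", "Cloud team", ("PR.PS-01",), status="closed"),
]
ERM_TOLERANCE = 10  # assumed threshold on the exposure scale

if __name__ == "__main__":
    print(register_report(SAMPLE_REGISTER, ERM_TOLERANCE))
```

Tying each entry to Subcategory IDs is what lets the register and the Organizational Profile be reconciled: an escalated risk points at the outcomes whose Target score or action-plan priority may need revisiting.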
  • 69. Cybersecurity Supply Chain Risk Management (C-SCRM) ▪ Cybersecurity Supply Chain Risk Management (C-SCRM) is a process to identify and mitigate cyber risks in the complex supply chains of technology products and services. ▪ Potential risks include malicious functionality, counterfeit devices, or vulnerabilities derived from poor manufacturing and development practices within the supply chain. ▪ C-SCRM emphasizes the importance of collaboration across an organization to address these risks throughout the entire supply chain.
  • 70. Establishing a C-SCRM Capability The GV.SC Category contains the key outcomes that an organization should achieve via its C-SCRM capability. 1. Create a C-SCRM strategy, objectives, policies, and processes. 2. Identify technology suppliers and determine how critical each one is to the organization. 3. Establish C-SCRM roles and requirements and communicate them within and outside the organization. 4. Integrate C-SCRM into risk-related processes; monitor and improve those practices throughout the technology lifecycle. 5. Include the relevant suppliers in cybersecurity incident planning, response, and recovery activities.
  • 71. Setting C-SCRM Requirements as a Target Profile In addition to GV.SC Category, many of the subcategories within the remainder of the CSF can be used to identify and communicate C-SCRM-related requirements internally for organizations and for their vendors.
  • 72. CSF Online Resources
    Item | Description
    Informative References | View and create mappings between CSF and other documents
    Cybersecurity & Privacy Reference Tool (CPRT) | Browse and download CSF Core & mapped content
    Implementation Examples | View and download examples of steps to help achieve outcomes
    Reference Tool | Access human- and machine-readable versions of the Core
    Community Profiles and Profile templates | Help organizations put CSF into practice
    Search tools | Simplify and streamline as you look for specific information
    Concept papers | Learn more about various CSF topics
    FAQs | See what others are asking and get answers to top questions
    https://doi.org/10.6028/NIST.SP.1299
  • 73. CSF Quick Start Guides (QSGs) https://www.nist.gov/quick-start-guides
  • 74. CSF Quick Start Guides (QSGs)
    Quick Start Guide Type | Description
    Small Business (SMB) | Provides guidance for small businesses with limited cybersecurity experience to get started.
    Creating and Using Organizational Profiles | Explains how to create profiles to define an organization's current and target cybersecurity state.
    Using the CSF Tiers | Shows how to characterize the rigor of an organization's cybersecurity practices.
    Enterprise Risk Management (ERM) | Provides information for Enterprise Risk Management professionals on leveraging CSF 2.0 for better cybersecurity risk management.
    Cybersecurity Supply Chain Risk Management (C-SCRM) | Helps organizations become more secure technology buyers and sellers by improving their C-SCRM processes.
    A Guide to Creating Community Profiles | Explains how to develop cybersecurity plans for groups of organizations with similar needs.
    https://www.nist.gov/quick-start-guides
  • 75. Cybersecurity Maturity Assessment ▪ NIST CSF (Tiers, Organizational and Community Profiles) ▪ Informative References (e.g., NIST, ISO, COBIT, CIS,...etc.) ▪ Capability Maturity Model Integration (CMMI) – CMMI Institute (part of ISACA) ▪ Cybersecurity Capability Maturity Model (C2M2) – Department of Energy (DOE) ▪ CIS Controls Self Assessment Tool (CIS CSAT) – Center for Internet Security…etc. https://bit.ly/4a444XH
  • 76. Cybersecurity Maturity Assessment Example Security Architects https://bit.ly/4a6SZ8j
  • 77. NIST CSF Maturity Tool John Masserini https://bit.ly/3VvRFYt
  • 78. NIST CSF Self-scoring Tool expel https://bit.ly/3Tq9W6P
  • 79. CSF Assessment & Risk Management Tool Skillweed https://bit.ly/49X2zuu
  • 80. NIST CSF 1.1 Risk Assessment and Budgeting Tool Critical Insight https://bit.ly/4alzetv
  • 81. NIST CSF 1.1 Management Tool (NIST CSF+) SANS https://bit.ly/3vjMD6x
  • 82. ISO/IEC 27002 - Information security, cybersecurity and privacy protection - Information security controls ISO https://bit.ly/4ctl7UV
  • 83. ISO/IEC TS 27110:2021 - Cybersecurity framework development guidelines ISO https://bit.ly/495RVjZ (diagram) ISO/IEC TS 27110 → Cybersecurity Framework Creator (inputs: Context, Requirements, Stakeholders) → Resultant Cybersecurity Framework: Identify, Protect, Detect, Respond, Recover, Additional Concepts
  • 84. Threat and Safeguard Matrix (TaSM) OWASP https://bit.ly/4apOnu1
  • 85. Kali Purple A variant of the Kali Linux distribution that comes with a defensive menu structure mapped to the NIST CSF 1.1 Functions. OffSec https://bit.ly/3Tij2Cs
  • 86. Facility Cybersecurity Framework (FCF) FCF helps facility owners and operators manage their cyber risks in OT & IT environments. FCF https://facilitycyber.labworks.org/
  • 87. Mapping MITRE ATT&CK ICS Mitigation Strategies to FCF Controls Cyber Threat Dictionary Using MITRE ATT&CK Matrix and NIST Cybersecurity Framework Mapping IEEE https://doi.org/10.1109/RWS50334.2020.9241271
  • 88. What is next for CSF? ▪ Additional Informative References and mappings ▪ Additional Quick Start Guides ▪ Future Community Profiles ▪ Draft documents finalization ▪ Resources translations ▪ Use cases and success stories ▪ Online training materials Submit suggestions to IR : olir@nist.gov Misc.: cyberframework@nist.gov
  • 89. Wrapping-up ▪ NIST CSF can be used to govern and manage cyber risks. ▪ It can be used by top management to demonstrate due diligence. ▪ It outlines outcomes, but it does not prescribe them nor how they may be achieved. ▪ It works best when mapped to and/or combined with other resources. ▪ It is the starting point for the continuous improvement of your cybersecurity posture.
  • 90. Your plan of action ▪ Download and start reading various CSF resources. ▪ Subscribe to NIST newsletter to watch out for future CSF news and events. ▪ Engage with the community and coworkers by discussing CSF concepts. ▪ See how you can operationalize CSF in your organization. ▪ Map your internal and specific references to CSF. ▪ Present a business case to Top Management…etc.
  • 91. Thank you for joining our workshop today. Your active participation and engagement made this event a success. We value your presence and hope you found the session informative and valuable. Questions & Answers (Q&A) We welcome your questions! Please feel free to ask any questions you may have related to the webinar topic. Our speakers and experts are here to address your inquiries and provide further insights.