Govern
Download free policy and standard templates for the NIST CSF 2.0 Govern Core Function, which ensures that a small business's cybersecurity risk management strategy, expectations, and overall policy are established, communicated, and monitored.
Govern Function Background
The Govern Function ensures that an organization’s cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored. It provides insights to help prioritize and achieve the outcomes of the other five Core Functions in line with the organization’s mission and stakeholder expectations. Governance activities are essential for integrating cybersecurity into the broader enterprise risk management strategy.
The Govern Function encompasses understanding the organizational context, establishing the cybersecurity strategy and the supply chain risk management approach, defining roles and responsibilities, creating policies, and overseeing cybersecurity initiatives. The Function comprises Categories that break it down into more specific outcomes and activities, giving organizations a structured approach to managing and implementing cybersecurity practices.
Govern Policy Templates
The following policy and standard templates help ensure that the NIST CSF Govern Categories are adequately addressed, including Organizational Context; Risk Management Strategy; Roles, Responsibilities, and Authorities; Policy; Oversight; and Cybersecurity Supply Chain Risk Management.
Visit Template Instructions for help completing these templates and the Implementation Guide for tips on how to implement these policies and standards once the templates are completed.
Information Security Policy
Description: This general Information Security Policy establishes the minimum mandatory requirements for information security within the organization. While organizations can exceed these requirements based on specific business needs and legal obligations, they must meet the baseline standards set forth in this policy.
Word Template Link: Information-Security-Policy.docx
Primary NIST CSF 2.0 Category: Policy
Acceptable Use of Information Technology Resources Policy
Description: The Acceptable Use of Information Technology Resources Policy outlines the proper use of information and technology resources within the organization, emphasizing the importance of workforce participation and support for effective security. Inappropriate usage can lead to significant risks, including ransomware attacks, system compromises, and legal issues.
Word Template Link: Acceptable-Use-of-Information-Technology-Resources-Policy.docx
Primary NIST CSF 2.0 Category: Policy
Planning Policy
Description: The Planning Policy ensures that IT resources and information systems are established with effective security controls and control enhancements that reflect applicable federal and state laws, Executive Orders, directives, regulations, policies, standards, and guidance.
Word Template Link: Planning-Policy.docx
Primary NIST CSF 2.0 Category: Oversight
Personnel Security Policy
Description: The Personnel Security Policy ensures that safeguards are implemented for personnel access to and use of information technology resources and data. This policy establishes protocols to verify the trustworthiness of personnel, mitigating risks related to insider threats and ensuring that only authorized individuals have access to sensitive information. It is crucial for protecting the organization’s information assets and maintaining overall security.
Word Template Link: Personnel-Security-Policy.docx
Primary NIST CSF 2.0 Category: Roles, Responsibilities, and Authorities
Systems and Services Acquisition Policy
Description: The Systems and Services Acquisition Policy ensures that information technology resources and information systems are acquired with security requirements that support the organization's mission and business objectives.
Word Template Link: Systems-and-Services-Acquisition-Policy.docx
Primary NIST CSF 2.0 Category: Cybersecurity Supply Chain Risk Management
Information Security Risk Management Standard
Description: The Information Security Risk Management Standard is vital for identifying, analyzing, and maintaining acceptable levels of risk to confidentiality, integrity, and availability. Regular risk assessments enable management to prioritize the most critical information assets, supporting informed decision-making. Compliance with federal and state mandates requires routine assessments to identify risks and implement necessary controls. Addressing security risks early is more cost-effective than dealing with incidents later. This standard provides a framework for evaluating the current security posture, identifying gaps, and determining appropriate actions.
Word Template Link: Information-Security-Risk-Management-Standard.docx
Primary NIST CSF 2.0 Category: Risk Management Strategy
NIST CSF Govern Categories
The Govern Function comprises a set of governance-focused Categories that strengthen the management and oversight of cybersecurity risk at the organizational level. These Categories emphasize leadership commitment, risk management governance, and alignment of the organization with its cybersecurity goals, ensuring that cybersecurity is integrated into the broader business strategy. Each Govern Category is listed and described below:
Organizational Context
Description: The circumstances — mission, stakeholder expectations, dependencies, and legal, regulatory, and contractual requirements — surrounding the organization’s cybersecurity risk management decisions are understood
NIST CSF 2.0 Identifier: GV.OC
Risk Management Strategy
Description: The organization’s priorities, constraints, risk tolerance and appetite statements, and assumptions are established, communicated, and used to support operational risk decisions
NIST CSF 2.0 Identifier: GV.RM
Roles, Responsibilities, and Authorities
Description: Cybersecurity roles, responsibilities, and authorities to foster accountability, performance assessment, and continuous improvement are established and communicated
NIST CSF 2.0 Identifier: GV.RR
Policy
Description: Organizational cybersecurity policy is established, communicated, and enforced
NIST CSF 2.0 Identifier: GV.PO
Oversight
Description: Results of organization-wide cybersecurity risk management activities and performance are used to inform, improve, and adjust the risk management strategy
NIST CSF 2.0 Identifier: GV.OV
Cybersecurity Supply Chain Risk Management
Description: Cyber supply chain risk management processes are identified, established, managed, monitored, and improved by organizational stakeholders
NIST CSF 2.0 Identifier: GV.SC
References
“Securing Small and Medium-Sized Business Supply Chains.” Cybersecurity & Infrastructure Security Agency, https://www.cisa.gov/sites/default/files/2023-01/Securing-SMB-Supply-Chains_Resource-Handbook_508.pdf. Accessed 5 Nov. 2024.
Arctic Wolf. “NIST CSF 2.0: Understanding and Implementing the Govern Function.” Arctic Wolf, 30 May 2024, https://arcticwolf.com/resources/blog/nist-csf-2-0-understanding-and-implementing-the-govern-function.
“Choosing a Vendor/Service Provider.” National Institute of Standards and Technology, 24 Aug. 2020, https://www.nist.gov/itl/smallbusinesscyber/guidance-topic/choosing-vendorservice-provider.
“Govern - CSF Tools.” CSF Tools - The Cybersecurity Framework for Humans, 1 Mar. 2024, https://csf.tools/reference/nist-cybersecurity-framework/v2-0/gv.
National Institute of Standards and Technology. The NIST Cybersecurity Framework (CSF) 2.0, https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.29.pdf.
Nihill, Caroline. “Updated NIST Cybersecurity Framework Adds Core Function, Focuses on Supply Chain Risk Management.” FedScoop, 26 Feb. 2024, https://fedscoop.com/updated-nist-cybersecurity-framework-adds-core-function-focuses-on-supply-chain-risk-management.
“NIST Cybersecurity Framework 2.0: Small Business Quick-Start Guide Overview.” NIST Cybersecurity Framework 2.0, National Institute of Standards and Technology, Feb. 2024, https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1300.pdf.
Quinn, Stephen, et al. “Staging Cybersecurity Risks for Enterprise Risk Management and Governance Oversight.” Computer Security Resource Center, 6 Mar. 2024, https://csrc.nist.gov/pubs/ir/8286/c/upd1/final.