Q+E proposes to develop a 5-day CERM Cyber Risk (CERM – CR) Workshop focused on the NIST RMF and NIST 800 guidelines. The workshop will be available for students and graduate students and also for continuing education for IT, engineering, and security professionals. It will be deliverable first in classroom training and then online. It will be based on Q+E’s existing CERM course materials. CERM – CR will utilize NIST RMF and NIST 800’s. Q+E will customize the workshop with recent CIP examples, case studies, and illustrations.  Q+E also will introduce Critical Security Controls, ISACA COBIT 5, ISO 27001, ISA/IEC 62443 (ISA-99), and other cyber risk frameworks.

CERM – CR is architected around a Cyber Governance model (see figure on right). CERM – CR will provide a foundation in cybersecurity risk management and will consist of three integrated workshops: 1. Cyber Enterprise Risk Management (ERM), 2. Cyber Risk Management Frameworks (RMF), and 3. Cyber Risk Assurance. The Cyber ERM component will look at cybersecurity in the context of the enterprise and how to integrate cyber risk into the enterprise risk management program and provide a solid foundation in cyber governance, risk management principles, and cyber compliance/assurance. The Cyber RMF component will focus on the NIST RMF and how to apply its Core Functions-Identify, Protect, Detect, Respond, Recover, and the Categories and Subcategories to organize and structure a cybersecurity program using Profiles and Tiers. The Cyber Risk Assurance component will focus on practices for ensuring compliance and assuring cybersecurity controls are effective at the enterprise, programmatic/process, and system levels.

CERM – CR will provide a foundation in cybersecurity risk management and will consist of three integrated workshops: 1. Cyber Enterprise Risk, Cyber Risk Management Frameworks, and 3. Cyber Risk Assurance.  The Cyber ERM component will look at cybersecurity in the context of the enterprise and how to integrate cyber risk into the enterprise risk management program and provide a solid foundation in cyber governance, risk management principles, and cyber compliance/assurance. The Cyber RMF component will focus on the NIST RMF and how to apply its Core Functions-Identify, Protect, Detect, Respond, Recover, and the Categories and Subcategories to organize and structure a cybersecurity program using Profiles and Tiers. The Cyber Risk Assurance component will focus on practices for ensuring compliance and assuring cybersecurity controls are effective at the enterprise, programmatic/process, and system levels.

Additional information on Certified Enterprise Risk Manager – Cyber Risk can be found below:

• Cyber Enterprise Risk Management (1 day).
• Cyber Risk Management Frameworks (2 days).
• Cyber Risk Assurance (1 1/2days).

Q+E has cybersecurity experience in five Critical Infrastructure Protection (CIP) sectors.  CERM – CR will offer CIP cyber security risk mitigation examples and case studies from chemical sector (CFATS), electric (NERC CIP), and other CIP sectors.

CERM – CYBER RISK LIFECYCLE LEARNING MODEL
The purpose of CERM – CR is to certificate professionals in cybersecurity risk management problem-solving and risk-based decision-making founded upon the CERM Cyber Lifecycle Learning Model shown in the figure below. The model has three :

1. CERM – CR certificate; 2. CERM – CR webinars; and 3. CERM – CR resources.

CERM – CR CERTIFICATE EXAM

At the conclusion of the integrated CERM – CR workshops, participants can apply to take a certificate exam and receive the CERM – CR certificate.  CERM – CR will have a 3 hour certificate exam of 100 questions covering the three integrated cyber workshops below:

CERM – CR will eventually migrate to three certificate levels as well as sub-certificates addressing specific NIST 800 guidelines such as encryption (800 – 21) and industrial control systems (800 – 82).  The CERM – CR certificate levels would indicate:

• Participant has covered a Body of Knowledge and has passed an objective certificate exam attesting to having achieved minimum qualifications.  CERM – CR risk, NIST RMF, and industrial competency knowledge and skills will be covered in the exam.  Q+E plans to develop a question bank of cyber risk questions so CERM – CR certificates can be completed online.
• Specialty credentials and sub-certificates, such as CERM – Industrial Control Systems would affirm advanced cyber knowledge and specific domain expertise.
• CERM – CR Fellows would be nominated by peers in recognition of their contributions in cybersecurity risk management.