CERTIFIED ENTERPRISE RISK MANAGER® – CYBER RISK

Q+E proposes to develop a 5-day CERM Cyber Risk (CERM – CR) Workshop focused on the NIST RMF and NIST 800 guidelines. The workshop will be available for students and graduate students and also for continuing education for IT, engineering, and security professionals. It will be deliverable first in classroom training and then online. It will be based on Q+E’s existing CERM course materials. CERM – CR will utilize NIST RMF and NIST 800’s. Q+E will customize the workshop with recent CIP examples, case studies, and illustrations.  Q+E also will introduce Critical Security Controls, ISACA COBIT 5, ISO 27001, ISA/IEC 62443 (ISA-99), and other cyber risk frameworks.

Certified Enterprise Risk Manager – Cyber Risk Components (CERM – CR)
CERM – CR is composed of three key elements:

  • Cyber Enterprise Risk Management (1 day).
  • Cyber Risk Management Frameworks (2 days).
  • Cyber Risk Assurance (1 day).

CERM – CR will provide a foundation in cybersecurity risk management and will consist of three integrated workshops: 1. Cyber Enterprise Risk Management (see page 6), Cyber Risk Management Frameworks (see page 7), and 3. Cyber Risk Assurance (see page 8).  The Cyber ERM component will look at cybersecurity in the context of the enterprise and how to integrate cyber risk into the enterprise risk management program and provide a solid foundation in cyber governance, risk management principles, and cyber compliance/assurance. The Cyber RMF component will focus on the NIST RMF and how to apply its Core Functions-Identify, Protect, Detect, Respond, Recover, and the Categories and Subcategories to organize and structure a cybersecurity program using Profiles and Tiers. The Cyber Risk Assurance component will focus on practices for ensuring compliance and assuring cybersecurity controls are effective at the enterprise, programmatic/process, and system levels.

Q+E has cybersecurity experience in five Critical Infrastructure Protection (CIP) sectors.  CERM – CR will offer CIP cyber security risk mitigation examples and case studies from chemical sector (CFATS), electric (NERC CIP), and other CIP sectors.

CERM – CYBER RISK LIFECYCLE LEARNING MODEL
The purpose of CERM – CR is to certificate professionals in cybersecurity risk management problem-solving and risk-based decision-making founded upon the CERM Cyber Lifecycle Learning Model shown in the figure below. The model has three :

1. CERM – CR certificate; 2. CERM – CR webinars; and 3. CERM – CR resources.

CERM LEARNING MODEL

 

 

 

 

 

 

 

CERM – CR CERTIFICATE EXAM
At the conclusion of the integrated CERM – CR workshops, participants can apply to take a certificate exam and receive the CERM – CR certificate.  CERM – CR will have a 3 hour certificate exam of 100 questions covering the three integrated cyber workshops below:

 

 

CERM Cyber Risk Integrated Workshops

Percentage of Test Items

Cyber Enterprise Risk Management

20%

Cyber Risk Assurance

40%

Cyber Risk Management Framework

40%

CERM – CR will eventually migrate to three certificate levels as well as sub-certificates addressing specific NIST 800 guidelines such as encryption (800 – 21) and industrial control systems (800 – 82).  The CERM – CR certificate levels would indicate:

  • Participant has covered a Body of Knowledge and has passed an objective certificate exam attesting to having achieved minimum qualifications.  CERM – CR risk, NIST RMF, and industrial competency knowledge and skills will be covered in the exam.  Q+E plans to develop a question bank of cyber risk questions so CERM – CR certificates can be completed online.
  • Specialty credentials and sub-certificates, such as CERM – Industrial Control Systems would affirm advanced cyber knowledge and specific domain expertise.
  • CERM – CR Fellows would be nominated by peers in recognition of their contributions in cybersecurity risk management.