TEC — Technology Risks

Last modified: September 10, 2025

1) Purpose, Scope & Design Principles

Mission. Build capacity to prevent, detect, respond to, and govern technology risks across the product lifecycle and enterprise stack—linking Secure-by-Design engineering, privacy & data rights, cloud/third-party risk, AI safety & model risk, OT/ICS safety, digital evidence & response, and crypto/digital assets—with clear business value and compliance outcomes.

Nexus alignment.

  • NXSCore: HPC/GPU scanning, model training, simulation labs.
  • NXSQue: event-driven orchestration across CI/CD, cloud, and SaaS.
  • NXSGRIx: standardized risk data (assets, SBOMs, alerts, loss data) into a global index.
  • NXS-EOP: analytics, attack simulations, AI risk scoring, scenario design.
  • NXS-EWS: early warnings from SOC/SIEM/OT/LLM sensors to multi-channel alerts.
  • NXS-AAP: anticipatory action playbooks—automated containment, grants/insurance triggers.
  • NXS-DSS: executive dashboards, tech risk postures, and board-ready reports.
  • NXS-NSF: verifiable credentials (OB3/VC), hash-only anchoring, partner co-badging.

Standards & frameworks (representative).
ISO/IEC 27001/27701, 27017/27018; NIST CSF 2.0, 800-53, 800-61, 800-63, 800-82, 800-207 (Zero Trust), 800-218 (SSDF); CIS Controls v8; DORA/NIS2; SOC 2; PCI DSS 4.0; IEC 62443 (OT); MITRE ATT&CK/DEFEND/D3FEND; OWASP ASVS/SAMM/Top-10; SBOM (SPDX/CycloneDX) & VEX; OpenSSF (Scorecard/SLSA/in-toto/sigstore); OAuth 2.1/OIDC, FIDO2/WebAuthn; eIDAS 2.0; GDPR/CCPA/CPRA/LGPD/PIPEDA; ISO/IEC 23894 & 42001 (AI), NIST AI RMF; CVE/CWE/CVSS v4 & EPSS; OpenTelemetry.

Evidence & portability. Every artifact is SPDX-licensed, carries W3C-PROV lineage, and is issued as Open Badges 3.0 inside a W3C Verifiable Credential. Public artifacts may receive DOIs. WCAG 2.2 AA and multilingual (EN/FR/ES/AR, RtL) by design.

2) Tiers, Workload & Quality Targets

  • NB (Nanobadge) 2–4 h (0.2–0.4 NCU): quiz + one artifact
  • MB (Microbadge) 6–8 h (0.6–0.8 NCU): mini-project + quiz
  • MC (Micro-Certificate) 12–20 h (1.2–2.0 NCU): lab + scenario + proctored QZ/OD
  • PC 60–90 h: 4–5 MCs + capstone
  • AC 120–150 h: 2 PCs + red-team defense
  • DIP 240–300 h: cross-stream capstone + board defense
  • Fellow-PNG invitation only: publish in Nexus Journals with open methods/data

Assessment quality: quiz reliability ≥ 0.75; item discrimination ≥ 0.25; multilingual DIF checks.
ECTS advisory: 1 NCU ≈ 0.33–0.40 ECTS.
Renewal: invited on MAJOR revision via delta exam or artifact refresh.

3) Codes, Versioning & Catalog Ops

  • Grammar: TEC-[NB|MB|MC]-2xx/3xx/4xx/599
  • Releases: rev: YY.MM.P (major/minor/patch) with change log; delta exam on MAJOR
  • Permalinks: /academy/courses/<code> (latest) + ?rev= for specific
  • Status: active | deprecated | superseded with successor mapping

4) Cross-Cutting Compliance & Interoperability

  • Security management: ISO 27001 ISMS; SOC 2 mapping; CIS Controls; risk registers and control catalogs.
  • Privacy & identity: ISO 27701 PIMS; GDPR & DPIA; OAuth 2.1/OIDC, FIDO2/WebAuthn; eIDAS 2.0 alignment.
  • Cloud & third-party: DORA/NIS2 obligations; CSPM/CNAPP; vendor registers, resilience & concentration risk.
  • Secure development: NIST SSDF; SLSA levels; in-toto attestations; sigstore/cosign signing; SBOM + VEX.
  • Zero Trust: NIST 800-207 for identity, device, network, app, data—ZTA target state & roadmap.
  • Detection & response: SOC/SIEM/SOAR runbooks; OpenTelemetry; incident handling (800-61); tabletop and purple-team cadence.
  • OT/ICS: IEC 62443 zones/conduits, safety interlocks, secure remote access, firmware provenance.
  • AI governance: NIST AI RMF; ISO 23894/42001; model cards, data governance, safety testing/red-team, alignment guardrails.
  • Crypto/digital assets: key management (MPC/HSM), custody ops, smart-contract testing, bridges/oracles risk, market integrity.
  • Data sovereignty: residency, cross-border transfer controls, encryption, key custody & escrow.
  • Quantitative risk: FAIR for cyber loss modeling; CVSS v4/EPSS prioritization; service SLOs with error budgets.

5) Nanobadges (NB) — atomic tech-risk skills

Each NB includes a 10–12 item quiz and one portfolio artifact (SPDX + PROV).

  • TEC-NB-201 Threat Modeling 101 (STRIDE/LINDDUN/PASTA)
    Artifact: threat model & misuse cases for a feature.
  • TEC-NB-202 Zero Trust & Identity 101
    Artifact: ZTA mini-architecture + authn/authz policy (OIDC/FIDO2).
  • TEC-NB-203 Secure SDLC & SSDF 101
    Artifact: SSDF control map + CI/CD control checklist.
  • TEC-NB-204 SBOM & VEX 101 (SPDX/CycloneDX)
    Artifact: SBOM + vendor VEX note and triage path.
  • TEC-NB-205 Cloud Security Primitives 101
    Artifact: least-privilege/IaC snippet + misconfiguration guardrails.
  • TEC-NB-206 Incident Response 101
    Artifact: IR playbook (ransomware or data exfil) with RACI.
  • TEC-NB-207 Privacy by Design 101
    Artifact: data flow map + DPIA micro-template.
  • TEC-NB-208 AI Risk Basics 101
    Artifact: model card + safety/robustness checklist.
  • TEC-NB-209 OT/ICS Basics 101
    Artifact: zones/conduits diagram + remote access SOP.
  • TEC-NB-210 Crypto Agility & PQC 101
    Artifact: crypto inventory + PQC migration sketch.
  • TEC-NB-211 Vuln Prioritization 101 (CVSS v4/EPSS)
    Artifact: triage matrix + patch SLAs.
  • TEC-NB-212 Telemetry & Logging 101 (OpenTelemetry)
    Artifact: OTEL schema + retention/PII minimization policy.

6) Microbadges (MB) — applied bridges

  • TEC-MB-211 CI/CD Security Mini (SAST/DAST/SCA)
    Deliverable: pipeline with quality gates + evidence attestation.
  • TEC-MB-212 Kubernetes & Container Hardening Mini
    Deliverable: K8s hardening guide (PSP replacements, admission controls/OPA) + runtime rules.
  • TEC-MB-213 Cloud Threat Detection Mini
    Deliverable: ATT&CK-mapped detections + SIEM dashboards.
  • TEC-MB-214 Privacy Engineering Mini (DPIA + PETs)
    Deliverable: DPIA + PETs selection (dp-noise, PPRL, minimization).
  • TEC-MB-215 AI Red-Team & Guardrails Mini
    Deliverable: jailbreak/test scripts, content filters, alignment guardrails.
  • TEC-MB-216 SBOM Program & Signing Mini
    Deliverable: SBOM + provenance attestation; image signing (cosign).
  • TEC-MB-217 Zero Trust Micro-Lab
    Deliverable: ZTA roadmap with segment/identity/data policies.
  • TEC-MB-218 Ransomware Tabletop Mini
    Deliverable: tabletop injects + recovery runbook & RTO/RPO.
  • TEC-MB-219 Third-Party Risk & DORA Register Mini
    Deliverable: vendor register + resilience testing cadence.
  • TEC-MB-220 Digital Evidence & Chain-of-Custody Mini
    Deliverable: evidence log, hashing/salting policy, packaging SOP.

7) Micro-Certificates (MC) — 12–20 h; proctored

Rule: Each MC requires ≥5 CORE 101 NBs, ≥2 TEC NBs, ≥1 MB, plus the lab below.
Assessment mix: Lab 50% · Scenario brief 20% · Proctored QZ/OD 30%.

TEC-MC-201 Cybersecurity & Digital Resilience

Outcomes: SOC use-case catalogue; detection mapping to ATT&CK; incident runbooks; resilience KPIs.
Prereqs (rec.): TEC-NB-201/205/206; MB-213 or 218.
Lab: SOC/DIR detection pack + IR playbook; executive resilience one-pager.
Roles: SecOps/SOC Engineer, Cyber Resilience Lead.

TEC-MC-202 Privacy Engineering & Data Rights

Outcomes: data inventory; DPIA; lawful basis + consent design; PETs deployment; data subject rights ops.
Prereqs: TEC-NB-207; MB-214.
Lab: DPIA + privacy-by-design controls & rights workflow.
Roles: Privacy Engineer/PM, Data Protection Officer (tech track).

TEC-MC-203 Responsible AI & Model Risk

Outcomes: AI policy; model governance; safety testing/red-team; model card; bias/drift metrics; human-in-the-loop controls.
Prereqs: TEC-NB-208; MB-215.
Lab: AI governance kit + OD on safety/test results.
Roles: AI Risk Lead, Model Risk/ML Ops.

TEC-MC-311 Cloud, SaaS & Third-Party Risk

Outcomes: CSPM baseline; CNAPP detections; third-party concentration assessment; exit & portability strategy.
Prereqs: TEC-NB-205/211; MB-219.
Lab: cloud risk dashboard + vendor register & testing plan.
Roles: Cloud Security Architect, Third-Party Risk Lead.

TEC-MC-312 Secure-by-Design & Red-Teaming

Outcomes: SSDF controls in backlog; SLSA level targeting; product threat model; red-team plan and purple-team metrics.
Prereqs: TEC-NB-201/203; MB-211 or 215.
Lab: product security blueprint + OD on findings & fixes.
Roles: Product Security/Red Team Lead.

TEC-MC-313 Digital Evidence & Chain-of-Custody

Outcomes: forensics triage; log retention; chain-of-custody; tamper-evident packaging; disclosure/VDP.
Prereqs: TEC-NB-206/212; MB-220.
Lab: evidence package + disclosure plan.
Roles: DFIR Lead, Security Governance.

TEC-MC-314 Kubernetes & Supply Chain Security (NEW)

Outcomes: K8s baseline; admission controls; signed artifacts; SBOM+VEX program; dependency risk metrics.
Prereqs: TEC-NB-204/205; MB-212/216.
Lab: supply chain security pack + cluster policy bundle.
Roles: Platform/DevSecOps Engineer.

TEC-MC-315 Zero Trust Architecture & Identity Governance (NEW)

Outcomes: ZTA target state; policy decision points; device posture; fine-grained authz; identity lifecycle; privileged access.
Prereqs: TEC-NB-202; MB-217.
Lab: ZTA roadmap + identity governance runbook.
Roles: Identity Architect, Enterprise Security.

TEC-MC-316 Data Security & Sovereignty (NEW)

Outcomes: data classification; tokenization/encryption; KMS/HSM models; residency controls; lawful transfer mechanisms.
Prereqs: TEC-NB-207/210; MB-214.
Lab: data security architecture + residency/TIA memo.
Roles: Data Security Architect, Privacy Engineer.

TEC-MC-317 Quantum Readiness & Crypto Agility (NEW)

Outcomes: crypto inventory; migration plan; hybrid modes; signing and PKI upgrade; vendor dependency map.
Prereqs: TEC-NB-210; MB-217 or 216.
Lab: crypto-agility roadmap + test results.
Roles: Cryptography/Platform Security.

TEC-MC-421 Critical OT/ICS Security

Outcomes: zones/conduits segmentation; SBOM for PLCs/RTUs; secure remote access; safety cases & consequence modeling.
Prereqs: TEC-NB-209/210; MB-213.
Lab: OT security plan + tabletop injects.
Roles: OT/ICS Security Engineer.

TEC-MC-422 Crypto/Web3 Custody & Smart-Contract Risk

Outcomes: custody models (MPC/HSM); cold/hot segregation; smart-contract testing; oracle/bridge risk; incident & recovery.
Prereqs: TEC-NB-210; MB-216.
Lab: custody runbook + contract test plan.
Roles: Digital Assets Security/Operations.

8) Capstone & Programs

TEC-MC-599 Secure-AI/Tech Capstone (Level-5)

Tracks:

  • Board Defense: enterprise secure-by-design program, Zero Trust roadmap, AI governance, cloud/third-party resilience.
  • Deployment: live pilots—signed builds & attestations, SBOM/VEX, SOC detections, AI red-team safety tests, ZTA enforcement.
    Portfolio (must include): integrated DSS (tech risk dashboard), ZTA roadmap, AI governance pack, supply chain security bundle, IR runbooks, vendor register. VC issued; public artifacts may receive DOIs.

PRG-PC-TEC-01 Professional Certificate — Technology Risks

  • Pick 4–5 MCs from 201/202/203/311/312/313/314/315/316/317/421/422 + TEC-MC-599
  • Total: 8.0 NCU (80 h) + capstone; min rev for each MC ≥ 25.09.

Advanced Certificates (choose track)

  • AC — Secure Cloud & DevSecOps: PC(TEC) + PC(FIN or PUB) + red-team defense (supply chain, CI/CD, cloud).
  • AC — AI Safety & Governance: PC(TEC) + PC(FIN or HLT) + red-team defense (AI model risk & safety).
  • AC — OT/ICS & Critical Infrastructure: PC(TEC) + PC(PUB/ENV) + red-team defense (OT segmentation & safety).
  • AC — Digital Assets Security: PC(TEC) + PC(FIN) + red-team defense (custody, smart-contracts, market integrity).

DIP — Cross-Stream Technology Leadership

  • Any 2 ACs (≥1 TEC) + CORE-MC-595 + board defense.

Fellow-PNG (Technology Risks)

  • Invitation-only. Publish in Nexus Journals (open methods/data), release tools or mappings; maintain standard crosswalks (ORCID/ROR recorded).

9) Tutor LMS Implementation Profile

  • NB: 1–2 lessons; randomized Quiz + Assignment (artifact); Certificate on; Forum on.
  • MB: multi-lesson; Assignment rubric + Quiz; Prereq (≥1 NB) on.
  • MC: lessons + Lab Assignment + Scenario Assignment + Proctored Quiz/Oral (Zoom/approved tool); Prereqs on; Certificate on.
  • Capstone: cohort schedule; panel rubric; oral defense recording.
  • Webhooks: badge.issued, badge.revoked, program.conferral, artifact.published → NXS-NSF (OB3/VC).
  • Telemetry: xAPI/Caliper events for start, item, submission, grade, badge.

10) Standards, Competencies & CPD Mapping (extract)

  • Standards: ISO 27001/27701/27017/27018; NIST CSF 2.0, 800-53/61/63/82/207/218; CIS Controls v8; DORA/NIS2; SOC 2; PCI DSS 4.0; IEC 62443; OWASP ASVS/SAMM; SBOM (SPDX/CycloneDX) & VEX; OpenSSF (SLSA/in-toto/sigstore/Scorecard); OAuth 2.1/OIDC, FIDO2/WebAuthn; eIDAS 2.0; GDPR/CCPA/CPRA/LGPD/PIPEDA; NIST AI RMF, ISO 23894/42001; CVE/CWE/CVSS v4/EPSS; OpenTelemetry.
  • Competency frameworks: ESCO roles—Security Engineer, Cloud Security Architect, Identity Architect, Privacy Engineer, AI Risk Lead, OT/ICS Security Engineer, DFIR Lead, Digital Assets Security; optional SFIA mappings (SEC/IRMG/ARCH/DDMG/DEVM/AIQR).
  • CPD/CE: ISACA CPE, (ISC)² CPE, IAPP CPE, CSA CCSK/CCSK-Plus credits (where applicable), SANS/GIAC CPE; advisory ECTS totals on course pages.

11) Metadata & Credential Examples

MC JSON-LD (trimmed)

{
  "@context": ["https://schema.org", "https://lrmi.dublincore.org/jsonld/context.jsonld"],
  "@type": "EducationalOccupationalProgram",
  "identifier": "TEC-MC-312",
  "version": "25.09.0",
  "name": "Secure-by-Design & Red-Teaming",
  "description": "Embed SSDF controls and SLSA levels into CI/CD, produce a product threat model, and run a red-team with evidence-based fixes.",
  "timeToComplete": "PT18H",
  "educationalCredentialAwarded": "Micro-Certificate",
  "programPrerequisites": ["CORE-NB-117","TEC-NB-201","TEC-MB-211"],
  "provider": {"@type":"Organization","name":"GCRI"},
  "teaches": [
    {"@type":"DefinedTerm","name":"Secure Software Development Framework"},
    {"@type":"DefinedTerm","name":"Threat Modeling"},
    {"@type":"DefinedTerm","name":"Red Team/Purple Team"}
  ]
}

Badge policy essentials (OB3/VC). BadgeClass binds to TEC-… code + rev; assertion uses hashed recipient + salt; evidence links to artifacts with SPDX & PROV; public status list; optional hash-only anchoring via NXS-NSF.

12) QA & Release Gates (Technology Risks)

  1. Catalog linter: codes, revs, prereq DAG, standards/competency tags, i18n.
  2. Accessibility: WCAG 2.2 AA automated + manual checks (terminal screenshots, diagrams).
  3. Psychometrics: reliability ≥ 0.75; discrimination ≥ 0.25; multilingual DIF.
  4. Provenance & privacy: SPDX + PROV; synthetic/de-identified data; secrets handling policies.
  5. Secure-by-Design evidence: SBOMs, signed artifacts, in-toto attestations, vulnerability SLAs.
  6. Ops & resilience: IR tabletop cadence; backup/DR drills; third-party resilience tests (where applicable).
  7. Release notes: version bump; MAJOR → delta-exam invitation; CPD table updated.

13) Emerging-Risk Annex

  • GenAI security & safety: jailbreaks, prompt injection, data leakage, model theft; guardrails, monitoring, alignment testing, model provenance.
  • Supply chain & build integrity: dependency confusion, typosquatting; deterministic builds; SBOM at every stage; VEX for exploitability.
  • Identity threats: MFA fatigue, session fixation, adversary-in-the-middle; phishing-resistant authentication; identity threat detection & response (ITDR).
  • Ransomware & extortion economics: data-theft and triple extortion, RaaS ecosystems; immutable backups, segmented recovery, legal/comms.
  • Edge/IoT & safety: device lifecycle, firmware signing, safety interlocks; safety case documentation.
  • Data sovereignty & AI training data: consent, licenses, opt-out/objection, copyright/minors, model unlearning.
  • Quantum-era crypto: PQC pilots, hybrid modes, inventory and migration of TLS/VPN/code-signing/PKI.
  • Space & GNSS dependencies: timing/position trust, spoof/jam playbooks; satellite downlink security.
  • Web3 operational risk: key compromise, bridge/oracle exploits, MEV/manipulation; incident coordination and recovery.
  • Green/energy constraints: resilience under grid stress, thermal limits in DC/GPU clusters, sustainability reporting linkages.