Home
Courses
Supply Chain Cyber Security Risk Management

Supply Chain Cyber Security Risk Management

Course 2014

Duration: 2 days
Language: English
Level: Intermediate

This course provides an introduction to fundamental cybersecurity risk management concepts and how they are applied to modern supply chains. Attendees will learn how to identify critical suppliers, assess risk in third and fourth-party relationships, and identify mitigation strategies. The course covers risks associated with hardware, software, and services acquired from external sources, and attendees will learn strategies for analyzing, treating, and monitoring cyber risk throughout the supply chain.

Supply Chain Cyber Security Risk Management Delivery Methods

In-Person
Online

Supply Chain Cyber Security Risk Management Course Benefits

Identify supply chain components in modern organizations, including hardware, software, and services

Inventory critical assets and suppliers, and assess the risks they pose to your organization

Understand risk mitigation options, and how to adapt them to address complex risks across the supply chain

Implement risk management frameworks and build a supply chain risk management plan

Audit and perform oversight of supply chain risk to monitor risk mitigation effectiveness

Continue learning and face new challenges with after-course one-on-one instructor coaching

Supply Chain Cyber Security Risk Management Instructor-Led Course Outline

Important Supply Chain Cyber Security Risk Management Information

Prerequisites:

To be successful in this course, some experience with risk management and business management is helpful but not required.
Basic product development knowledge is beneficial, such as software development lifecycles and integrating components into a final product.

Who should attend?

Risk managers, looking to extend risk management programs to external third parties, suppliers, and vendors.
Security practitioners, tasked with holistic risk management.

Module 1: Risk Management Basics

In this module, you will learn to:

Define Risk and determine its likelihood and probability.
Assess Risk’s financial, reputational, and revenue impact.
Define Threats and Threat Actors.
Identify threat modelling approaches.
Define Vulnerabilities to networks and organizations.
Discuss methods of risk assessment: qualitative vs. quantitative.
Identify ways to mature risk assessment processes over time through an Iterative risk assessment.

Exercise 1: Build a risk register for your fictional company.

Evaluate Risk Treatment options: Avoid/Mitigate/Accept/Transfer.
Determine when are certain options most appropriate?
Ask what decision factors must be considered when selecting a risk option?
Define what limitations exist in choosing options.

Exercise 2: Document risk treatment plans.

Module 2: Supply Chain Basics

In this module, you will learn about:

Define Supply Chain, Vendor, Third/Fourth Party, and key parts of a supply chain.
Operational risk and understanding the business impact of prioritizing critical suppliers.
Common supply chain risks arising from Hardware (HW), Software SW), and Open-source software (OSS).
Inherited/platform risks (e.g., operating system risks that impact an application, underlying modules included in a larger application like Log4j).
Risks from services such as key vendors, third parties, etc.
Identifying vulnerabilities - What do attackers target?
What motivates supply chain attacks, and who are the victims?

Exercise 3: Assess supply chain risks.

Module 3: SCRM Tools & Practices

In this module, you will learn how to:

Build an SCRM plan.
Leverage existing security and privacy controls in the organization.
Identify common framework elements that push compliance to other organizations, such as Business Associates in HIPAA and data subprocessors in GDRP.

Exercise 4: Identify inputs and key outputs of SCRM planning. Document the required process elements needed.

Define the purpose of contracts and typical use cases.
Define service level requirements, service level agreements (SLAs), and the purpose/typical use cases of each.
Define assurance and how the level of risk will impact the level of assurance required.
Conduct due diligence at contract initiation and then routinely throughout the service lifetime.
Implement due care, such as supplier audits and identifying alternate suppliers.
Ensure adequate insurance coverage for third- and fourth-party risks.
Consume vendor-supplied audit reports and identify gaps against the organization’s internal compliance requirements.
Build an audit methodology and implement the program.
Treat previously discussed hardware, software, and service supply chain risks.

Case Studies: SolarWinds, Kaseya, and Target breaches.

Module 4: Compliance Frameworks, SCRM Vendors, and Tools

In this module, you will learn about:

Using a compliance framework to build SCRM capability internal to an organization.
Requirements to comply with a framework as a vendor to other organizations.
CMMC & NIST SP 800-171.
CMMI for Acquisition (CMMI-ACQ).
SOC 2
- Identify as a proactive measure; service providers can undergo an audit and have a documented report of compliance available to share with business partners.
- Discuss various SOC reports (1, 2, 3) and types (I, II).
Cloud Security Alliance (CSA), Cloud Controls Matrix (CCM), Consensus Assessment Initiative Questionnaire (CAIQ), and the CSA STAR Registry.

Exercise: Review a sample CAIQ-Lite report or excerpts from a SOC 2 Type II.

Vendor Security Alliance (vendorsecurityalliance.org).
Vendor security questionnaires.
Ongoing risk monitoring/supplier monitoring platforms (Security Scorecard, BitSight. etc.).
GRC platforms (ZenGRC, TugBoat Logic, etc.).

Get This Course 20 930 kr

2-day instructor-led training course
Hands-on labs included
End-of-course exam included
After-course coaching available

Include dates with afternoon start times

#2014

Guaranteed to Run - you can rest assured that the class will not be cancelled.
jun 20 - 21 15:00 - 22:30 CEST

Virtual
jul 17 - 18 15:00 - 22:30 CEST

New York or Virtual
aug 21 - 22 15:00 - 22:30 CEST

Ottawa or Virtual
sep 12 - 13 10:00 - 18:00 CEST

Virtual
sep 12 - 13 9:00 - 16:30 CEST

Virtual
sep 18 - 19 15:00 - 22:30 CEST

Herndon, VA or Virtual
okt 16 - 17 15:00 - 22:30 CEST

New York or Virtual
nov 20 - 21 15:00 - 22:30 CET

Ottawa or Virtual
dec 12 - 13 10:00 - 18:00 CET

Virtual
dec 12 - 13 9:00 - 16:30 CET

Virtual
dec 18 - 19 15:00 - 22:30 CET

Herndon, VA or Virtual
jan 17 - 18 15:00 - 22:30 CET

New York or Virtual
feb 12 - 13 15:00 - 22:30 CET

Ottawa or Virtual
mar 12 - 13 10:00 - 18:00 CET

Virtual
mar 12 - 13 9:00 - 16:30 CET

Virtual
mar 18 - 19 14:00 - 21:30 CET

Herndon, VA or Virtual
apr 15 - 16 15:00 - 22:30 CEST

New York or Virtual
maj 23 - 24 15:00 - 22:30 CEST

Ottawa or Virtual

Scroll to view additional course dates

Bring this or any training to your organization
Full-scale program development
Delivered when, where, and how you want it
Blended learning models
Tailored content
Expert team coaching

#2014

Questions about this course?

Customise Your Team Training Experience

Fill out the form below or call +46 (0)8 506 668 00

* Required Fields

Preferred method of contact:

Phone

Need Help Finding The Right Training Solution?

Our training advisors are here for you.

Supply Chain Cyber Security Risk Management FAQs

Yes, the course goes in-depth into securing the supply chain for organizations that have access to Controlled Unclassified Information (CUI)

The Learning Tree course, {Course:2074}, is a natural follow-on to Supply Chain Cyber Security Risk Management.