UK flag UK
+44 (0) 207 874 5000
+44 (0) 207 874 5000

Supply Chain Cyber Security Risk Management

Course 2014

  • Duration: 2 days
  • Language: English
  • Level: Intermediate

This course provides an introduction to fundamental cybersecurity risk management concepts and how they are applied to modern supply chains. Attendees will learn how to identify critical suppliers, assess risk in third and fourth-party relationships, and identify mitigation strategies. The course covers risks associated with hardware, software, and services acquired from external sources, and attendees will learn strategies for analyzing, treating, and monitoring cyber risk throughout the supply chain.

Supply Chain Cyber Security Risk Management Delivery Methods

  • In-Person

  • Online

Supply Chain Cyber Security Risk Management Course Benefits

Identify supply chain components in modern organizations, including hardware, software, and services

Inventory critical assets and suppliers, and assess the risks they pose to your organization

Understand risk mitigation options, and how to adapt them to address complex risks across the supply chain

Implement risk management frameworks and build a supply chain risk management plan

Audit and perform oversight of supply chain risk to monitor risk mitigation effectiveness

Continue learning and face new challenges with after-course one-on-one instructor coaching

Supply Chain Cyber Security Risk Management Instructor-Led Course Outline

Prerequisites:

  • To be successful in this course, some experience with risk management and business management is helpful but not required.
  • Basic product development knowledge is beneficial, such as software development lifecycles and integrating components into a final product.

Who should attend?

  • Risk managers, looking to extend risk management programs to external third parties, suppliers, and vendors.
  • Security practitioners, tasked with holistic risk management.

In this module, you will learn to:

  • Define Risk and determine its likelihood and probability.
  • Assess Risk’s financial, reputational, and revenue impact.
  • Define Threats and Threat Actors.
  • Identify threat modelling approaches.
  • Define Vulnerabilities to networks and organizations.
  • Discuss methods of risk assessment: qualitative vs. quantitative.
  • Identify ways to mature risk assessment processes over time through an Iterative risk assessment.

Exercise 1: Build a risk register for your fictional company.

  • Evaluate Risk Treatment options: Avoid/Mitigate/Accept/Transfer.
  • Determine when are certain options most appropriate?
  • Ask what decision factors must be considered when selecting a risk option?
  • Define what limitations exist in choosing options.

Exercise 2: Document risk treatment plans.

In this module, you will learn about:

  • Define Supply Chain, Vendor, Third/Fourth Party, and key parts of a supply chain.
  • Operational risk and understanding the business impact of prioritizing critical suppliers.
  • Common supply chain risks arising from Hardware (HW), Software SW), and Open-source software (OSS).
  • Inherited/platform risks (e.g., operating system risks that impact an application, underlying modules included in a larger application like Log4j).
  • Risks from services such as key vendors, third parties, etc.
  • Identifying vulnerabilities - What do attackers target?
  • What motivates supply chain attacks, and who are the victims?

 Exercise 3: Assess supply chain risks.

In this module, you will learn how to:

  • Build an SCRM plan.
  • Leverage existing security and privacy controls in the organization.
  • Identify common framework elements that push compliance to other organizations, such as Business Associates in HIPAA and data subprocessors in GDRP.

Exercise 4: Identify inputs and key outputs of SCRM planning. Document the required process elements needed.

  • Define the purpose of contracts and typical use cases.
  • Define service level requirements, service level agreements (SLAs), and the purpose/typical use cases of each.
  • Define assurance and how the level of risk will impact the level of assurance required.
  • Conduct due diligence at contract initiation and then routinely throughout the service lifetime.
  • Implement due care, such as supplier audits and identifying alternate suppliers.
  • Ensure adequate insurance coverage for third- and fourth-party risks.
  • Consume vendor-supplied audit reports and identify gaps against the organization’s internal compliance requirements.
  • Build an audit methodology and implement the program.
  • Treat previously discussed hardware, software, and service supply chain risks.

Case Studies: SolarWinds, Kaseya, and Target breaches.

In this module, you will learn about:

  • Using a compliance framework to build SCRM capability internal to an organization.
  • Requirements to comply with a framework as a vendor to other organizations.
  • CMMC & NIST SP 800-171.
  • CMMI for Acquisition (CMMI-ACQ).
  • SOC 2
    • Identify as a proactive measure; service providers can undergo an audit and have a documented report of compliance available to share with business partners.
    • Discuss various SOC reports (1, 2, 3) and types (I, II).
  • Cloud Security Alliance (CSA), Cloud Controls Matrix (CCM), Consensus Assessment Initiative Questionnaire (CAIQ), and the CSA STAR Registry.

Exercise: Review a sample CAIQ-Lite report or excerpts from a SOC 2 Type II.

  • Vendor Security Alliance (vendorsecurityalliance.org).
  • Vendor security questionnaires.
  • Ongoing risk monitoring/supplier monitoring platforms (Security Scorecard, BitSight. etc.).
  • GRC platforms (ZenGRC, TugBoat Logic, etc.).
Get This Course £1,645 For Team Prices Call: 44 (0) 207 874 5000

  • 2-day instructor-led training course

  • Hands-on labs included

  • End-of-course exam included

  • After-course coaching available

#2014
  • Guaranteed to Run - you can rest assured that the class will not be cancelled.
    Dec 3 - 4 2:00 PM - 9:30 PM GMT
    Herndon, VA or Virtual
  • Mar 17 - 18 1:00 PM - 8:30 PM GMT
    Herndon, VA or Virtual
  • May 27 - 28 2:00 PM - 9:30 PM BST
    Herndon, VA or Virtual
  • Sep 3 - 4 2:00 PM - 9:30 PM BST
    Herndon, VA or Virtual

  • Bring this or any training to your organization

  • Full-scale program development

  • Delivered when, where, and how you want it

  • Blended learning models

  • Tailored content

  • Expert team coaching

#2014
Questions about this course?
* Required Fields
Customise Your Team Training Experience

Fill out the form below or call 44 (0) 207 874 5000

* Required Fields
Preferred method of contact:

Need Help Finding The Right Training Solution?

Our training advisors are here for you.

Contact Us

Supply Chain Cyber Security Risk Management FAQs

Yes, the course goes in-depth into securing the supply chain for organizations that have access to Controlled Unclassified Information (CUI)

The Learning Tree course, CMMC Requirements Training, is a natural follow-on to Supply Chain Cyber Security Risk Management.

Related Courses

  • CMMC
    Certified Professional CMMC Training (CCP)

    Foundation
    5 days
  • ISC2
    CISSP® Training and Certification Prep Course

    This CISSP® Training and Certification prep course provides in-depth training in the ISC2™ curriculum that will help prepare you to pass your CISSP exam.

    Intermediate
    5 days
    Online or In-class
    Starts from £3,475
  • ISACA
    CISM Certified Information Security Manager

    In this course, you will gain the knowledge needed to successfully pass the certification exam and become a CISM, ISACA Certified Information Security Manager.

    Intermediate
    4 days
    Online or In-class
    Starts from £2,890
  • Zero Trust Security Boot Camp

    Learn how zero trust security solves typical security issues, and how to implement it in your environment.

    Foundation
    3 days
    Online or In-class