This course provides an introduction to fundamental cybersecurity risk management concepts and how they are applied to modern supply chains. Attendees will learn how to identify critical suppliers, assess risk in third and fourth-party relationships, and identify mitigation strategies. The course covers risks associated with hardware, software, and services acquired from external sources, and attendees will learn strategies for analyzing, treating, and monitoring cyber risk throughout the supply chain.
Skills Gained
- Identify supply chain components in modern organizations, including hardware, software, and services
- Inventory critical assets and suppliers, and assess the risks they pose to your organization
- Understand risk mitigation options, and how to adapt them to address complex risks across the supply chain
- Implement risk management frameworks and build a supply chain risk management plan
- Audit and perform oversight of supply chain risk to monitor risk mitigation effectiveness
- Continue learning and face new challenges with after-course one-on-one instructor coaching
Who Can Benefit
- Risk managers, looking to extend risk management programs to external third parties, suppliers, and vendors.
- Security practitioners, tasked with holistic risk management.
Prerequisites
- To be successful in this course, some experience with risk management and business management is helpful but not required.
- Basic product development knowledge is beneficial, such as software development lifecycles and integrating components into a final product.
Module 1: Risk Management Basics
In this module, you will learn to:
- Define Risk and determine its likelihood and probability.
- Assess Risk’s financial, reputational, and revenue impact.
- Define Threats and Threat Actors.
- Identify threat modeling approaches.
- Define Vulnerabilities to networks and organizations.
- Discuss methods of risk assessment: qualitative vs. quantitative.
- Identify ways to mature risk assessment processes over time through an Iterative risk assessment.
Exercise 1: Build a risk register for your fictional company.
- Evaluate Risk Treatment options: Avoid/Mitigate/Accept/Transfer.
- Determine when are certain options most appropriate?
- Ask what decision factors must be considered when selecting a risk option?
- Define what limitations exist in choosing options.
Exercise 2: Document risk treatment plans.
Module 2: Supply Chain Basics
In this module, you will learn about:
- Define Supply Chain, Vendor, Third/Fourth Party, and key parts of a supply chain.
- Operational risk and understanding the business impact of prioritizing critical suppliers.
- Common supply chain risks arising from Hardware (HW), Software SW), and Open-source software (OSS).
- Inherited/platform risks (e.g., operating system risks that impact an application, underlying modules included in a larger application like Log4j).
- Risks from services such as key vendors, third parties, etc.
- Identifying vulnerabilities - What do attackers target?
- What motivates supply chain attacks, and who are the victims?
Exercise 3: Assess supply chain risks.
Module 3: SCRM Tools & Practices
In this module, you will learn how to:
- Build an SCRM plan.
- Leverage existing security and privacy controls in the organization.
- Identify common framework elements that push compliance to other organizations, such as Business Associates in HIPAA and data subprocessors in GDRP.
Exercise 4: Identify inputs and key outputs of SCRM planning. Document the required process elements needed.
- Define the purpose of contracts and typical use cases.
- Define service level requirements, service level agreements (SLAs), and the purpose/typical use cases of each.
- Define assurance and how the level of risk will impact the level of assurance required.
- Conduct due diligence at contract initiation and then routinely throughout the service lifetime.
- Implement due care, such as supplier audits and identifying alternate suppliers.
- Ensure adequate insurance coverage for third- and fourth-party risks.
- Consume vendor-supplied audit reports and identify gaps against the organization’s internal compliance requirements.
- Build an audit methodology and implement the program.
- Treat previously discussed hardware, software, and service supply chain risks.
Case Studies: SolarWinds, Kaseya, and Target breaches.
Module 4: Compliance Frameworks, SCRM Vendors, and Tools
In this module, you will learn about:
- Using a compliance framework to build SCRM capability internal to an organization.
- Requirements to comply with a framework as a vendor to other organizations.
- CMMC & NIST SP 800-171.
- CMMI for Acquisition (CMMI-ACQ).
- SOC 2
- Identify as a proactive measure; service providers can undergo an audit and have a documented report of compliance available to share with business partners.
- Discuss various SOC reports (1, 2, 3) and types (I, II).
- Cloud Security Alliance (CSA), Cloud Controls Matrix (CCM), Consensus Assessment Initiative Questionnaire (CAIQ), and the CSA STAR Registry.
Exercise: Review a sample CAIQ-Lite report or excerpts from a SOC 2 Type II.
- Vendor Security Alliance (vendorsecurityalliance.org).
- Vendor security questionnaires.
- Ongoing risk monitoring/supplier monitoring platforms (Security Scorecard, BitSight. etc.).
- GRC platforms (ZenGRC, TugBoat Logic, etc.).