Curso Supply Chain Cyber Security Risk Management


16 hours
Overview

This Supply Chain Cyber Security Risk Management course provides an introduction to the fundamental concepts of cyber security risk management and how they are applied to modern supply chains. Participants will learn how to identify critical suppliers, assess risks in third- and fourth-party relationships, and identify mitigation strategies. The course covers risks associated with hardware, software and services acquired from external sources, and participants will learn strategies to analyze, treat and monitor cyber risks across the entire supply chain.

Objective

After successfully completing the Supply Chain Cyber Security Risk Management course, you will be able to:

  • Identify supply chain components in modern organizations, including hardware, software and services
  • Inventory critical assets and suppliers and assess the risks they pose to your organization
  • Understand risk mitigation options and how to adapt them to address complex risks across the entire supply chain
  • Implement risk management frameworks and build a supply chain risk management plan
  • Audit and oversee supply chain risk to monitor the effectiveness of risk mitigation
  • Continue learning and take on new challenges with individual instructor training after the course
Target Audience
  • Risk managers seeking to extend risk management programs to third parties, suppliers and external vendors.
  • Security professionals responsible for holistic risk management.
Prerequisites
  • To succeed in this course, some experience with risk management and business management is helpful but not required.
  • Basic knowledge of product development is beneficial, such as software development life cycles and the integration of components into a final product.
Materials
English/Portuguese/Hands-on Lab
Course Content

Risk Management Basics

In this module, you will learn to:

  1. Define Risk and determine its likelihood and probability.
  2. Assess Risk’s financial, reputational, and revenue impact.
  3. Define Threats and Threat Actors.
  4. Identify threat modeling approaches.
  5. Define Vulnerabilities to networks and organizations.
  6. Discuss methods of risk assessment: qualitative vs. quantitative.
  7. Identify ways to mature risk assessment processes over time through an Iterative risk assessment.

Build a risk register for your fictional company.

  1. Evaluate Risk Treatment options: Avoid/Mitigate/Accept/Transfer.
  2. Determine when certain options are most appropriate.
  3. Ask what decision factors must be considered when selecting a risk option.
  4. Define what limitations exist in choosing options.

Exercise 2: Document risk treatment plans.

Supply Chain Basics

In this module, you will learn about:

  1. Define Supply Chain, Vendor, Third/Fourth Party, and key parts of a supply chain.
  2. Operational risk and understanding the business impact of prioritizing critical suppliers.
  3. Common supply chain risks arising from Hardware (HW), Software (SW), and Open-source software (OSS).
  4. Inherited/platform risks (e.g., operating system risks that impact an application, underlying modules included in a larger application like Log4j).
  5. Risks from services such as key vendors, third parties, etc.
  6. Identifying vulnerabilities - What do attackers target?
  7. What motivates supply chain attacks, and who are the victims?

Exercise 3: Assess supply chain risks.

SCRM Tools & Practices

In this module, you will learn how to:

  1. Build an SCRM plan.
  2. Leverage existing security and privacy controls in the organization.
  3. Identify common framework elements that push compliance to other organizations, such as Business Associates in HIPAA and data subprocessors in GDPR.

Exercise 4: Identify inputs and key outputs of SCRM planning. Document the required process elements needed.

  1. Define the purpose of contracts and typical use cases.
  2. Define service level requirements, service level agreements (SLAs), and the purpose/typical use cases of each.
  3. Define assurance and how the level of risk will impact the level of assurance required.
  4. Conduct due diligence at contract initiation and then routinely throughout the service lifetime.
  5. Implement due care, such as supplier audits and identifying alternate suppliers.
  6. Ensure adequate insurance coverage for third- and fourth-party risks.
  7. Consume vendor-supplied audit reports and identify gaps against the organization’s internal compliance requirements.
  8. Build an audit methodology and implement the program.
  9. Treat previously discussed hardware, software, and service supply chain risks.

Case Studies: SolarWinds, Kaseya, and Target breaches.

Compliance Frameworks, SCRM Vendors, and Tools

In this module, you will learn about:

  1. Using a compliance framework to build SCRM capability internal to an organization.
  2. Requirements to comply with a framework as a vendor to other organizations.
  3. CMMC & NIST SP 800-171.
  4. CMMI for Acquisition.
  5. SOC 2.
    1. Identify SOC 2 as a proactive measure: service providers can undergo an audit and have a documented compliance report available to share with business partners.
    2. Discuss various SOC reports (1, 2, 3) and types (I, II).
  6. Cloud Security Alliance (CSA), Cloud Controls Matrix (CCM), Consensus Assessment Initiative Questionnaire (CAIQ), and the CSA STAR Registry.

Exercise: Review a sample CAIQ-Lite report or excerpts from a SOC 2 Type II.

  1. Vendor Security Alliance (vendorsecurityalliance.org).
  2. Vendor security questionnaires.
  3. Ongoing risk monitoring/supplier monitoring platforms (SecurityScorecard, BitSight, etc.).
  4. GRC platforms (ZenGRC, Tugboat Logic, etc.).